| Message ID | 1512563739-25239-12-git-send-email-will.deacon@arm.com |
|---|---|
| State | Accepted |
| Commit | 51a0048beb449682d632d0af52a515adb9f9882e |
| Headers | show |
| Series | arm64: Unmap the kernel whilst running in userspace (KPTI) | expand |
On Wed, Dec 06, 2017 at 12:35:30PM +0000, Will Deacon wrote: > The exception entry trampoline needs to be mapped at the same virtual > address in both the trampoline page table (which maps nothing else) > and also the kernel page table, so that we can swizzle TTBR1_EL1 on > exceptions from and return to EL0. > > This patch maps the trampoline at a fixed virtual address in the fixmap > area of the kernel virtual address space, which allows the kernel proper > to be randomized with respect to the trampoline when KASLR is enabled. > > Signed-off-by: Will Deacon <will.deacon@arm.com> Reviewed-by: Mark Rutland <mark.rutland@arm.com> Mark. > --- > arch/arm64/include/asm/fixmap.h | 4 ++++ > arch/arm64/include/asm/pgtable.h | 1 + > arch/arm64/kernel/asm-offsets.c | 6 +++++- > arch/arm64/mm/mmu.c | 23 +++++++++++++++++++++++ > 4 files changed, 33 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h > index 4052ec39e8db..8119b49be98d 100644 > --- a/arch/arm64/include/asm/fixmap.h > +++ b/arch/arm64/include/asm/fixmap.h > @@ -58,6 +58,10 @@ enum fixed_addresses { > FIX_APEI_GHES_NMI, > #endif /* CONFIG_ACPI_APEI_GHES */ > > +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 > + FIX_ENTRY_TRAMP_TEXT, > +#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT)) > +#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ > __end_of_permanent_fixed_addresses, > > /* > diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h > index 149d05fb9421..774003b247ad 100644 > --- a/arch/arm64/include/asm/pgtable.h > +++ b/arch/arm64/include/asm/pgtable.h > @@ -680,6 +680,7 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, > > extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; > extern pgd_t idmap_pg_dir[PTRS_PER_PGD]; > +extern pgd_t tramp_pg_dir[PTRS_PER_PGD]; > > /* > * Encode and decode a swap entry: > diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c > index 71bf088f1e4b..af247d10252f 100644 > --- a/arch/arm64/kernel/asm-offsets.c > +++ b/arch/arm64/kernel/asm-offsets.c > @@ -24,6 +24,7 @@ > #include <linux/kvm_host.h> > #include <linux/suspend.h> > #include <asm/cpufeature.h> > +#include <asm/fixmap.h> > #include <asm/thread_info.h> > #include <asm/memory.h> > #include <asm/smp_plat.h> > @@ -148,11 +149,14 @@ int main(void) > DEFINE(ARM_SMCCC_RES_X2_OFFS, offsetof(struct arm_smccc_res, a2)); > DEFINE(ARM_SMCCC_QUIRK_ID_OFFS, offsetof(struct arm_smccc_quirk, id)); > DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS, offsetof(struct arm_smccc_quirk, state)); > - > BLANK(); > DEFINE(HIBERN_PBE_ORIG, offsetof(struct pbe, orig_address)); > DEFINE(HIBERN_PBE_ADDR, offsetof(struct pbe, address)); > DEFINE(HIBERN_PBE_NEXT, offsetof(struct pbe, next)); > DEFINE(ARM64_FTR_SYSVAL, offsetof(struct arm64_ftr_reg, sys_val)); > + BLANK(); > +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 > + DEFINE(TRAMP_VALIAS, TRAMP_VALIAS); > +#endif > return 0; > } > diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c > index 267d2b79d52d..fe68a48c64cb 100644 > --- a/arch/arm64/mm/mmu.c > +++ b/arch/arm64/mm/mmu.c > @@ -525,6 +525,29 @@ static int __init parse_rodata(char *arg) > } > early_param("rodata", parse_rodata); > > +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 > +static int __init map_entry_trampoline(void) > +{ > + extern char __entry_tramp_text_start[]; > + > + pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; > + phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); > + > + /* The trampoline is always mapped and can therefore be global */ > + pgprot_val(prot) &= ~PTE_NG; > + > + /* Map only the text into the trampoline page table */ > + memset(tramp_pg_dir, 0, PGD_SIZE); > + __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, > + prot, pgd_pgtable_alloc, 0); > + > + /* ...as well as the kernel page table */ > + __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot); > + return 0; > +} > +core_initcall(map_entry_trampoline); > +#endif > + > /* > * Create fine-grained mappings for the kernel. > */ > -- > 2.1.4 >
Hi Will, On 2017/12/6 20:35, Will Deacon wrote: > +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 > +static int __init map_entry_trampoline(void) > +{ > + extern char __entry_tramp_text_start[]; > + > + pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; > + phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); > + > + /* The trampoline is always mapped and can therefore be global */ > + pgprot_val(prot) &= ~PTE_NG; > + > + /* Map only the text into the trampoline page table */ > + memset(tramp_pg_dir, 0, PGD_SIZE); > + __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, > + prot, pgd_pgtable_alloc, 0); How the tramp_pg_dir is used, should it be set to ttbr1 when exit kernel? Sorry for I do not find where it is used. Thanks Yisheng > + > + /* ...as well as the kernel page table */ > + __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot); > + return 0; > +} > +core_initcall(map_entry_trampoline); > +#endif > + > /* > * Create fine-grained mappings for the kernel. > */ >
On Tue, Jan 23, 2018 at 04:28:45PM +0800, Yisheng Xie wrote: > On 2017/12/6 20:35, Will Deacon wrote: > > +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 > > +static int __init map_entry_trampoline(void) > > +{ > > + extern char __entry_tramp_text_start[]; > > + > > + pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; > > + phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); > > + > > + /* The trampoline is always mapped and can therefore be global */ > > + pgprot_val(prot) &= ~PTE_NG; > > + > > + /* Map only the text into the trampoline page table */ > > + memset(tramp_pg_dir, 0, PGD_SIZE); > > + __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, > > + prot, pgd_pgtable_alloc, 0); > > How the tramp_pg_dir is used, should it be set to ttbr1 when exit kernel? Sorry > for I do not find where it is used. Yes, that's what happens when we return to userspace. The code is a little convoluted, but the tramp_pg_dir is placed at a fixed offset from swapper (see the linker script) so the sub instruction in tramp_unmap_kernel is what gives us the ttbr1 value we need. Will
Hi Will, On 2018/1/23 18:04, Will Deacon wrote: > On Tue, Jan 23, 2018 at 04:28:45PM +0800, Yisheng Xie wrote: >> On 2017/12/6 20:35, Will Deacon wrote: >>> +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 >>> +static int __init map_entry_trampoline(void) >>> +{ >>> + extern char __entry_tramp_text_start[]; >>> + >>> + pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; >>> + phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); >>> + >>> + /* The trampoline is always mapped and can therefore be global */ >>> + pgprot_val(prot) &= ~PTE_NG; >>> + >>> + /* Map only the text into the trampoline page table */ >>> + memset(tramp_pg_dir, 0, PGD_SIZE); >>> + __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, >>> + prot, pgd_pgtable_alloc, 0); >> >> How the tramp_pg_dir is used, should it be set to ttbr1 when exit kernel? Sorry >> for I do not find where it is used. > > Yes, that's what happens when we return to userspace. The code is a little > convoluted, but the tramp_pg_dir is placed at a fixed offset from swapper > (see the linker script) so the sub instruction in tramp_unmap_kernel is what > gives us the ttbr1 value we need. oh, I missed that. Maybe a comment inline is better to understand. Thanks once more for your help and explain :) Thanks Yisheng > > Will > > . >
diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h index 4052ec39e8db..8119b49be98d 100644 --- a/arch/arm64/include/asm/fixmap.h +++ b/arch/arm64/include/asm/fixmap.h @@ -58,6 +58,10 @@ enum fixed_addresses { FIX_APEI_GHES_NMI, #endif /* CONFIG_ACPI_APEI_GHES */ +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + FIX_ENTRY_TRAMP_TEXT, +#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT)) +#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ __end_of_permanent_fixed_addresses, /* diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h index 149d05fb9421..774003b247ad 100644 --- a/arch/arm64/include/asm/pgtable.h +++ b/arch/arm64/include/asm/pgtable.h @@ -680,6 +680,7 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; extern pgd_t idmap_pg_dir[PTRS_PER_PGD]; +extern pgd_t tramp_pg_dir[PTRS_PER_PGD]; /* * Encode and decode a swap entry: diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c index 71bf088f1e4b..af247d10252f 100644 --- a/arch/arm64/kernel/asm-offsets.c +++ b/arch/arm64/kernel/asm-offsets.c @@ -24,6 +24,7 @@ #include <linux/kvm_host.h> #include <linux/suspend.h> #include <asm/cpufeature.h> +#include <asm/fixmap.h> #include <asm/thread_info.h> #include <asm/memory.h> #include <asm/smp_plat.h> @@ -148,11 +149,14 @@ int main(void) DEFINE(ARM_SMCCC_RES_X2_OFFS, offsetof(struct arm_smccc_res, a2)); DEFINE(ARM_SMCCC_QUIRK_ID_OFFS, offsetof(struct arm_smccc_quirk, id)); DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS, offsetof(struct arm_smccc_quirk, state)); - BLANK(); DEFINE(HIBERN_PBE_ORIG, offsetof(struct pbe, orig_address)); DEFINE(HIBERN_PBE_ADDR, offsetof(struct pbe, address)); DEFINE(HIBERN_PBE_NEXT, offsetof(struct pbe, next)); DEFINE(ARM64_FTR_SYSVAL, offsetof(struct arm64_ftr_reg, sys_val)); + BLANK(); +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + DEFINE(TRAMP_VALIAS, TRAMP_VALIAS); +#endif return 0; } diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 267d2b79d52d..fe68a48c64cb 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -525,6 +525,29 @@ static int __init parse_rodata(char *arg) } early_param("rodata", parse_rodata); +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 +static int __init map_entry_trampoline(void) +{ + extern char __entry_tramp_text_start[]; + + pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; + phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); + + /* The trampoline is always mapped and can therefore be global */ + pgprot_val(prot) &= ~PTE_NG; + + /* Map only the text into the trampoline page table */ + memset(tramp_pg_dir, 0, PGD_SIZE); + __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, + prot, pgd_pgtable_alloc, 0); + + /* ...as well as the kernel page table */ + __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot); + return 0; +} +core_initcall(map_entry_trampoline); +#endif + /* * Create fine-grained mappings for the kernel. */
The exception entry trampoline needs to be mapped at the same virtual address in both the trampoline page table (which maps nothing else) and also the kernel page table, so that we can swizzle TTBR1_EL1 on exceptions from and return to EL0. This patch maps the trampoline at a fixed virtual address in the fixmap area of the kernel virtual address space, which allows the kernel proper to be randomized with respect to the trampoline when KASLR is enabled. Signed-off-by: Will Deacon <will.deacon@arm.com> --- arch/arm64/include/asm/fixmap.h | 4 ++++ arch/arm64/include/asm/pgtable.h | 1 + arch/arm64/kernel/asm-offsets.c | 6 +++++- arch/arm64/mm/mmu.c | 23 +++++++++++++++++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) -- 2.1.4