From patchwork Tue May 22 17:42:46 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julien Grall X-Patchwork-Id: 136598 Delivered-To: patch@linaro.org Received: by 2002:a2e:9706:0:0:0:0:0 with SMTP id r6-v6csp1929684lji; Tue, 22 May 2018 10:45:56 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpTHmwcpllo59O85hTFWrwuA8ScxJvm4EdqUI57lgtXDbABAg4/fW7nBUJ31fZg3AEtbCOJ X-Received: by 2002:a24:1609:: with SMTP id a9-v6mr2126644ita.48.1527011156188; Tue, 22 May 2018 10:45:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527011156; cv=none; d=google.com; s=arc-20160816; b=jQIje0st8Zi3N8qf7y2J3SB/I6amHi4BGcYpNpQsYLghpAo+LFtTxWq3HVQESUcEo2 G7t7bWuDDXmjQryA1rMUZOCWsf6NyVG7u9+w/YwG6Yiuvd8ecf1g6LPe4nTHz1R8y05L s2CHpFiE5zURAvISkxokjMxDdt7lxdc4MxVPlEDB8t6eqnN07lp77ZHiPHQC2RbSmlsJ Jij2Dt+X6e/sLdfSToCCA6or7WTeGCfP9w7po0nW/uP9SytClmbnaZB2Xdro7TI5ZcMj MVidQSI4IBMGnyYg+Lp24FiK6XF5+RzsFuW5MKEyiRX+hH2LhaKKpHtkKrtTLEyxb0Wj /m+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:cc :list-subscribe:list-help:list-post:list-unsubscribe:list-id :precedence:subject:references:in-reply-to:message-id:date:to:from :arc-authentication-results; bh=icXac8IfYlnqFSWoH1I8I64RrgbcgZ/orh9wCHUSRkY=; b=QMb5k+hSsLqTbH9lp0X7BaEtQfUeE6/x4E43XkvGFbMJ42yBQQA3/soOgO/65rsAOe Uk/C4K5sJj5jQjRzUWTQF0TvxyqfN+JUwrzJcMtZoKIvE1zxilpZwYivudqze4aCG4Oq 8LsdX3tUFTOK/emvXQKEp0bLrWjOzydZhFq0KLq08sdetqfiSEPOzprCzVQaKdSfE970 rccbxLj0EZiq7K04ya+jLB2SsFr4zawvCC2l/wGLafuFKTMvWZEzZnljBahU/IevGbzV 2ZCESIkSu1vXYge+ZnkPZ1FnRGtNSksmlpI5cWZiqxw+PHWe262DCk45VfQ/XXhkI1nl pmCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120]) by mx.google.com with ESMTPS id l185-v6si14940314ioe.246.2018.05.22.10.45.55 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 22 May 2018 10:45:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1fLBJX-0002AR-SJ; Tue, 22 May 2018 17:43:11 +0000 Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1fLBJX-0002AE-2p for xen-devel@lists.xenproject.org; Tue, 22 May 2018 17:43:11 +0000 X-Inumbo-ID: 54790879-5de7-11e8-9728-bc764e045a96 Received: from foss.arm.com (unknown [217.140.101.70]) by us1-rack-dfw2.inumbo.com (Halon) with ESMTP id 54790879-5de7-11e8-9728-bc764e045a96; Tue, 22 May 2018 19:41:17 +0200 (CEST) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CAB911435; Tue, 22 May 2018 10:43:09 -0700 (PDT) Received: from e108454-lin.cambridge.arm.com (e108454-lin.cambridge.arm.com [10.1.206.53]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id BD57F3F589; Tue, 22 May 2018 10:43:08 -0700 (PDT) From: Julien Grall To: xen-devel@lists.xenproject.org Date: Tue, 22 May 2018 18:42:46 +0100 Message-Id: <20180522174254.27551-6-julien.grall@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180522174254.27551-1-julien.grall@arm.com> References: <20180522174254.27551-1-julien.grall@arm.com> Subject: [Xen-devel] [PATCH 05/13] xen/arm: Add command line option to control SSBD mitigation X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: andre.przywara@arm.com, Julien Grall , sstabellini@kernel.org MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" On a system where the firmware implements ARCH_WORKAROUND_2, it may be useful to either permanently enable or disable the workaround for cases where the user decides that they'd rather not get a trap overhead, and keep the mitigation permanently on or off instead of switching it on exception entry/exit. In any case, default to mitigation being enabled. At the same time provide a accessor to know the state of the mitigation. SIgned-off-by: Julien Grall --- docs/misc/xen-command-line.markdown | 18 ++++++ xen/arch/arm/cpuerrata.c | 115 ++++++++++++++++++++++++++++++++---- xen/include/asm-arm/cpuerrata.h | 21 +++++++ xen/include/asm-arm/smccc.h | 1 + 4 files changed, 144 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 8712a833a2..962028b6ed 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -1756,6 +1756,24 @@ enforces the maximum theoretically necessary timeout of 670ms. Any number is being interpreted as a custom timeout in milliseconds. Zero or boolean false disable the quirk workaround, which is also the default. +### spec-ctrl (Arm) +> `= List of [ ssbd=force-disable|runtime|force-enable ]` + +Controls for speculative execution sidechannel mitigations. + +The option `ssbd=` is used to control the state of Speculative Store +Bypass Disable (SSBD) mitigation. + +* `ssbd=force-disable` will keep the mitigation permanently off. The guest +will not be able to control the state of the mitigation. +* `ssbd=runtime` will always turn on the mitigation when running in the +hypervisor context. The guest will be to turn on/off the mitigation for +itself by using the firmware interface ARCH\_WORKAROUND\_2. +* `ssbd=force-enable` will keep the mitigation permanently on. The guest will +not be able to control the state of the mitigation. + +By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm,msr-sc,rsb}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd}= ]` diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index bcea2eb6e5..f921721a66 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -237,6 +237,41 @@ static int enable_ic_inv_hardening(void *data) #ifdef CONFIG_ARM_SSBD +enum ssbd_state ssbd_state = ARM_SSBD_RUNTIME; + +static int __init parse_spec_ctrl(const char *s) +{ + const char *ss; + int rc = 0; + + do { + ss = strchr(s, ','); + if ( !ss ) + ss = strchr(s, '\0'); + + if ( !strncmp(s, "ssbd=", 5) ) + { + s += 5; + + if ( !strncmp(s, "force-disable", ss - s) ) + ssbd_state = ARM_SSBD_FORCE_DISABLE; + else if ( !strncmp(s, "runtime", ss - s) ) + ssbd_state = ARM_SSBD_RUNTIME; + else if ( !strncmp(s, "force-enable", ss - s) ) + ssbd_state = ARM_SSBD_FORCE_ENABLE; + else + rc = -EINVAL; + } + else + rc = -EINVAL; + + s = ss + 1; + } while ( *ss ); + + return rc; +} +custom_param("spec-ctrl", parse_spec_ctrl); + /* * Assembly code may use the variable directly, so we need to make sure * it fits in a register. @@ -246,25 +281,82 @@ DEFINE_PER_CPU_READ_MOSTLY(register_t, ssbd_callback_required); static bool has_ssbd_mitigation(const struct arm_cpu_capabilities *entry) { struct arm_smccc_res res; - bool supported = true; + bool required = true; if ( smccc_ver < SMCCC_VERSION(1, 1) ) return false; - /* - * The probe function return value is either negative (unsupported - * or mitigated), positive (unaffected), or zero (requires - * mitigation). We only need to do anything in the last case. - */ arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FID, ARM_SMCCC_ARCH_WORKAROUND_2_FID, &res); - if ( (int)res.a0 != 0 ) - supported = false; - if ( supported ) - this_cpu(ssbd_callback_required) = 1; + switch ( (int)res.a0 ) + { + case ARM_SMCCC_NOT_SUPPORTED: + ssbd_state = ARM_SSBD_UNKNOWN; + return false; + + case ARM_SMCCC_NOT_REQUIRED: + ssbd_state = ARM_SSBD_MITIGATED; + return false; + + case ARM_SMCCC_SUCCESS: + required = true; + break; + + case 1: /* Mitigation not required on this CPU. */ + required = false; + break; + + default: + ASSERT_UNREACHABLE(); + return false; + } + + switch ( ssbd_state ) + { + case ARM_SSBD_FORCE_DISABLE: + { + static bool once = true; + + if ( once ) + printk("%s disabled from command-line\n", entry->desc); + once = false; + + arm_smccc_1_1_smc(ARM_SMCCC_ARCH_WORKAROUND_2_FID, 0, NULL); + required = false; + + break; + } + + case ARM_SSBD_RUNTIME: + if ( required ) + { + this_cpu(ssbd_callback_required) = 1; + arm_smccc_1_1_smc(ARM_SMCCC_ARCH_WORKAROUND_2_FID, 1, NULL); + } + + break; + + case ARM_SSBD_FORCE_ENABLE: + { + static bool once = true; + + if ( once ) + printk("%s forced from command-line\n", entry->desc); + once = false; + + arm_smccc_1_1_smc(ARM_SMCCC_ARCH_WORKAROUND_2_FID, 1, NULL); + required = true; + + break; + } + + default: + ASSERT_UNREACHABLE(); + return false; + } - return supported; + return required; } #endif @@ -371,6 +463,7 @@ static const struct arm_cpu_capabilities arm_errata[] = { #endif #ifdef CONFIG_ARM_SSBD { + .desc = "Speculative Store Bypass Disabled", .capability = ARM_SSBD, .matches = has_ssbd_mitigation, }, diff --git a/xen/include/asm-arm/cpuerrata.h b/xen/include/asm-arm/cpuerrata.h index e628d3ff56..7fbb3dc0be 100644 --- a/xen/include/asm-arm/cpuerrata.h +++ b/xen/include/asm-arm/cpuerrata.h @@ -31,10 +31,26 @@ CHECK_WORKAROUND_HELPER(ssbd, ARM_SSBD, CONFIG_ARM_SSBD) #undef CHECK_WORKAROUND_HELPER +enum ssbd_state +{ + ARM_SSBD_UNKNOWN, + ARM_SSBD_FORCE_DISABLE, + ARM_SSBD_RUNTIME, + ARM_SSBD_FORCE_ENABLE, + ARM_SSBD_MITIGATED, +}; + #ifdef CONFIG_ARM_SSBD #include +extern enum ssbd_state ssbd_state; + +static inline enum ssbd_state get_ssbd_state(void) +{ + return ssbd_state; +} + DECLARE_PER_CPU(register_t, ssbd_callback_required); static inline bool cpu_require_ssbd_mitigation(void) @@ -49,6 +65,11 @@ static inline bool cpu_require_ssbd_mitigation(void) return false; } +static inline enum ssbd_state get_sbdd_state(void) +{ + return ARM_SSBD_UNKNOWN; +} + #endif #endif /* __ARM_CPUERRATA_H__ */ diff --git a/xen/include/asm-arm/smccc.h b/xen/include/asm-arm/smccc.h index 650744d28b..a6804cec99 100644 --- a/xen/include/asm-arm/smccc.h +++ b/xen/include/asm-arm/smccc.h @@ -265,6 +265,7 @@ struct arm_smccc_res { 0x7FFF) /* SMCCC error codes */ +#define ARM_SMCCC_NOT_REQUIRED (-2) #define ARM_SMCCC_ERR_UNKNOWN_FUNCTION (-1) #define ARM_SMCCC_NOT_SUPPORTED (-1) #define ARM_SMCCC_SUCCESS (0)