From patchwork Wed May 10 17:01:58 2017
X-Patchwork-Submitter: Alex Bennée
X-Patchwork-Id: 99009
From: Alex Bennée
To: christoffer.dall@linaro.org, marc.zyngier@arm.com
Cc: kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, Zhichao Huang, Alex Bennée, Paolo Bonzini, Radim Krčmář, Russell King, Vladimir Murzin, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v1 1/2] KVM: arm: plug guest debug exploit
Date: Wed, 10 May 2017 18:01:58 +0100
Message-Id: <20170510170200.13285-2-alex.bennee@linaro.org>
In-Reply-To: <20170510170200.13285-1-alex.bennee@linaro.org>
References: <20170510170200.13285-1-alex.bennee@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zhichao Huang

Hardware debugging in guests is not intercepted currently, which means that a malicious guest can bring down the entire machine by writing to the debug registers.

This patch enables trapping of all debug registers, preventing the guests from accessing the debug registers. This includes access to the debug mode (DBGDSCR) in the guest world all the time, which could otherwise mess with the host state.

Reads return 0 and writes are ignored. The result is the guest cannot detect any working hardware based debug support. As debug exceptions are still routed to the guest, normal debug using software based breakpoints still works.

To support debugging using hardware registers we need to implement a debug register aware world switch as well as special trapping for registers that may affect the host state.

Signed-off-by: Zhichao Huang
Signed-off-by: Alex Bennée

---
ajb:
  - convert to C world switch
  - reword commit message
---
 arch/arm/include/asm/kvm_coproc.h |  3 +-
 arch/arm/kvm/coproc.c             | 82 +++++++++++++++++++++++++++++----------
 arch/arm/kvm/handle_exit.c        |  4 +-
 arch/arm/kvm/hyp/switch.c         |  4 +-
 4 files changed, 69 insertions(+), 24 deletions(-)

-- 
2.11.0

diff --git a/arch/arm/include/asm/kvm_coproc.h b/arch/arm/include/asm/kvm_coproc.h
index 4917c2f7e459..e74ab0fbab79 100644
--- a/arch/arm/include/asm/kvm_coproc.h
+++ b/arch/arm/include/asm/kvm_coproc.h
@@ -31,7 +31,8 @@ void kvm_register_target_coproc_table(struct kvm_coproc_target_table *table); int kvm_handle_cp10_id(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp_0_13_access(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run); -int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run); +int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run); +int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run); diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c index 3e5e4194ef86..b2053393bb1f 100644 --- a/arch/arm/kvm/coproc.c +++ b/arch/arm/kvm/coproc.c @@ -93,12 +93,6 @@ int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run) return 1; } -int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run) -{ - kvm_inject_undefined(vcpu); - return 1; -} - static void reset_mpidr(struct kvm_vcpu *vcpu, const struct coproc_reg *r) { /* @@ -514,12 +508,8 @@ static int emulate_cp15(struct kvm_vcpu *vcpu, return 1; } -/** - * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access - * @vcpu: The VCPU pointer - * @run: The kvm_run struct - */ -int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +static int kvm_handle_cp_64(struct kvm_vcpu *vcpu, struct kvm_run *run, + bool cp15) { struct coproc_params params; 
@@ -533,7 +523,35 @@ int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) params.Rt2 = (kvm_vcpu_get_hsr(vcpu) >> 10) & 0xf; params.CRm = 0; - return emulate_cp15(vcpu, ¶ms); + if (cp15) + return emulate_cp15(vcpu, ¶ms); + + /* raz_wi cp14 */ + (void)pm_fake(vcpu, ¶ms, NULL); + + /* handled */ + kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; +} + +/** + * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + return kvm_handle_cp_64(vcpu, run, 1); +} + +/** + * kvm_handle_cp14_64 -- handles a mrrc/mcrr trap on a guest CP14 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + return kvm_handle_cp_64(vcpu, run, 0); } static void reset_coproc_regs(struct kvm_vcpu *vcpu, @@ -546,12 +564,8 @@ static void reset_coproc_regs(struct kvm_vcpu *vcpu, table[i].reset(vcpu, &table[i]); } -/** - * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access - * @vcpu: The VCPU pointer - * @run: The kvm_run struct - */ -int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +static int kvm_handle_cp_32(struct kvm_vcpu *vcpu, struct kvm_run *run, + bool cp15) { struct coproc_params params; 
@@ -565,7 +579,35 @@ int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) params.Op2 = (kvm_vcpu_get_hsr(vcpu) >> 17) & 0x7; params.Rt2 = 0; - return emulate_cp15(vcpu, ¶ms); + if (cp15) + return emulate_cp15(vcpu, ¶ms); + + /* raz_wi cp14 */ + (void)pm_fake(vcpu, ¶ms, NULL); + + /* handled */ + kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; +} + +/** + * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + return kvm_handle_cp_32(vcpu, run, 1); +} + +/** + * kvm_handle_cp14_32 -- handles a mrc/mcr trap on a guest CP14 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + return kvm_handle_cp_32(vcpu, run, 0); } /****************************************************************************** diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c index 96af65a30d78..42f5daf715d0 100644 --- a/arch/arm/kvm/handle_exit.c +++ b/arch/arm/kvm/handle_exit.c @@ -95,9 +95,9 @@ static exit_handle_fn arm_exit_handlers[] = { [HSR_EC_WFI] = kvm_handle_wfx, [HSR_EC_CP15_32] = kvm_handle_cp15_32, [HSR_EC_CP15_64] = kvm_handle_cp15_64, - [HSR_EC_CP14_MR] = kvm_handle_cp14_access, + [HSR_EC_CP14_MR] = kvm_handle_cp14_32, [HSR_EC_CP14_LS] = kvm_handle_cp14_load_store, - [HSR_EC_CP14_64] = kvm_handle_cp14_access, + [HSR_EC_CP14_64] = kvm_handle_cp14_64, [HSR_EC_CP_0_13] = kvm_handle_cp_0_13_access, [HSR_EC_CP10_ID] = kvm_handle_cp10_id, [HSR_EC_HVC] = handle_hvc, diff --git a/arch/arm/kvm/hyp/switch.c b/arch/arm/kvm/hyp/switch.c index 92678b7bd046..624a510d31df 100644 --- a/arch/arm/kvm/hyp/switch.c +++ b/arch/arm/kvm/hyp/switch.c 
@@ -48,7 +48,9 @@ static void __hyp_text __activate_traps(struct kvm_vcpu *vcpu, u32 *fpexc_host) write_sysreg(HSTR_T(15), HSTR); write_sysreg(HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11), HCPTR); val = read_sysreg(HDCR); - write_sysreg(val | HDCR_TPM | HDCR_TPMCR, HDCR); + val |= HDCR_TPM | HDCR_TPMCR; /* trap performance monitors */ + val |= HDCR_TDRA | HDCR_TDOSA | HDCR_TDA; /* trap debug regs */ + write_sysreg(val, HDCR); } static void __hyp_text __deactivate_traps(struct kvm_vcpu *vcpu)
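Review bot: In the coproc.c kvm_handle_cp_64 hunk, params.Rt2 is filled in from HSR and the access is then handed to the same pm_fake() RAZ/WI helper as the 32-bit path; please confirm that helper zeroes both Rt1 and Rt2 on an mrrc read, otherwise the second destination register keeps a stale value and the "reads return 0" statement in the commit message only half holds for 64-bit accesses. Two smaller points on the same hunks: pm_fake is the performance-monitor stub being borrowed for CP14 debug registers, so a helper named for what it does (a generic raz_wi, for example) or a one-line comment explaining the reuse would save the next reader a detour, and the identical `/* raz_wi cp14 */ ... kvm_skip_instr(...)` block in kvm_handle_cp_32 and kvm_handle_cp_64 could be one static helper. Minor: `kvm_handle_cp_64(vcpu, run, 1)` and `kvm_handle_cp_32(vcpu, run, 0)` pass integer literals into a `bool cp15` parameter; `true`/`false` read better.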
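Review bot: In the handle_exit.c hunk, HSR_EC_CP14_MR and HSR_EC_CP14_64 now route to the RAZ/WI handlers, but the unchanged context line `[HSR_EC_CP14_LS] = kvm_handle_cp14_load_store,` shows that LDC/STC accesses to CP14 keep their old handler, so that trap class does not get the "reads return 0 and writes are ignored" treatment the commit message claims for all debug registers. Either route it through the same RAZ/WI path or state the asymmetry in the commit message so nobody assumes the load/store path was covered.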
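Review bot: In the switch.c hunk, setting HDCR_TDRA | HDCR_TDOSA | HDCR_TDA traps guest CP14 debug register accesses to hyp mode, which is the intent, while HDCR_TDE is deliberately left clear so debug exceptions still reach the guest as the commit message says; that is worth a comment next to the new lines, since a reader could easily take the missing TDE for an omission. The value is read-modify-written, so whatever HDCR bits the host already had set are preserved and nothing in this hunk clears the new trap bits on exit; that is fine only if __deactivate_traps restores HDCR, which is not part of this diff and should be checked.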