From patchwork Thu May 11 12:46:11 2017
X-Patchwork-Submitter: Alex Bennée
X-Patchwork-Id: 99642
From: Alex Bennée
To: christoffer.dall@linaro.org, marc.zyngier@arm.com
Cc: kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, Zhichao Huang, Alex Bennée, Paolo Bonzini, Radim Krčmář, Russell King, Vladimir Murzin, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 1/2] KVM: arm: plug potential guest hardware debug leakage
Date: Thu, 11 May 2017 13:46:11 +0100
Message-Id: <20170511124612.11212-2-alex.bennee@linaro.org>
In-Reply-To: <20170511124612.11212-1-alex.bennee@linaro.org>
References: <20170511124612.11212-1-alex.bennee@linaro.org>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zhichao Huang

Hardware debugging in guests is not intercepted currently, which means that a malicious guest can bring down the entire machine by writing to the debug registers.

This patch enables trapping of all debug registers, preventing the guests from accessing the debug registers. This includes access to the debug mode (DBGDSCR) in the guest world all the time, which could otherwise mess with the host state. Reads return 0 and writes are ignored (RAZ_WI). The result is the guest cannot detect any working hardware based debug support. As debug exceptions are still routed to the guest, normal debug using software based breakpoints still works.

To support debugging using hardware registers we need to implement a debug register aware world switch as well as special trapping for registers that may affect the host state.

Signed-off-by: Zhichao Huang
Signed-off-by: Alex Bennée
---
ajb v2:
  - don't (void) unused return value
  - fix some 0/1 bool usage
  - further re-factor to avoid hacky if (cp15) in trap path
ajb v1:
  - convert to C world switch
  - reword commit message
---
 arch/arm/include/asm/kvm_coproc.h |  3 +-
 arch/arm/kvm/coproc.c             | 77 ++++++++++++++++++++++++++++++---------
 arch/arm/kvm/handle_exit.c        |  4 +-
 arch/arm/kvm/hyp/switch.c         |  4 +-
 4 files changed, 66 insertions(+), 22 deletions(-)

-- 
2.11.0

diff --git a/arch/arm/include/asm/kvm_coproc.h b/arch/arm/include/asm/kvm_coproc.h index 4917c2f7e459..e74ab0fbab79 100644 --- a/arch/arm/include/asm/kvm_coproc.h +++ b/arch/arm/include/asm/kvm_coproc.h
@@ -31,7 +31,8 @@ void kvm_register_target_coproc_table(struct kvm_coproc_target_table *table); int kvm_handle_cp10_id(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp_0_13_access(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run); -int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run); +int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run); +int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run); diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c index 3e5e4194ef86..c3ed6bd5ddf3 100644 --- a/arch/arm/kvm/coproc.c +++ b/arch/arm/kvm/coproc.c @@ -93,12 +93,6 @@ int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run) return 1; } -int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run) -{ - kvm_inject_undefined(vcpu); - return 1; -} - static void reset_mpidr(struct kvm_vcpu *vcpu, const struct coproc_reg *r) { /* @@ -514,12 +508,7 @@ static int emulate_cp15(struct kvm_vcpu *vcpu, return 1; } -/** - * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access - * @vcpu: The VCPU pointer - * @run: The kvm_run struct - */ -int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +static struct coproc_params decode_64bit_hsr(struct kvm_vcpu *vcpu) { struct coproc_params params; 
@@ -533,9 +522,38 @@ int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) params.Rt2 = (kvm_vcpu_get_hsr(vcpu) >> 10) & 0xf; params.CRm = 0; + return params; +} + +/** + * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_64bit_hsr(vcpu); + return emulate_cp15(vcpu, ¶ms); } +/** + * kvm_handle_cp14_64 -- handles a mrrc/mcrr trap on a guest CP14 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_64bit_hsr(vcpu); + + /* raz_wi cp14 */ + pm_fake(vcpu, ¶ms, NULL); + + /* handled */ + kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; +} + static void reset_coproc_regs(struct kvm_vcpu *vcpu, const struct coproc_reg *table, size_t num) { @@ -546,12 +564,7 @@ static void reset_coproc_regs(struct kvm_vcpu *vcpu, table[i].reset(vcpu, &table[i]); } -/** - * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access - * @vcpu: The VCPU pointer - * @run: The kvm_run struct - */ -int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu) { struct coproc_params params; 
@@ -565,9 +578,37 @@ int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) params.Op2 = (kvm_vcpu_get_hsr(vcpu) >> 17) & 0x7; params.Rt2 = 0; + return params; +} + +/** + * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_32bit_hsr(vcpu); return emulate_cp15(vcpu, ¶ms); } +/** + * kvm_handle_cp14_32 -- handles a mrc/mcr trap on a guest CP14 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_32bit_hsr(vcpu); + + /* raz_wi cp14 */ + pm_fake(vcpu, ¶ms, NULL); + + /* handled */ + kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; +} + /****************************************************************************** * Userspace API *****************************************************************************/ diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c index 96af65a30d78..42f5daf715d0 100644 --- a/arch/arm/kvm/handle_exit.c +++ b/arch/arm/kvm/handle_exit.c @@ -95,9 +95,9 @@ static exit_handle_fn arm_exit_handlers[] = { [HSR_EC_WFI] = kvm_handle_wfx, [HSR_EC_CP15_32] = kvm_handle_cp15_32, [HSR_EC_CP15_64] = kvm_handle_cp15_64, - [HSR_EC_CP14_MR] = kvm_handle_cp14_access, + [HSR_EC_CP14_MR] = kvm_handle_cp14_32, [HSR_EC_CP14_LS] = kvm_handle_cp14_load_store, - [HSR_EC_CP14_64] = kvm_handle_cp14_access, + [HSR_EC_CP14_64] = kvm_handle_cp14_64, [HSR_EC_CP_0_13] = kvm_handle_cp_0_13_access, [HSR_EC_CP10_ID] = kvm_handle_cp10_id, [HSR_EC_HVC] = handle_hvc, diff --git a/arch/arm/kvm/hyp/switch.c b/arch/arm/kvm/hyp/switch.c index 92678b7bd046..624a510d31df 100644 --- a/arch/arm/kvm/hyp/switch.c +++ b/arch/arm/kvm/hyp/switch.c 
@@ -48,7 +48,9 @@ static void __hyp_text __activate_traps(struct kvm_vcpu *vcpu, u32 *fpexc_host) write_sysreg(HSTR_T(15), HSTR); write_sysreg(HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11), HCPTR); val = read_sysreg(HDCR); - write_sysreg(val | HDCR_TPM | HDCR_TPMCR, HDCR); + val |= HDCR_TPM | HDCR_TPMCR; /* trap performance monitors */ + val |= HDCR_TDRA | HDCR_TDOSA | HDCR_TDA; /* trap debug regs */ + write_sysreg(val, HDCR); } static void __hyp_text __deactivate_traps(struct kvm_vcpu *vcpu)
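Review bot: removing kvm_handle_cp14_access (coproc.c, hunk @@ -93) changes what a guest observes rather than only where the trap lands: cp14 mrc/mcr/mrrc/mcrr traps used to inject an undefined instruction exception via kvm_inject_undefined, and after the later hunks they are silently RAZ/WI. The commit message describes the new RAZ/WI behaviour but not that UNDEF injection is being dropped; one sentence saying that a guest probing for debug hardware now reads zeroed registers instead of taking an UNDEF would make the guest-visible change explicit for anyone bisecting a guest debugger regression.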
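Review bot: decode_64bit_hsr (coproc.c, hunk @@ -514) and decode_32bit_hsr (hunk @@ -546) are split out of the old kvm_handle_cp15_64/kvm_handle_cp15_32 bodies and return `struct coproc_params` by value, but the kerneldoc block that documented those handlers was moved onto the re-added wrappers and the new static helpers get none. A short comment on each helper stating which HSR fields it decodes (the visible lines show `params.Rt2`, `params.CRm` and `params.Op2` being filled in) and that the result is consumed by both the cp15 emulation path and the new cp14 RAZ/WI path would help, since these helpers are now the single decode point for two exception classes.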
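Review bot: kvm_handle_cp14_64 (coproc.c, hunk @@ -533) and kvm_handle_cp14_32 (hunk @@ -565) are the same four statements apart from the decoder they call, and both reuse pm_fake, whose name says performance monitors, passing NULL as its `const struct coproc_reg *` argument. Two suggestions: factor the shared tail into one static helper (for example a `trap_raz_wi_cp14(vcpu, &params)` that calls pm_fake, does the kvm_skip_instr and returns 1) so the two exported entry points are one line each, and either give pm_fake a name that reflects its wider RAZ/WI role or add a comment at its definition stating that it tolerates a NULL register argument, since a new call site now relies on that. The `/* raz_wi cp14 */` comment would also read better as a sentence saying reads return 0 and writes are dropped, matching the commit message.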
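Review bot: in the arm_exit_handlers hunk (handle_exit.c, @@ -95) HSR_EC_CP14_MR and HSR_EC_CP14_64 are redirected to the new RAZ/WI handlers, but HSR_EC_CP14_LS still points at kvm_handle_cp14_load_store, whose body is outside this patch. With HDCR_TDA now set in __activate_traps, it is worth saying in the commit message (or in a comment at the table) whether LDC/STC accesses to cp14 are meant to get the same RAZ/WI treatment or keep their previous behaviour, so that the three cp14 exception classes are handled consistently and the "guest cannot detect any working hardware based debug support" claim holds for all of them.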
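Review bot: __activate_traps (hyp/switch.c, hunk @@ -48) now ORs HDCR_TDRA | HDCR_TDOSA | HDCR_TDA into HDCR, but the hunk ends where __deactivate_traps begins and that function is not touched. If __deactivate_traps restores HDCR by clearing only HDCR_TPM | HDCR_TPMCR (the bits that were set before this change), the three new debug trap bits stay set once control returns to the host; please confirm that it clears or restores the full HDCR value. A one-line note in the commit message on why HDCR_TDOSA is included alongside TDRA and TDA would also help, since the commit text only talks about DBGDSCR.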