From: Julien Grall
To: xen-devel@lists.xen.org
Date: Fri, 2 Feb 2018 14:19:23 +0000
Message-Id: <20180202141925.19387-6-julien.grall@linaro.org>
In-Reply-To: <20180202141925.19387-1-julien.grall@linaro.org>
References: <20180202141925.19387-1-julien.grall@linaro.org>
Cc: Marc Zyngier, sstabellini@kernel.org, Julien Grall, andre.przywara@linaro.org
Subject: [Xen-devel] [PATCH v4 5/7] xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12

In order to avoid aliasing attacks against the branch predictor, let's
invalidate the BTB on guest exit. This is made complicated by the fact
that we cannot take a branch invalidating the BTB.

This is based on the fourth version posted by Marc Zyngier on Linux-arm
mailing list (see [1]).

This is part of XSA-254.

[1] https://www.spinics.net/lists/arm-kernel/msg632062.html

Signed-off-by: Marc Zyngier
Signed-off-by: Julien Grall
---
    Changes in v3:
        - Drop Stefano's reviewed-by
        - Use the latest version of the Linux patch. This will improve code readability.

    Changes in v2:
        - Add Stefano's reviewed-by
---
 xen/arch/arm/arm32/entry.S | 38 ++++++++++++++++++++++++++++++++++++++
 xen/arch/arm/cpuerrata.c   | 19 +++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S index 828e52c25c..1ebbe4b065 100644 --- a/xen/arch/arm/arm32/entry.S +++ b/xen/arch/arm/arm32/entry.S
@@ -160,6 +160,44 @@ GLOBAL(hyp_traps_vector) b trap_irq /* 0x18 - IRQ */ b trap_fiq /* 0x1c - FIQ */ +#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR + + .align 5 +GLOBAL(hyp_traps_vector_bp_inv) + /* + * We encode the exception entry in the bottom 3 bits of + * SP, and we have to guarantee to be 8 bytes aligned. + */ + add sp, sp, #1 /* Reset 7 */ + add sp, sp, #1 /* Undef 6 */ + add sp, sp, #1 /* Hypervisor Call 5 */ + add sp, sp, #1 /* Prefetch abort 4 */ + add sp, sp, #1 /* Data abort 3 */ + add sp, sp, #1 /* Hypervisor 2 */ + add sp, sp, #1 /* IRQ 1 */ + nop /* FIQ 0 */ + + mcr p15, 0, r0, c7, c5, 6 /* BPIALL */ + isb + +.macro vect_br val, targ + eor sp, sp, #\val + tst sp, #7 + eorne sp, sp, #\val + beq \targ +.endm + + vect_br 0, trap_fiq + vect_br 1, trap_irq + vect_br 2, trap_guest_sync + vect_br 3, trap_data_abort + vect_br 4, trap_prefetch_abort + vect_br 5, trap_hypervisor_call + vect_br 6, trap_undefined_instruction + vect_br 7, trap_reset + +#endif /* CONFIG_HARDEN_BRANCH_PREDICTOR */ + DEFINE_TRAP_ENTRY(reset) DEFINE_TRAP_ENTRY(undefined_instruction) DEFINE_TRAP_ENTRY(hypervisor_call) diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 0a138fa735..c79e6d65d3 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -198,6 +198,13 @@ install_bp_hardening_vecs(const struct arm_cpu_capabilities *entry, this_cpu(bp_harden_vecs) = hyp_vecs; } +static int enable_bp_inv_hardening(void *data) +{ + install_bp_hardening_vecs(data, hyp_traps_vector_bp_inv, + "execute BPIALL"); + return 0; +} + #endif #define MIDR_RANGE(model, min, max) \ 
@@ -284,6 +291,18 @@ static const struct arm_cpu_capabilities arm_errata[] = { .enable = enable_psci_bp_hardening, }, #endif +#ifdef CONFIG_ARM32_HARDEN_BRANCH_PREDICTOR + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A12), + .enable = enable_bp_inv_hardening, + }, + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A17), + .enable = enable_bp_inv_hardening, + }, +#endif {}, };
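
Review bot: the vect_br macro in the entry.S hunk has no comment, and the block comment above hyp_traps_vector_bp_inv only says the exception entry is encoded in the bottom 3 bits of SP. Please document that the index comes from falling through the remaining "add sp, sp, #1" slots, that "tst sp, #7" only recovers it if SP was 8-byte aligned on entry, and that vect_br leaves SP with its low bits cleared on the matching path (the eor zeroes them before beq) and undoes its eor with eorne otherwise, so every handler starts from the original SP. A short comment next to the BPIALL and isb saying that they must run before the first taken branch would tie the layout back to the constraint in the commit message. The macro would also read better defined ahead of the vector than in the middle of it.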
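
Review bot: enable_bp_inv_hardening() in the first cpuerrata.c hunk passes hyp_traps_vector_bp_inv to install_bp_hardening_vecs(), but no declaration of that symbol appears in either cpuerrata.c hunk, and the diffstat lists only entry.S and cpuerrata.c. If an earlier patch in the series does not already declare it, please add an extern declaration here or in a shared header, so that this patch builds on its own and the symbol's type matches the hyp_vecs parameter.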
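
Review bot: the two new arm_errata[] entries are guarded by CONFIG_ARM32_HARDEN_BRANCH_PREDICTOR, while the vector they rely on in entry.S is built under CONFIG_HARDEN_BRANCH_PREDICTOR, and enable_bp_inv_hardening() sits before an #endif whose opening guard is not visible in the hunk. If the ARM32 option can ever be enabled without the generic one, the table will reference a function and a vector that are not compiled in. Please either use a single guard in all three places or note in the commit message that the ARM32 option depends on the generic one.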