From patchwork Wed Jan 3 22:38:23 2018

From: Mark Rutland
To: linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org, Mark Rutland
Subject: [RFC PATCH 0/4] API for inhibiting speculative arbitrary read primitives
Date: Wed, 3 Jan 2018 22:38:23 +0000
Message-Id: <20180103223827.39601-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
List-ID: <linux-kernel.vger.kernel.org>

Recently, Google Project Zero discovered several classes of attack against
speculative execution. One of these, known as variant-1, allows explicit
bounds checks to be bypassed under speculation, providing an arbitrary read
gadget.

Further details can be found on the GPZ blog [1] and the Documentation patch
in this series.
There are a number of potential gadgets in the Linux codebase, and
mitigations for these are architecture-specific. This RFC attempts to provide
a cross-architecture API for inhibiting these primitives. Hopefully,
architecture-specific mitigations can be unified behind this.

An arm64 implementation is provided following the architecturally recommended
sequence laid out in the Arm whitepaper [2]. The API is based on a proposed
compiler intrinsic [3].

I've provided a patch to BPF as an example use of the API. I know that this
is incomplete and less than optimal. I'd appreciate feedback from other
affected architectures as to whether this API is suitable for their required
mitigation.

I've pushed the series to my kernel.org repo [4].

[1] https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
[2] https://developer.arm.com/support/security-update
[3] https://developer.arm.com/support/security-update/compiler-support-for-mitigations
[4] git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git core/nospec

Thanks,
Mark.

Mark Rutland (4):
  asm-generic/barrier: add generic nospec helpers
  Documentation: document nospec helpers
  arm64: implement nospec_{load,ptr}()
  bpf: inhibit speculated out-of-bounds pointers

 Documentation/speculation.txt    | 99 ++++++++++++++++++++++++++++++++++++++++
 arch/arm64/include/asm/barrier.h | 61 +++++++++++++++++++++++++
 include/asm-generic/barrier.h    | 76 ++++++++++++++++++++++++++++++
 kernel/bpf/arraymap.c            | 21 ++++++---
 kernel/bpf/cpumap.c              |  8 ++--
 kernel/bpf/devmap.c              |  6 ++-
 kernel/bpf/sockmap.c             |  6 ++-
 7 files changed, 265 insertions(+), 12 deletions(-)
 create mode 100644 Documentation/speculation.txt

-- 
2.11.0
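As an added illustration that is not code from this series, the C below shows the variant-1 gadget shape the cover letter describes (a bounds check that speculation can run past) next to a lookup hardened with a branchless index clamp. The mask formula is the generic one later merged into Linux as array_index_mask_nospec(); it is written here as a stand-alone user-space example rather than the arm64 nospec_{load,ptr}() sequence, and the table and TABLE_LEN are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table standing in for a kernel array (e.g. a BPF map). */
#define TABLE_LEN 8
static const int table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/*
 * Unhardened lookup. The bounds check is architecturally correct, but a
 * CPU may speculatively run the load with an out-of-range idx before the
 * branch resolves: the variant-1 gadget shape the cover letter describes.
 */
int lookup_plain(size_t idx)
{
	if (idx < TABLE_LEN)
		return table[idx];
	return -1;
}

/*
 * Branchless mask: all ones when idx < size, all zeros otherwise, computed
 * purely with arithmetic so there is no branch for speculation to mispredict.
 * Same formula as array_index_mask_nospec() later merged into Linux; this
 * user-space copy is an illustration, not the kernel's code nor the arm64
 * sequence in this series. Relies on arithmetic right shift (gcc/clang).
 */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
	/* top bit of (idx | (size-1-idx)) is clear iff idx < size */
	long m = ~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1);
	return (size_t)m;
}

/*
 * Hardened lookup: even if the branch below is speculatively bypassed,
 * the masked index collapses to 0, so no out-of-bounds address is formed
 * and no secret-dependent cache line is touched.
 */
int lookup_nospec(size_t idx)
{
	if (idx >= TABLE_LEN)
		return -1;
	idx &= index_mask_nospec(idx, TABLE_LEN);
	return table[idx];
}

int main(void)
{
	printf("%d %d\n", lookup_nospec(3), lookup_nospec(TABLE_LEN));
	return 0;
}
```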