From patchwork Wed Jan 31 16:53:32 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julien Grall X-Patchwork-Id: 126367 Delivered-To: patch@linaro.org Received: by 10.46.124.24 with SMTP id x24csp906029ljc; Wed, 31 Jan 2018 08:55:58 -0800 (PST) X-Google-Smtp-Source: AH8x2249IvO0rVqLUpcCcDDmq1FbonycGZItF+Md4CZMEREIIrNb36tmnBEoglzKcEGXK+vej3cD X-Received: by 10.107.142.147 with SMTP id q141mr33566062iod.15.1517417758692; Wed, 31 Jan 2018 08:55:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517417758; cv=none; d=google.com; s=arc-20160816; b=erTmtcPEp4aFEj4thp2XrNEvOPSA0cD4iOoZL9bZmJZnAcZGrVr/srWE54FsOz8j18 MQU/bFtHQHxg5RNiAXz4sghiIosjsHl6nTVFe70hxozEKHRfikcO7bPe+y4J/u2ojCSf ND9WN6scXthNTU7CulBl5eNJ/H4VU0uQ9iQ+U240ZuQn7zMoqhWS5OwuBXd9fWnaHhB0 kRvykkfiulvgoW6fzH+jif6lP8tnQpi//ogJOrQnNWVTxzjcni/dsj2dN85KJS3/uMqz tlYuZMsmEUuCFBK7OYr6ZXvTJV9ASfXPqNm42Yu6dQCmd7ucO63DAI69EnpyEXrXZTUc PkRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-unsubscribe:list-id :precedence:subject:cc:references:in-reply-to:message-id:date:to :from:dkim-signature:arc-authentication-results; bh=/oArc4DdpIidO10Tdt23ElagAKlB1hsOGNzW9F3sEiA=; b=vNwL8kR7Dmp+u2AYzgzUEsFP7uOpEHQCsLY4d0LUxDp6GxjVyURR1POc2yFsvdjFBy 7X4mZm0A/YWSQc07sTeYqzbu4j0jCLdqI/ExVpF6dPP4YSxRIA2Cn5JgrXhkE2kogW0J apR+3Kku8sDFXyQan0rt2d1qEFuN+zpcNzGrH2OTZRK0/6vJKdd5ldbLOpZcvAfEMPNS bqRDmC6nYqaWKEFKTq2IsjYMXkHB8xptzFR9j+ynDkwFJvWbAqIfrkmdtKXOO2UPpUcK IZEwiRp6MHtO+12c2oFj8HnbpIliLDIHMMFYO4f4R5gvRhHdWnfbZhDiZyHV4hhObuL4 CJ8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=bkgMHhEA; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120]) by mx.google.com with ESMTPS id t1si93360itg.140.2018.01.31.08.55.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Jan 2018 08:55:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=bkgMHhEA; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1egvdr-000437-Ak; Wed, 31 Jan 2018 16:53:47 +0000 Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1egvdq-00042Q-NV for xen-devel@lists.xen.org; Wed, 31 Jan 2018 16:53:46 +0000 X-Inumbo-ID: 43d74af6-06a7-11e8-ba59-bc764e045a96 Received: from mail-wm0-x242.google.com (unknown [2a00:1450:400c:c09::242]) by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS id 43d74af6-06a7-11e8-ba59-bc764e045a96; Wed, 31 Jan 2018 17:53:31 +0100 (CET) Received: by mail-wm0-x242.google.com with SMTP id r71so401381wmd.1 for ; Wed, 31 Jan 2018 08:53:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=SRRi4MYELI0at24H5HCmENu0qnc/LikNUcYduXU3NMs=; b=bkgMHhEAA98ehfH/aH5vI0GQi//E6eCf70d8AgIDlgAmr5APfr00r8LFReHWILpG77 PPTBuT8CqZOHj5nwZmkAmH7QNciGjRQ0EC9tFGLzVrFV1PWeFuf14nJ7+GokWVErantW KDB924aHfNswwNP4KhGEAF5BMlF3RlVyETfL8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=SRRi4MYELI0at24H5HCmENu0qnc/LikNUcYduXU3NMs=; b=jhCV8tVpH2q03g5gSYHB001uziug372jV+w40O+YagIGqrjXVlRf+mdrYXIVW6ScLl TEXZkf5nbP0pbgpMHxN5fwclBJFD9R5E2lW9of0e0EbMDoVoc8bj9B04f3ykzv0QiSDv EttiaB8ir+oGcbhQ5p5SnXCZjdQOVNXSAKJFoKSV2EtkZI2rytpbXliMv0pzZNVb4i9S V6YxEaxZ9IozTJSfwJM0ROxMN2yzzNKEwTqHL7BIzTlPtgoXKl9KVt8FI5e/TAEVQzCR JquuSZA5QFFVTPYkdXU4ycwGB9qX3OWGN5Csu/rRSu4QW+1CtAr04dHMQJ9hbisMhONW sCtg== X-Gm-Message-State: AKwxytfK1+aGfZPp4mgmZdLYTTAUcwQ7kFZknloyYu9pvFxHOzqaXvXM 2tYvnIM0alYHeUnnYFtaaYIGKRQbQD0= X-Received: by 10.28.225.133 with SMTP id y127mr22664753wmg.55.1517417623884; Wed, 31 Jan 2018 08:53:43 -0800 (PST) Received: from e108454-lin.cambridge.arm.com ([2001:41d0:1:6c23::1]) by smtp.gmail.com with ESMTPSA id h194sm223745wma.8.2018.01.31.08.53.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Jan 2018 08:53:43 -0800 (PST) From: Julien Grall X-Google-Original-From: Julien Grall To: xen-devel@lists.xen.org Date: Wed, 31 Jan 2018 16:53:32 +0000 Message-Id: <20180131165334.23175-6-julien.grall@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180131165334.23175-1-julien.grall@arm.com> References: <20180131165334.23175-1-julien.grall@arm.com> Cc: Marc Zyngier , sstabellini@kernel.org, Julien Grall , andre.przywara@linaro.org Subject: [Xen-devel] [PATCH v2 5/7] xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" From: Julien Grall In order to avoid aliasing attackes agains the branch predictor, let's invalidate the BTB on guest exist. This is made complicated by the fact that we cannot take a branch invalidating the BTB. This is based on the first version posrted by Marc Zyngier on Linux-arm mailing list (see [1]). This is part of XSA-254. Signed-off-by: Marc Zyngier Signed-off-by: Julien Grall Reviewed-by: Stefano Stabellini [1] https://www.spinics.net/lists/arm-kernel/msg627032.html --- Changes in v2: - Add Stefano's reviewed-by --- xen/arch/arm/arm32/entry.S | 55 ++++++++++++++++++++++++++++++++++++++++++++++ xen/arch/arm/cpuerrata.c | 19 ++++++++++++++++ 2 files changed, 74 insertions(+) diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S index 828e52c25c..a295f3ad67 100644 --- a/xen/arch/arm/arm32/entry.S +++ b/xen/arch/arm/arm32/entry.S @@ -160,6 +160,61 @@ GLOBAL(hyp_traps_vector) b trap_irq /* 0x18 - IRQ */ b trap_fiq /* 0x1c - FIQ */ + .align 5 +GLOBAL(hyp_traps_vector_bp_inv) + /* + * We encode the exception entry in the bottom 3 bits of + * SP, and we have to guarantee to be 8 bytes aligned. + */ + add sp, sp, #1 /* Reset 7 */ + add sp, sp, #1 /* Undef 6 */ + add sp, sp, #1 /* Hypervisor Call 5 */ + add sp, sp, #1 /* Prefetch abort 4 */ + add sp, sp, #1 /* Data abort 3 */ + add sp, sp, #1 /* Hypervisor 2 */ + add sp, sp, #1 /* IRQ 1 */ + nop /* FIQ 0 */ + + mcr p15, 0, r0, c7, c5, 6 /* BPIALL */ + isb + + /* + * As we cannot use any temporary registers and cannot + * clobber SP, we can decode the exception entry using + * an unrolled binary search. + */ + tst sp, #4 + bne 1f + + tst sp, #2 + bne 3f + + tst sp, #1 + bic sp, sp, #0x7 + bne trap_irq + b trap_fiq + +1: + tst sp, #2 + bne 2f + + tst sp, #1 + bic sp, sp, #0x7 + bne trap_hypervisor_call + b trap_prefetch_abort + +2: + tst sp, #1 + bic sp, sp, #0x7 + bne trap_reset + b trap_undefined_instruction + +3: + tst sp, #1 + bic sp, sp, #0x7 + bne trap_data_abort + b trap_guest_sync + DEFINE_TRAP_ENTRY(reset) DEFINE_TRAP_ENTRY(undefined_instruction) DEFINE_TRAP_ENTRY(hypervisor_call) diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 0a138fa735..c79e6d65d3 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -198,6 +198,13 @@ install_bp_hardening_vecs(const struct arm_cpu_capabilities *entry, this_cpu(bp_harden_vecs) = hyp_vecs; } +static int enable_bp_inv_hardening(void *data) +{ + install_bp_hardening_vecs(data, hyp_traps_vector_bp_inv, + "execute BPIALL"); + return 0; +} + #endif #define MIDR_RANGE(model, min, max) \ @@ -284,6 +291,18 @@ static const struct arm_cpu_capabilities arm_errata[] = { .enable = enable_psci_bp_hardening, }, #endif +#ifdef CONFIG_ARM32_HARDEN_BRANCH_PREDICTOR + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A12), + .enable = enable_bp_inv_hardening, + }, + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A17), + .enable = enable_bp_inv_hardening, + }, +#endif {}, };