From patchwork Wed Jan 31 16:53:33 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julien Grall <julien.grall@linaro.org>
X-Patchwork-Id: 126370
Delivered-To: patch@linaro.org
Received: by 10.46.124.24 with SMTP id x24csp906076ljc;
 Wed, 31 Jan 2018 08:56:02 -0800 (PST)
X-Google-Smtp-Source: AH8x226BUePIcyW0VuZoVklI0AbSGQotLrnihzXsY741VRNHcMeDLUZNOrH7Bln4CYxH9lH/F2pb
X-Received: by 10.36.19.5 with SMTP id 5mr36690962itz.38.1517417762193;
 Wed, 31 Jan 2018 08:56:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517417762; cv=none;
 d=google.com; s=arc-20160816;
 b=eLH8iuzFJ7ZHM/7UmOvIRz8HGN65KuoHD4cAtTAB904ItZIbZkLSi1d9Wd5r0g2re4
 VKJffPwmkfXTkTuJ1zkwWw/bLWAqPc23naHKw9a5IVd3mTQQXJFTWIOJ4dhTKqi/KB7P
 DGRgp88ZOBhNeluEk+hXu3QA9bYxBN5dcPze1VBUSFlzr2n+yeCdPt7btD6R/vYG5BG5
 zqLwv9QZOX7+IRKXhUEG8RJi1px/dZ5difwI9gzrw0y2NwMmKi9SjOOL9ox956MVy7tw
 8t3HmOzXNmPVeWTOtE3lHxJCI/k++OSW3Qiwe7quUiu56wTBasXkCu3f86wOumS4DYav
 n7vQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:content-transfer-encoding:mime-version
 :list-subscribe:list-help:list-post:list-unsubscribe:list-id
 :precedence:subject:cc:references:in-reply-to:message-id:date:to
 :from:dkim-signature:arc-authentication-results;
 bh=W4BruILfgicHeUjSLsH+c6hnWTwYkt42shzGUth9dtY=;
 b=oPsqtumVpwDUB8zMf/Q1AubsQCZPlyQ9C+Uvq/HpUi0mgailbkrVXGVcE24bZ8aFt5
 gnGEOffdpt8oHqrczbxrm8R22TeRQ84m2sTFGkrDFOcfRAw0xq83gomKrMBQ9WOWaKhf
 GcDPH6PYVI7tOGAcoHXgxjOBntJ0GetQD7uSGRaEaKrs2+qe88D41vt7nzlU7Tc4LwJI
 47lxUtwGDSbmwCuBwBUzSVsbYc/4R86VV2UixTfGPiiuXvOqG3sEwKHs/QRDS/H64EkM
 XCccEHM2wGOZedNi50XfoBK+5FWU5BV2L85Fla3THkYzO3QbJ/xNHx2sb0+kzmmW6YUJ
 QfAQ==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=BJLBuXzA; 
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120])
 by mx.google.com with ESMTPS id
 d193si4270830iog.44.2018.01.31.08.56.01
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 31 Jan 2018 08:56:02 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120; 
Authentication-Results: mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=BJLBuXzA; 
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <xen-devel-bounces@lists.xenproject.org>)
 id 1egvdr-00043O-IL; Wed, 31 Jan 2018 16:53:47 +0000
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=7zm5=e2=linaro.org=julien.grall@srs-us1.protection.inumbo.net>)
 id 1egvdq-00042X-Um
 for xen-devel@lists.xen.org; Wed, 31 Jan 2018 16:53:46 +0000
X-Inumbo-ID: 4460a1b4-06a7-11e8-ba59-bc764e045a96
Received: from mail-wm0-x244.google.com (unknown [2a00:1450:400c:c09::244])
 by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS
 id 4460a1b4-06a7-11e8-ba59-bc764e045a96;
 Wed, 31 Jan 2018 17:53:31 +0100 (CET)
Received: by mail-wm0-x244.google.com with SMTP id 141so333486wme.3
 for <xen-devel@lists.xen.org>; Wed, 31 Jan 2018 08:53:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=lrTWqKEW6gP537ohAywj+4yXa6QFJXwL9vsnOYS1skM=;
 b=BJLBuXzArzdt2XMLQZqk0OgPE8tAN1eo0BQIb0Re/nSYDL5Wkvea4X4JusrrpYVcxT
 VcUcMCj0m+InE4MmH4qKtwluJ5mVCMNq9783QTiQ4uW24Jnq23w3I6VvFFgP8+WhShoy
 abORy6nONhLO2IYD52AFsS0PuEkBCiLRupRK4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=lrTWqKEW6gP537ohAywj+4yXa6QFJXwL9vsnOYS1skM=;
 b=hk5WWNgztdUdDg4aN4AKr6fzIMFIOgUJkpD4ijOBRqmw9Q8zQTLUOUz5xaw1J0K1of
 oVChka+M9VZNdwwiouzv92RIx/9DDEX0Q7G7Vde0OAE3IVDFO/+pME5iiNLRlvz/HC+6
 /iRly50A2LOKOlVfYJW7tPUgRZ6FQ6lerHOqBem8wQIxHHoZVdkyiHSmOO1Oj1Ikjb1v
 zklcItPcckHvFxzfI0peVaZjpfgap6zQGxqvAhEO7QHQCQTobKsAIfFL4/cXSqDomEtM
 ZTyacwBX3czC9O+oGo1uirGwmaYuFQfUt3jqm2sIJ94U8t+1g/8cFUrSl/B7lNAE7RC3
 KJHQ==
X-Gm-Message-State: AKwxytep8AMwR/7tecBDekByLcJr5RdpH+j8C/YWPBEI9kOR9R0MEwDu
 rfWpFEzhYXUoEdQP3AH93yUqRp6+y1s=
X-Received: by 10.28.4.206 with SMTP id 197mr22491745wme.42.1517417624798;
 Wed, 31 Jan 2018 08:53:44 -0800 (PST)
Received: from e108454-lin.cambridge.arm.com ([2001:41d0:1:6c23::1])
 by smtp.gmail.com with ESMTPSA id
 h194sm223745wma.8.2018.01.31.08.53.43
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 31 Jan 2018 08:53:44 -0800 (PST)
From: Julien Grall <julien.grall@linaro.org>
X-Google-Original-From: Julien Grall <julien.grall@arm.com>
To: xen-devel@lists.xen.org
Date: Wed, 31 Jan 2018 16:53:33 +0000
Message-Id: <20180131165334.23175-7-julien.grall@arm.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180131165334.23175-1-julien.grall@arm.com>
References: <20180131165334.23175-1-julien.grall@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>, sstabellini@kernel.org,
 Julien Grall <julien.grall@linaro.org>, andre.przywara@linaro.org
Subject: [Xen-devel] [PATCH v2 6/7] xen/arm32: Invalidate icache on guest
 exist for Cortex-A15
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>, 
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

From: Julien Grall <julien.grall@linaro.org>

In order to avoid aliasing attacks against the branch predictor on
Cortex A-15, let's invalidate the BTB on guest exit, which can only be
done by invalidating the icache (with ACTLR[0] being set).

We use the same hack as for A12/A17 to perform the vector decoding.

This is based on Linux patch from the kpti branch in [1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---

Changes in v2:
    - Add Stefano's reviewed-by
---
 xen/arch/arm/arm32/entry.S | 21 +++++++++++++++++++++
 xen/arch/arm/cpuerrata.c   | 13 +++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
index a295f3ad67..837f64d20d 100644
--- a/xen/arch/arm/arm32/entry.S
+++ b/xen/arch/arm/arm32/entry.S
@@ -161,6 +161,26 @@ GLOBAL(hyp_traps_vector)
         b trap_fiq                      /* 0x1c - FIQ */
 
         .align 5
+GLOBAL(hyp_traps_vector_ic_inv)
+        /*
+         * We encode the exception entry in the bottom 3 bits of
+         * SP, and we have to guarantee to be 8 bytes aligned.
+         */
+        add sp, sp, #1                  /* Reset            7 */
+        add sp, sp, #1                  /* Undef            6 */
+        add sp, sp, #1                  /* Hypervisor call  5 */
+        add sp, sp, #1                  /* Prefetch abort   4 */
+        add sp, sp, #1                  /* Data abort       3 */
+        add sp, sp, #1                  /* Hypervisor       2 */
+        add sp, sp, #1                  /* IRQ              1 */
+        nop                             /* FIQ              0 */
+
+        mcr p15, 0, r0, c7, c5, 0       /* ICIALLU */
+        isb
+
+        b decode_vectors
+
+        .align 5
 GLOBAL(hyp_traps_vector_bp_inv)
         /*
          * We encode the exception entry in the bottom 3 bits of
@@ -178,6 +198,7 @@ GLOBAL(hyp_traps_vector_bp_inv)
         mcr	p15, 0, r0, c7, c5, 6	    /* BPIALL */
         isb
 
+decode_vectors:
         /*
          * As we cannot use any temporary registers and cannot
          * clobber SP, we can decode the exception entry using
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index c79e6d65d3..9c7458ef06 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -180,6 +180,7 @@ static int enable_psci_bp_hardening(void *data)
 DEFINE_PER_CPU_READ_MOSTLY(const char *, bp_harden_vecs);
 
 extern char hyp_traps_vector_bp_inv[];
+extern char hyp_traps_vector_ic_inv[];
 
 static void __maybe_unused
 install_bp_hardening_vecs(const struct arm_cpu_capabilities *entry,
@@ -205,6 +206,13 @@ static int enable_bp_inv_hardening(void *data)
     return 0;
 }
 
+static int enable_ic_inv_hardening(void *data)
+{
+    install_bp_hardening_vecs(data, hyp_traps_vector_ic_inv,
+                              "execute ICIALLU");
+    return 0;
+}
+
 #endif
 
 #define MIDR_RANGE(model, min, max)     \
@@ -302,6 +310,11 @@ static const struct arm_cpu_capabilities arm_errata[] = {
         MIDR_ALL_VERSIONS(MIDR_CORTEX_A17),
         .enable = enable_bp_inv_hardening,
     },
+    {
+        .capability = ARM_HARDEN_BRANCH_PREDICTOR,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A15),
+        .enable = enable_ic_inv_hardening,
+    },
 #endif
     {},
 };