From patchwork Fri Jan 19 13:41:02 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julien Grall <julien.grall@linaro.org>
X-Patchwork-Id: 125252
Delivered-To: patch@linaro.org
Received: by 10.46.66.141 with SMTP id h13csp425937ljf;
 Sat, 20 Jan 2018 12:48:46 -0800 (PST)
X-Google-Smtp-Source: AH8x225C+1x2M28jw+PafuFS9m5xpNRpcwWQVe9iD/aimY2M2OJK1qh2d8ccFL3TI0ieohp4OSa4
X-Received: by 10.36.210.133 with SMTP id z127mr2920815itf.116.1516481326018; 
 Sat, 20 Jan 2018 12:48:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516481326; cv=none;
 d=google.com; s=arc-20160816;
 b=DX0MVmaET+T+Y15LJRcL0hR2AL46+bvi2Fwh8V/gFHbC4K5j21Tpbau0RPWrntEV4z
 Zhm+x9U9nOAc+aeDpdIDsLmgIRKdGyD980gsl0STtYV/PPHbgFSCIkeWR4zYiqhSS0LF
 69kNaxmtLi7eFHyLvN/vB4MejhS+y0f/6a3ZahJr+Rtd09CE6ix5YEE7NfZX1ecTcI34
 YXuU6amz18aYRcOnUiMTf4h4asm33SBrPsvW9pbAk9WvH+qsJmXpWb+e4Oip55cVPjML
 278fVBlXXl40GXOZ/nj5hIk0VRpMxMmm4bAY9IWXN4L9vZnJFSGirLo65wVcJp0gTdul
 yluQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:content-transfer-encoding:mime-version
 :list-subscribe:list-help:list-post:list-unsubscribe:list-id
 :precedence:subject:cc:references:in-reply-to:message-id:date:to
 :from:dkim-signature:arc-authentication-results;
 bh=sS8V1a+T3XQeQXdEKXe1QXa5/bg6RXQj+GmhpMeu68E=;
 b=XBH0YrpJcN0djSiGOiuPpfD4EgUj3c3lxsQltPoANpSJV+y3X3tET6Nqhp2jTX+xpF
 uIQQWRZQXoSSZyvI0te46Bhgc7lCJhg/BV53fQxvwdVaQykGVwX+bDQOPHxnFHRFjD8r
 Qm9eTK+CNJ03g7F+vApKLvDmC4ENgwQ0HgP4fInPpGavW4+mYVYT0xLvUiyhp+0WRl7r
 /P/Q+G2uL+eeWfs88+sHiE7idvADqQ72cQCJKJTVipDaj2kixY774e6vro4onIxr6JYZ
 3RwClvlFfLGtBGRQ97NhXLwtpFd6fHRkcJe9zFx6eb9NwZ+EActwfWoGbRej0EvvLnlx
 UJBA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=JICkUcsY; 
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120])
 by mx.google.com with ESMTPS id 21si3481515itu.74.2018.01.20.12.48.45
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sat, 20 Jan 2018 12:48:46 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120; 
Authentication-Results: mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=JICkUcsY; 
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <xen-devel-bounces@lists.xenproject.org>)
 id 1ed01A-0004i3-0n; Sat, 20 Jan 2018 20:45:36 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=kdiy=ep=linaro.org=julien.grall@srs-us1.protection.inumbo.net>)
 id 1ed018-0004hR-Bd
 for xen-devel@lists.xen.org; Sat, 20 Jan 2018 20:45:34 +0000
X-Inumbo-ID: 388f0cb5-fe23-11e7-b0d7-9f685aff125f
Received: from mail-wm0-f67.google.com (unknown [74.125.82.67])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 388f0cb5-fe23-11e7-b0d7-9f685aff125f;
 Sat, 20 Jan 2018 20:48:09 +0000 (UTC)
Received: by mail-wm0-f67.google.com with SMTP id i186so9472849wmi.4
 for <xen-devel@lists.xen.org>; Sat, 20 Jan 2018 12:45:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=gGF4fA9+h7PrU1mFoShz0EdWaJ/sLBHBmL17tQPzzks=;
 b=JICkUcsYVF9udvPB6OU8JIgTryohkspEaZdEhZCQDYe3KcW8pG/F5Fm3RSPkOMYe9w
 52sHmsIPm4Uial4foC+7sCgwhEoghuCYz3MbbQtg+uZPnzDz1xR5OL0TUhgw6tg0YP2p
 jnriT7cjrkNmivysZ8HEI3Jlfj5rfv62aMSPs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=gGF4fA9+h7PrU1mFoShz0EdWaJ/sLBHBmL17tQPzzks=;
 b=c5n5mtUSN8ikgw3p+wSiQ1R/njFOAcWoZToP5GP2b/PDnE1rqH/ncFVPGQWD53N/E/
 n1/+Rj+txVbfg7hEmODxubm7J1/9Tk7wIgB0XlFckcyI2PVNaTG237xz9mOdXHbfqWB7
 aPgrjS+BNx+r0Ww0fRfPQSLiYt7AwgrM9Bwm11ywtU/civWucdAMWv3c5ulBAG0oDGR4
 pxsVmj6XgSLSNzICM3JUI70gGsEYOhfjKhEWkPU5M1xAsVKh0lHiXBf8gudfihbXCm5/
 /+6Rp3ycJOFUjpDOfWigkAqds8NL1BMoOW1Qw8RXDWWFUinJuMJj3etNrGvB1coHaRhw
 EQbA==
X-Gm-Message-State: AKwxytfkLtx7NT65mrKyCUexSf27k2QLB1BVSFOEfb71mjvlVFkt1ahL
 oXOEaKZ+g91GDHE9JjzWG90EvVPyLTw=
X-Received: by 10.28.211.67 with SMTP id k64mr7691986wmg.95.1516369270404;
 Fri, 19 Jan 2018 05:41:10 -0800 (PST)
Received: from e108454-lin.cambridge.arm.com ([2001:41d0:1:6c23::1])
 by smtp.gmail.com with ESMTPSA id
 s44sm5113642wrc.64.2018.01.19.05.41.09
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 19 Jan 2018 05:41:09 -0800 (PST)
From: Julien Grall <julien.grall@linaro.org>
To: xen-devel@lists.xen.org
Date: Fri, 19 Jan 2018 13:41:02 +0000
Message-Id: <20180119134103.3390-7-julien.grall@linaro.org>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180119134103.3390-1-julien.grall@linaro.org>
References: <20180119134103.3390-1-julien.grall@linaro.org>
Cc: sstabellini@kernel.org, andre.przywara@linaro.org
Subject: [Xen-devel] [PATCH 6/7] xen/arm32: Invalidate icache on guest exist
 for Cortex-A15
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>, 
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

In order to avoid aliasing attacks against the branch predictor on
Cortex A-15, let's invalidate the BTB on guest exit, which can only be
done by invalidating the icache (with ACTLR[0] being set).

We use the same hack as for A12/A17 to perform the vector decoding.

This is based on Linux patch from the kpti branch in [1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
 xen/arch/arm/arm32/entry.S | 21 +++++++++++++++++++++
 xen/arch/arm/cpuerrata.c   | 13 +++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
index c6ec0aa399..c529592d20 100644
--- a/xen/arch/arm/arm32/entry.S
+++ b/xen/arch/arm/arm32/entry.S
@@ -161,6 +161,26 @@ GLOBAL(hyp_traps_vector)
         b trap_fiq                      /* 0x1c - FIQ */
 
         .align 5
+GLOBAL(hyp_traps_vector_ic_inv)
+        /*
+         * We encode the exception entry in the bottom 3 bits of
+         * SP, and we have to guarantee to be 8 bytes aligned.
+         */
+        add sp, sp, #1                  /* Reset            7 */
+        add sp, sp, #1                  /* Undef            6 */
+        add sp, sp, #1                  /* Hypervisor call  5 */
+        add sp, sp, #1                  /* Prefetch abort   4 */
+        add sp, sp, #1                  /* Data abort       3 */
+        add sp, sp, #1                  /* Hypervisor       2 */
+        add sp, sp, #1                  /* IRQ              1 */
+        nop                             /* FIQ              0 */
+
+        mcr p15, 0, r0, c7, c5, 0       /* ICIALLU */
+        isb
+
+        b decode_vectors
+
+        .align 5
 GLOBAL(hyp_traps_vector_bp_inv)
         /*
          * We encode the exception entry in the bottom 3 bits of
@@ -178,6 +198,7 @@ GLOBAL(hyp_traps_vector_bp_inv)
         mcr	p15, 0, r0, c7, c5, 6	    /* BPIALL */
         isb
 
+decode_vectors:
         /*
          * As we cannot use any temporary registers and cannot
          * clobber SP, we can decode the exception entry using
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index c79e6d65d3..9c7458ef06 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -180,6 +180,7 @@ static int enable_psci_bp_hardening(void *data)
 DEFINE_PER_CPU_READ_MOSTLY(const char *, bp_harden_vecs);
 
 extern char hyp_traps_vector_bp_inv[];
+extern char hyp_traps_vector_ic_inv[];
 
 static void __maybe_unused
 install_bp_hardening_vecs(const struct arm_cpu_capabilities *entry,
@@ -205,6 +206,13 @@ static int enable_bp_inv_hardening(void *data)
     return 0;
 }
 
+static int enable_ic_inv_hardening(void *data)
+{
+    install_bp_hardening_vecs(data, hyp_traps_vector_ic_inv,
+                              "execute ICIALLU");
+    return 0;
+}
+
 #endif
 
 #define MIDR_RANGE(model, min, max)     \
@@ -302,6 +310,11 @@ static const struct arm_cpu_capabilities arm_errata[] = {
         MIDR_ALL_VERSIONS(MIDR_CORTEX_A17),
         .enable = enable_bp_inv_hardening,
     },
+    {
+        .capability = ARM_HARDEN_BRANCH_PREDICTOR,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A15),
+        .enable = enable_ic_inv_hardening,
+    },
 #endif
     {},
 };