From patchwork Fri Feb  2 14:19:24 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julien Grall <julien.grall@linaro.org>
X-Patchwork-Id: 126715
Delivered-To: patch@linaro.org
Received: by 10.46.124.24 with SMTP id x24csp687236ljc;
 Fri, 2 Feb 2018 06:21:54 -0800 (PST)
X-Google-Smtp-Source: AH8x2269EFm8HUAkB8Tl1IZnBejVj9r14AgoOrWUyg7gi2PDkTakDJjrLxuAYhhoDUQjtVew7ljl
X-Received: by 10.36.2.16 with SMTP id 16mr45914318itu.81.1517581314150;
 Fri, 02 Feb 2018 06:21:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517581314; cv=none;
 d=google.com; s=arc-20160816;
 b=PRv0HcXdjCZVMlC6d4Qrntrc3dWwG7nz0sjm6TarVwCW1WaQnBbCUUkkhfszjHGmgW
 xcd2eFME9KTY+OZWoOoOu2JegdMmLrYkyEjuc8s+YEBjgJejYyrhR886zohemHUA91LG
 xIBdQ43pn1yDQv0w/4cIFihmArytpS0NYJkzMH+6s7sW3evhqOHKs4hGQY91aiLh07ZQ
 PRGPvDTx0S8xuR813dGAODGEQXb5QpcxR6QOqieqcVM7pN2C8zBSjKl3kUmxMB7BQKHm
 KLKQU5NYv3/NSELAOnnY+nr4RyyWUNkufTk7rTMCXOT62lhSTu2wyjwKtJoXZiHFE7zM
 9CJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:content-transfer-encoding:mime-version
 :list-subscribe:list-help:list-post:list-unsubscribe:list-id
 :precedence:subject:cc:references:in-reply-to:message-id:date:to
 :from:dkim-signature:arc-authentication-results;
 bh=jb2ONX6iSpj59qBzJcnX0OKiT+VXlYtiM21nI3TvpW8=;
 b=LvnkW1oht9JvAXNo/Ze3JNnBnRZ7FlUE437f7ez9Q00vpJYHNw0sdazn0SXXCqsWGk
 4OPx1RbiA+e8aOM52kLIZSSR6N01kxBue6Ok0sywI2KbjJ8xpZap8ys/m0HpjWtwv6Q4
 go8+NaqYaPZy1n9C4stGi86/UPQ4+X9E8rQooZrHjvXup785uW7RuMZF5LM6udiNQVJJ
 BQib574+40XLEfTov0HHMWOqnEsWptDj7zxWxrs+dZ0IORTcFruP8XONCJlLHqWicYuz
 3KC1xg3hLfC83EAbiXZYnPgpaVLec1AetCGmEkcJ1S4KyNK1BjUCRupEemDRdjEmfSBm
 9UEw==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=h8aCRt5G; 
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120])
 by mx.google.com with ESMTPS id
 w70si2167501ioe.32.2018.02.02.06.21.53
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 02 Feb 2018 06:21:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120; 
Authentication-Results: mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=h8aCRt5G; 
 spf=pass (google.com: best guess record for domain of
 xen-devel-bounces@lists.xenproject.org designates
 192.237.175.120 as permitted sender)
 smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <xen-devel-bounces@lists.xenproject.org>)
 id 1ehcBk-00088B-L4; Fri, 02 Feb 2018 14:19:36 +0000
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=ge3u=e4=linaro.org=julien.grall@srs-us1.protection.inumbo.net>)
 id 1ehcBj-00086Z-Nj
 for xen-devel@lists.xen.org; Fri, 02 Feb 2018 14:19:35 +0000
X-Inumbo-ID: 0d115074-0824-11e8-ba59-bc764e045a96
Received: from mail-wr0-x244.google.com (unknown [2a00:1450:400c:c0c::244])
 by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS
 id 0d115074-0824-11e8-ba59-bc764e045a96;
 Fri, 02 Feb 2018 15:19:17 +0100 (CET)
Received: by mail-wr0-x244.google.com with SMTP id v31so22696968wrc.11
 for <xen-devel@lists.xen.org>; Fri, 02 Feb 2018 06:19:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=05I9oMFvVF+hHcZSGPTnK3m1qiGyhpohpor09+2qcSE=;
 b=h8aCRt5GFmvwu+yxVn/0jzU364qCPx85KczPu6ukHzz+/V0KyQMCceFqdYrT+nv0s0
 cFEKOoihh4zI8n/MoHK6lY22fUcuuH3Jdwe6i5neUmBz+n3+Xy/ZNKi/2RaAp78mOK66
 p7smY7gioiedBWlr82fdhfndATnWz6STgxxDo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=05I9oMFvVF+hHcZSGPTnK3m1qiGyhpohpor09+2qcSE=;
 b=K6w5n+5Pfldo25kmSj2zf23zwk4itjAYQbC9E8XqWPBfnow7/WEYsNUV7SAoDZAsSg
 gF6Uc6ORhvMno5ylNkm0aH6FjZYvbOHSQWBj7voyPvG6tUJ9D4TJfV1W64IL965Y2RnC
 j52XaSODra75Agd/YsbHz+5Cd9SFB/+uZgaUUC3JorWmfm6j9uLQA7G2ezWCYP9LIq6H
 iLfYRzMoAcPE7+NiJLvpU+0h6OaDX8iqt1RoPhBZA5GP3qgl3RXaU3oepwzlHMvPHrgb
 4nzTf88bal0PxBETBC+bpnAXIuLlkSlE+yEb8TW4yvX801hEfM7Mpj4VRgGhzDIxzWTm
 5PPg==
X-Gm-Message-State: AKwxytelrTetgy2k4zTF+0U3yp37tL1H3dr8/1vajFT/Z6nACWH/j+2M
 0Cot+AspDGK17BoDpzl7ytcxXd4VaPc=
X-Received: by 10.223.130.234 with SMTP id 97mr15865800wrc.144.1517581173212; 
 Fri, 02 Feb 2018 06:19:33 -0800 (PST)
Received: from e108454-lin.cambridge.arm.com ([2001:41d0:1:6c23::1])
 by smtp.gmail.com with ESMTPSA id
 u79sm3057422wma.10.2018.02.02.06.19.32
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 02 Feb 2018 06:19:32 -0800 (PST)
From: Julien Grall <julien.grall@linaro.org>
To: xen-devel@lists.xen.org
Date: Fri,  2 Feb 2018 14:19:24 +0000
Message-Id: <20180202141925.19387-7-julien.grall@linaro.org>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180202141925.19387-1-julien.grall@linaro.org>
References: <20180202141925.19387-1-julien.grall@linaro.org>
Cc: Marc Zyngier <marc.zyngier@arm.com>, sstabellini@kernel.org,
 Julien Grall <julien.grall@linaro.org>, andre.przywara@linaro.org
Subject: [Xen-devel] [PATCH v4 6/7] xen/arm32: Invalidate icache on guest
 exist for Cortex-A15
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>, 
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

In order to avoid aliasing attacks against the branch predictor on
Cortex A-15, let's invalidate the BTB on guest exit, which can only be
done by invalidating the icache (with ACTLR[0] being set).

We use the same hack as for A12/A17 to perform the vector decoding.

This is based on Linux patch from the kpti branch in [1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---

Changes in v2:
    - Add Stefano's reviewed-by
---
 xen/arch/arm/arm32/entry.S | 21 +++++++++++++++++++++
 xen/arch/arm/cpuerrata.c   | 13 +++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
index 1ebbe4b065..2f8b7cb7b8 100644
--- a/xen/arch/arm/arm32/entry.S
+++ b/xen/arch/arm/arm32/entry.S
@@ -163,6 +163,26 @@ GLOBAL(hyp_traps_vector)
 #ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
 
         .align 5
+GLOBAL(hyp_traps_vector_ic_inv)
+        /*
+         * We encode the exception entry in the bottom 3 bits of
+         * SP, and we have to guarantee to be 8 bytes aligned.
+         */
+        add sp, sp, #1                  /* Reset            7 */
+        add sp, sp, #1                  /* Undef            6 */
+        add sp, sp, #1                  /* Hypervisor call  5 */
+        add sp, sp, #1                  /* Prefetch abort   4 */
+        add sp, sp, #1                  /* Data abort       3 */
+        add sp, sp, #1                  /* Hypervisor       2 */
+        add sp, sp, #1                  /* IRQ              1 */
+        nop                             /* FIQ              0 */
+
+        mcr p15, 0, r0, c7, c5, 0       /* ICIALLU */
+        isb
+
+        b decode_vectors
+
+        .align 5
 GLOBAL(hyp_traps_vector_bp_inv)
         /*
          * We encode the exception entry in the bottom 3 bits of
@@ -180,6 +200,7 @@ GLOBAL(hyp_traps_vector_bp_inv)
         mcr	p15, 0, r0, c7, c5, 6	    /* BPIALL */
         isb
 
+decode_vectors:
 .macro vect_br val, targ
         eor     sp, sp, #\val
         tst     sp, #7
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index c79e6d65d3..9c7458ef06 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -180,6 +180,7 @@ static int enable_psci_bp_hardening(void *data)
 DEFINE_PER_CPU_READ_MOSTLY(const char *, bp_harden_vecs);
 
 extern char hyp_traps_vector_bp_inv[];
+extern char hyp_traps_vector_ic_inv[];
 
 static void __maybe_unused
 install_bp_hardening_vecs(const struct arm_cpu_capabilities *entry,
@@ -205,6 +206,13 @@ static int enable_bp_inv_hardening(void *data)
     return 0;
 }
 
+static int enable_ic_inv_hardening(void *data)
+{
+    install_bp_hardening_vecs(data, hyp_traps_vector_ic_inv,
+                              "execute ICIALLU");
+    return 0;
+}
+
 #endif
 
 #define MIDR_RANGE(model, min, max)     \
@@ -302,6 +310,11 @@ static const struct arm_cpu_capabilities arm_errata[] = {
         MIDR_ALL_VERSIONS(MIDR_CORTEX_A17),
         .enable = enable_bp_inv_hardening,
     },
+    {
+        .capability = ARM_HARDEN_BRANCH_PREDICTOR,
+        MIDR_ALL_VERSIONS(MIDR_CORTEX_A15),
+        .enable = enable_ic_inv_hardening,
+    },
 #endif
     {},
 };