From: Will Deacon
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, ard.biesheuvel@linaro.org, marc.zyngier@arm.com, lorenzo.pieralisi@arm.com, christoffer.dall@linaro.org, linux-kernel@vger.kernel.org, Will Deacon
Subject: [PATCH 01/11] arm64: use RET instruction for exiting the trampoline
Date: Thu, 4 Jan 2018 15:08:25 +0000
Message-Id: <1515078515-13723-2-git-send-email-will.deacon@arm.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1515078515-13723-1-git-send-email-will.deacon@arm.com>
References: <1515078515-13723-1-git-send-email-will.deacon@arm.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Speculation attacks against the entry trampoline can potentially resteer the speculative instruction stream through the indirect branch and into arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction through the return stack: a dummy BL instruction loads an entry into the stack, so that the predicted program flow of the subsequent RET instruction is to a branch-to-self instruction which is finally resolved as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon
---
arch/arm64/kernel/entry.S | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

-- 2.1.4

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 031392ee5f47..b9feb587294d 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -1029,6 +1029,9 @@ alternative_else_nop_endif .if \regsize == 64 msr tpidrro_el0, x30 // Restored in kernel_ventry .endif + bl 2f + b . +2: tramp_map_kernel x30 #ifdef CONFIG_RANDOMIZE_BASE adr x30, tramp_vectors + PAGE_SIZE @@ -1041,7 +1044,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 msr vbar_el1, x30 add x30, x30, #(1b - tramp_vectors) isb - br x30 + ret .endm .macro tramp_exit, regsize = 64
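Review bot: In the first hunk (@@ -1029,6 +1029,9), the added `bl 2f` / `b .` / `2:` sequence carries no comment, and read in isolation `b .` looks like an unreachable infinite loop that a later cleanup could delete. Please add a short comment above `bl 2f` saying that the BL is a dummy whose only job is to load a return-stack entry pointing at the branch-to-self, so that the RET at the end of the macro is predicted to land on `b .`, as the commit message describes. It would also help to state there that BL overwriting x30 is intended: x30 is saved to tpidrro_el0 just above only under `.if \regsize == 64`, and is then used as scratch by `tramp_map_kernel x30`, so a reader should not have to work out for themselves that the clobber is safe in the other case.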
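Review bot: In the second hunk (@@ -1041,7 +1044,7), replacing `br x30` with a bare `ret` makes the branch target implicit and leaves the dependency on the earlier dummy BL undocumented at the point where it matters. The mitigation only holds if the entry loaded by `bl 2f` is still the one consumed by this RET, so any BL or RET later inserted between label `2:` and here (for example inside `tramp_map_kernel` or the alternative sequence) would silently break the pairing. Suggest a comment on the `ret` line pointing back at the dummy BL and noting that no call/return may be added in between; writing it as `ret x30` or commenting that the target is the x30 value computed by `add x30, x30, #(1b - tramp_vectors)` would also keep the data flow obvious.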