CC Marc Zyngier marc.zyngier@arm.com
On 01/31/2018 12:05 AM, Alex Shi wrote:
Aliasing attacks against CPU branch predictors can allow an attacker to redirect speculative control flow on some CPUs and potentially divulge information from one context to another.
This patch adds initial skeleton code behind a new Kconfig option to enable implementation-specific mitigations against these attacks for CPUs that are affected.
Co-developed-by: Marc Zyngier marc.zyngier@arm.com
Signed-off-by: Will Deacon will.deacon@arm.com
(cherry picked from commit 7bd293b6845d003ab087faa6515a626c8703b8da)
Signed-off-by: Alex Shi alex.shi@linaro.org
Conflicts:
	expand enable_da_f in entry.S
	use 5 parameters ARM64_FTR_BITS()
	add percpu.h in mm_types.h for percpu functions
	use cpus_have_cap instead of cpus_have_const_cap
<snip>...
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR +#include <asm/mmu_context.h> +#include <asm/cacheflush.h>
+DEFINE_PER_CPU_READ_MOSTLY(struct bp_hardening_data, bp_hardening_data);
+#ifdef CONFIG_KVM +static void __copy_hyp_vect_bpi(int slot, const char *hyp_vecs_start,
const char *hyp_vecs_end)
+{
- void *dst = lm_alias(__bp_harden_hyp_vecs_start + slot * SZ_2K)
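Review bot: nothing in this hunk bounds `slot`, so `__bp_harden_hyp_vecs_start + slot * SZ_2K` silently runs past the vector area if a caller passes a slot index beyond the last 2K slot; a `BUG_ON()` or `WARN_ON()` on the slot range at the top of `__copy_hyp_vect_bpi()` would catch that at the point of the copy rather than as a later corruption.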
Hi Will,
Here lm_alias gets the virtual address of __bp_harden_hyp_vecs_start from 0xffff000008098800 (for example) to 0xffff800008098800. Code based on v4.15-rc3 works well with this new address 0xffff80000...., but code based on v4.9 will report a null page:
Unable to handle kernel paging request at virtual address ffff8000000....
And without the lm_alias, the kernel booted well. Another place that uses lm_alias is in kvm_get_hyp_vector():
Is it safe to drop lm_alias? Or is there some place to request pages for the aliased address?
+static inline void *kvm_get_hyp_vector(void) +{ + struct bp_hardening_data *data = arm64_get_bp_hardening_data(); + void *vect = kvm_ksym_ref(__kvm_hyp_vector); + + if (data->fn) { + vect = __bp_harden_hyp_vecs_start + + data->hyp_vectors_slot * SZ_2K; + + if (!cpus_have_cap(ARM64_HAS_VIRT_HOST_EXTN)) + vect = lm_alias(vect);
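Review bot: the `cpus_have_cap(ARM64_HAS_VIRT_HOST_EXTN)` branch changes which address is returned (the kernel symbol address on VHE, its linear-map alias via `lm_alias(vect)` otherwise) without a comment saying why the two cases need different mappings; a one-line comment above the `if` stating which mapping hyp can reach in each mode would help backporters, since this is exactly the spot where the alias choice becomes hard to reason about.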
Thanks
Alex
- int i;
- for (i = 0; i < SZ_2K; i += 0x80)
memcpy(dst + i, hyp_vecs_start, hyp_vecs_end - hyp_vecs_start);
- flush_icache_range((uintptr_t)dst, (uintptr_t)dst + SZ_2K);
+}
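Review bot: the loop at `for (i = 0; i < SZ_2K; i += 0x80)` copies `hyp_vecs_end - hyp_vecs_start` bytes into each 0x80-byte stride without checking that the stub actually fits in 0x80 bytes; if it is larger, each `memcpy()` overwrites the start of the next stride and the last one runs past the 2K slot before `flush_icache_range()` is even reached. A `BUG_ON(hyp_vecs_end - hyp_vecs_start > 0x80)` before the loop (or a build-time assertion on the stub size) would make the assumption explicit.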
<snip>...