[PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1

[PATCH 00/14] arm64 SSBD (aka Spectre-v4) mitigation · Marc Zyngier <hidden> · 2018-05-22
[PATCH 01/14] arm/arm64: smccc: Add SMCCC-specific return codes · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 01/14] arm/arm64: smccc: Add SMCCC-specific return codes · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 03/14] arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 03/14] arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 03/14] arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 06/14] arm64: ssbd: Add global mitigation state accessor · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 06/14] arm64: ssbd: Add global mitigation state accessor · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 06/14] arm64: ssbd: Add global mitigation state accessor · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 05/14] arm64: Add 'ssbd' command-line option · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 05/14] arm64: Add 'ssbd' command-line option · Randy Dunlap <hidden> · 2018-05-22
Re: [PATCH 05/14] arm64: Add 'ssbd' command-line option · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 05/14] arm64: Add 'ssbd' command-line option · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
Re: [PATCH 05/14] arm64: Add 'ssbd' command-line option · Marc Zyngier <hidden> · 2018-05-24
[PATCH 07/14] arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 07/14] arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 07/14] arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 10/14] arm64: ssbd: Add prctl interface for per-thread mitigation · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 10/14] arm64: ssbd: Add prctl interface for per-thread mitigation · Dominik Brodowski <linux@dominikbrodowski.net> · 2018-05-22
Re: [PATCH 10/14] arm64: ssbd: Add prctl interface for per-thread mitigation · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 10/14] arm64: ssbd: Add prctl interface for per-thread mitigation · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
Re: [PATCH 10/14] arm64: ssbd: Add prctl interface for per-thread mitigation · Will Deacon <hidden> · 2018-05-24
[PATCH 12/14] arm64: KVM: Add ARCH_WORKAROUND_2 support for guests · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 12/14] arm64: KVM: Add ARCH_WORKAROUND_2 support for guests · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 14/14] arm64: KVM: Add ARCH_WORKAROUND_2 discovery through ARCH_FEATURES_FUNC_ID · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 14/14] arm64: KVM: Add ARCH_WORKAROUND_2 discovery through ARCH_FEATURES_FUNC_ID · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 13/14] arm64: KVM: Handle guest's ARCH_WORKAROUND_2 requests · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 13/14] arm64: KVM: Handle guest's ARCH_WORKAROUND_2 requests · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 11/14] arm64: KVM: Add HYP per-cpu accessors · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 11/14] arm64: KVM: Add HYP per-cpu accessors · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation · Marc Zyngier <hidden> · 2018-05-24
Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation · Will Deacon <hidden> · 2018-05-24
Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation · Marc Zyngier <hidden> · 2018-05-24
[PATCH 08/14] arm64: ssbd: Disable mitigation on CPU resume if required by user · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 08/14] arm64: ssbd: Disable mitigation on CPU resume if required by user · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 08/14] arm64: ssbd: Disable mitigation on CPU resume if required by user · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing · Suzuki K Poulose <Suzuki.Poulose@arm.com> · 2018-05-24
Re: [PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing · Will Deacon <hidden> · 2018-05-24
Re: [PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing · Suzuki K Poulose <Suzuki.Poulose@arm.com> · 2018-05-24
Re: [PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
[PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Marc Zyngier <hidden> · 2018-05-22
Re: [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Julien Grall <hidden> · 2018-05-23
Re: [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
Re: [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Robin Murphy <robin.murphy@arm.com> · 2018-05-24
Re: [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
Re: [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Mark Rutland <mark.rutland@arm.com> · 2018-05-24
Re: [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 · Marc Zyngier <hidden> · 2018-05-24

From: mark.rutland@arm.com (Mark Rutland)
Date: 2018-05-24 11:01:08
Also in: kvmarm, lkml

On Tue, May 22, 2018 at 04:06:36PM +0100, Marc Zyngier wrote:

quoted hunk ↗ jump to hunk

In order for the kernel to protect itself, let's call the SSBD mitigation
implemented by the higher exception level (either hypervisor or firmware)
on each transition between userspace and kernel.

We must take the PSCI conduit into account in order to target the
right exception level, hence the introduction of a runtime patching
callback.

Signed-off-by: Marc Zyngier <redacted>
---
 arch/arm64/kernel/cpu_errata.c | 18 ++++++++++++++++++
 arch/arm64/kernel/entry.S      | 22 ++++++++++++++++++++++
 include/linux/arm-smccc.h      |  5 +++++
 3 files changed, 45 insertions(+)

diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index a900befadfe8..46b3aafb631a 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c

@@ -232,6 +232,24 @@ enable_smccc_arch_workaround_1(const struct arm64_cpu_capabilities *entry)
 }
 #endif	/* CONFIG_HARDEN_BRANCH_PREDICTOR */
 
+#ifdef CONFIG_ARM64_SSBD
+void __init arm64_update_smccc_conduit(struct alt_instr *alt,
+				       __le32 *origptr, __le32 *updptr,
+				       int nr_inst)
+{
+	u32 insn;
+
+	BUG_ON(nr_inst != 1);
+
+	if (psci_ops.conduit == PSCI_CONDUIT_HVC)
+		insn = aarch64_insn_get_hvc_value();
+	else
+		insn = aarch64_insn_get_smc_value();

Shouldn't this also handle the case where there is no conduit?

See below comment in apply_ssbd for rationale.

quoted hunk ↗ jump to hunk

+
+	*updptr = cpu_to_le32(insn);
+}
+#endif	/* CONFIG_ARM64_SSBD */
+
 #define CAP_MIDR_RANGE(model, v_min, r_min, v_max, r_max)	\
 	.matches = is_affected_midr_range,			\
 	.midr_range = MIDR_RANGE(model, v_min, r_min, v_max, r_max)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index ec2ee720e33e..f33e6aed3037 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S

@@ -18,6 +18,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/arm-smccc.h>
 #include <linux/init.h>
 #include <linux/linkage.h>

@@ -137,6 +138,18 @@ alternative_else_nop_endif
 	add	\dst, \dst, #(\sym - .entry.tramp.text)
 	.endm
 
+	// This macro corrupts x0-x3. It is the caller's duty
+	// to save/restore them if required.
+	.macro	apply_ssbd, state
+#ifdef CONFIG_ARM64_SSBD
+	mov	w0, #ARM_SMCCC_ARCH_WORKAROUND_2
+	mov	w1, #\state
+alternative_cb	arm64_update_smccc_conduit
+	nop					// Patched to SMC/HVC #0
+alternative_cb_end
+#endif
+	.endm

If my system doesn't have SMCCC1.1, or the FW doesn't have an
implementation of ARCH_WORKAROUND_2, does this stay as a NOP?

It looks like this would be patched to an SMC, which would be fatal on
systems without EL3 FW.

quoted hunk ↗ jump to hunk

+
 	.macro	kernel_entry, el, regsize = 64
 	.if	\regsize == 32
 	mov	w0, w0				// zero upper 32 bits of x0

@@ -163,6 +176,13 @@ alternative_else_nop_endif
 	ldr	x19, [tsk, #TSK_TI_FLAGS]	// since we can unmask debug
 	disable_step_tsk x19, x20		// exceptions when scheduling.
 
+	apply_ssbd 1


... and thus kernel_entry would be fatal.

Thanks,
Mark.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help