[v5,0/8] KVM: arm64: Add support for hypervisor kCFI

Message ID	20240610063244.2828978-1-ptosi@google.com (mailing list archive)
Headers	show Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org> Date: Mon, 10 Jun 2024 07:32:29 +0100 Mime-Version: 1.0 Message-ID: <20240610063244.2828978-1-ptosi@google.com> Subject: [PATCH v5 0/8] KVM: arm64: Add support for hypervisor kCFI From: " =?utf-8?q?Pierre-Cl=C3=A9ment_Tosi?= " <ptosi@google.com> To: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org Cc: " =?utf-8?q?Pierre-Cl=C3=A9ment_Tosi?= " <ptosi@google.com>, Will Deacon <will@kernel.org>, Marc Zyngier <maz@kernel.org>, Oliver Upton <oliver.upton@linux.dev>, Suzuki K Poulose <suzuki.poulose@arm.com>, Vincent Donnefort <vdonnefort@google.com> Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
Series	KVM: arm64: Add support for hypervisor kCFI \| expand [v5,0/8] KVM: arm64: Add support for hypervisor kCFI [v5,1/8] KVM: arm64: Fix clobbered ELR in sync abort/SError [v5,2/8] KVM: arm64: Fix __pkvm_init_switch_pgd call ABI [v5,3/8] KVM: arm64: nVHE: Simplify invalid_host_el2_vect [v5,4/8] KVM: arm64: nVHE: gen-hyprel: Skip R_AARCH64_ABS32 [v5,5/8] KVM: arm64: VHE: Mark __hyp_call_panic __noreturn [v5,6/8] arm64: Introduce esr_brk_comment, esr_is_cfi_brk [v5,7/8] KVM: arm64: Introduce print_nvhe_hyp_panic helper [v5,8/8] KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2

Message ID

20240610063244.2828978-1-ptosi@google.com (mailing list archive)

Headers

Date: Mon, 10 Jun 2024 07:32:29 +0100
Mime-Version: 1.0
Message-ID: <20240610063244.2828978-1-ptosi@google.com>
Subject: [PATCH v5 0/8] KVM: arm64: Add support for hypervisor kCFI
From: " =?utf-8?q?Pierre-Cl=C3=A9ment_Tosi?= " <ptosi@google.com>
To: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
	kvm@vger.kernel.org
Cc: " =?utf-8?q?Pierre-Cl=C3=A9ment_Tosi?= " <ptosi@google.com>,
 Will Deacon <will@kernel.org>, Marc Zyngier <maz@kernel.org>,
  Oliver Upton <oliver.upton@linux.dev>,
 Suzuki K Poulose <suzuki.poulose@arm.com>,
  Vincent Donnefort <vdonnefort@google.com>
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Series

KVM: arm64: Add support for hypervisor kCFI | expand

Message

Pierre-Clément Tosi June 10, 2024, 6:32 a.m. UTC

CONFIG_CFI_CLANG ("kernel Control Flow Integrity") makes the compiler inject
runtime type checks before any indirect function call. On AArch64, it generates
a BRK instruction to be executed on type mismatch and encodes the indices of the
registers holding the branch target and expected type in the immediate of the
instruction. As a result, a synchronous exception gets triggered on kCFI failure
and the fault handler can retrieve the immediate (and indices) from ESR_ELx.

This feature has been supported at EL1 ("host") since it was introduced by
b26e484b8bb3 ("arm64: Add CFI error handling"), where cfi_handler() decodes
ESR_EL1, giving informative panic messages such as

  [   21.885179] CFI failure at lkdtm_indirect_call+0x2c/0x44 [lkdtm]
  (target: lkdtm_increment_int+0x0/0x1c [lkdtm]; expected type: 0x7e0c52a)
  [   21.886593] Internal error: Oops - CFI: 0 [#1] PREEMPT SMP

However, it is not supported at EL2 in nVHE (or pKVM), as CONFIG_CFI_CLANG gets
filtered out at build time, preventing the compiler from injecting the checks.

To address this,

- [1/8] fixes an existing bug where the ELR_EL2 was getting clobbered on
  synchronous exceptions, causing the wrong "PC" to be reported by
  nvhe_hyp_panic_handler() or __hyp_call_panic(). This is particularly limiting
  for kCFI, as it would mask the location of the failed type check.
- [2/8] fixes a minor C/asm ABI mismatch which would trigger a kCFI failure
- [3/8]-[7/8] prepare nVHE for CONFIG_CFI_CLANG and [8/8] enables it

Note that kCFI errors remain fatal at EL2, even when CONFIG_CFI_PERMISSIVE=y.

Changes in v5 (addressed Will's comments on v4):
  - Dropped the patch making the handlers report the kCFI target & expected type
  - Dropped the hypervisor kCFI test module
  - Dropped the patch introducing handler for EL2h sync exceptions
  - Dropped the patch renaming __guest_exit_panic
  - Made invalid_host_el2_vect branch unconditionally to hyp_panic
  - Changed SP type in __pkvm_init_switch_pgd signature to unsigned long
  - Changed which registers __pkvm_init_switch_pgd used for intermediates
  - Fixed typo in commit message about esr_brk_comment()
  - Fixed mistake in commit message about context of invalid_host_el2_vect

Pierre-Clément Tosi (8):
  KVM: arm64: Fix clobbered ELR in sync abort/SError
  KVM: arm64: Fix __pkvm_init_switch_pgd call ABI
  KVM: arm64: nVHE: Simplify invalid_host_el2_vect
  KVM: arm64: nVHE: gen-hyprel: Skip R_AARCH64_ABS32
  KVM: arm64: VHE: Mark __hyp_call_panic __noreturn
  arm64: Introduce esr_brk_comment, esr_is_cfi_brk
  KVM: arm64: Introduce print_nvhe_hyp_panic helper
  KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2

 arch/arm64/include/asm/esr.h            | 11 +++++++++
 arch/arm64/include/asm/kvm_hyp.h        |  4 ++--
 arch/arm64/kernel/asm-offsets.c         |  1 +
 arch/arm64/kernel/debug-monitors.c      |  4 +---
 arch/arm64/kernel/traps.c               |  8 +++----
 arch/arm64/kvm/handle_exit.c            | 24 +++++++++++++++-----
 arch/arm64/kvm/hyp/entry.S              |  8 +++++++
 arch/arm64/kvm/hyp/include/hyp/switch.h |  5 +++--
 arch/arm64/kvm/hyp/nvhe/Makefile        |  6 ++---
 arch/arm64/kvm/hyp/nvhe/gen-hyprel.c    |  6 +++++
 arch/arm64/kvm/hyp/nvhe/host.S          |  6 -----
 arch/arm64/kvm/hyp/nvhe/hyp-init.S      | 30 +++++++++++++++----------
 arch/arm64/kvm/hyp/nvhe/setup.c         |  4 ++--
 arch/arm64/kvm/hyp/vhe/switch.c         |  3 +--
 14 files changed, 78 insertions(+), 42 deletions(-)

Comments

Oliver Upton June 20, 2024, 5:56 p.m. UTC | #1

On Mon, 10 Jun 2024 07:32:29 +0100, Pierre-Clément Tosi wrote:
> CONFIG_CFI_CLANG ("kernel Control Flow Integrity") makes the compiler inject
> runtime type checks before any indirect function call. On AArch64, it generates
> a BRK instruction to be executed on type mismatch and encodes the indices of the
> registers holding the branch target and expected type in the immediate of the
> instruction. As a result, a synchronous exception gets triggered on kCFI failure
> and the fault handler can retrieve the immediate (and indices) from ESR_ELx.
> 
> [...]

Applied to kvmarm/next, thanks!

[1/8] KVM: arm64: Fix clobbered ELR in sync abort/SError
      https://git.kernel.org/kvmarm/kvmarm/c/a8f0655887cc
[2/8] KVM: arm64: Fix __pkvm_init_switch_pgd call ABI
      https://git.kernel.org/kvmarm/kvmarm/c/ea9d7c83d14e
[3/8] KVM: arm64: nVHE: Simplify invalid_host_el2_vect
      https://git.kernel.org/kvmarm/kvmarm/c/6e3b773ed6bc
[4/8] KVM: arm64: nVHE: gen-hyprel: Skip R_AARCH64_ABS32
      https://git.kernel.org/kvmarm/kvmarm/c/4ab3f9dd561b
[5/8] KVM: arm64: VHE: Mark __hyp_call_panic __noreturn
      https://git.kernel.org/kvmarm/kvmarm/c/3c6eb6487693
[6/8] arm64: Introduce esr_brk_comment, esr_is_cfi_brk
      https://git.kernel.org/kvmarm/kvmarm/c/7a928b32f1de
[7/8] KVM: arm64: Introduce print_nvhe_hyp_panic helper
      https://git.kernel.org/kvmarm/kvmarm/c/8f3873a39529
[8/8] KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2
      https://git.kernel.org/kvmarm/kvmarm/c/eca4ba5b6dff

--
Best,
Oliver