From patchwork Fri Apr 12 03:20:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Daniel Kachhap X-Patchwork-Id: 10897159 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0900F1800 for ; Fri, 12 Apr 2019 03:21:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D6A1728D82 for ; Fri, 12 Apr 2019 03:21:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CA30E28DD1; Fri, 12 Apr 2019 03:21:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 72E8928D82 for ; Fri, 12 Apr 2019 03:21:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=HMsq62yEvUhebgpwJ9uJVjQn8J3+UWBklUs0GPsJkNM=; b=IHw D99WMp6/9pdkGpx0C9QT/ht+4gDcEkapM+8US17DDdIKfdsnySCOkMidPc0pLwVDqUbEqUZzTLr8n gw1P6wR0TAuRVdQJTijUlMqPZ54mxfTmVuq/HVV558t4IbBTPvme/1Ffe75HxlxW1BueA0fGfI329 PwCIEiIXf+H3DP8GSGe7E99Ve9nBqrVgiNgmRcx9fdFiQah8ngUT9Vd31zuR4t1keQgcI9Dzg1gVY 6s4t0H6Ce/rKZHtgxkvOZgGP2Hn/up9S5ZShtj943Tq60rUcfI8og4GjnaLnyP6x7sr+INIf8iVSl Tm8FtTpSEKIXQEW+CQKvXwhpKCD8eEw==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1hEmkM-0001Vv-8h; Fri, 12 Apr 2019 03:20:58 +0000 Received: from foss.arm.com ([217.140.101.70]) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1hEmkJ-0001Uy-3X for linux-arm-kernel@lists.infradead.org; Fri, 12 Apr 2019 03:20:56 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CAD9C15AB; Thu, 11 Apr 2019 20:20:51 -0700 (PDT) Received: from a075553-lin.blr.arm.com (a075553-lin.blr.arm.com [10.162.0.144]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 8AB593F59C; Thu, 11 Apr 2019 20:20:47 -0700 (PDT) From: Amit Daniel Kachhap To: linux-arm-kernel@lists.infradead.org Subject: [PATCH v9 0/5] Add ARMv8.3 pointer authentication for kvm guest Date: Fri, 12 Apr 2019 08:50:31 +0530 Message-Id: <1555039236-10608-1-git-send-email-amit.kachhap@arm.com> X-Mailer: git-send-email 2.7.4 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190411_202055_156427_6223598A X-CRM114-Status: GOOD ( 19.82 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Andrew Jones , Julien Thierry , Marc Zyngier , Catalin Marinas , Will Deacon , Christoffer Dall , Kristina Martsenko , kvmarm@lists.cs.columbia.edu, James Morse , Ramana Radhakrishnan , Amit Daniel Kachhap , Dave Martin , linux-kernel@vger.kernel.org MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP Hi, This patch series adds pointer authentication support for KVM guest and is based on top of Linux kvmarm/next repo. The basic patches in this series was originally posted by Mark Rutland earlier[1,2] and contains some history of this work. Extension Overview: ============================================= The ARMv8.3 pointer authentication extension adds functionality to detect modification of pointer values, mitigating certain classes of attack such as stack smashing, and making return oriented programming attacks harder. The extension introduces the concept of a pointer authentication code (PAC), which is stored in some upper bits of pointers. Each PAC is derived from the original pointer, another 64-bit value (e.g. the stack pointer), and a secret 128-bit key. New instructions are added which can be used to: * Insert a PAC into a pointer * Strip a PAC from a pointer * Authenticate and strip a PAC from a pointer The detailed description of ARMv8.3 pointer authentication support in userspace/kernel and can be found in Kristina's generic pointer authentication patch series[3]. KVM guest work: ============================================== If pointer authentication is enabled for KVM guests then the new PAC instructions will not trap to EL2. If not then they may be ignored if in HINT region or trapped in EL2 as illegal instruction. Since KVM guest vcpu runs as a thread so they have a key initialized which will be used by PAC. When world switch happens between host and guest then this key is exchanged. The current v9 patch series contains review comments and suggestions by Kristina Martsenko, Dave Martin, James Morse and Mark Zyngier. Changes since v8 [10]: Major changes are listed below and detail changes are in each patch. * Added a new vcpu specific arch flag to control enabling/disabling ptrauth. * Patches restructured as 3 patches related to hcr_el2, mdcr_el2 and hyp_symbol_addr cleanup and optimization dropped. They will be posted separately. Changes since v7 [9]: Major changes are listed below and detail changes are in each patch. * Comments and Documentation updated to reflect using address/generic features flag together. * Dropped the documentation patch and added those details in the relevant patches. * Rebased the patch series on 2 patches of Dave Martin v6 SVE series. * Small bug fixes. Changes since v6 [8]: Major changes are listed below. * Pointer authentication key switch entirely in assembly now. * isb instruction added after Key switched to host. * Use __hyp_this_cpu_ptr for both VHE and nVHE mode. * 2 separate flags for address and generic authentication. * kvm_arm_vcpu_ptrauth_allowed renamed to has_vcpu_ptrauth. * kvm_arm_vcpu_ptrauth_reset renamed to kvm_arm_vcpu_ptrauth_setup_lazy. * Save of host Key registers now done in ptrauth instruction trap. * A fix to add kern_hyp_va to get correct host_ctxt pointer in nVHE mode. * Patches re-structured to better reflect ABI change. Changes since v5 [7]: Major changes are listed below. * Split hcr_el2 and mdcr_el2 save/restore in two patches. * Reverted back save/restore of sys-reg keys as done in V4 [5]. There was suggestion by James Morse to use ptrauth utilities in a single place in arm core and use them from kvm. However this change deviates from the existing sys-reg implementations and is not scalable. * Invoked the key switch C functions from __guest_enter/__guest_exit assembly. * Host key save is now done inside vcpu_load. * Reverted back masking of cpufeature ID registers for ptrauth when disabled from userpace. * Reset of ptrauth key registers not done conditionally. * Code and Documentation cleanup. Changes since v4 [6]: Several suggestions from James Morse * Move host registers to be saved/restored inside struct kvm_cpu_context. * Similar to hcr_el2, save/restore mdcr_el2 register also. * Added save routines for ptrauth keys in generic arm core and use them during KVM context switch. * Defined a GCC attribute __no_ptrauth which discards generating ptrauth instructions in a function. This is taken from Kristina's earlier kernel pointer authentication support patches [4]. * Dropped a patch to mask cpufeature when not enabled from userspace and now only key registers are masked from register list. Changes since v3 [5]: * Use pointer authentication only when VHE is present as ARM8.3 implies ARM8.1 features to be present. * Added lazy context handling of ptrauth instructions from V2 version again. * Added more details in Documentation. Changes since v2 [1,2]: * Allow host and guest to have different HCR_EL2 settings and not just constant value HCR_HOST_VHE_FLAGS or HCR_HOST_NVHE_FLAGS. * Optimise the reading of HCR_EL2 in host/guest switch by fetching it once during KVM initialisation state and using it later. * Context switch pointer authentication keys when switching between guest and host. Pointer authentication was enabled in a lazy context earlier[2] and is removed now to make it simple. However it can be revisited later if there is significant performance issue. * Added a userspace option to choose pointer authentication. * Based on the userspace option, ptrauth cpufeature will be visible. * Based on the userspace option, ptrauth key registers will be accessible. * A small document is added on how to enable pointer authentication from userspace KVM API. Looking for feedback and comments. Thanks, Amit [1]: https://lore.kernel.org/lkml/20171127163806.31435-11-mark.rutland@arm.com/ [2]: https://lore.kernel.org/lkml/20171127163806.31435-10-mark.rutland@arm.com/ [3]: https://lkml.org/lkml/2018/12/7/666 [4]: https://lore.kernel.org/lkml/20181005084754.20950-1-kristina.martsenko@arm.com/ [5]: https://lkml.org/lkml/2018/10/17/594 [6]: https://lkml.org/lkml/2018/12/18/80 [7]: https://lkml.org/lkml/2019/1/28/49 [8]: https://lkml.org/lkml/2019/2/19/190 [9]: https://lkml.org/lkml/2019/3/19/125 [10]: https://lkml.org/lkml/2019/4/1/1595 Linux (5.1-rc2 based kvmarm/next repo): Amit Daniel Kachhap (3): KVM: arm64: Add a vcpu flag to control ptrauth for guest KVM: arm64: Add userspace flag to enable pointer authentication KVM: arm64: Add capability to advertise ptrauth for guest Mark Rutland (1): KVM: arm/arm64: context-switch ptrauth registers Documentation/arm64/pointer-authentication.txt | 22 ++++- Documentation/virtual/kvm/api.txt | 8 ++ arch/arm/include/asm/kvm_host.h | 1 + arch/arm64/Kconfig | 5 +- arch/arm64/include/asm/kvm_host.h | 23 +++++- arch/arm64/include/asm/kvm_ptrauth_asm.h | 106 +++++++++++++++++++++++++ arch/arm64/include/uapi/asm/kvm.h | 2 + arch/arm64/kernel/asm-offsets.c | 6 ++ arch/arm64/kvm/guest.c | 14 ++++ arch/arm64/kvm/handle_exit.c | 24 ++++-- arch/arm64/kvm/hyp/entry.S | 7 ++ arch/arm64/kvm/reset.c | 29 +++++++ arch/arm64/kvm/sys_regs.c | 46 ++++++++++- include/uapi/linux/kvm.h | 2 + virt/kvm/arm/arm.c | 2 + 15 files changed, 279 insertions(+), 18 deletions(-) create mode 100644 arch/arm64/include/asm/kvm_ptrauth_asm.h kvmtool: Repo: git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git Amit Daniel Kachhap (1): KVM: arm/arm64: Add a vcpu feature for pointer authentication arm/aarch32/include/kvm/kvm-cpu-arch.h | 1 + arm/aarch64/include/asm/kvm.h | 2 ++ arm/aarch64/include/kvm/kvm-config-arch.h | 6 +++++- arm/aarch64/include/kvm/kvm-cpu-arch.h | 2 ++ arm/include/arm-common/kvm-config-arch.h | 2 ++ arm/kvm-cpu.c | 11 +++++++++++ include/linux/kvm.h | 2 ++ 7 files changed, 25 insertions(+), 1 deletion(-)