| Message ID | E1fMDHD-00073Q-Ob@rmk-PC.armlinux.org.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
* Russell King <rmk+kernel@armlinux.org.uk> [180525 15:10]: > +static void cpu_v7_spectre_init(void) > +{ > + const char *spectre_v2_method = NULL; > + int cpu = smp_processor_id(); > + > + if (per_cpu(harden_branch_predictor_fn, cpu)) > + return; > + > + switch (read_cpuid_part()) { > + case ARM_CPU_PART_CORTEX_A8: > + case ARM_CPU_PART_CORTEX_A9: > + case ARM_CPU_PART_CORTEX_A12: > + case ARM_CPU_PART_CORTEX_A17: > + case ARM_CPU_PART_CORTEX_A73: > + case ARM_CPU_PART_CORTEX_A75: > + per_cpu(harden_branch_predictor_fn, cpu) = > + harden_branch_predictor_bpiall; > + spectre_v2_method = "BPIALL"; > + break; > + > + case ARM_CPU_PART_CORTEX_A15: > + case ARM_CPU_PART_BRAHMA_B15: > + per_cpu(harden_branch_predictor_fn, cpu) = > + harden_branch_predictor_iciallu; > + spectre_v2_method = "ICIALLU"; > + break; > + } > + if (spectre_v2_method) > + pr_info("CPU%u: Spectre v2: using %s workaround\n", > + smp_processor_id(), spectre_v2_method); > +} We can now get this with the whole series applied: CPU0: Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable CPU: Spectre v2: using ICIALLU workaround So maybe change the wording from "using %s workaround" to "chosen workaround %s"? Or I guess disabling the pr_info when not functional can be done in the later patches based on some variable set by check_spectre_auxcr() would be doable too. Regards, Tony
On Fri, May 25, 2018 at 08:47:42AM -0700, Tony Lindgren wrote: > * Russell King <rmk+kernel@armlinux.org.uk> [180525 15:10]: > > +static void cpu_v7_spectre_init(void) > > +{ > > + const char *spectre_v2_method = NULL; > > + int cpu = smp_processor_id(); > > + > > + if (per_cpu(harden_branch_predictor_fn, cpu)) > > + return; > > + > > + switch (read_cpuid_part()) { > > + case ARM_CPU_PART_CORTEX_A8: > > + case ARM_CPU_PART_CORTEX_A9: > > + case ARM_CPU_PART_CORTEX_A12: > > + case ARM_CPU_PART_CORTEX_A17: > > + case ARM_CPU_PART_CORTEX_A73: > > + case ARM_CPU_PART_CORTEX_A75: > > + per_cpu(harden_branch_predictor_fn, cpu) = > > + harden_branch_predictor_bpiall; > > + spectre_v2_method = "BPIALL"; > > + break; > > + > > + case ARM_CPU_PART_CORTEX_A15: > > + case ARM_CPU_PART_BRAHMA_B15: > > + per_cpu(harden_branch_predictor_fn, cpu) = > > + harden_branch_predictor_iciallu; > > + spectre_v2_method = "ICIALLU"; > > + break; > > + } > > + if (spectre_v2_method) > > + pr_info("CPU%u: Spectre v2: using %s workaround\n", > > + smp_processor_id(), spectre_v2_method); > > +} > > We can now get this with the whole series applied: > > CPU0: Spectre v2: firmware did not set auxiliary control register > IBE bit, system vulnerable > CPU: Spectre v2: using ICIALLU workaround > > So maybe change the wording from "using %s workaround" to > "chosen workaround %s"? > > Or I guess disabling the pr_info when not functional can > be done in the later patches based on some variable set > by check_spectre_auxcr() would be doable too. You should not be getting both messages. It looks like you're using an older series - I assumed you pulled my git tree rather than the patches? The public git tree isn't up to date with these changes.
* Russell King - ARM Linux <linux@armlinux.org.uk> [180525 15:54]: > On Fri, May 25, 2018 at 08:47:42AM -0700, Tony Lindgren wrote: > > We can now get this with the whole series applied: > > > > CPU0: Spectre v2: firmware did not set auxiliary control register > > IBE bit, system vulnerable > > CPU: Spectre v2: using ICIALLU workaround > > > > So maybe change the wording from "using %s workaround" to > > "chosen workaround %s"? > > > > Or I guess disabling the pr_info when not functional can > > be done in the later patches based on some variable set > > by check_spectre_auxcr() would be doable too. > > You should not be getting both messages. It looks like you're using > an older series - I assumed you pulled my git tree rather than the > patches? The public git tree isn't up to date with these changes. Yes I just fetched your git tree because it allows using git mergetool because of the conflicts with next. I'll apply manually and test again. Thanks, Tony
* Tony Lindgren <tony@atomide.com> [180525 16:04]: > * Russell King - ARM Linux <linux@armlinux.org.uk> [180525 15:54]: > > On Fri, May 25, 2018 at 08:47:42AM -0700, Tony Lindgren wrote: > > > We can now get this with the whole series applied: > > > > > > CPU0: Spectre v2: firmware did not set auxiliary control register > > > IBE bit, system vulnerable > > > CPU: Spectre v2: using ICIALLU workaround > > > > > > So maybe change the wording from "using %s workaround" to > > > "chosen workaround %s"? > > > > > > Or I guess disabling the pr_info when not functional can > > > be done in the later patches based on some variable set > > > by check_spectre_auxcr() would be doable too. > > > > You should not be getting both messages. It looks like you're using > > an older series - I assumed you pulled my git tree rather than the > > patches? The public git tree isn't up to date with these changes. > > Yes I just fetched your git tree because it allows using > git mergetool because of the conflicts with next. I'll apply > manually and test again. And testing with the correct patches in the $subject series makes the issue go away. Regards, Tony
diff --git a/arch/arm/include/asm/cp15.h b/arch/arm/include/asm/cp15.h index 4c9fa72b59f5..07e27f212dc7 100644 --- a/arch/arm/include/asm/cp15.h +++ b/arch/arm/include/asm/cp15.h @@ -65,6 +65,9 @@ #define __write_sysreg(v, r, w, c, t) asm volatile(w " " c : : "r" ((t)(v))) #define write_sysreg(v, ...) __write_sysreg(v, __VA_ARGS__) +#define BPIALL __ACCESS_CP15(c7, 0, c5, 6) +#define ICIALLU __ACCESS_CP15(c7, 0, c5, 0) + extern unsigned long cr_alignment; /* defined in entry-armv.S */ static inline unsigned long get_cr(void) diff --git a/arch/arm/include/asm/system_misc.h b/arch/arm/include/asm/system_misc.h index 78f6db114faf..8e76db83c498 100644 --- a/arch/arm/include/asm/system_misc.h +++ b/arch/arm/include/asm/system_misc.h @@ -8,6 +8,7 @@ #include <linux/linkage.h> #include <linux/irqflags.h> #include <linux/reboot.h> +#include <linux/percpu.h> extern void cpu_init(void); @@ -15,6 +16,20 @@ void soft_restart(unsigned long); extern void (*arm_pm_restart)(enum reboot_mode reboot_mode, const char *cmd); extern void (*arm_pm_idle)(void); +#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR +typedef void (*harden_branch_predictor_fn_t)(void); +DECLARE_PER_CPU(harden_branch_predictor_fn_t, harden_branch_predictor_fn); +static inline void harden_branch_predictor(void) +{ + harden_branch_predictor_fn_t fn = per_cpu(harden_branch_predictor_fn, + smp_processor_id()); + if (fn) + fn(); +} +#else +#define harden_branch_predictor() do { } while (0) +#endif + #define UDBG_UNDEFINED (1 << 0) #define UDBG_SYSCALL (1 << 1) #define UDBG_BADABORT (1 << 2) diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c index b75eada23d0a..3b1ba003c4f9 100644 --- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -163,6 +163,9 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr, { struct siginfo si; + if (addr > TASK_SIZE) + harden_branch_predictor(); + #ifdef CONFIG_DEBUG_USER if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) || ((user_debug & UDBG_BUS) && (sig == SIGBUS))) { diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c index a32ce13479d9..585b2b61d7d3 100644 --- a/arch/arm/mm/proc-v7-bugs.c +++ b/arch/arm/mm/proc-v7-bugs.c @@ -2,28 +2,92 @@ #include <linux/kernel.h> #include <linux/smp.h> -static __maybe_unused void cpu_v7_check_auxcr_set(u32 mask, const char *msg) +#include <asm/cp15.h> +#include <asm/cputype.h> +#include <asm/system_misc.h> + +#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR +DEFINE_PER_CPU(harden_branch_predictor_fn_t, harden_branch_predictor_fn); + +static void harden_branch_predictor_bpiall(void) +{ + write_sysreg(0, BPIALL); +} + +static void harden_branch_predictor_iciallu(void) +{ + write_sysreg(0, ICIALLU); +} + +static void cpu_v7_spectre_init(void) +{ + const char *spectre_v2_method = NULL; + int cpu = smp_processor_id(); + + if (per_cpu(harden_branch_predictor_fn, cpu)) + return; + + switch (read_cpuid_part()) { + case ARM_CPU_PART_CORTEX_A8: + case ARM_CPU_PART_CORTEX_A9: + case ARM_CPU_PART_CORTEX_A12: + case ARM_CPU_PART_CORTEX_A17: + case ARM_CPU_PART_CORTEX_A73: + case ARM_CPU_PART_CORTEX_A75: + per_cpu(harden_branch_predictor_fn, cpu) = + harden_branch_predictor_bpiall; + spectre_v2_method = "BPIALL"; + break; + + case ARM_CPU_PART_CORTEX_A15: + case ARM_CPU_PART_BRAHMA_B15: + per_cpu(harden_branch_predictor_fn, cpu) = + harden_branch_predictor_iciallu; + spectre_v2_method = "ICIALLU"; + break; + } + if (spectre_v2_method) + pr_info("CPU%u: Spectre v2: using %s workaround\n", + smp_processor_id(), spectre_v2_method); +} +#else +static void cpu_v7_spectre_init(void) +{ +} +#endif + +static __maybe_unused bool cpu_v7_check_auxcr_set(u32 mask, const char *msg) { u32 aux_cr; asm("mrc p15, 0, %0, c1, c0, 1" : "=r" (aux_cr)); - if ((aux_cr & mask) != mask) + if ((aux_cr & mask) != mask) { pr_err("CPU%u: %s", smp_processor_id(), msg); + return false; + } + return true; } -static void check_spectre_auxcr(u32 bit) +static bool check_spectre_auxcr(u32 bit) { - if (IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR)) + return IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR) && cpu_v7_check_auxcr_set(bit, "Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable\n"); } void cpu_v7_ca8_ibe(void) { - check_spectre_auxcr(BIT(6)); + if (check_spectre_auxcr(BIT(6))) + cpu_v7_spectre_init(); } void cpu_v7_ca15_ibe(void) { - check_spectre_auxcr(BIT(0)); + if (check_spectre_auxcr(BIT(0))) + cpu_v7_spectre_init(); +} + +void cpu_v7_bugs_init(void) +{ + cpu_v7_spectre_init(); } diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S index fa9214036fb3..79510011e7eb 100644 --- a/arch/arm/mm/proc-v7.S +++ b/arch/arm/mm/proc-v7.S @@ -532,8 +532,10 @@ ENDPROC(__v7_setup) __INITDATA + .weak cpu_v7_bugs_init + @ define struct processor (see <asm/proc-fns.h> and proc-macros.S) - define_processor_functions v7, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 + define_processor_functions v7, dabort=v7_early_abort, pabort=v7_pabort, suspend=1, bugs=cpu_v7_bugs_init #ifdef CONFIG_HARDEN_BRANCH_PREDICTOR @ generic v7 bpiall on context switch @@ -548,7 +550,7 @@ ENDPROC(__v7_setup) globl_equ cpu_v7_bpiall_do_suspend, cpu_v7_do_suspend globl_equ cpu_v7_bpiall_do_resume, cpu_v7_do_resume #endif - define_processor_functions v7_bpiall, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 + define_processor_functions v7_bpiall, dabort=v7_early_abort, pabort=v7_pabort, suspend=1, bugs=cpu_v7_bugs_init #define HARDENED_BPIALL_PROCESSOR_FUNCTIONS v7_bpiall_processor_functions #else @@ -584,7 +586,7 @@ ENDPROC(__v7_setup) globl_equ cpu_ca9mp_switch_mm, cpu_v7_switch_mm #endif globl_equ cpu_ca9mp_set_pte_ext, cpu_v7_set_pte_ext - define_processor_functions ca9mp, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 + define_processor_functions ca9mp, dabort=v7_early_abort, pabort=v7_pabort, suspend=1, bugs=cpu_v7_bugs_init #endif @ Cortex-A15 - needs iciallu switch_mm for hardening
In order to prevent aliasing attacks on the branch predictor, invalidate the BTB or instruction cache on CPUs that are known to be affected when taking an abort on a address that is outside of a user task limit: Cortex A8, A9, A12, A17, A73, A75: flush BTB. Cortex A15, Brahma B15: invalidate icache. If the IBE bit is not set, then there is little point to enabling the workaround. Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> --- arch/arm/include/asm/cp15.h | 3 ++ arch/arm/include/asm/system_misc.h | 15 ++++++++ arch/arm/mm/fault.c | 3 ++ arch/arm/mm/proc-v7-bugs.c | 76 +++++++++++++++++++++++++++++++++++--- arch/arm/mm/proc-v7.S | 8 ++-- 5 files changed, 96 insertions(+), 9 deletions(-)