From patchwork Tue Jan 23 21:16:13 2024
X-Patchwork-Submitter: Linus Walleij
X-Patchwork-Id: 13528141
From:
Linus Walleij
Subject: [PATCH 0/4] PAN for ARM32 using LPAE
Date: Tue, 23 Jan 2024 22:16:13 +0100
Message-Id: <20240123-arm32-lpae-pan-v1-0-7ea98a20514c@linaro.org>
To: Russell King, Ard Biesheuvel, Arnd Bergmann, Stefan Wahren, Kees Cook, Geert Uytterhoeven
Cc: linux-arm-kernel@lists.infradead.org, Linus Walleij, Catalin Marinas

This is a patch set from Catalin that ended up on the back burner.

Since LPAE systems, i.e. ARM32 systems with a lot of physical memory, will be with us for a while more, this is a pretty straight-forward hardening measure that we should support.

The last patch explains the mechanism: since PAN using CPU domains isn't available when using the LPAE MMU tables, we use the split between the two translation base tables instead: TTBR0 is for userspace pages and TTBR1 is for kernelspace tables. When executing in kernelspace: we protect userspace by simply disabling page walks in TTBR0.

This was tested by a simple hack in the ELF loader:

create_elf_tables() + unsigned char *test; (...) 
if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes))) return -EFAULT; + /* Cause a kernelspace access to userspace memory */ + test = (char *)u_rand_bytes; + pr_info("Some byte: %02x\n", *test);

This tries to read a byte from userspace memory right after the first unconditional copy_to_user(), a function that carefully switches access permissions if we're using PAN. Without LPAE PAN this will just happily print these bytes from userspace but with LPAE PAN it will cause a predictable crash:

Run /init as init process
Some byte: ac
8<--- cut here ---
Unable to handle kernel paging request at virtual address 7ec59f6b when read
[7ec59f6b] *pgd=82c3b003, *pmd=82863003, *pte=e00000882f6f5f
Internal error: Oops: 206 [#1] SMP ARM
CPU: 0 PID: 47 Comm: rc.init Not tainted 6.7.0-rc1+ #25
Hardware name: ARM-Versatile Express
PC is at create_elf_tables+0x13c/0x608

Thus we can show that LPAE PAN does its job.

Changes from Catalin's initial patch set:

- Use IS_ENABLED() to avoid some ifdefs
- Create a uaccess_disabled() for classic CPU domains and create a stub uaccess_disabled() for !PAN so we can always check this.

Signed-off-by: Linus Walleij
Tested-by: Kees Cook
---
Catalin Marinas (4):
      ARM: Add TTBCR_* definitions to pgtable-3level-hwdef.h
      ARM: Move asm statements accessing TTBCR into C functions
      ARM: Reduce the number of #ifdef CONFIG_CPU_SW_DOMAIN_PAN
      ARM: Implement privileged no-access using TTBR0 page table walks disabling

 arch/arm/Kconfig                            | 22 ++++++++--
 arch/arm/include/asm/assembler.h            |  1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h | 26 +++++++++++
 arch/arm/include/asm/proc-fns.h             | 12 +++++
 arch/arm/include/asm/uaccess-asm.h          | 58 ++++++++++++++++++++++--
 arch/arm/include/asm/uaccess.h              | 68 ++++++++++++++++++++++++++---
 arch/arm/kernel/suspend.c                   |  8 ++++
 arch/arm/lib/csumpartialcopyuser.S          | 20 ++++++++-
 arch/arm/mm/fault.c                         |  8 ++++
 arch/arm/mm/mmu.c                           |  7 ++-
 10 files changed, 212 insertions(+), 18 deletions(-)
---
base-commit: 8615ebf1370a798c403b4495f39de48270ad48f9
change-id: 20231216-arm32-lpae-pan-56125ab63d63

Best regards,
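
Review bot: In the create_elf_tables() test hack, test is declared as unsigned char * but the assignment casts with (char *)u_rand_bytes, so the two pointer types differ in signedness; casting to (unsigned char *) would match the declaration and the %02x format. The direct *test dereference is the deliberate fault the text describes, so nothing else in the hack needs to change.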
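
Added example, not part of the original mail or of the patch series: a small user-space C model of the mechanism the cover letter describes, where a direct kernel-side load from a user address faults while TTBR0 walks are disabled and an accessor that saves, enables and restores succeeds. The model_* names, MODEL_SPLIT and MODEL_BYTE are constructed for illustration; TTBCR_EPD0 is the LPAE TTBCR bit that disables walks through TTBR0.

```c
#include <stdbool.h>
#include <stdint.h>

#define TTBCR_EPD0  (1u << 7)    /* LPAE TTBCR.EPD0: no table walks via TTBR0 */
#define MODEL_SPLIT 0x80000000u  /* constructed user/kernel boundary (assumption) */
#define MODEL_BYTE  0x5a         /* constructed content of "user memory" */

/* Stand-in for the TTBCR register; starts in the "kernel, PAN on" state. */
static uint32_t model_ttbcr = TTBCR_EPD0;

/* Same role as the uaccess_disabled() check named in the mail. */
static bool model_uaccess_disabled(void) { return (model_ttbcr & TTBCR_EPD0) != 0; }

/* Open the window and return the old state so nested callers restore it. */
static uint32_t model_uaccess_save_and_enable(void)
{
    uint32_t old = model_ttbcr;
    model_ttbcr &= ~TTBCR_EPD0;
    return old;
}

static void model_uaccess_restore(uint32_t old) { model_ttbcr = old; }

/* One simulated load: 0 on success, -1 where the MMU would fault. */
static int model_load(uint32_t va, uint8_t *out)
{
    if (va < MODEL_SPLIT && model_uaccess_disabled())
        return -1;               /* user address, TTBR0 walks are off */
    *out = (va < MODEL_SPLIT) ? MODEL_BYTE : 0;  /* TTBR1 side unaffected */
    return 0;
}

/* Accessor pattern: enable, touch user memory, put the old state back. */
static int model_get_user(uint32_t va, uint8_t *out)
{
    uint32_t old = model_uaccess_save_and_enable();
    int ret = model_load(va, out);
    model_uaccess_restore(old);
    return ret;
}

int main(void)
{
    uint8_t b = 0;
    int direct = model_load(0x7ec59f6bu, &b);      /* like the test hack */
    int sanctioned = model_get_user(0x7ec59f6bu, &b);
    return !(direct == -1 && sanctioned == 0 && model_uaccess_disabled());
}
```

Returning the previous register value instead of unconditionally re-disabling is what keeps a nested accessor from closing a window its caller opened.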