| Message ID | 20200604133354.1279412-4-maz@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | kvm: arm64: Pointer Authentication handling fixes | expand |
Hi Marc, On Thu, Jun 04, 2020 at 02:33:54PM +0100, Marc Zyngier wrote: > Even if we don't expose PtrAuth to a guest, the guest can still > write to its SCTIRLE_1 register and set the En{I,D}{A,B} bits > and execute PtrAuth instructions from the NOP space. This has > the effect of trapping to EL2, and we currently inject an UNDEF. I think it's worth noting that this is an ill-behaved guest, as those bits are RES0 when pointer authentication isn't implemented. The rationale for RES0/RES1 bits is that new HW can rely on old SW programming them with the 0/1 as appropriate, and that old SW that does not do so may encounter behaviour which from its PoV is UNPREDICTABLE. The SW side of the contract is that you must program them as 0/1 unless you know they're allocated with a specific meaning. With that in mind I think the current behaviour is legitimate: from the guest's PoV it's the same as there being a distinct extension which it is not aware of where the En{I,D}{A,B} bits means "trap some HINTs to EL1". I don't think that we should attempt to work around broken software here unless we absolutely have to, as it only adds complexity for no real gain. Thanks, Mark. > This is definitely the wrong thing to do, as the architecture says > that these instructions should behave as NOPs. > > Instead, we can simply reset the offending SCTLR_EL1 bits to > zero, and resume the guest. It can still observe the SCTLR bits > being set and then being cleared by magic, but that's much better > than delivering an unexpected extension. > > Signed-off-by: Marc Zyngier <maz@kernel.org> > --- > arch/arm64/kvm/handle_exit.c | 12 ------------ > arch/arm64/kvm/hyp/switch.c | 18 ++++++++++++++++-- > 2 files changed, 16 insertions(+), 14 deletions(-) > > diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c > index 5a02d4c90559..98d8adf6f865 100644 > --- a/arch/arm64/kvm/handle_exit.c > +++ b/arch/arm64/kvm/handle_exit.c > @@ -162,17 +162,6 @@ static int handle_sve(struct kvm_vcpu *vcpu, struct kvm_run *run) > return 1; > } > > -/* > - * Guest usage of a ptrauth instruction (which the guest EL1 did not turn into > - * a NOP). If we get here, it is that we didn't fixup ptrauth on exit, and all > - * that we can do is give the guest an UNDEF. > - */ > -static int kvm_handle_ptrauth(struct kvm_vcpu *vcpu, struct kvm_run *run) > -{ > - kvm_inject_undefined(vcpu); > - return 1; > -} > - > static exit_handle_fn arm_exit_handlers[] = { > [0 ... ESR_ELx_EC_MAX] = kvm_handle_unknown_ec, > [ESR_ELx_EC_WFx] = kvm_handle_wfx, > @@ -195,7 +184,6 @@ static exit_handle_fn arm_exit_handlers[] = { > [ESR_ELx_EC_BKPT32] = kvm_handle_guest_debug, > [ESR_ELx_EC_BRK64] = kvm_handle_guest_debug, > [ESR_ELx_EC_FP_ASIMD] = handle_no_fpsimd, > - [ESR_ELx_EC_PAC] = kvm_handle_ptrauth, > }; > > static exit_handle_fn kvm_get_exit_handler(struct kvm_vcpu *vcpu) > diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c > index 2a50b3771c3b..fc09c3dfa466 100644 > --- a/arch/arm64/kvm/hyp/switch.c > +++ b/arch/arm64/kvm/hyp/switch.c > @@ -503,8 +503,22 @@ static bool __hyp_text __hyp_handle_ptrauth(struct kvm_vcpu *vcpu) > struct kvm_cpu_context *ctxt; > u64 val; > > - if (!vcpu_has_ptrauth(vcpu)) > - return false; > + if (!vcpu_has_ptrauth(vcpu)) { > + if (ec != ESR_ELx_EC_PAC) > + return false; > + > + /* > + * Interesting situation: the guest has enabled PtrAuth, > + * despite KVM not advertising it. Fix SCTLR_El1 on behalf > + * of the guest (the bits should behave as RES0 anyway). > + */ > + val = read_sysreg_el1(SYS_SCTLR); > + val &= ~(SCTLR_ELx_ENIA | SCTLR_ELx_ENIB | > + SCTLR_ELx_ENDA | SCTLR_ELx_ENDB); > + write_sysreg_el1(val, SYS_SCTLR); > + > + return true; > + } > > switch (ec) { > case ESR_ELx_EC_PAC: > -- > 2.26.2 >
Hi Mark, On 2020-06-04 16:39, Mark Rutland wrote: > Hi Marc, > > On Thu, Jun 04, 2020 at 02:33:54PM +0100, Marc Zyngier wrote: >> Even if we don't expose PtrAuth to a guest, the guest can still >> write to its SCTIRLE_1 register and set the En{I,D}{A,B} bits >> and execute PtrAuth instructions from the NOP space. This has >> the effect of trapping to EL2, and we currently inject an UNDEF. > > I think it's worth noting that this is an ill-behaved guest, as those > bits are RES0 when pointer authentication isn't implemented. > > The rationale for RES0/RES1 bits is that new HW can rely on old SW > programming them with the 0/1 as appropriate, and that old SW that does > not do so may encounter behaviour which from its PoV is UNPREDICTABLE. > The SW side of the contract is that you must program them as 0/1 unless > you know they're allocated with a specific meaning. > > With that in mind I think the current behaviour is legitimate: from the > guest's PoV it's the same as there being a distinct extension which it > is not aware of where the En{I,D}{A,B} bits means "trap some HINTs to > EL1". > > I don't think that we should attempt to work around broken software > here > unless we absolutely have to, as it only adds complexity for no real > gain. Fair enough. I was worried of the behaviour difference between HW without PtrAuth and a guest with HW not advertised. Ideally, they should have the same behaviour, but the architecture feels a bit brittle here. Anyway, I'll drop this patch, and hopefully no guest will play this game (they'll know pretty quickly about the issue anyway). Thanks, M.
diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c index 5a02d4c90559..98d8adf6f865 100644 --- a/arch/arm64/kvm/handle_exit.c +++ b/arch/arm64/kvm/handle_exit.c @@ -162,17 +162,6 @@ static int handle_sve(struct kvm_vcpu *vcpu, struct kvm_run *run) return 1; } -/* - * Guest usage of a ptrauth instruction (which the guest EL1 did not turn into - * a NOP). If we get here, it is that we didn't fixup ptrauth on exit, and all - * that we can do is give the guest an UNDEF. - */ -static int kvm_handle_ptrauth(struct kvm_vcpu *vcpu, struct kvm_run *run) -{ - kvm_inject_undefined(vcpu); - return 1; -} - static exit_handle_fn arm_exit_handlers[] = { [0 ... ESR_ELx_EC_MAX] = kvm_handle_unknown_ec, [ESR_ELx_EC_WFx] = kvm_handle_wfx, @@ -195,7 +184,6 @@ static exit_handle_fn arm_exit_handlers[] = { [ESR_ELx_EC_BKPT32] = kvm_handle_guest_debug, [ESR_ELx_EC_BRK64] = kvm_handle_guest_debug, [ESR_ELx_EC_FP_ASIMD] = handle_no_fpsimd, - [ESR_ELx_EC_PAC] = kvm_handle_ptrauth, }; static exit_handle_fn kvm_get_exit_handler(struct kvm_vcpu *vcpu) diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c index 2a50b3771c3b..fc09c3dfa466 100644 --- a/arch/arm64/kvm/hyp/switch.c +++ b/arch/arm64/kvm/hyp/switch.c @@ -503,8 +503,22 @@ static bool __hyp_text __hyp_handle_ptrauth(struct kvm_vcpu *vcpu) struct kvm_cpu_context *ctxt; u64 val; - if (!vcpu_has_ptrauth(vcpu)) - return false; + if (!vcpu_has_ptrauth(vcpu)) { + if (ec != ESR_ELx_EC_PAC) + return false; + + /* + * Interesting situation: the guest has enabled PtrAuth, + * despite KVM not advertising it. Fix SCTLR_El1 on behalf + * of the guest (the bits should behave as RES0 anyway). + */ + val = read_sysreg_el1(SYS_SCTLR); + val &= ~(SCTLR_ELx_ENIA | SCTLR_ELx_ENIB | + SCTLR_ELx_ENDA | SCTLR_ELx_ENDB); + write_sysreg_el1(val, SYS_SCTLR); + + return true; + } switch (ec) { case ESR_ELx_EC_PAC:
Even if we don't expose PtrAuth to a guest, the guest can still write to its SCTIRLE_1 register and set the En{I,D}{A,B} bits and execute PtrAuth instructions from the NOP space. This has the effect of trapping to EL2, and we currently inject an UNDEF. This is definitely the wrong thing to do, as the architecture says that these instructions should behave as NOPs. Instead, we can simply reset the offending SCTLR_EL1 bits to zero, and resume the guest. It can still observe the SCTLR bits being set and then being cleared by magic, but that's much better than delivering an unexpected extension. Signed-off-by: Marc Zyngier <maz@kernel.org> --- arch/arm64/kvm/handle_exit.c | 12 ------------ arch/arm64/kvm/hyp/switch.c | 18 ++++++++++++++++-- 2 files changed, 16 insertions(+), 14 deletions(-)