| Message ID | 20240801-arm64-gcs-v10-4-699e2bd2190b@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | arm64/gcs: Provide support for GCS in userspace | expand |
On Thu, Aug 01, 2024 at 01:06:31PM +0100, Mark Brown wrote: > + - If EL2 is present: > + > + - GCSCR_EL2 must be initialised to 0. > + > + - If the kernel is entered at EL1 and EL2 is present: > + > + - GCSCR_EL1 must be initialised to 0. > + > + - GCSCRE0_EL1 must be initialised to 0. Currently booting.rst doesn't list *_EL1 registers to be initialised when the kernel is entered at EL1, that would usually be the responsibility of EL1. The exception is some bits in SCTLR_EL1 around not entering with the MMU and caches enabled. But here I think it makes sense to add these GCS registers since if some random bits are set, they can affect kernels (and user apps) that don't have GCS support. Don't we need HCRX_EL2.GCSEn to be set when entered at EL1?
On Thu, Aug 15, 2024 at 06:00:15PM +0100, Catalin Marinas wrote: > On Thu, Aug 01, 2024 at 01:06:31PM +0100, Mark Brown wrote: > > + - If EL2 is present: > > + - GCSCR_EL2 must be initialised to 0. > > + - If the kernel is entered at EL1 and EL2 is present: > > + > > + - GCSCR_EL1 must be initialised to 0. > > + > > + - GCSCRE0_EL1 must be initialised to 0. > Currently booting.rst doesn't list *_EL1 registers to be initialised > when the kernel is entered at EL1, that would usually be the > responsibility of EL1. The exception is some bits in SCTLR_EL1 around > not entering with the MMU and caches enabled. But here I think it makes > sense to add these GCS registers since if some random bits are set, they > can affect kernels (and user apps) that don't have GCS support. Right, exactly - the trouble here is that if we enter EL1 with GCS enabled we aren't able to do function calls until we either disable GCS or configure the MMU and allocate a GCS. This means that all existing kernels which haven't heard of GCS require that GCS be disabled prior to starting, they'll just fault within a couple of instructions whenever they reach the EL for which GCS is enabled so it seems sensible to just require that this is set up. It is hard to envision a scenario in which it would be reasonable to start in a different configuration. Now I think about it I should move those two to not depend on EL2 being present, that's just cut'n'paste. > Don't we need HCRX_EL2.GCSEn to be set when entered at EL1? Yes, if we want GCS to do anything. I've added this.
diff --git a/Documentation/arch/arm64/booting.rst b/Documentation/arch/arm64/booting.rst index b57776a68f15..f5b8e4bb9653 100644 --- a/Documentation/arch/arm64/booting.rst +++ b/Documentation/arch/arm64/booting.rst @@ -411,6 +411,36 @@ Before jumping into the kernel, the following conditions must be met: - HFGRWR_EL2.nPIRE0_EL1 (bit 57) must be initialised to 0b1. + - For CPUs with Guarded Control Stacks (FEAT_GCS): + + - If EL3 is present: + + - SCR_EL3.GCSEn (bit 39) must be initialised to 0b1. + + - If EL2 is present: + + - GCSCR_EL2 must be initialised to 0. + + - If the kernel is entered at EL1 and EL2 is present: + + - GCSCR_EL1 must be initialised to 0. + + - GCSCRE0_EL1 must be initialised to 0. + + - HFGITR_EL2.nGCSEPP (bit 59) must be initialised to 0b1. + + - HFGITR_EL2.nGCSSTR_EL1 (bit 58) must be initialised to 0b1. + + - HFGITR_EL2.nGCSPUSHM_EL1 (bit 57) must be initialised to 0b1. + + - HFGRTR_EL2.nGCS_EL1 (bit 53) must be initialised to 0b1. + + - HFGRTR_EL2.nGCS_EL0 (bit 52) must be initialised to 0b1. + + - HFGWTR_EL2.nGCS_EL1 (bit 53) must be initialised to 0b1. + + - HFGWTR_EL2.nGCS_EL0 (bit 52) must be initialised to 0b1. + The requirements described above for CPU mode, caches, MMUs, architected timers, coherency and system registers apply to all CPUs. All CPUs must enter the kernel in the same exception level. Where the values documented
FEAT_GCS introduces a number of new system registers, we require that access to these registers is not trapped when we identify that the feature is detected. Since if GCS is enabled any function call instruction will be checked we also require that the feature be specifically disabled. Signed-off-by: Mark Brown <broonie@kernel.org> --- Documentation/arch/arm64/booting.rst | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+)