[3/5] spapr: Generate random HASHPKEYR for spapr machines

Message ID	20241219034035.1826173-4-npiggin@gmail.com (mailing list archive)
State	New
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Nicholas Piggin <npiggin@gmail.com> To: qemu-ppc@nongnu.org Cc: Nicholas Piggin <npiggin@gmail.com>, Daniel Henrique Barboza <danielhb413@gmail.com>, Harsh Prateek Bora <harshpb@linux.ibm.com>, qemu-devel@nongnu.org Subject: [PATCH 3/5] spapr: Generate random HASHPKEYR for spapr machines Date: Thu, 19 Dec 2024 13:40:33 +1000 Message-ID: <20241219034035.1826173-4-npiggin@gmail.com> In-Reply-To: <20241219034035.1826173-1-npiggin@gmail.com> References: <20241219034035.1826173-1-npiggin@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::635; envelope-from=npiggin@gmail.com; helo=mail-pl1-x635.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	ppc: misc ppc patches \| expand [0/5] ppc: misc ppc patches [1/5] target/ppc: fix timebase register reset state [2/5] spapr: Fix vpa dispatch count for record-replay [3/5] spapr: Generate random HASHPKEYR for spapr machines [4/5] target/ppc: Avoid warning message for zero process table entries [5/5] target/ppc: Wire up BookE ATB registers for e500 family

Message ID

20241219034035.1826173-4-npiggin@gmail.com (mailing list archive)

State

New

Headers

From: Nicholas Piggin <npiggin@gmail.com>
To: qemu-ppc@nongnu.org
Cc: Nicholas Piggin <npiggin@gmail.com>,
 Daniel Henrique Barboza <danielhb413@gmail.com>,
 Harsh Prateek Bora <harshpb@linux.ibm.com>, qemu-devel@nongnu.org
Subject: [PATCH 3/5] spapr: Generate random HASHPKEYR for spapr machines
Date: Thu, 19 Dec 2024 13:40:33 +1000
Message-ID: <20241219034035.1826173-4-npiggin@gmail.com>
In-Reply-To: <20241219034035.1826173-1-npiggin@gmail.com>
References: <20241219034035.1826173-1-npiggin@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2607:f8b0:4864:20::635;
 envelope-from=npiggin@gmail.com; helo=mail-pl1-x635.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

ppc: misc ppc patches | expand

Commit Message

Nicholas Piggin Dec. 19, 2024, 3:40 a.m. UTC

The hypervisor is expected to create a value for the HASHPKEY SPR for
each partition. Currently it uses zero for all partitions, use a
random number instead, which in theory might make kernel ROP protection
more secure.

Signed-of-by: Nicholas Piggin <npiggin@gmail.com>
---
 include/hw/ppc/spapr.h  | 1 +
 hw/ppc/spapr.c          | 3 +++
 hw/ppc/spapr_cpu_core.c | 2 ++
 3 files changed, 6 insertions(+)

Comments

Harsh Prateek Bora Dec. 20, 2024, 9:16 a.m. UTC | #1

On 12/19/24 09:10, Nicholas Piggin wrote:
> The hypervisor is expected to create a value for the HASHPKEY SPR for
> each partition. Currently it uses zero for all partitions, use a
> random number instead, which in theory might make kernel ROP protection
> more secure.
> 
> Signed-of-by: Nicholas Piggin <npiggin@gmail.com>

Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>

> ---
>   include/hw/ppc/spapr.h  | 1 +
>   hw/ppc/spapr.c          | 3 +++
>   hw/ppc/spapr_cpu_core.c | 2 ++
>   3 files changed, 6 insertions(+)
> 
> diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
> index af4aa1cb0fb..db44893689b 100644
> --- a/include/hw/ppc/spapr.h
> +++ b/include/hw/ppc/spapr.h
> @@ -201,6 +201,7 @@ struct SpaprMachineState {
>       uint32_t fdt_initial_size;
>       void *fdt_blob;
>       uint8_t fdt_rng_seed[32];
> +    uint64_t hashpkey_val;
>       long kernel_size;
>       bool kernel_le;
>       uint64_t kernel_addr;
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index fa05e0c5156..34934afd551 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -2888,6 +2888,9 @@ static void spapr_machine_init(MachineState *machine)
>           spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
>       }
>   
> +    qemu_guest_getrandom_nofail(&spapr->hashpkey_val,
> +                                sizeof(spapr->hashpkey_val));
> +
>       /* init CPUs */
>       spapr_init_cpus(spapr);
>   
> diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> index 88d743a3c3f..bf9f29f4ff3 100644
> --- a/hw/ppc/spapr_cpu_core.c
> +++ b/hw/ppc/spapr_cpu_core.c
> @@ -273,6 +273,8 @@ static bool spapr_realize_vcpu(PowerPCCPU *cpu, SpaprMachineState *spapr,
>       env->spr_cb[SPR_PIR].default_value = cs->cpu_index;
>       env->spr_cb[SPR_TIR].default_value = thread_index;
>   
> +    env->spr_cb[SPR_HASHPKEYR].default_value = spapr->hashpkey_val;
> +
>       cpu_ppc_set_1lpar(cpu);
>   
>       /* Set time-base frequency to 512 MHz. vhyp must be set first. */

Philippe Mathieu-Daudé Dec. 20, 2024, 10:30 a.m. UTC | #2

On 19/12/24 04:40, Nicholas Piggin wrote:
> The hypervisor is expected to create a value for the HASHPKEY SPR for
> each partition. Currently it uses zero for all partitions, use a
> random number instead, which in theory might make kernel ROP protection
> more secure.
> 
> Signed-of-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>   include/hw/ppc/spapr.h  | 1 +
>   hw/ppc/spapr.c          | 3 +++
>   hw/ppc/spapr_cpu_core.c | 2 ++
>   3 files changed, 6 insertions(+)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index af4aa1cb0fb..db44893689b 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -201,6 +201,7 @@  struct SpaprMachineState {
     uint32_t fdt_initial_size;
     void *fdt_blob;
     uint8_t fdt_rng_seed[32];
+    uint64_t hashpkey_val;
     long kernel_size;
     bool kernel_le;
     uint64_t kernel_addr;
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index fa05e0c5156..34934afd551 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -2888,6 +2888,9 @@  static void spapr_machine_init(MachineState *machine)
         spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
     }
 
+    qemu_guest_getrandom_nofail(&spapr->hashpkey_val,
+                                sizeof(spapr->hashpkey_val));
+
     /* init CPUs */
     spapr_init_cpus(spapr);
 
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 88d743a3c3f..bf9f29f4ff3 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -273,6 +273,8 @@  static bool spapr_realize_vcpu(PowerPCCPU *cpu, SpaprMachineState *spapr,
     env->spr_cb[SPR_PIR].default_value = cs->cpu_index;
     env->spr_cb[SPR_TIR].default_value = thread_index;
 
+    env->spr_cb[SPR_HASHPKEYR].default_value = spapr->hashpkey_val;
+
     cpu_ppc_set_1lpar(cpu);
 
     /* Set time-base frequency to 512 MHz. vhyp must be set first. */

[3/5] spapr: Generate random HASHPKEYR for spapr machines

Commit Message

Comments

Patch