2020-07-21 09:45:45

by David Brazdil

Subject: [PATCH 0/2] Unify non-VHE ASLR features behind CONFIG_RANDOMIZE_BASE

There is currently no way to disable nVHE ASLR, e.g. for debugging, so the
first patch in this series makes it conditional on RANDOMIZE_BASE, same as
KASLR. Note that the 'nokaslr' command line flag has no effect here.

Second patch unifies the HARDEN_EL2_VECTORS errata for A57 and A72 behind
the same Kconfig for simplicity. Happy to make it just depend on
RANDOMIZE_BASE if having an option to keep randomization on but hardening
off is preferred.

David Brazdil (2):
KVM: arm64: Make nVHE ASLR conditional on RANDOMIZE_BASE
KVM: arm64: Substitute RANDOMIZE_BASE for HARDEN_EL2_VECTORS

arch/arm64/Kconfig | 16 ----------------
arch/arm64/include/asm/mmu.h | 6 ++----
arch/arm64/kernel/cpu_errata.c | 4 ++--
arch/arm64/kvm/Kconfig | 2 +-
arch/arm64/kvm/va_layout.c | 2 +-
5 files changed, 6 insertions(+), 24 deletions(-)

--
2.27.0


2020-07-21 09:46:10

by David Brazdil

Subject: [PATCH 1/2] KVM: arm64: Make nVHE ASLR conditional on RANDOMIZE_BASE

If there are spare bits in non-VHE hyp VA, KVM unconditionally replaces them
with a random tag chosen at init. Disable this if the kernel is built without
RANDOMIZE_BASE to align with kernel behavior.

Signed-off-by: David Brazdil <[email protected]>
---
arch/arm64/kvm/va_layout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/va_layout.c b/arch/arm64/kvm/va_layout.c
index a4f48c1ac28c..e0404bcab019 100644
--- a/arch/arm64/kvm/va_layout.c
+++ b/arch/arm64/kvm/va_layout.c
@@ -48,7 +48,7 @@ __init void kvm_compute_layout(void)
va_mask = GENMASK_ULL(tag_lsb - 1, 0);
tag_val = hyp_va_msb;

- if (tag_lsb != (vabits_actual - 1)) {
+ if (IS_ENABLED(CONFIG_RANDOMIZE_BASE) && tag_lsb != (vabits_actual - 1)) {
/* We have some free bits to insert a random tag. */
tag_val |= get_random_long() & GENMASK_ULL(vabits_actual - 2, tag_lsb);
}
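Review bot: the new condition leaves tag_val equal to hyp_va_msb on a kernel built without RANDOMIZE_BASE, which matches the commit message, but the cover letter's remark that 'nokaslr' has no effect on this path deserves a comment here: a RANDOMIZE_BASE=y kernel booted with nokaslr still receives a random hyp tag, which is exactly the debugging scenario the series is meant to serve. Either extend the "/* We have some free bits to insert a random tag. */" comment to say that only the build-time option controls this, or consider also checking the runtime KASLR state (kaslr_offset() != 0) so the two mechanisms stay in step.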
--
2.27.0
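The tag step that this hunk changes, as an added example that is not part of the patch or of the kernel tree: a user-space model of the affected lines of kvm_compute_layout(), so the difference between a randomized and a deterministic hyp layout can be observed and checked. GENMASK_ULL is re-implemented with the kernel macro's semantics; vabits_actual, tag_lsb, hyp_va_msb and the random value are hypothetical inputs standing in for kernel state, and the hyp_va() helper only models the and/or that maps a kernel VA onto the hyp VA.

```c
/*
 * Added example, not code from the patch or the kernel tree: a user-space
 * model of the tag step in kvm_compute_layout() so the effect of the new
 * IS_ENABLED(CONFIG_RANDOMIZE_BASE) check can be observed. GENMASK_ULL is
 * re-implemented; vabits_actual, tag_lsb, hyp_va_msb and the random value
 * are hypothetical inputs standing in for kernel state.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same semantics as the kernel macro: bits h..l set, for 0 <= l <= h <= 63. */
#define GENMASK_ULL(h, l) \
    ((~0ULL << (l)) & (~0ULL >> (63 - (h))))

struct hyp_layout {
    uint64_t va_mask;   /* kernel VA bits below tag_lsb that are kept as-is */
    uint64_t tag_val;   /* hyp_va_msb plus, when randomized, the random tag */
};

/*
 * randomize stands in for IS_ENABLED(CONFIG_RANDOMIZE_BASE) and rnd for
 * get_random_long(); hyp_va_msb is the top hyp VA bit, passed in because
 * the way the kernel derives it is not part of the hunk.
 */
static struct hyp_layout compute_layout(unsigned int vabits_actual,
                                        unsigned int tag_lsb,
                                        uint64_t hyp_va_msb,
                                        bool randomize, uint64_t rnd)
{
    struct hyp_layout l;

    l.va_mask = GENMASK_ULL(tag_lsb - 1, 0);
    l.tag_val = hyp_va_msb;

    /* The patched condition: tag only when randomization is configured
     * and there are free bits between tag_lsb and the MSB. */
    if (randomize && tag_lsb != (vabits_actual - 1))
        l.tag_val |= rnd & GENMASK_ULL(vabits_actual - 2, tag_lsb);

    return l;
}

/* Map a kernel VA onto its hyp VA: keep the masked low bits, add the tag. */
static uint64_t hyp_va(struct hyp_layout l, uint64_t kern_va)
{
    return (kern_va & l.va_mask) | l.tag_val;
}

/* Invariants: the tag never clobbers preserved bits and stays inside the VA range. */
static bool layout_is_sane(struct hyp_layout l, unsigned int vabits_actual)
{
    if (l.tag_val & l.va_mask)
        return false;
    if (vabits_actual < 64 && (l.tag_val >> vabits_actual))
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: 48-bit VA space, tag from bit 44 up, bit 47 as MSB. */
    struct hyp_layout on = compute_layout(48, 44, 1ULL << 47, true, ~0ULL);
    struct hyp_layout off = compute_layout(48, 44, 1ULL << 47, false, ~0ULL);

    printf("randomized:    tag_val=%#018llx\n", (unsigned long long)on.tag_val);
    printf("deterministic: tag_val=%#018llx\n", (unsigned long long)off.tag_val);
    return (layout_is_sane(on, 48) && layout_is_sane(off, 48)) ? 0 : 1;
}
```

With randomization off, tag_val is just the MSB and every kernel VA maps to the same hyp VA on every boot; with it on, bits 44..46 carry the tag while bit 47 and the low 44 bits are unchanged, which is what the mask arithmetic in the hunk guarantees. The case tag_lsb == vabits_actual - 1 (no spare bits) yields the deterministic layout regardless of the flag.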

2020-07-21 09:48:30

by David Brazdil

Subject: [PATCH 2/2] KVM: arm64: Substitute RANDOMIZE_BASE for HARDEN_EL2_VECTORS

The HARDEN_EL2_VECTORS config maps vectors at a fixed location on cores which
are susceptible to Spectre variant 3a (A57, A72) to prevent defeating hyp
layout randomization by leaking the value of VBAR_EL2.

Since this feature is only applicable when EL2 layout randomization is enabled,
unify both behind the same RANDOMIZE_BASE Kconfig. The majority of the code remains
conditional on a capability selected for the affected cores.

Signed-off-by: David Brazdil <[email protected]>
---
arch/arm64/Kconfig | 16 ----------------
arch/arm64/include/asm/mmu.h | 6 ++----
arch/arm64/kernel/cpu_errata.c | 4 ++--
arch/arm64/kvm/Kconfig | 2 +-
4 files changed, 5 insertions(+), 23 deletions(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 66dc41fd49f2..527d217baf55 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1182,22 +1182,6 @@ config HARDEN_BRANCH_PREDICTOR

If unsure, say Y.

-config HARDEN_EL2_VECTORS
- bool "Harden EL2 vector mapping against system register leak" if EXPERT
- default y
- help
- Speculation attacks against some high-performance processors can
- be used to leak privileged information such as the vector base
- register, resulting in a potential defeat of the EL2 layout
- randomization.
-
- This config option will map the vectors to a fixed location,
- independent of the EL2 code mapping, so that revealing VBAR_EL2
- to an attacker does not give away any extra information. This
- only gets enabled on affected CPUs.
-
- If unsure, say Y.
-
config ARM64_SSBD
bool "Speculative Store Bypass Disable" if EXPERT
default y
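Review bot: removing this entry also removes the only user-visible explanation of why the EL2 vectors are mapped at a fixed location (a speculatively leaked VBAR_EL2 defeating EL2 layout randomization) together with the EXPERT opt-out. Consider carrying the second paragraph of the help text over, either into the RANDOMIZE_BASE help or as a comment beside the ARM64_HARDEN_EL2_VECTORS capability in cpu_errata.c, so the rationale survives the Kconfig symbol.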
diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h
index 8444df000181..e26542c0e79e 100644
--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -45,12 +45,10 @@ struct bp_hardening_data {
bp_hardening_cb_t fn;
};

-#if (defined(CONFIG_HARDEN_BRANCH_PREDICTOR) || \
- defined(CONFIG_HARDEN_EL2_VECTORS))
-
+#ifdef CONFIG_KVM_INDIRECT_VECTORS
extern char __bp_harden_hyp_vecs[];
extern atomic_t arm64_el2_vector_last_slot;
-#endif /* CONFIG_HARDEN_BRANCH_PREDICTOR || CONFIG_HARDEN_EL2_VECTORS */
+#endif

#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
DECLARE_PER_CPU_READ_MOSTLY(struct bp_hardening_data, bp_hardening_data);
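Review bot: the replacement guard `#ifdef CONFIG_KVM_INDIRECT_VECTORS` is narrower than the `defined(CONFIG_HARDEN_BRANCH_PREDICTOR) || defined(CONFIG_HARDEN_EL2_VECTORS)` it replaces: KVM_INDIRECT_VECTORS lives in arch/arm64/kvm/Kconfig inside the `if KVM` block (see the `endif # KVM` context in the last hunk), so on a KVM=n build these two externs now vanish even with HARDEN_BRANCH_PREDICTOR=y. Please confirm no non-KVM code references __bp_harden_hyp_vecs or arm64_el2_vector_last_slot, and mention the mmu.h change in the commit message, which currently covers only the Kconfig and errata side.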
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 79728bfb5351..6bd1d3ad037a 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -632,7 +632,7 @@ has_neoverse_n1_erratum_1542419(const struct arm64_cpu_capabilities *entry,
return is_midr_in_range(midr, &range) && has_dic;
}

-#if defined(CONFIG_HARDEN_EL2_VECTORS)
+#ifdef CONFIG_RANDOMIZE_BASE

static const struct midr_range ca57_a72[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
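Review bot: `#ifdef CONFIG_RANDOMIZE_BASE` around a MIDR table and its erratum gives a reader no hint that this block is about EL2 vector hardening; the old symbol name documented itself. A one-line comment above the guard (for example "/* EL2 vector hardening only matters when the hyp layout is randomized */") would keep that context, here and at the arm64_errata[] entry in the next hunk.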
@@ -891,7 +891,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
.matches = check_branch_predictor,
},
-#ifdef CONFIG_HARDEN_EL2_VECTORS
+#ifdef CONFIG_RANDOMIZE_BASE
{
.desc = "EL2 vector hardening",
.capability = ARM64_HARDEN_EL2_VECTORS,
diff --git a/arch/arm64/kvm/Kconfig b/arch/arm64/kvm/Kconfig
index 13489aff4440..318c8f2df245 100644
--- a/arch/arm64/kvm/Kconfig
+++ b/arch/arm64/kvm/Kconfig
@@ -58,7 +58,7 @@ config KVM_ARM_PMU
virtual machines.

config KVM_INDIRECT_VECTORS
- def_bool HARDEN_BRANCH_PREDICTOR || HARDEN_EL2_VECTORS
+ def_bool HARDEN_BRANCH_PREDICTOR || RANDOMIZE_BASE

endif # KVM

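Review bot: with this line, KVM_INDIRECT_VECTORS is selected on every RANDOMIZE_BASE kernel, so the indirect-vector machinery is built in whenever KASLR is; this settles the cover letter's open question (randomization on, hardening off) in the negative at build time, leaving only the runtime capability check for unaffected cores. State that in the commit message, since configurations that previously had HARDEN_EL2_VECTORS=n with RANDOMIZE_BASE=y change behaviour silently.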
--
2.27.0

2020-07-28 11:06:25

by Marc Zyngier

Subject: Re: [PATCH 0/2] Unify non-VHE ASLR features behind CONFIG_RANDOMIZE_BASE

On Tue, 21 Jul 2020 10:44:43 +0100, David Brazdil wrote:
> There is currently no way to disable nVHE ASLR, e.g. for debugging, so the
> first patch in this series makes it conditional on RANDOMIZE_BASE, same as
> KASLR. Note that the 'nokaslr' command line flag has no effect here.
>
> Second patch unifies the HARDEN_EL2_VECTORS errata for A57 and A72 behind
> the same Kconfig for simplicity. Happy to make it just depend on
> RANDOMIZE_BASE if having an option to keep randomization on but hardening
> off is preferred.
>
> [...]

Applied to kvm-arm64/misc-5.9, thanks!

[1/2] KVM: arm64: Make nVHE ASLR conditional on RANDOMIZE_BASE
commit: 24f69c0fa4e252f706884114b7d6353aa07678b5
[2/2] KVM: arm64: Substitute RANDOMIZE_BASE for HARDEN_EL2_VECTORS
commit: a59a2edbbba7397fede86e40a3da17e5beebf98b

Cheers,

M.
--
Without deviation from the norm, progress is not possible.