Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3451298imm; Fri, 19 Oct 2018 10:46:34 -0700 (PDT) X-Google-Smtp-Source: ACcGV63aLfpLyN+MCwVS/gVZDjtYOlumlIEz0ELWEH87mKyKA7fjh6eGB7v9dvySAKn8cnXtm/er X-Received: by 2002:a17:902:3341:: with SMTP id a59-v6mr35021212plc.138.1539971194757; Fri, 19 Oct 2018 10:46:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539971194; cv=none; d=google.com; s=arc-20160816; b=nmlHlxw+ETm2eV023l4ffHGxgEn8kYg4CoSruTHOYHzfZWv9dx4QSjnSgYDGD4t2ID hmBhEjOBmLP2zTIGdj2qsqwTDRq0ZsEEsuBTV9ZMs69VZW2KNw1F2Af1AekxaGqCx3Jl m7d6j0u8rozu8ndKa5EEJdHbjlhO+Mj8t03uh70h5mGrVdgE9APZOBscPvoHdiMGR3u0 UxISxhwk0AYD2j6psO84PnCU23LUY2KjlPdxhUeadtPt4Pae5VMuaMojCyOchxqFtmFF LFtGFew0ROdwaqE5S3hSut9HalIxDxRbIJ1WU2PlhT9MDh8YSJcuwAKfF5JK6u2n2JH0 0SXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ziDom4wHOOb8TUr5QGct5MVsH4uzsknIv1CbEM0jECg=; b=JSL21PU3VWbaVhIf3GugQ9fyOE4l4p6+qyukwWvgEfDCtPuybncv4VBaRfk6jK8YeX d5ADEv+9GS3RibQL0RCpc7XieKRLkdhGt9AekW6CrxT8C1wNG2Xzm9zuKARndG2SvxqH 6fAZIedUi+/c5pwKAsXqC8RcAUmxeo+dhILbjTIpZonm09cQ6TA819Qxu49Bf6U9u+8U lBjTufcdE7ODA5RmoY1XRQPBd+XyOcEaynOUyzYRQQJF9M5VjjzB6w4XkxBaQzRmDcDl mUfR9rW6SzAw2lncWj8lYNKmyqTHQim3jCuc/e0gz8jHGFAJJnqoWq7i2q4vlfOcCTic cYGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p1-v6si21847555plb.341.2018.10.19.10.46.19; Fri, 19 Oct 2018 10:46:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728004AbeJTBwi (ORCPT + 99 others); Fri, 19 Oct 2018 21:52:38 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:56450 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727549AbeJTBwi (ORCPT ); Fri, 19 Oct 2018 21:52:38 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id DF77DA78; Fri, 19 Oct 2018 10:45:32 -0700 (PDT) Received: from brain-police (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8A3903F71D; Fri, 19 Oct 2018 10:45:28 -0700 (PDT) Date: Fri, 19 Oct 2018 18:45:24 +0100 From: Will Deacon To: Catalin Marinas Cc: Kristina Martsenko , Mark Rutland , "linux-arch@vger.kernel.org" , Andrew Jones , Jacob Bramley , Arnd Bergmann , Ard Biesheuvel , Marc Zyngier , "linux-kernel@vger.kernel.org" , Adam Wallis , Suzuki Poulose , Christoffer Dall , Dave P Martin , Amit Kachhap , Ramana Radhakrishnan , "kvmarm@lists.cs.columbia.edu" , "linux-arm-kernel@lists.infradead.org" , Kees Cook Subject: Re: [PATCH v5 11/17] arm64: docs: document pointer authentication Message-ID: <20181019174524.GC4429@brain-police> References: <20181005084754.20950-1-kristina.martsenko@arm.com> <20181005084754.20950-12-kristina.martsenko@arm.com> <9acb0cd2-66b0-1c41-b1a8-7c70608e9a9b@foss.arm.com> <7b0de19b-45b9-f4df-25d1-c7e80fab49dc@arm.com> <20181019113556.ljbdmjo5pdw7muvz@mbp> <20181019151029.GD3985@arrakis.emea.arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181019151029.GD3985@arrakis.emea.arm.com> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 19, 2018 at 04:10:29PM +0100, Catalin Marinas wrote: > On Fri, Oct 19, 2018 at 03:42:23PM +0100, Kristina Martsenko wrote: > > On 19/10/2018 12:35, Catalin Marinas wrote: > > > On Tue, Oct 16, 2018 at 05:14:39PM +0100, Kristina Martsenko wrote: > > >> On 05/10/2018 10:04, Ramana Radhakrishnan wrote: > > >>> On 05/10/2018 09:47, Kristina Martsenko wrote: > > >>>> +Virtualization > > >>>> +-------------- > > >>>> + > > >>>> +Pointer authentication is not currently supported in KVM guests. KVM > > >>>> +will mask the feature bits from ID_AA64ISAR1_EL1, and attempted use of > > >>>> +the feature will result in an UNDEFINED exception being injected into > > >>>> +the guest. > > >>> > > >>> However applications using instructions from the hint space will > > >>> continue to work albeit without any protection (as they would just be > > >>> nops) ? > > >> > > >> Mostly, yes. If the guest leaves SCTLR_EL1.EnIA unset (and > > >> EnIB/EnDA/EnDB), then PAC* and AUT* instructions in the HINT space will > > >> execute as NOPs. If the guest sets EnIA, then PAC*/AUT* instructions > > >> will trap and KVM will inject an "Unknown reason" exception into the > > >> guest (which will cause a Linux guest to send a SIGILL to the application). > > > > > > I think that part is fine. If KVM (a fairly recent version with CPUID > > > sanitisation) does not enable ptr auth, the CPUID should not advertise > > > this feature either so the guest kernel should not enable it. For the > > > above instructions in the HINT space, they will just be NOPs. If the > > > guest kernel enables the feature regardless of the CPUID information, it > > > deserves to get an "Unknown reason" exception. > > > > > >> In the latter case we could instead pretend the instruction was a NOP > > >> and not inject an exception, but trapping twice per every function would > > >> probably be terrible for performance. The guest shouldn't be setting > > >> EnIA anyway if ID_AA64ISAR1_EL1 reports that pointer authentication is > > >> not present (because KVM has hidden it). > > > > > > I don't think we should. The SCTLR_EL1 bits are RES0 unless you know > > > that the feature is present via CPUID. > > > > > >> The other special case is the XPACLRI instruction, which is also in the > > >> HINT space. Currently it will trap and KVM will inject an exception into > > >> the guest. We should probably change this to NOP instead, as that's what > > >> applications will expect. Unfortunately there is no EnIA-like control to > > >> make it NOP. > > > > > > Very good catch. Basically if EL2 doesn't know about ptr auth (older > > > distro), EL1 may or may not know but leaves SCTLR_EL1 disabled (based on > > > CPUID), the default HCR_EL2 is to trap (I'm ignoring EL3 as that's like > > > to have ptr auth enabled, being built for the specific HW). So a user > > > app considering XPACLRI a NOP (or inoffensive) will get a SIGILL > > > (injected by the guest kernel following the injection of "Unknown > > > reason" exception by KVM). > > > > > > Ramana, is XPACLRI commonly generated by gcc and expects it to be a NOP? > > > Could we restrict it to only being used at run-time if the corresponding > > > HWCAP is set? This means redefining this instruction as no longer in the > > > NOP space. > > > > I think an alternative solution is to just disable trapping of pointer > > auth instructions in KVM. This will mean that the instructions will > > behave the same in the guest as they do in the host. HINT-space > > instructions (including XPACLRI) will behave as NOPs (or perform their > > function, if enabled by the guest), and will not trap. > > OK, so this means disabling the trap (during early EL2 setup) but still > sanitizing the CPUID not to report the feature to EL1 unless fully > supported on all CPUs. ... which is perfectly sensible, but not actually my main concern here. I'm worried about the possibility of distributions shipping *now* with userspace that's built with these instructions. That stuff is going to break if/when it encounters v8.3 hardware, and I don't think we can do much about it other than alert them to the potential issue. Will