Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20221027112741.1678057-1-ardb@kernel.org> <Y2TIqcfxFaThC4d5@sol.localdomain>
 <CAMj1kXFv5gyp=jkgHPJPT9nLW16jpBF4rdo6tDCZYAPgkRma3Q@mail.gmail.com> <Y2U7pjN5B9T9KcQr@arm.com>
In-Reply-To: <Y2U7pjN5B9T9KcQr@arm.com>
From:   Ard Biesheuvel <ardb@kernel.org>
Date:   Fri, 4 Nov 2022 17:40:29 +0100
Message-ID: <CAMj1kXGY5P_gnYpeMiucZvEHW-3_tcj4nr9XjgMcZFJXuLB9kw@mail.gmail.com>
Subject: Re: [RFC PATCH] arm64: Enable data independent timing (DIT) in the kernel
To:     Catalin Marinas <catalin.marinas@arm.com>
Cc:     Eric Biggers <ebiggers@kernel.org>, linux-kernel@vger.kernel.org,
        linux-arm-kernel@lists.infradead.org,
        Will Deacon <will@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Marc Zyngier <maz@kernel.org>,
        "Jason A . Donenfeld" <Jason@zx2c4.com>,
        Kees Cook <keescook@chromium.org>,
        Suzuki K Poulose <suzuki.poulose@arm.com>,
        Adam Langley <agl@google.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Fri, 4 Nov 2022 at 17:19, Catalin Marinas <catalin.marinas@arm.com> wrote:
>
> On Fri, Nov 04, 2022 at 10:29:10AM +0100, Ard Biesheuvel wrote:
> > On Fri, 4 Nov 2022 at 09:09, Eric Biggers <ebiggers@kernel.org> wrote:
> > > On Thu, Oct 27, 2022 at 01:27:41PM +0200, Ard Biesheuvel wrote:
> > > > Given that running privileged code with DIT disabled on a CPU that
> > > > implements support for it may result in a side channel that exposes
> > > > privileged data to unprivileged user space processes, let's enable DIT
> > > > while running in the kernel if supported by all CPUs.
> > >
> > > This patch looks good to me, though I'm not an expert in low-level arm64 stuff.
> > > It's a bit unfortunate that we have to manually create the .inst to enable DIT
> > > instead of just using the assembler.  But it looks like there's a reason for it
> > > (it's done for PAN et al. too), and based on the manual it looks correct.
> >
> > Yes. The reason is that the assembler requires -march=armv8.2-a to be
> > passed when using the DIT register (and similar requirements apply to
> > the other registers). However, doing so may result in object code that
> > can no longer run on pre-v8.2 cores, whereas the DIT accesses
> > themselves are only emitted in a carefully controlled manner anyway,
> > so keeping the arch baseline to v8.0 and using .inst is the cleanest
> > way around this.
>
> We worked around this already by defining asm-arch in
> arch/arm64/Makefile to the latest that the assembler supports while
> keeping the C compiler on armv8.0. Unlike the C compiler, the assembler
> shouldn't generate new instructions unless specifically asked through
> inline asm or .S files. We use this trick for MTE already (and LSE
> atomics), though we needed another __MTE_PREAMBLE as armv8.5-a wasn't
> sufficient for these instructions.
>
> I think we ended up with .inst initially as binutils did not support
> some of those instructions. We could try to clean them up but it's a bit
> of a hassle to check which versions your binutils supports.
>

OK, good to know.

However, I double checked, and DIT needs v8.4-a (not v8.2 as i
mentioned above), and my ubuntu 16.04 toolchain, which has GCC 5.3,
only goes up to v8.2

So I guess we should be able to fix this at /some/ point, but for now,
I'll need to stick with the __inst()