From: Rob Herring
Date: Wed, 20 Sep 2023 11:47:35 -0500
Subject: Re: [PATCH 2/2] arm64: errata: Add Cortex-A520 speculative unprivileged load workaround
To: Marc Zyngier
Cc: Will Deacon, Catalin Marinas, Jonathan Corbet, James Morse, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org
In-Reply-To: <86zg1icop8.wl-maz@kernel.org>

On Tue, Sep 19, 2023 at 7:50 AM Marc Zyngier wrote:
>
> On Tue, 19 Sep 2023 13:29:07 +0100,
> Rob Herring wrote:
> >
> > On Mon, Sep 18, 2023 at 5:18 AM Marc Zyngier wrote:
> > >
> > > On 2023-09-18 11:01, Will Deacon wrote:
> > > > On Tue, Sep 12, 2023 at 07:11:15AM -0500, Rob Herring wrote:
> > > >> Implement the workaround for ARM Cortex-A520 erratum 2966298. On an
> > > >> affected Cortex-A520 core, a speculatively executed unprivileged load
> > > >> might leak data from a privileged level via a cache side channel.
> > > >>
> > > >> The workaround is to execute a TLBI before returning to EL0. A
> > > >> non-shareable TLBI to any address is sufficient.
> > > >
> > > > Can you elaborate at all on how this works, please? A TLBI addressing a
> > > > cache side channel feels weird (or is "cache" referring to some TLB
> > > > structures rather than e.g. the data cache here?).
> > > >
> > > > Assuming there's some vulnerable window between the speculative
> > > > unprivileged load and the completion of the TLBI, what prevents another
> > > > CPU from observing the side-channel during that time? Also, does the
> > > > TLBI need to be using the same ASID as the unprivileged load? If so, then
> > > > a context-switch could widen the vulnerable window quite significantly.
> > >
> > > Another 'interesting' case is the KVM world switch. If EL0 is
> > > affected, what about EL1? Can such a data leak exist cross-EL1,
> > > or from EL2 to EL1? Asking for a friend...
> >
> > I'm checking for a definitive answer, but page table isolation also
> > avoids the issue. Wouldn't these scenarios all be similar to page
> > table isolation in that the EL2 or prior EL1 context is unmapped?
>
> No, EL2 is always mapped, and we don't have anything like KPTI there.
>
> Maybe the saving grace is that EL2 and EL2&0 are different translation
> regimes from EL1&0, but there's nothing in the commit message that
> indicates it. As for EL1-to-EL1 leaks, it again completely depends on
> how the TLBs are tagged.

Different translation regimes are not affected. It must be the same
regime and same translation.

> You'd hope that having different VMIDs would save the bacon, but if
> you can leak EL1 translations into EL0, it means that the associated
> permission and/or tags do not contain all the required information...

The VMID is part of the equation. See here[1].

Rob

[1] https://developer.arm.com/documentation/102517/0001/Memory-management/Translation-Lookaside-Buffer-match-process?lang=en
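
Added example, not part of the original message or of the patch under discussion: a simplified C model of the TLB tag match that the thread turns on (same translation regime, same translation, VMID included in the tag). Security state and page size are left out, and every name in it is illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: security state and page size are left out, and all
 * names here are illustrative, not taken from the kernel or the patch. */
enum regime { REGIME_EL1_0, REGIME_EL2, REGIME_EL2_0 };

struct tlb_tag {
    uint64_t vpn;        /* virtual page number */
    enum regime regime;  /* translation regime the entry belongs to */
    uint16_t asid;
    uint16_t vmid;
    bool global;         /* nG == 0: entry matches any ASID */
};

/* ASID tags the regimes that have an EL0 side; VMID tags EL1&0. */
static bool asid_relevant(enum regime r) { return r != REGIME_EL2; }
static bool vmid_relevant(enum regime r) { return r == REGIME_EL1_0; }

bool tlb_match(const struct tlb_tag *e, const struct tlb_tag *req)
{
    if (e->vpn != req->vpn || e->regime != req->regime)
        return false;
    if (asid_relevant(e->regime) && !e->global && e->asid != req->asid)
        return false;
    if (vmid_relevant(e->regime) && e->vmid != req->vmid)
        return false;
    return true;
}

/* Constructed sample: a global (kernel-style) EL1&0 entry, ASID 3, VMID 1. */
bool probe(enum regime r, uint16_t asid, uint16_t vmid)
{
    const struct tlb_tag entry = { 0xffff8, REGIME_EL1_0, 3, 1, true };
    const struct tlb_tag req = { 0xffff8, r, asid, vmid, false };
    return tlb_match(&entry, &req);
}

int main(void)
{
    printf("same regime, other ASID: %d\n", probe(REGIME_EL1_0, 7, 1));
    printf("same regime, other VMID: %d\n", probe(REGIME_EL1_0, 7, 2));
    printf("EL2 regime:              %d\n", probe(REGIME_EL2, 7, 1));
    return 0;
}
```

In this model a global entry is reachable from any ASID in the same regime and VMID, while a different VMID or a different regime never matches.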