Date: Wed, 18 Oct 2023 14:02:27 +0100
From: Mark Rutland
To: Andrea della Porta
Cc: Catalin Marinas, Will Deacon, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, nik.borisov@suse.com
Subject: Re: [PATCH 4/4] arm64: Make Aarch32 emulation boot time configurable
In-Reply-To: <1029761eb218702d4aafa58d83c4bf9d3a760264.1697614386.git.andrea.porta@suse.com>

On Wed, Oct 18, 2023 at 01:13:22PM +0200, Andrea della Porta wrote:
> Distributions would like to reduce their attack surface as much as
> possible but at the same time they'd want to retain flexibility to
> cater to a variety of legacy software. This stems from the conjecture
> that compat layer is likely rarely tested and could have latent
> security bugs. Ideally distributions will set their default policy
> and also give users the ability to override it as appropriate.
>
> To enable this use case, introduce CONFIG_AARCH32_EMULATION_DEFAULT_DISABLED
> compile time option, which controls whether 32bit processes/syscalls
> should be allowed or not. This option is aimed mainly at distributions
> to set their preferred default behavior in their kernels.
>
> To allow users to override the distro's policy, introduce the
> 'aarch32_emulation' parameter which allows overriding
> CONFIG_AARCH32_EMULATION_DEFAULT_DISABLED state at boot time.
>
> Signed-off-by: Andrea della Porta
> ---
> Documentation/admin-guide/kernel-parameters.txt | 7 +++++++
> arch/arm64/Kconfig | 9 +++++++++
> arch/arm64/kernel/entry-common.c | 8 +++++++-
> 3 files changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 0a1731a0f0ef..a41c5e6f5d2e 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -1,3 +1,10 @@ > + aarch32_emulation= [ARM64] > + Format: > + When true, allows loading 32-bit programs and executing > + 32-bit syscalls, essentially overriding > + AARCH32_EMULATION_DEFAULT_DISABLED at boot time. when false, > + unconditionally disables AARCH32 emulation.

Can we please drop the 'emulation' part of the name? We don't use that terminology on arm64 for regular execution of compat tasks, and only use that to refer to true emulation of deprecated instructions.

We already have the 'allow_mismatched_32bit_el0' option; can we please use a name that aligns with that? e.g. 'allow_32bit_el0=false' to disable support.

Mark.

> + > acpi= [HW,ACPI,X86,ARM64,RISCV64] > Advanced Configuration and Power Interface > Format: { force | on | off | strict | noirq | rsdt | > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index b10515c0200b..66c4cb273550 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -1725,6 +1725,15 @@ config SETEND_EMULATION > If unsure, say Y > endif # ARMV8_DEPRECATED > > +config AARCH32_EMULATION_DEFAULT_DISABLED > + bool "Aarch32 emulation disabled by default" > + default n > + depends on COMPAT > + help > + Make Aarch32 emulation disabled by default. This prevents loading 32-bit > + processes and access to 32-bit syscalls. > + > + If unsure, leave it to its default value. > endif # COMPAT > > menu "ARMv8.1 architectural features"
> diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c > index 32761760d9dd..07f2b4e632b8 100644 > --- a/arch/arm64/kernel/entry-common.c > +++ b/arch/arm64/kernel/entry-common.c > @@ -897,7 +897,13 @@ asmlinkage void noinstr el0t_32_error_handler(struct pt_regs *regs) > __el0_error_handler_common(regs); > } > > -bool __aarch32_enabled __ro_after_init = true; > +bool __aarch32_enabled __ro_after_init = !IS_ENABLED(CONFIG_AARCH32_EMULATION_DEFAULT_DISABLED); > + > +static int aarch32_emulation_override_cmdline(char *arg) > +{ > + return kstrtobool(arg, &__aarch32_enabled); > +} > +early_param("aarch32_emulation", aarch32_emulation_override_cmdline); > #else /* CONFIG_COMPAT */ > UNHANDLED(el0t, 32, sync) > UNHANDLED(el0t, 32, irq) > -- > 2.35.3 >
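Review bot: In the Documentation/admin-guide/kernel-parameters.txt hunk, the aarch32_emulation= entry describes the true and false values but never says what applies when the parameter is omitted; state that the default then follows CONFIG_AARCH32_EMULATION_DEFAULT_DISABLED, and write the option name with its CONFIG_ prefix rather than the bare "AARCH32_EMULATION_DEFAULT_DISABLED". The sentence beginning "when false," should also start with a capital letter.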
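Review bot: In the arch/arm64/Kconfig hunk, the help text for AARCH32_EMULATION_DEFAULT_DISABLED does not mention that the aarch32_emulation= boot parameter can override this default, so someone reading only the Kconfig help would take the setting as final; add a sentence pointing at the parameter. The "default n" line is redundant for a bool option and can be dropped.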
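Review bot: In the arch/arm64/kernel/entry-common.c hunk, aarch32_emulation_override_cmdline() is registered with early_param() but is not marked __init, so the handler stays resident after boot although it only runs during early parameter parsing; declare it as "static int __init aarch32_emulation_override_cmdline(char *arg)". Because __aarch32_enabled now carries a security policy, a short comment above its definition stating that the Kconfig default is applied first and the command line overrides it would make the precedence explicit.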