| Message ID | 20221128024458.46121-1-bgray@linux.ibm.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp5399380wrr;
Sun, 27 Nov 2022 18:47:51 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf4NPTVYLou+GZ4g8TstHIFBvqEvI2626F4frGGJ2Jd6EuYrNPuqofB84jwh28ZYpyJoVzCw
X-Received: by 2002:a05:6402:419:b0:461:e82b:bdff with SMTP id
q25-20020a056402041900b00461e82bbdffmr27203555edv.370.1669603671439;
Sun, 27 Nov 2022 18:47:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669603671; cv=none;
d=google.com; s=arc-20160816;
b=Fh+D6fX9XScdI+FHBweaF3qBqVFPixBqLUeGvhOEGODDlw2YPEbJR57c9kTpw5F4db
NK/18BnEaLejtFCNwosLZwZHcuQj6r9jpQ8evLv71fyIbGZlC6tvjOfDOC/xRjDE2S3N
u/0Hv6XgqiaUcsjleDVHToYeoLOX27Bspe+MO0CR0BBf8zR3aCdL2GYk/LzmIJY5dKj6
QpnzZeaJ6BlRoXSMTl+lEZVlFYBgAr/DG7NxbqJ1ZwLgXpN5Mcdrxy03qNhFFf6DEw1+
drsbWEWTWipst8hFY4+f4wc10scvAw+TGIvEPvZzSCOYXqGkkCetoI7387dIh0QhhOz3
sABQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:message-id:date:subject:cc:to:from:dkim-signature;
bh=kkb8XBGNZ820tIgYC+hmxCyuaKOq5Y0MliPb3LujOtI=;
b=OflIy8bMsedUbHxSGZ9ZbNAk9bXtJotR5mQovAPHuPoB+NEzSQj0KmAt5k9hpFVQsB
mmg6QvF38052KP+sUkuLPDgoSu8WjcWK8FGSGMG2LUhWq8AHSMa5x4kq9VFHPoHEGyFN
HTGgHAv8QxHrMzqxP7LariElI7IAGYOEx652HBVBXVJQfPLnJ49brX4lRTHfMDXICG/D
xvD9HNFdBgD9YDuaqWsb3lxsJBeXx0z6uZ3Fl2NcQzrVbpavZhb/sVmIHCW4Fk1KEq6q
zvP1Tx5UYzDWZ+kStpIpP51icY8GXEvrBe8Q0jsrqfhlf9V9CY6NNKxh3aFbz3ej0n2M
p/WA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@ibm.com header.s=pp1 header.b=GdsO7kZ7;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
g20-20020a1709065d1400b007b5ce4a4360si9392263ejt.151.2022.11.27.18.47.28;
Sun, 27 Nov 2022 18:47:51 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@ibm.com header.s=pp1 header.b=GdsO7kZ7;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229850AbiK1CqZ (ORCPT <rfc822;gah0developer@gmail.com>
+ 99 others); Sun, 27 Nov 2022 21:46:25 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45652 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229727AbiK1CqD (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 27 Nov 2022 21:46:03 -0500
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
[148.163.156.1])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C17A4A18D;
Sun, 27 Nov 2022 18:46:01 -0800 (PST)
Received: from pps.filterd (m0098399.ppops.net [127.0.0.1])
by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
2AS0WYvO024065;
Mon, 28 Nov 2022 02:45:48 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com;
h=from : to : cc : subject
: date : message-id : content-transfer-encoding : mime-version; s=pp1;
bh=kkb8XBGNZ820tIgYC+hmxCyuaKOq5Y0MliPb3LujOtI=;
b=GdsO7kZ7ueUqPnkvEmao1OKxNKKLuQH1ya3u8T3zPaopYdGAexA6iMO49Totz4HlpCbo
Af84Bru7SCI1+rQYpLKtMRTKUVs82ws34fdJboJLbcTE8s5xlvh0Ws69ieWbLCyT1e2o
r+zVkN25EJMYXBsdSV/8LBRDSN9ArDJDknKuiFb7sLPV88QXg68FfDxIKOMPXOhzr+D1
MTiRA1b2pxAzJ8ptDfWU0NdZRdX40uGlv+/Kk/ZVrQY5kluZMnBAVTl02AMW5+KDmTkj
rKJj7nGnzNlMsZdrxV5+tch11RRByRDZ7rQJh8QYcIRbZ73AMxs6nVcY7q/PKI3y+e4B SQ==
Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com
[169.51.49.102])
by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3m3v8j4c35-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Mon, 28 Nov 2022 02:45:47 +0000
Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1])
by ppma06ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id
2AS2axim000612;
Mon, 28 Nov 2022 02:45:45 GMT
Received: from b06avi18626390.portsmouth.uk.ibm.com
(b06avi18626390.portsmouth.uk.ibm.com [9.149.26.192])
by ppma06ams.nl.ibm.com with ESMTP id 3m3a2hsurn-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Mon, 28 Nov 2022 02:45:45 +0000
Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com
[9.149.105.58])
by b06avi18626390.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with
ESMTP id 2AS2dJ1t58720600
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Mon, 28 Nov 2022 02:39:19 GMT
Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 742494C04E;
Mon, 28 Nov 2022 02:45:43 +0000 (GMT)
Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id C89B94C044;
Mon, 28 Nov 2022 02:45:42 +0000 (GMT)
Received: from ozlabs.au.ibm.com (unknown [9.192.253.14])
by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP;
Mon, 28 Nov 2022 02:45:42 +0000 (GMT)
Received: from li-0d7fa1cc-2c9d-11b2-a85c-aed20764436d.ibm.com
(haven.au.ibm.com [9.192.254.114])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ozlabs.au.ibm.com (Postfix) with ESMTPSA id 8BB00600D5;
Mon, 28 Nov 2022 13:45:37 +1100 (AEDT)
From: Benjamin Gray <bgray@linux.ibm.com>
To: linuxppc-dev@lists.ozlabs.org
Cc: ajd@linux.ibm.com, ruscur@russell.cc, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org, cmr@bluescreens.de,
Benjamin Gray <bgray@linux.ibm.com>
Subject: [RFC PATCH 00/13] Add DEXCR support
Date: Mon, 28 Nov 2022 13:44:45 +1100
Message-Id: <20221128024458.46121-1-bgray@linux.ibm.com>
X-Mailer: git-send-email 2.38.1
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: a-7nEkAIqaiILGrryBIa6W8--vDGTblJ
X-Proofpoint-ORIG-GUID: a-7nEkAIqaiILGrryBIa6W8--vDGTblJ
Content-Transfer-Encoding: 8bit
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.219,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1
definitions=2022-11-28_02,2022-11-25_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
lowpriorityscore=0
bulkscore=0 impostorscore=0 mlxlogscore=956 malwarescore=0
priorityscore=1501 spamscore=0 suspectscore=0 adultscore=0 clxscore=1015
mlxscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.12.0-2210170000 definitions=main-2211280018
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1750706339084389277?=
X-GMAIL-MSGID: =?utf-8?q?1750706339084389277?=
|
| Series |
Add DEXCR support
|
|
Message
Benjamin Gray
Nov. 28, 2022, 2:44 a.m. UTC
This series is based on initial work by Chris Riedl that was not sent
to the list.
Adds a kernel interface for userspace to interact with the DEXCR.
The DEXCR is a SPR that allows control over various execution
'aspects', such as indirect branch prediction and enabling the
hashst/hashchk instructions. Further details are in ISA 3.1B
Book 3 chapter 12.
This RFC proposes an interface for users to interact with the DEXCR.
It aims to support
* Querying supported aspects
* Getting/setting aspects on a per-process level
* Allowing global overrides across all processes
There are some parts that I'm not sure on the best way to approach (hence RFC):
* The feature names in arch/powerpc/kernel/dt_cpu_ftrs.c appear to be unimplemented
in skiboot, so are being defined by this series. Is being so verbose fine?
* What aspects should be editable by a process? E.g., SBHE has
effects that potentially bleed into other processes. Should
it only be system wide configurable?
* Should configuring certain aspects for the process be non-privileged? E.g.,
Is there harm in always allowing configuration of IBRTPD, SRAPD? The *FORCE_SET*
action prevents further process local changes regardless of privilege.
* The tests fail Patchwork CI because of the new prctl macros, and the CI
doesn't run headers_install and add -isystem <buildpath>/usr/include to
the make command.
* On handling an exception, I don't check if the NPHIE bit is enabled in the DEXCR.
To do so would require reading both the DEXCR and HDEXCR, for little gain (it
should only matter that the current instruction was a hashchk. If so, the only
reason it would cause an exception is the failed check. If the instruction is
rewritten between exception and check we'd be wrong anyway).
The series is based on the earlier selftest utils series[1], so the tests won't build
at all without applying that first. The kernel side should build fine on ppc/next
247f34f7b80357943234f93f247a1ae6b6c3a740 though.
[1]: https://patchwork.ozlabs.org/project/linuxppc-dev/cover/20221122231103.15829-1-bgray@linux.ibm.com/
Benjamin Gray (13):
powerpc/book3s: Add missing <linux/sched.h> include
powerpc: Add initial Dynamic Execution Control Register (DEXCR)
support
powerpc/dexcr: Handle hashchk exception
powerpc/dexcr: Support userspace ROP protection
prctl: Define PowerPC DEXCR interface
powerpc/dexcr: Add prctl implementation
powerpc/dexcr: Add sysctl entry for SBHE system override
powerpc/dexcr: Add enforced userspace ROP protection config
selftests/powerpc: Add more utility macros
selftests/powerpc: Add hashst/hashchk test
selftests/powerpc: Add DEXCR prctl, sysctl interface test
selftests/powerpc: Add DEXCR status utility lsdexcr
Documentation: Document PowerPC kernel DEXCR interface
Documentation/powerpc/dexcr.rst | 183 +++++++++++
Documentation/powerpc/index.rst | 1 +
arch/powerpc/Kconfig | 5 +
arch/powerpc/include/asm/book3s/64/kexec.h | 6 +
arch/powerpc/include/asm/book3s/64/kup.h | 1 +
arch/powerpc/include/asm/cputable.h | 8 +-
arch/powerpc/include/asm/ppc-opcode.h | 1 +
arch/powerpc/include/asm/processor.h | 33 ++
arch/powerpc/include/asm/reg.h | 7 +
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel/dexcr.c | 310 ++++++++++++++++++
arch/powerpc/kernel/dt_cpu_ftrs.c | 4 +
arch/powerpc/kernel/process.c | 31 +-
arch/powerpc/kernel/prom.c | 4 +
arch/powerpc/kernel/traps.c | 6 +
include/uapi/linux/prctl.h | 14 +
kernel/sys.c | 16 +
tools/testing/selftests/powerpc/Makefile | 1 +
.../selftests/powerpc/dexcr/.gitignore | 3 +
.../testing/selftests/powerpc/dexcr/Makefile | 11 +
tools/testing/selftests/powerpc/dexcr/cap.c | 72 ++++
tools/testing/selftests/powerpc/dexcr/cap.h | 18 +
tools/testing/selftests/powerpc/dexcr/dexcr.c | 118 +++++++
tools/testing/selftests/powerpc/dexcr/dexcr.h | 54 +++
.../selftests/powerpc/dexcr/dexcr_test.c | 241 ++++++++++++++
.../selftests/powerpc/dexcr/hashchk_test.c | 229 +++++++++++++
.../testing/selftests/powerpc/dexcr/lsdexcr.c | 178 ++++++++++
tools/testing/selftests/powerpc/include/reg.h | 4 +
.../testing/selftests/powerpc/include/utils.h | 44 +++
29 files changed, 1602 insertions(+), 2 deletions(-)
create mode 100644 Documentation/powerpc/dexcr.rst
create mode 100644 arch/powerpc/kernel/dexcr.c
create mode 100644 tools/testing/selftests/powerpc/dexcr/.gitignore
create mode 100644 tools/testing/selftests/powerpc/dexcr/Makefile
create mode 100644 tools/testing/selftests/powerpc/dexcr/cap.c
create mode 100644 tools/testing/selftests/powerpc/dexcr/cap.h
create mode 100644 tools/testing/selftests/powerpc/dexcr/dexcr.c
create mode 100644 tools/testing/selftests/powerpc/dexcr/dexcr.h
create mode 100644 tools/testing/selftests/powerpc/dexcr/dexcr_test.c
create mode 100644 tools/testing/selftests/powerpc/dexcr/hashchk_test.c
create mode 100644 tools/testing/selftests/powerpc/dexcr/lsdexcr.c
base-commit: 9dc58a6040662faaf24c8932861f485670fce7ff
--
2.38.1
Comments
On Mon, 2022-11-28 at 13:44 +1100, Benjamin Gray wrote: > This series is based on initial work by Chris Riedl that was not sent > to the list. > > Adds a kernel interface for userspace to interact with the DEXCR. > The DEXCR is a SPR that allows control over various execution > 'aspects', such as indirect branch prediction and enabling the > hashst/hashchk instructions. Further details are in ISA 3.1B > Book 3 chapter 12. > > This RFC proposes an interface for users to interact with the DEXCR. > It aims to support > > * Querying supported aspects > * Getting/setting aspects on a per-process level > * Allowing global overrides across all processes > > There are some parts that I'm not sure on the best way to approach > (hence RFC): > > * The feature names in arch/powerpc/kernel/dt_cpu_ftrs.c appear to be > unimplemented > in skiboot, so are being defined by this series. Is being so > verbose fine? These are going to need to be added to skiboot before they can be referenced in the kernel. Inclusion in skiboot makes them ABI, the kernel is just a consumer. > * What aspects should be editable by a process? E.g., SBHE has > effects that potentially bleed into other processes. Should > it only be system wide configurable? For context, ISA 3.1B p1358 says: In some micro-architectures, the execution behav- ior controlled by aspect 0 is difficult to change with any degree of timing precision. The change may also bleed over into other threads on the same pro- cessor. Any environment that has a dependence on the more secure setting of aspect 0 should not change the value, and ideally should share a pro- cessor only with similar threads. For other environ- ments, changes to the effective value of aspect 0 represent a relative risk tolerance for its aspect of execution behavior, with the understanding that there will be significant hysteresis in the execution behavior. If a process sets SBHE for itself and all it takes is context switching from a process with SBHE unset to cause exposure, then yeah I think it should just be global. I doubt branch hints have enough impact for process granularity to be especially desirable anyway. > * Should configuring certain aspects for the process be non- > privileged? E.g., > Is there harm in always allowing configuration of IBRTPD, SRAPD? > The *FORCE_SET* > action prevents further process local changes regardless of > privilege. I'm not aware of a reason why it would be a problem to allow unprivileged configuration as long as there's a way to prevent further changes. The concerning case is if a mitigation is set by a trusted process context, and then untrusted code is executed that manages to turn the mitigation off again. > * The tests fail Patchwork CI because of the new prctl macros, and > the CI > doesn't run headers_install and add -isystem > <buildpath>/usr/include to > the make command. The CI runs on x86 and cross compiles the kernel and selftests, and boots are done in qemu tcg. Maybe we can skip the build if the symbols are undefined or do something like #ifndef PR_PPC_DEXCR_... return KSFT_SKIP; #endif in the test itself? > * On handling an exception, I don't check if the NPHIE bit is enabled > in the DEXCR. > To do so would require reading both the DEXCR and HDEXCR, for > little gain (it > should only matter that the current instruction was a hashchk. If > so, the only > reason it would cause an exception is the failed check. If the > instruction is > rewritten between exception and check we'd be wrong anyway). For context, the hashst and hashchk instructions are implemented using previously reserved nops. I'm not aware of any reason a nop could trap (i.e. we could check for a trap that came from hashchk even if NPHIE is not set), but afaik that'd be the only reason we would have to check. > > The series is based on the earlier selftest utils series[1], so the > tests won't build > at all without applying that first. The kernel side should build fine > on ppc/next > 247f34f7b80357943234f93f247a1ae6b6c3a740 though. > > [1]: > https://patchwork.ozlabs.org/project/linuxppc-dev/cover/20221122231103.15829-1-bgray@linux.ibm.com/ > > Benjamin Gray (13): > powerpc/book3s: Add missing <linux/sched.h> include > powerpc: Add initial Dynamic Execution Control Register (DEXCR) > support > powerpc/dexcr: Handle hashchk exception > powerpc/dexcr: Support userspace ROP protection > prctl: Define PowerPC DEXCR interface > powerpc/dexcr: Add prctl implementation > powerpc/dexcr: Add sysctl entry for SBHE system override > powerpc/dexcr: Add enforced userspace ROP protection config > selftests/powerpc: Add more utility macros > selftests/powerpc: Add hashst/hashchk test > selftests/powerpc: Add DEXCR prctl, sysctl interface test > selftests/powerpc: Add DEXCR status utility lsdexcr > Documentation: Document PowerPC kernel DEXCR interface > > Documentation/powerpc/dexcr.rst | 183 +++++++++++ > Documentation/powerpc/index.rst | 1 + > arch/powerpc/Kconfig | 5 + > arch/powerpc/include/asm/book3s/64/kexec.h | 6 + > arch/powerpc/include/asm/book3s/64/kup.h | 1 + > arch/powerpc/include/asm/cputable.h | 8 +- > arch/powerpc/include/asm/ppc-opcode.h | 1 + > arch/powerpc/include/asm/processor.h | 33 ++ > arch/powerpc/include/asm/reg.h | 7 + > arch/powerpc/kernel/Makefile | 1 + > arch/powerpc/kernel/dexcr.c | 310 > ++++++++++++++++++ > arch/powerpc/kernel/dt_cpu_ftrs.c | 4 + > arch/powerpc/kernel/process.c | 31 +- > arch/powerpc/kernel/prom.c | 4 + > arch/powerpc/kernel/traps.c | 6 + > include/uapi/linux/prctl.h | 14 + > kernel/sys.c | 16 + > tools/testing/selftests/powerpc/Makefile | 1 + > .../selftests/powerpc/dexcr/.gitignore | 3 + > .../testing/selftests/powerpc/dexcr/Makefile | 11 + > tools/testing/selftests/powerpc/dexcr/cap.c | 72 ++++ > tools/testing/selftests/powerpc/dexcr/cap.h | 18 + > tools/testing/selftests/powerpc/dexcr/dexcr.c | 118 +++++++ > tools/testing/selftests/powerpc/dexcr/dexcr.h | 54 +++ > .../selftests/powerpc/dexcr/dexcr_test.c | 241 ++++++++++++++ > .../selftests/powerpc/dexcr/hashchk_test.c | 229 +++++++++++++ > .../testing/selftests/powerpc/dexcr/lsdexcr.c | 178 ++++++++++ > tools/testing/selftests/powerpc/include/reg.h | 4 + > .../testing/selftests/powerpc/include/utils.h | 44 +++ > 29 files changed, 1602 insertions(+), 2 deletions(-) > create mode 100644 Documentation/powerpc/dexcr.rst > create mode 100644 arch/powerpc/kernel/dexcr.c > create mode 100644 tools/testing/selftests/powerpc/dexcr/.gitignore > create mode 100644 tools/testing/selftests/powerpc/dexcr/Makefile > create mode 100644 tools/testing/selftests/powerpc/dexcr/cap.c > create mode 100644 tools/testing/selftests/powerpc/dexcr/cap.h > create mode 100644 tools/testing/selftests/powerpc/dexcr/dexcr.c > create mode 100644 tools/testing/selftests/powerpc/dexcr/dexcr.h > create mode 100644 > tools/testing/selftests/powerpc/dexcr/dexcr_test.c > create mode 100644 > tools/testing/selftests/powerpc/dexcr/hashchk_test.c > create mode 100644 tools/testing/selftests/powerpc/dexcr/lsdexcr.c > > > base-commit: 9dc58a6040662faaf24c8932861f485670fce7ff > -- > 2.38.1