From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel, Marc Zyngier, Will Deacon, Catalin Marinas, Mark Rutland, Peter Zijlstra, Quentin Perret, Kees Cook
Subject: [RFC PATCH] arm64: Move HYP text out of kernel mapping
Date: Fri, 10 Feb 2023 11:00:06 +0100
Message-Id: <20230210100006.1161696-1-ardb@kernel.org>

The HYP text region contains the code that the hypervisor runs when running
KVM at EL2. This code is never called by the kernel running at EL1,
regardless of whether it booted at EL2 or whether it runs KVM in VHE mode or
not.
This means that this code has no need to be mapped with executable
permissions in the kernel's address space, and should therefore be moved
out of it. That way, any gadgets that may exist in this code are no longer
exploitable at the kernel's exception level (speculative or otherwise).

Cc: Marc Zyngier
Cc: Will Deacon
Cc: Catalin Marinas
Cc: Mark Rutland
Cc: Peter Zijlstra
Cc: Quentin Perret
Cc: Kees Cook
Signed-off-by: Ard Biesheuvel
---
 arch/arm64/kernel/vmlinux.lds.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

This change currently results in the following warnings*:

(kvm_arm_pmu_available) can't patch jump_label at __kvm_nvhe___kvm_vcpu_run+0x16c/0x570
(kvm_arm_pmu_available) can't patch jump_label at __kvm_nvhe___deactivate_traps+0x40/0x144
(kvm_protected_mode_initialized) can't patch jump_label at __kvm_nvhe___kvm_vcpu_run+0x380/0x570
(kvm_protected_mode_initialized) can't patch jump_label at __kvm_nvhe_hyp_panic+0x54/0xf8
(kvm_protected_mode_initialized) can't patch jump_label at __kvm_nvhe___kvm_tlb_flush_vmid_ipa+0xc0/0x1b8
(kvm_protected_mode_initialized) can't patch jump_label at __kvm_nvhe___kvm_tlb_flush_vmid+0x84/0x150
(kvm_protected_mode_initialized) can't patch jump_label at __kvm_nvhe___kvm_flush_cpu_context+0x84/0x150
(kvm_protected_mode_initialized) can't patch jump_label at __kvm_nvhe_handle_trap+0x80/0x128

The warnings are due to the fact that the jump label code refuses to patch
sections that are not kernel text. So the questions are:

a) Mark pointed out off-list that he has been getting rid of static keys in
   favor of alternatives in the arch code, as those are guaranteed to be
   patched only once. Should we try to get rid of these as well?

b) These look like they are set only once and never turned off again. The
   pKVM one is definitely only set at boot time, but I couldn't figure out
   whether the same applies to the PMU one.

c) For Peter: could we relax this check (kernel/jump_label.c:446) to permit
   jump labels in .rodata as well?

(* after changing the WARN_ONCE() to pr_warn() and tweaking the output)

diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index 1a43df27a20461ca..f42c070c3b4530c6 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -180,7 +180,6 @@ SECTIONS CPUIDLE_TEXT LOCK_TEXT KPROBES_TEXT - HYPERVISOR_TEXT *(.gnu.warning) . = ALIGN(16); *(.got) /* Global offset table */ @@ -208,6 +207,7 @@ SECTIONS HIBERNATE_TEXT KEXEC_TEXT IDMAP_TEXT + HYPERVISOR_TEXT . = ALIGN(PAGE_SIZE); }
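Review bot: the `+ HYPERVISOR_TEXT` line in the second hunk (after IDMAP_TEXT, before `. = ALIGN(PAGE_SIZE);`) places the nVHE hyp code in a region that the jump label code does not treat as kernel text, and the cover letter's own log shows the consequence: kvm_arm_pmu_available and kvm_protected_mode_initialized can no longer be patched in __kvm_nvhe___kvm_vcpu_run, __kvm_nvhe___deactivate_traps, __kvm_nvhe_hyp_panic, the TLB/cpu-context flush helpers and __kvm_nvhe_handle_trap, so those branches would be left in their compile-time default state at EL2. The patch should therefore not go in on its own; it needs to be paired with either the static-key-to-alternative conversion raised in question (a) or the relaxed check in kernel/jump_label.c raised in question (c), and the commit message should name that dependency, which it currently does not. A smaller documentation point: the subject says "out of kernel mapping" and the message says "moved out of" the kernel's address space, but the hunks keep the region inside the vmlinux image alongside HIBERNATE_TEXT, KEXEC_TEXT and IDMAP_TEXT; what it leaves is the executable .text output section (the first hunk's `- HYPERVISOR_TEXT`), so the message would be more precise saying the HYP text is no longer mapped executable at EL1.

To verify the effect of a change like this on a built kernel, the check a practitioner would want is whether the HYP text range still falls inside the EL1-executable kernel text. The following is an added example for this discussion, not part of the patch and not code from the kernel tree. It parses `nm vmlinux` output and classifies the range between `__hyp_text_start` and `__hyp_text_end` as lying inside `_stext`..`_etext`, inside `__start_rodata`..`__end_rodata` (the region question (c) refers to), or elsewhere. The symbol names are assumed to be the ones the arm64 linker script and arch/arm64/include/asm/sections.h define; the two nm dumps embedded below are constructed samples with made-up addresses, one showing the layout before the move and one after it.

```python
"""Check where the arm64 HYP text ends up in a built vmlinux.

Added example for the patch discussion; not kernel code. It reads `nm vmlinux`
output and reports whether [__hyp_text_start, __hyp_text_end) lies inside the
EL1-executable kernel text [_stext, _etext), inside the read-only data region
[__start_rodata, __end_rodata), or elsewhere. Symbol names are assumed from
the arm64 linker script; the embedded dumps are constructed samples.
"""
import re
import sys
from typing import Dict, Tuple

# One `nm` line: address, symbol type letter, symbol name.
NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)$")

# Constructed sample: layout before the patch, HYP text inside .text.
NM_BEFORE = """\
ffff800008000000 T _text
ffff800008010000 T _stext
ffff8000080a0000 T __hyp_text_start
ffff8000080b0000 T __hyp_text_end
ffff800008c00000 T _etext
ffff800008c10000 R __start_rodata
ffff800009000000 R __end_rodata
"""

# Constructed sample: layout after the patch, HYP text placed after
# IDMAP_TEXT in the read-only data region.
NM_AFTER = """\
ffff800008000000 T _text
ffff800008010000 T _stext
ffff800008c00000 T _etext
ffff800008c10000 R __start_rodata
ffff800008e00000 R __hyp_text_start
ffff800008e10000 R __hyp_text_end
ffff800009000000 R __end_rodata
"""


def parse_nm(text: str) -> Dict[str, int]:
    """Map symbol name -> address; undefined symbols (no address) are skipped."""
    syms: Dict[str, int] = {}
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if m:
            syms[m.group(3)] = int(m.group(1), 16)
    return syms


def symbol_range(syms: Dict[str, int], start: str, end: str) -> Tuple[int, int]:
    """Return [start, end) as integers, failing loudly on missing or inverted symbols."""
    try:
        lo, hi = syms[start], syms[end]
    except KeyError as e:
        raise KeyError(f"symbol {e.args[0]} not found in nm output") from None
    if hi < lo:
        raise ValueError(f"{end} (0x{hi:x}) precedes {start} (0x{lo:x})")
    return lo, hi


def contains(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    """True if the half-open range `inner` lies entirely within `outer`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def classify_hyp_text(syms: Dict[str, int]) -> str:
    """Return "text", "rodata" or "other" for where the HYP text range sits."""
    hyp = symbol_range(syms, "__hyp_text_start", "__hyp_text_end")
    if contains(symbol_range(syms, "_stext", "_etext"), hyp):
        return "text"
    if contains(symbol_range(syms, "__start_rodata", "__end_rodata"), hyp):
        return "rodata"
    return "other"


def main() -> None:
    # Usage: python3 check_hyp_text.py <(nm vmlinux)
    # With no argument, runs against the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print("hyp text is in:", classify_hyp_text(parse_nm(f.read())))
        return
    for label, dump in (("before patch", NM_BEFORE), ("after patch", NM_AFTER)):
        print(f"{label}: hyp text is in {classify_hyp_text(parse_nm(dump))}")


if __name__ == "__main__":
    main()
```

The classification works purely on addresses, so it does not depend on the section type letter nm prints; that matters because the linker-script symbols keep their names whichever output section HYPERVISOR_TEXT is placed in. A result of "other" means the range straddles or lies outside both regions and deserves a look at the linker map before drawing any conclusion.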