From patchwork Tue Jan 28 15:54:25 2025
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 13952754
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, joey.gouly@arm.com, kvmarm@lists.linux.dev, mark.rutland@arm.com, maz@kernel.org, oliver.upton@linux.dev, suzuki.poulose@arm.com, will@kernel.org, yuzenghui@huawei.com
Subject: [PATCH 1/4] arm64: cpufeature: rename unmap_kernel_at_el0() -> needs_kpti()
Date: Tue, 28 Jan 2025 15:54:25 +0000
Message-Id: <20250128155428.210645-2-mark.rutland@arm.com>
In-Reply-To: <20250128155428.210645-1-mark.rutland@arm.com>
References: <20250128155428.210645-1-mark.rutland@arm.com>

Most arm64_cpu_capabilities::matches callbacks are named to indicate that they test a boolean condition, e.g. runs_at_el2() or has_nested_virt_support().

This isn't clear for unmap_kernel_at_el0(), which can be read as an action rather than a boolean condition, and it's not immediately clear that this is related to KPTI.

Rename unmap_kernel_at_el0() to needs_kpti() to make this clearer.

There should be no functional change as a result of this patch.

Signed-off-by: Mark Rutland
Cc: Catalin Marinas
Cc: Will Deacon
---
 arch/arm64/kernel/cpufeature.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 6ce71f444ed84..8fdcff3722696 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1758,8 +1758,7 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope) static bool __meltdown_safe = true; static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ -static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, - int scope) +static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) { /* List of CPUs that are not vulnerable and don't need KPTI */ static const struct midr_range kpti_safe_list[] = { 
@@ -2545,11 +2544,10 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .capability = ARM64_UNMAP_KERNEL_AT_EL0, .type = ARM64_CPUCAP_BOOT_RESTRICTED_CPU_LOCAL_FEATURE, .cpu_enable = cpu_enable_kpti, - .matches = unmap_kernel_at_el0, + .matches = needs_kpti, /* - * The ID feature fields below are used to indicate that - * the CPU doesn't need KPTI. See unmap_kernel_at_el0 for - * more details. + * The ID feature fields below are used to indicate that the + * CPU doesn't need KPTI. See needs_kpti for more details. */ ARM64_CPUID_FIELDS(ID_AA64PFR0_EL1, CSV3, IMP) },

From patchwork Tue Jan 28 15:54:26 2025
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 13952755
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, joey.gouly@arm.com, kvmarm@lists.linux.dev, mark.rutland@arm.com, maz@kernel.org, oliver.upton@linux.dev, suzuki.poulose@arm.com, will@kernel.org, yuzenghui@huawei.com
Subject: [PATCH 2/4] arm64: cpufeature: factor out cpu_is_meltdown_safe()
Date: Tue, 28 Jan 2025 15:54:26 +0000
Message-Id: <20250128155428.210645-3-mark.rutland@arm.com>
In-Reply-To: <20250128155428.210645-1-mark.rutland@arm.com>
References: <20250128155428.210645-1-mark.rutland@arm.com>

Currently needs_kpti() checks whether a CPU is immune to meltdown. The ID_AA64PFR0_EL1.CSV3 ID register field allows a CPU to self report that it is immune, and kpti_safe_list contains CPUs which are known to be immune but predate the existence of ID_AA64PFR0_EL1.CSV3.

In future there may be additional reasons to enable KPTI for a CPU regardless of whether that CPU is immune to meltdown.

Factor out the existing meltdown checks into a new cpu_is_meltdown_safe() helper function. The ID_AA64PFR0_EL1.CSV3 field description is removed from the capability structure and made explicit within cpu_is_meltdown_safe().

As needs_kpti() is only called with SCOPE_LOCAL, this should not result in any functional change.

Signed-off-by: Mark Rutland
Cc: Catalin Marinas
Cc: Will Deacon
---
 arch/arm64/kernel/cpufeature.c | 43 +++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 8fdcff3722696..b746bb16ee785 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1755,13 +1755,12 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope) return has_cpuid_feature(entry, scope); } -static bool __meltdown_safe = true; -static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ - -static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) +static bool cpu_is_meltdown_safe(void) { - /* List of CPUs that are not vulnerable and don't need KPTI */ - static const struct midr_range kpti_safe_list[] = { + u64 pfr0; + + /* List of CPUs that are not vulnerable to meltdown */ + static const struct midr_range meltdown_safe_list[] = { MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2), MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), 
@@ -1779,15 +1778,32 @@ static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER), { /* sentinel */ } }; + + if (is_midr_in_range_list(read_cpuid_id(), meltdown_safe_list)) + return true; + + /* + * ID_AA64PFR0_EL1.CSV3 > 0 indicates that this CPU is not vulnerable + * to meltdown. + */ + pfr0 = __read_sysreg_by_encoding(SYS_ID_AA64PFR0_EL1); + if (cpuid_feature_extract_unsigned_field(pfr0, ID_AA64PFR0_EL1_CSV3_SHIFT)) + return true; + + return false; +} + +static bool __meltdown_safe = true; +static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ + +static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) +{ char const *str = "kpti command line option"; bool meltdown_safe; - meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list); - - /* Defer to CPU feature registers */ - if (has_cpuid_feature(entry, scope)) - meltdown_safe = true; + WARN_ON(scope != SCOPE_LOCAL_CPU); + meltdown_safe = cpu_is_meltdown_safe(); if (!meltdown_safe) __meltdown_safe = false; 
@@ -2545,11 +2561,6 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .type = ARM64_CPUCAP_BOOT_RESTRICTED_CPU_LOCAL_FEATURE, .cpu_enable = cpu_enable_kpti, .matches = needs_kpti, - /* - * The ID feature fields below are used to indicate that the - * CPU doesn't need KPTI. See needs_kpti for more details. - */ - ARM64_CPUID_FIELDS(ID_AA64PFR0_EL1, CSV3, IMP) }, { .capability = ARM64_HAS_FPSIMD,

From patchwork Tue Jan 28 15:54:27 2025
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 13952759
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, joey.gouly@arm.com, kvmarm@lists.linux.dev, mark.rutland@arm.com, maz@kernel.org, oliver.upton@linux.dev, suzuki.poulose@arm.com, will@kernel.org, yuzenghui@huawei.com
Subject: [PATCH 3/4] arm64: cpufeature: mitigate CVE-2024-7881
Date: Tue, 28 Jan 2025 15:54:27 +0000
Message-Id: <20250128155428.210645-4-mark.rutland@arm.com>
In-Reply-To: <20250128155428.210645-1-mark.rutland@arm.com>
References: <20250128155428.210645-1-mark.rutland@arm.com>

On some CPUs from Arm Ltd, it is possible for unprivileged code to cause a hardware prefetcher to form an address using the contents of a memory location which is accessible by privileged accesses in the active translation regime, potentially leaking the contents of this memory location via a side channel.

This has been assigned CVE-2024-7881:

  https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881

Arm's recommended mitigation is that firmware configures an IMPLEMENTATION DEFINED control bit (CPUACTLR6_EL1[41]) to disable the affected prefetcher, and updates to Trusted Firmware-A are available to do this.

Presence of the firmware mitigation is indicated by the presence of a new SMCCC call, SMCCC_ARCH_WORKAROUND_4, which is documented in the SMCCC 1.6 G BET0 specification:

  https://developer.arm.com/documentation/den0028/gbet0/?lang=en

Note that SMCCC_ARCH_WORKAROUND_4 has no return value, and exists solely such that it can be detected via SMCCC_ARCH_FEATURES.

On systems which have not yet received a firmware update, enabling KPTI will help to mitigate the issue.

This patch enables KPTI on affected parts where the lack of SMCCC_ARCH_WORKAROUND_4 indicates the absence of the firmware workaround. This will implicitly disable SPE and/or TRBE if either of these are present.

Signed-off-by: Mark Rutland
Cc: Catalin Marinas
Cc: Will Deacon
---
 arch/arm64/kernel/cpufeature.c | 34 +++++++++++++++++++++++++++++++++-
 include/linux/arm-smccc.h | 5 +++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index b746bb16ee785..e90bf4dcb6f1c 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c
@@ -1793,6 +1793,35 @@ static bool cpu_is_meltdown_safe(void) return false; } +static bool cpu_has_leaky_prefetcher(void) +{ + struct arm_smccc_res res; + + /* CPUs which are affected by CVE-2024-7881 */ + static const struct midr_range leaky_prefetcher_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + { /* sentinel */ } + }; + + if (!is_midr_in_range_list(read_cpuid_id(), leaky_prefetcher_list)) + return false; + + /* + * If ARCH_WORKAROUND_4 is implemented, then the firmware mitigation is + * present. There is no need to call ARCH_WORKAROUND_4 itself. + */ + arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, + ARM_SMCCC_ARCH_WORKAROUND_4, &res); + if (res.a0 == SMCCC_RET_SUCCESS) + return false; + + return true; +} + static bool __meltdown_safe = true; static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ @@ -1800,6 +1829,7 @@ static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) { char const *str = "kpti command line option"; bool meltdown_safe; + bool prefetcher_safe; WARN_ON(scope != SCOPE_LOCAL_CPU); @@ -1807,6 +1837,8 @@ static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) if (!meltdown_safe) __meltdown_safe = false; + prefetcher_safe = !cpu_has_leaky_prefetcher(); + /* * For reasons that aren't entirely clear, enabling KPTI on Cavium * ThunderX leads to apparent I-cache corruption of kernel text, which @@ -1846,7 +1878,7 @@ static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) return __kpti_forced > 0; } - return !meltdown_safe; + return !meltdown_safe || !prefetcher_safe; } static bool has_nv1(const struct arm64_cpu_capabilities *entry, int scope) diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h index 67f6fdf2e7cd8..e77103ab2adfd 100644 --- a/include/linux/arm-smccc.h 
+++ b/include/linux/arm-smccc.h 
@@ -100,6 +100,11 @@ ARM_SMCCC_SMC_32, \ 0, 0x3fff) +#define ARM_SMCCC_ARCH_WORKAROUND_4 \ + ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, \ + ARM_SMCCC_SMC_32, \ + 0, 0x0004) + #define ARM_SMCCC_VENDOR_HYP_CALL_UID_FUNC_ID \ ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, \ ARM_SMCCC_SMC_32, \

From patchwork Tue Jan 28 15:54:28 2025
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 13952760
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, joey.gouly@arm.com, kvmarm@lists.linux.dev, mark.rutland@arm.com, maz@kernel.org, oliver.upton@linux.dev, suzuki.poulose@arm.com, will@kernel.org, yuzenghui@huawei.com
Subject: [PATCH 4/4] KVM: arm64: expose SMCCC_ARCH_WORKAROUND_4 to guests
Date: Tue, 28 Jan 2025 15:54:28 +0000
Message-Id: <20250128155428.210645-5-mark.rutland@arm.com>
In-Reply-To: <20250128155428.210645-1-mark.rutland@arm.com>
References: <20250128155428.210645-1-mark.rutland@arm.com>

Wire up KVM support so that guests can detect the presence of SMCCC_ARCH_WORKAROUND_4 and determine whether firmware has mitigated CVE-2024-7881.

SMCCC_ARCH_WORKAROUND_4 is documented in the SMCCC 1.6 G BET0 specification, which can be found at:

  https://developer.arm.com/documentation/den0028/gbet0/?lang=en

Note that SMCCC_ARCH_WORKAROUND_4 has no return value, and exists solely such that it can be detected via SMCCC_ARCH_FEATURES.

Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Joey Gouly Cc: Marc Zyngier Cc: Oliver Upton Cc: Suzuki K Poulose Cc: Will Deacon Cc: Zenghui Yu Cc: kvmarm@lists.linux.dev --- arch/arm64/include/asm/spectre.h | 2 ++ arch/arm64/include/uapi/asm/kvm.h | 4 ++++ arch/arm64/kernel/cpufeature.c | 14 ++++++++++++++ arch/arm64/kvm/hypercalls.c | 21 +++++++++++++++++++++ 4 files changed, 41 insertions(+) diff --git a/arch/arm64/include/asm/spectre.h b/arch/arm64/include/asm/spectre.h index 0c4d9045c31f4..365e5d7199f90 100644 --- a/arch/arm64/include/asm/spectre.h +++ b/arch/arm64/include/asm/spectre.h @@ -95,6 +95,8 @@ void spectre_v4_enable_task_mitigation(struct task_struct *tsk); enum mitigation_state arm64_get_meltdown_state(void); +enum mitigation_state arm64_get_cve_2024_7881_state(void); + enum mitigation_state arm64_get_spectre_bhb_state(void); bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); u8 spectre_bhb_loop_affected(int scope); diff --git a/arch/arm64/include/uapi/asm/kvm.h b/arch/arm64/include/uapi/asm/kvm.h index 66736ff04011e..aa207c633b115 100644 --- a/arch/arm64/include/uapi/asm/kvm.h +++ b/arch/arm64/include/uapi/asm/kvm.h @@ -304,6 +304,10 @@ struct kvm_arm_counter_offset { #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_3_AVAIL 1 #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_3_NOT_REQUIRED 2 +#define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4 KVM_REG_ARM_FW_REG(4) +#define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4_NOT_AVAIL 0 +#define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4_AVAIL 1 + /* SVE registers */ #define KVM_REG_ARM64_SVE (0x15 << KVM_REG_ARM_COPROC_SHIFT) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index e90bf4dcb6f1c..50536abcdfac3 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c 
@@ -1823,6 +1823,7 @@ static bool cpu_has_leaky_prefetcher(void) } static bool __meltdown_safe = true; +static bool __leaky_prefetch_safe = true; static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) @@ -1838,6 +1839,8 @@ static bool needs_kpti(const struct arm64_cpu_capabilities *entry, int scope) __meltdown_safe = false; prefetcher_safe = !cpu_has_leaky_prefetcher(); + if (!prefetcher_safe) + __leaky_prefetch_safe = false; /* * For reasons that aren't entirely clear, enabling KPTI on Cavium @@ -3945,3 +3948,14 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, return sprintf(buf, "Vulnerable\n"); } } + +enum mitigation_state arm64_get_cve_2024_7881_state(void) +{ + if (__leaky_prefetch_safe) + return SPECTRE_UNAFFECTED; + + if (arm64_kernel_unmapped_at_el0()) + return SPECTRE_MITIGATED; + + return SPECTRE_VULNERABLE; +} diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c index 27ce4cb449049..876e6f29a73e0 100644 --- a/arch/arm64/kvm/hypercalls.c +++ b/arch/arm64/kvm/hypercalls.c @@ -337,6 +337,16 @@ int kvm_smccc_call_handler(struct kvm_vcpu *vcpu) break; } break; + case ARM_SMCCC_ARCH_WORKAROUND_4: + switch (arm64_get_cve_2024_7881_state()) { + case SPECTRE_UNAFFECTED: + val[0] = SMCCC_RET_SUCCESS; + break; + case SPECTRE_VULNERABLE: + case SPECTRE_MITIGATED: + break; + } + break; case ARM_SMCCC_HV_PV_TIME_FEATURES: if (test_bit(KVM_REG_ARM_STD_HYP_BIT_PV_TIME, &smccc_feat->std_hyp_bmap)) @@ -387,6 +397,7 @@ static const u64 kvm_arm_fw_reg_ids[] = { KVM_REG_ARM_STD_BMAP, KVM_REG_ARM_STD_HYP_BMAP, KVM_REG_ARM_VENDOR_HYP_BMAP, + KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4, }; void kvm_arm_init_hypercalls(struct kvm *kvm) 
@@ -468,6 +479,14 @@ static int get_kernel_wa_level(struct kvm_vcpu *vcpu, u64 regid) return KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_3_NOT_REQUIRED; } return KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_3_NOT_AVAIL; + case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4: + switch (arm64_get_cve_2024_7881_state()) { + case SPECTRE_VULNERABLE: + case SPECTRE_MITIGATED: + return KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4_NOT_AVAIL; + case SPECTRE_UNAFFECTED: + return KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4_AVAIL; + } } return -EINVAL; @@ -486,6 +505,7 @@ int kvm_arm_get_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1: case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2: case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_3: + case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4: val = get_kernel_wa_level(vcpu, reg->id) & KVM_REG_FEATURE_LEVEL_MASK; break; case KVM_REG_ARM_STD_BMAP: @@ -587,6 +607,7 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1: case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_3: + case KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4: if (val & ~KVM_REG_FEATURE_LEVEL_MASK) return -EINVAL;
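
Review bot: In patch 2/4, needs_kpti() only warns on a wrong scope ("WARN_ON(scope != SCOPE_LOCAL_CPU);") and then carries on, while the new cpu_is_meltdown_safe() reads ID_AA64PFR0_EL1 directly on the current CPU through __read_sysreg_by_encoding() instead of going through has_cpuid_feature(entry, scope). A short comment on cpu_is_meltdown_safe() saying that it must run on the CPU being evaluated would document the constraint the WARN_ON is guarding. The commit message says SCOPE_LOCAL where the code checks SCOPE_LOCAL_CPU; please align the two.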
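
Review bot: In patch 3/4, cpu_has_leaky_prefetcher() treats every SMCCC_ARCH_FEATURES result other than SMCCC_RET_SUCCESS as "no firmware mitigation" and falls through to "return true;". That is the safe default, but the comment above the arm_smccc_1_1_invoke() call only covers the success case. Please extend it to say that an error or unsupported result deliberately leaves the CPU classed as affected, so a later cleanup does not tighten the check by accident.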
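
Review bot: In patch 3/4, needs_kpti() only consumes prefetcher_safe in the final "return !meltdown_safe || !prefetcher_safe;", which comes after the "return __kpti_forced > 0;" context line. With __kpti_forced documented as "<0: forced off", a forced-off KPTI also removes the CVE-2024-7881 fallback on an affected CPU that lacks the firmware workaround, and nothing in these hunks logs or records that. Consider a message when KPTI is enabled or overridden because of the prefetcher rather than meltdown, given the commit message notes that enabling KPTI implicitly disables SPE and/or TRBE.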
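
Review bot: In patch 3/4, the new ARM_SMCCC_ARCH_WORKAROUND_4 define in include/linux/arm-smccc.h carries no comment. The commit message stresses that the call has no return value and exists only to be probed through SMCCC_ARCH_FEATURES; a one-line comment next to the define saying so, and naming CVE-2024-7881, would keep a later caller from invoking the function ID directly.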
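
Review bot: In patch 4/4, arm64_get_cve_2024_7881_state() returns SPECTRE_UNAFFECTED whenever __leaky_prefetch_safe is still true, which per cpu_has_leaky_prefetcher() covers both CPUs outside the affected list and affected CPUs whose firmware implements ARCH_WORKAROUND_4. The "case ARM_SMCCC_ARCH_WORKAROUND_4:" block in kvm_smccc_call_handler() then reports SMCCC_RET_SUCCESS only for that state and leaves SPECTRE_MITIGATED (host running with KPTI) unreported, which reads oddly without explanation. If the intent is that host KPTI must not be presented to the guest as a firmware mitigation, please say so in a comment there, and document on the state function what UNAFFECTED covers.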
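
Review bot: In patch 4/4, KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_4 is a new userspace-visible firmware register added to arch/arm64/include/uapi/asm/kvm.h and to kvm_arm_fw_reg_ids[], but the diffstat touches no documentation. Please document the register and its NOT_AVAIL and AVAIL values alongside the existing WORKAROUND_3 ones. In kvm_arm_set_fw_reg() the new case joins WORKAROUND_1 and WORKAROUND_3 and only the "val & ~KVM_REG_FEATURE_LEVEL_MASK" check is visible in the hunk, so the commit message should spell out what happens when userspace restores AVAIL on a host that reports NOT_AVAIL.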