Message ID | 20221107033202.1375238-3-rmclure@linux.ibm.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | [v2,1/4] powerpc/64: Add INTERRUPT_SANITIZE_REGISTERS Kconfig | expand |
On Mon Nov 7, 2022 at 1:32 PM AEST, Rohan McLure wrote: > Zero GPRS r14-r31 on entry into the kernel for interrupt sources to > limit influence of user-space values in potential speculation gadgets. > Prior to this commit, all other GPRS are reassigned during the common > prologue to interrupt handlers and so need not be zeroised explicitly. > > This may be done safely, without loss of register state prior to the > interrupt, as the common prologue saves the initial values of > non-volatiles, which are unconditionally restored in interrupt_64.S. In the case of ret_from_crit_except and ret_from_mc_except, it looks like those are restored by ret_from_level_except, so that's fine. And fast_interrupt_return you added NVGPRS restore in the previous patch too. Maybe actually you could move that interrupt_64.h code that applies to both 64s and 64e in patch 1. So then the 64s/e enablement patches are independent and apply to exactly that subarch. But code-wise I think this looks good. Reviewed-by: Nicholas Piggin <npiggin@gmail.com> > Mitigation defaults to enabled by INTERRUPT_SANITIZE_REGISTERS. > > Signed-off-by: Rohan McLure <rmclure@linux.ibm.com> > --- > Resubmitting patches as their own series after v6 partially merged: > Link: https://lore.kernel.org/all/166488988686.779920.13794870102696416283.b4-ty@ellerman.id.au/t/ > --- > arch/powerpc/kernel/exceptions-64e.S | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S > index 2f68fb2ee4fc..91d8019123c2 100644 > --- a/arch/powerpc/kernel/exceptions-64e.S > +++ b/arch/powerpc/kernel/exceptions-64e.S > @@ -358,6 +358,11 @@ ret_from_mc_except: > std r14,PACA_EXMC+EX_R14(r13); \ > std r15,PACA_EXMC+EX_R15(r13) > > +#ifdef CONFIG_INTERRUPT_SANITIZE_REGISTERS > +#define SANITIZE_ZEROIZE_NVGPRS() ZEROIZE_NVGPRS() > +#else > +#define SANITIZE_ZEROIZE_NVGPRS() > +#endif Could possibly share these macros. > > /* Core exception code for all exceptions except TLB misses. */ > #define EXCEPTION_COMMON_LVL(n, scratch, excf) \ > @@ -394,7 +399,8 @@ exc_##n##_common: \ > std r12,STACK_FRAME_OVERHEAD-16(r1); /* mark the frame */ \ > std r3,_TRAP(r1); /* set trap number */ \ > std r0,RESULT(r1); /* clear regs->result */ \ > - SAVE_NVGPRS(r1); > + SAVE_NVGPRS(r1); \ > + SANITIZE_ZEROIZE_NVGPRS(); /* minimise speculation influence */ > > #define EXCEPTION_COMMON(n) \ > EXCEPTION_COMMON_LVL(n, SPRN_SPRG_GEN_SCRATCH, PACA_EXGEN) > -- > 2.34.1
diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S index 2f68fb2ee4fc..91d8019123c2 100644 --- a/arch/powerpc/kernel/exceptions-64e.S +++ b/arch/powerpc/kernel/exceptions-64e.S @@ -358,6 +358,11 @@ ret_from_mc_except: std r14,PACA_EXMC+EX_R14(r13); \ std r15,PACA_EXMC+EX_R15(r13) +#ifdef CONFIG_INTERRUPT_SANITIZE_REGISTERS +#define SANITIZE_ZEROIZE_NVGPRS() ZEROIZE_NVGPRS() +#else +#define SANITIZE_ZEROIZE_NVGPRS() +#endif /* Core exception code for all exceptions except TLB misses. */ #define EXCEPTION_COMMON_LVL(n, scratch, excf) \ @@ -394,7 +399,8 @@ exc_##n##_common: \ std r12,STACK_FRAME_OVERHEAD-16(r1); /* mark the frame */ \ std r3,_TRAP(r1); /* set trap number */ \ std r0,RESULT(r1); /* clear regs->result */ \ - SAVE_NVGPRS(r1); + SAVE_NVGPRS(r1); \ + SANITIZE_ZEROIZE_NVGPRS(); /* minimise speculation influence */ #define EXCEPTION_COMMON(n) \ EXCEPTION_COMMON_LVL(n, SPRN_SPRG_GEN_SCRATCH, PACA_EXGEN)
Zero GPRS r14-r31 on entry into the kernel for interrupt sources to limit influence of user-space values in potential speculation gadgets. Prior to this commit, all other GPRS are reassigned during the common prologue to interrupt handlers and so need not be zeroised explicitly. This may be done safely, without loss of register state prior to the interrupt, as the common prologue saves the initial values of non-volatiles, which are unconditionally restored in interrupt_64.S. Mitigation defaults to enabled by INTERRUPT_SANITIZE_REGISTERS. Signed-off-by: Rohan McLure <rmclure@linux.ibm.com> --- Resubmitting patches as their own series after v6 partially merged: Link: https://lore.kernel.org/all/166488988686.779920.13794870102696416283.b4-ty@ellerman.id.au/t/ --- arch/powerpc/kernel/exceptions-64e.S | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)