@@ -392,6 +392,8 @@
#define DEXCR_PR_IBRTPD 0x10000000UL /* 3: Indirect Branch Recurrent Target Prediction Disable */
#define DEXCR_PR_SRAPD 0x08000000UL /* 4: Subroutine Return Address Prediction Disable */
#define DEXCR_PR_NPHIE 0x04000000UL /* 5: Non-Privileged Hash Instruction Enable */
+#define DEXCR_PR_PHIE 0x02000000UL /* 6: Privileged Hash Instruction Enable */
+#define DEXCR_PNH_PHIE (DEXCR_PR_PHIE << 32)
#define DEXCR_INIT DEXCR_PR_NPHIE /* Fixed DEXCR value to initialise all CPUs with */
#define SPRN_IC 0x350 /* Virtual Instruction Count */
#define SPRN_VTB 0x351 /* Virtual Time Base */
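Review bot: `DEXCR_PNH_PHIE` shifts an `unsigned long` constant left by 32, which is only defined where `unsigned long` is 64 bits wide, and the hunk shows no guard restricting it to 64-bit builds. The smp.c hunk uses the macro inside an `IS_ENABLED()` branch of `start_secondary()`, a function that also tests `CONFIG_PPC32`, so a 32-bit build still has to compile the expression. That build is likely to warn about the shift count, or to fail outright if this part of reg.h is 64-bit only, which is not visible here. Wrapping the C use in `#ifdef CONFIG_PPC_KERNEL_ROP_PROTECT`, as head_64.S already does, would avoid both. The macro is also one of the few lines here without a comment; `/* PHIE in the privileged non-hypervisor half of DEXCR (64-bit only) */` would say what the shift means.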
@@ -1011,6 +1011,16 @@ start_here_multiplatform:
mtctr r12
bctrl /* also sets r13 and SPRG_PACA */
+#ifdef CONFIG_PPC_KERNEL_ROP_PROTECT
+BEGIN_FTR_SECTION
+ mfspr r3,SPRN_DEXCR
+ LOAD_REG_IMMEDIATE(r4,DEXCR_PNH_PHIE)
+ or r3,r3,r4
+ mtspr SPRN_DEXCR,r3
+ isync
+END_FTR_SECTION_IFSET(CPU_FTR_ARCH_31)
+#endif
+
LOAD_REG_ADDR(r3, start_here_common)
ld r4,PACAKMSR(r13)
mtspr SPRN_SRR0,r3
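Review bot: The feature section has no comment, yet its placement is the part a later editor is most likely to disturb. Per the commit message it has to sit after the `early_setup()` call (the `bctrl` above), where CPU feature detection takes place, and before tasks are spawned. A comment such as `/* Enable PHIE only after early_setup() has done CPU feature detection; no function entered before this point may return after it */` would record that constraint next to the code. The read-modify-write uses r3 and r4 as scratch, which looks safe because both are reloaded on the two lines that follow, and that is worth a word in the comment too. start_here_multiplatform begins and continues outside the hunk.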
@@ -1620,6 +1620,12 @@ void start_secondary(void *unused)
{
unsigned int cpu = raw_smp_processor_id();
+ /* Enable hash instructions on this CPU in case not already enabled by the hypervisor */
+ if (IS_ENABLED(CONFIG_PPC_KERNEL_ROP_PROTECT) && cpu_has_feature(CPU_FTR_ARCH_31)) {
+ mtspr(SPRN_DEXCR, mfspr(SPRN_DEXCR) | DEXCR_PNH_PHIE);
+ isync();
+ }
+
/* PPC64 calls setup_kup() in early_setup_secondary() */
if (IS_ENABLED(CONFIG_PPC32))
setup_kup();
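Review bot: This sets only the enable bit on each secondary CPU, and none of the hunks shows where the privileged hash key (presumably HASHPKEYR) gets its value. The comment implies the hypervisor may already have configured things, but where it has not, the key needs to be unpredictable and identical on every CPU before PHIE is turned on. Otherwise a frame hashed on one CPU could fail its check after the task migrates, or the hash would do little to detect a tampered return address. If the key is programmed elsewhere, a short comment naming that place would make the ordering reviewable, e.g. `/* hash key must already be set on this CPU, see <key setup site> */`. start_secondary() continues outside the hunk.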
While we can now compile the kernel with ROP protection, it's possible the hash instructions are acting as NOPs. Enable the PHIE aspect at an appropriate stage in boot so as to maximise coverage without requiring certain functions be compiled without ROP protection. For the boot CPU, there are no arch defined functions that do not return and get called before we start spawning tasks. Therefore we insert the PHIE enablement as a feature section after we call early_setup() where CPU feature detection takes place. For secondary CPUs, we can enable PHIE in start_secondary(). Signed-off-by: Benjamin Gray <bgray@linux.ibm.com> --- This patch is probably incompatible with the per-task DEXCR tracking in the userspace DEXCR series, but I'll fix up whichever one lands last. I tested on a Power10 (TCG and KVM) and Power9. I also tried enabling ftrace; no apparent issues, and the trace probes were definitely triggering. The default config enables ROP protection when the dependencies are satisfied but perhaps we might want to phase it in slower by disabling it? Finally, I've tied together inserting the hash instructions and enabling the PHIE aspect. It might be preferable for distros to have the option to boot without enabling PHIE for performance comparisons. This would be with a command line option I guess? --- arch/powerpc/include/asm/reg.h | 2 ++ arch/powerpc/kernel/head_64.S | 10 ++++++++++ arch/powerpc/kernel/smp.c | 6 ++++++ 3 files changed, 18 insertions(+)