Define an alternative exit vector. This exit vector will be used if
SMCCC_ARCH_WORKAROUND_1 is available, and makes the assumption that
mitigations are required if the workaround is available.

Technically, the mitigation takes place in the monitor; its implementation
depends on the processor. Refer to [1].

Similarly to KVM, Jailhouse calls the monitor's mitigation on each exit: IRQs
and guest aborts.

[1] 
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Signed-off-by: Ralf Ramsauer <[email protected]>
---
 .../arch/arm-common/include/asm/smccc.h       |  4 +++
 hypervisor/arch/arm64/entry.S                 | 36 +++++++++++++++++++
 hypervisor/arch/arm64/include/asm/entry.h     |  2 ++
 hypervisor/arch/arm64/setup.c                 | 11 +++++-
 4 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/hypervisor/arch/arm-common/include/asm/smccc.h 
b/hypervisor/arch/arm-common/include/asm/smccc.h
index 6c490fad..069beecb 100644
--- a/hypervisor/arch/arm-common/include/asm/smccc.h
+++ b/hypervisor/arch/arm-common/include/asm/smccc.h
@@ -35,7 +35,11 @@
 
 #define SMCCC_IS_CONV_64(function_id)  !!(function_id & (1 << 30))
 
+#ifndef __ASSEMBLY__
+
 struct trap_context;
 
 void smccc_discover(void);
 enum trap_return handle_smc(struct trap_context *ctx);
+
+#endif /* !__ASSEMBLY__ */
diff --git a/hypervisor/arch/arm64/entry.S b/hypervisor/arch/arm64/entry.S
index f5abee3e..360cf801 100644
--- a/hypervisor/arch/arm64/entry.S
+++ b/hypervisor/arch/arm64/entry.S
@@ -15,6 +15,7 @@
 
 #include <asm/asm-defines.h>
 #include <asm/paging.h>
+#include <asm/smccc.h>
 #include <asm/jailhouse_hypercall.h>
 #include <jailhouse/header.h>
 
@@ -321,6 +322,17 @@ bootstrap_vectors:
        handle_vmexit_late \handler
 .endm
 
+.macro handle_vmexit_hardened handler
+       .align  7
+       handle_vmexit_early
+
+       /* Mitigate CVE 2017-5715 (aka Spectre v2) */
+       mov     w0, #SMCCC_ARCH_WORKAROUND_1
+       smc     #0
+
+       handle_vmexit_late \handler
+.endm
+
 /*
  * These are the default vectors. They are used on early startup and if no
  * Spectre v2 mitigation is available.
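Review bot: The hardened macro adds two instructions to each vector slot, but nothing checks that the expansion still fits the 128-byte entry implied by `.align 7`. If handle_vmexit_early, the SMC sequence and handle_vmexit_late together ever grow past that size, the next `.align 7` pushes the following entries down and the table no longer matches the architectural layout, with no build error. A build-time size guard would catch this, or at least a comment such as `/* expansion must fit in one 0x80-byte vector slot */`. The SMC may also clobber x0-x3 under the SMC calling convention, so the macro presumably relies on handle_vmexit_early (defined outside this hunk) having saved the guest registers first; that ordering deserves a comment. The CVE reference is easier to search for in its canonical form, `CVE-2017-5715`.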
@@ -348,6 +360,30 @@ hyp_vectors:
        ventry  .
 
 
+       .align 11
+       .globl hyp_vectors_hardened
+hyp_vectors_hardened:
+       ventry  .
+       ventry  .
+       ventry  .
+       ventry  .
+
+       handle_vmexit arch_el2_abt /* no mitigation, we're doomed anyway... */
+       ventry  .
+       ventry  .
+       ventry  .
+
+       handle_vmexit_hardened arch_handle_trap
+       handle_vmexit_hardened irqchip_handle_irq
+       ventry  .
+       ventry  .
+
+       ventry  .
+       ventry  .
+       ventry  .
+       ventry  .
+
+
        .pushsection    .trampoline, "ax"
        .globl enable_mmu_el2
 enable_mmu_el2:
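Review bot: The sixteen entries of hyp_vectors_hardened carry no labels, so a reader has to count rows to see that only the synchronous and IRQ entries for a lower EL using AArch64 invoke the workaround. A short comment per group would make the coverage auditable: `/* Current EL, SP0 */`, `/* Current EL, SPx */`, `/* Lower EL, AArch64 */`, `/* Lower EL, AArch32 */`. Since this table is a hand-written copy of hyp_vectors, it is also worth one line stating that the two must stay identical apart from the hardened entries, so a later change to one is not missed in the other. The `.align 11` matches the 2 KiB alignment VBAR_EL2 requires and could say so. enable_mmu_el2 at the end of the hunk continues outside it.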
diff --git a/hypervisor/arch/arm64/include/asm/entry.h 
b/hypervisor/arch/arm64/include/asm/entry.h
index 670c6965..335ac607 100644
--- a/hypervisor/arch/arm64/include/asm/entry.h
+++ b/hypervisor/arch/arm64/include/asm/entry.h
@@ -14,6 +14,8 @@
 
 #include <jailhouse/percpu.h>
 
+extern unsigned long hyp_vectors_hardened;
+
 void enable_mmu_el2(u64 ttbr0_el2);
 void __attribute__((noreturn)) shutdown_el2(struct per_cpu *cpu_data);
 
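Review bot: Declaring the vector table as `extern unsigned long hyp_vectors_hardened;` describes a 2 KiB block of code as a single integer, so an accidental use without `&` would compile and read the first instruction word as a value. An incomplete array type avoids that, for example `extern u8 hyp_vectors_hardened[];`, in the same style as `extern u8 __trampoline_start[];` in setup.c. The write in arch_cpu_init would then pass `hyp_vectors_hardened` without the address-of operator. If the existing hyp_vectors symbol is declared the same way elsewhere, both are better changed together.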
diff --git a/hypervisor/arch/arm64/setup.c b/hypervisor/arch/arm64/setup.c
index 251acad1..264b3d14 100644
--- a/hypervisor/arch/arm64/setup.c
+++ b/hypervisor/arch/arm64/setup.c
@@ -19,6 +19,7 @@
 #include <asm/entry.h>
 #include <asm/irqchip.h>
 #include <asm/setup.h>
+#include <asm/smccc.h>
 
 extern u8 __trampoline_start[];
 
@@ -60,7 +61,15 @@ int arch_cpu_init(struct per_cpu *cpu_data)
        /* Setup guest traps */
        arm_write_sysreg(HCR_EL2, hcr);
 
-       return arm_cpu_init(cpu_data);
+       err = arm_cpu_init(cpu_data);
+       if (err)
+               return err;
+
+       /* Conditionally switch to hardened vectors */
+       if (this_cpu_data()->smccc_has_workaround_1)
+               arm_write_sysreg(vbar_el2, &hyp_vectors_hardened);
+
+       return 0;
 }
 
 void __attribute__((noreturn)) arch_cpu_activate_vmm(void)
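Review bot: Nothing records which vector table a CPU ends up with, so an operator cannot confirm from the outside whether the Spectre v2 mitigation is active on a given core. A comment above the branch should state that CPUs without the workaround deliberately stay on the default vectors, for example `/* CPUs without SMCCC_ARCH_WORKAROUND_1 keep hyp_vectors (no Spectre v2 mitigation) */`. If a logging facility is usable at this point, a message when the hardened vectors are selected would help too. The condition reads `this_cpu_data()` although the function already receives `cpu_data`; if both refer to the same structure, `cpu_data->smccc_has_workaround_1` would be more consistent. The declaration of `err` and the start of arch_cpu_init are outside this hunk.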
-- 
2.20.1
