Cve 2017 5715 2 #2055
Cve 2017 5715 2 #2055
Conversation
There was a problem hiding this comment.
With or without my comment addressed, and for "core: arm32: thread: invalidate branch predictor" only:
Reviewed-by: Jerome Forissier <[email protected]>
core/arch/arm/kernel/thread_a32.S
Outdated
| * The idea is to form a specific bit pattern in the lowest three | ||
| * bits of SP depending on which entry in the vector we enter via. | ||
| * This is done by adding 1 to SP in each entry but the last. | ||
| */ |
There was a problem hiding this comment.
I think this deserves a few words to explain that the BPIALL has to be executed before any branch instruction is executed, hence the slightly convoluted code. I know I could/should have made the same comment for the sm commit ;-)
There was a problem hiding this comment.
I'll add something.
There was a problem hiding this comment.
minor stuff: s/doesn't/does not/ , s/it's/it is/.
Sentence seems wrong to me: It doesn't matter if it's a conditional or an unconditional branch speculation can still occur..
There was a problem hiding this comment.
Perhaps it's a missing comma. How about:
It doesn't matter if it's a conditional or an unconditional branch, speculation can still occur.
|
What about 64-bits? |
|
You're right I forgot about the 64-bit stuff. I'll add another patch here taking care of that. |
|
Hmm, the 64-bit branch predictor invalidation is a bit more complicated. I'll take that in a separate pull request. |
jenswi-linaro
force-pushed
the
cve-2017-5715-2
branch
from
58effc5
to
c7f8f75
Compare
|
Commit updated, tag applied to |
core/arch/arm/include/mm/core_mmu.h
Outdated
| @@ -74,6 +77,11 @@ | |||
| #define CFG_TEE_RAM_VA_SIZE CORE_MMU_PGDIR_SIZE | |||
| #endif | |||
|
|
|||
| #ifdef CFG_WITH_LPAE | |||
| #define CORE_MMU_L1_TBL_OFFSET (CFG_TEE_CORE_NB_CORE * 4 * 8) | |||
There was a problem hiding this comment.
* 4 * 8 looks like magic, especially compared to how NUM_L1_ENTRIES is defined in core_mmu_lpae.c. Deserves a bit of explanation: why 4 64bit wide mmu descriptors ?
Regarding the armv7, the comment is straightforward: we need a full L1 table.
There was a problem hiding this comment.
Please make these comments in #2048 instead
core/arch/arm/kernel/thread.c
Outdated
|
|
||
| v = (vaddr_t)thread_vect_table; | ||
| thread_user_kcode_va = ROUNDDOWN(v, CORE_MMU_USER_CODE_SIZE); | ||
| thread_user_kcode_size = CORE_MMU_USER_CODE_SIZE * 2; |
There was a problem hiding this comment.
why 2 regions (likely pages)?
There was a problem hiding this comment.
Please make these comments in #2048 instead
core/arch/arm/kernel/thread_a32.S
Outdated
| @@ -748,6 +748,56 @@ END_FUNC thread_unwind_user_mode | |||
| FUNC thread_vect_table , : | |||
| UNWIND( .fnstart) | |||
| UNWIND( .cantunwind) | |||
| #ifdef CFG_CORE_WORKAROUND_SPECTRE_BP | |||
There was a problem hiding this comment.
I'm wondering if we shouldn't use a different config option here as we're protecting against a different attack and also the defense will be quite expensive in AArch64.
There was a problem hiding this comment.
Agreed. CFG_CORE_WORKAROUND_SPECTRE_BP_SEC maybe? (rationale: still Spectre branch prediction attack but entirely within secure world hence _SEC).
jenswi-linaro
force-pushed
the
cve-2017-5715-2
branch
from
c7f8f75
to
e985cb1
Compare
|
Commit |
|
Fine with me |
|
We've discovered that the BPIALL workaround is not effective in invalidating the branch predictor for Cortex-A15. An alternative workaround is described in the updated TF security advisory: That will affect your implementation here. Note we plan to push an example implementation of this in our SP_MIN payload in the coming days. Also, it would be good if this workaround was not applied to unaffected CPUs (e.g. Cortex-A32, Cortex-A7 and Cortex-A5). |
Thanks for letting us know Dan, this means it's worth for us wait a bit before merging this.
Agree! |
|
Sounds like we may have to use runtime detection in order to install the proper exception vector. Otherwise, we can't properly support mixed configurations like big.LITTLE. |
|
Can't we do something about it using the core/arch/arm/cpus/xxx.mk? |
jenswi-linaro
force-pushed
the
cve-2017-5715-2
branch
from
e985cb1
to
d63a923
Compare
|
Rebased on master, updated for runtime configuration. |
There was a problem hiding this comment.
With the movs fixed:
Reviewed-by: Jerome Forissier <[email protected]>
Tested-by: Jerome Forissier <[email protected]> (HiKey)
Tested-by: Jerome Forissier <[email protected]> (HiKey960)
core/arch/arm/kernel/thread_a32.S
Outdated
| cmpne r2, r3 | ||
| movne r3, #CORTEX_A75_PART_NUM | ||
| cmpne r2, r3 | ||
| ldreq r0, =exception_vector_bpial |
| ldreq r0, =exception_vector_a15 | ||
| beq 2f | ||
| #endif | ||
| 1: ldr r0, =thread_vect_table |
There was a problem hiding this comment.
Minor thing: now we have two wordings, "exception vector" and "thread vector table". I'd rather s/thread_vect_table/exception_vector/ but that's probably out of scope for this PR.
There was a problem hiding this comment.
Yes, let's take that cleanup in a later PR.
core/arch/arm/kernel/thread_a32.S
Outdated
| cmp_spsr_user_mode r0 | ||
| bne 1f | ||
| /* Invalidate the branch predictor for the current processor. */ | ||
| write_iciallu |
There was a problem hiding this comment.
Could you add a note to emphasise that BPIALL doesn't fit here and ICIALLU is indeed required? I'm referring to the statement: "Note that the BPIALL instruction is not effective in invalidating the branch predictor on Cortex-A15. For that CPU, set ACTLR[0] to 1 during early processor initialisation, and invalidate the branch predictor by performing an ICIALLU instruction." from the Arm-TF page https://github.com/ARM-software/arm-trusted-firmware/wiki/Arm-Trusted-Firmware-Security-Advisory-TFV-6#variant-2-cve-2017-5715.
core/arch/arm/kernel/thread_a32.S
Outdated
| ubfx r2, r1, #MIDR_PRIMARY_PART_NUM_SHIFT, \ | ||
| #MIDR_PRIMARY_PART_NUM_WIDTH | ||
|
|
||
| mov r3, #CORTEX_A8_PART_NUM |
There was a problem hiding this comment.
core/arch/arm/kernel/thread_a32.S: Assembler messages:
core/arch/arm/kernel/thread_a32.S:477: Error: invalid constant (c08) after fixup
core/arch/arm/kernel/thread_a32.S:479: Error: invalid constant (c09) after fixup
core/arch/arm/kernel/thread_a32.S:481: Error: invalid constant (c0e) after fixup
core/arch/arm/kernel/thread_a32.S:483: Error: invalid constant (d07) after fixup
core/arch/arm/kernel/thread_a32.S:485: Error: invalid constant (d08) after fixup
core/arch/arm/kernel/thread_a32.S:487: Error: invalid constant (d09) after fixup
core/arch/arm/kernel/thread_a32.S:489: Error: invalid constant (d0a) after fixup
core/arch/arm/kernel/thread_a32.S:494: Error: invalid constant (c0f) after fixup
s/mov/movw/ and s/movne/movwne/ fixes the issues
jenswi-linaro
force-pushed
the
cve-2017-5715-2
branch
from
2fd6261
to
0f2d789
Compare
|
Updated as requested, rebased, squashed and tags applied. |
jenswi-linaro
force-pushed
the
cve-2017-5715-2
branch
from
0f2d789
to
41c381c
Compare
|
Pushed updates (commit message and a spell error in a comment) for two checkpatch warnings. |
|
Please wait with merging this, this PR requires ACTLR[0] set to 1 for Cortex-A15 platforms. I'm preparing another PR to take care of that. |
|
@jenswi-linaro sure |
|
Needs #2071 |
With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use the minimal kernel mapping during user space execution. With this patch vbar is updated relative to previous value in vbar to allow different exception vectors for different cpu types. Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch predictor on all secure world exceptions. Fixes CVE-2017-5715 Tested-by: Jerome Forissier <[email protected]> (HiKey) Tested-by: Jerome Forissier <[email protected]> (HiKey960) Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
jenswi-linaro
force-pushed
the
cve-2017-5715-2
branch
from
41c381c
to
7d1a49c
Compare
|
Rebased on master |
This pull request is done on top of #2048 to avoid unnecessary conflicts when finally merging everything. The commit to review here is
core: arm32: thread: invalidate branch predictor.