/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Copyright (C) 2012 ARM Ltd.
*/
#ifndef __ASM_MMU_H
#define __ASM_MMU_H
#include <asm/cputype.h>
#define MMCF_AARCH32 0x1 /* mm context flag for AArch32 executables */

/*
 * The ASID occupies bits 63:48 of a TTBR value (see TTBR_ASID_MASK).
 * USER_ASID_BIT is the least significant ASID bit and USER_ASID_FLAG the
 * matching single-bit mask; the name suggests it separates the user ASID
 * from the kernel one when kpti is in use — confirm against the TTBR
 * switching code.
 */
#define USER_ASID_BIT 48
#define USER_ASID_FLAG (UL(1) << USER_ASID_BIT)

/* Mask of the 16-bit ASID field in a TTBR value. */
#define TTBR_ASID_MASK (UL(0xffff) << 48)

/*
 * Number of EL2 vector slots reserved for branch-predictor hardening;
 * presumably the upper bound for arm64_el2_vector_last_slot.
 */
#define BP_HARDEN_EL2_SLOTS 4
#ifndef __ASSEMBLY__
/* Per-mm architecture context. */
typedef struct {
	/*
	 * ASID for this mm. The low 16 bits are the hardware ASID (see the
	 * ASID() macro); the remaining bits presumably carry the allocator's
	 * generation — confirm against the ASID allocator.
	 */
	atomic64_t id;
	/* Base of this process's vDSO mapping, presumably set by vdso setup. */
	void *vdso;
	/* Per-mm flags, e.g. MMCF_AARCH32. */
	unsigned long flags;
} mm_context_t;
/*
 * This macro is only used by the TLBI code, which cannot race with an
 * ASID change and therefore doesn't need to reload the counter using
 * atomic64_read.
 *
 * Yields the low 16 bits of context.id, i.e. the hardware ASID without
 * any generation bits.
 */
#define ASID(mm) ((mm)->context.id.counter & 0xffff)
/*
 * Whether the kernel is unmapped while running at EL0 (kpti): true only
 * when the feature is compiled in and the CPU capability has been set.
 */
static inline bool arm64_kernel_unmapped_at_el0(void)
{
	if (!IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0))
		return false;

	return cpus_have_const_cap(ARM64_UNMAP_KERNEL_AT_EL0);
}
/*
 * Decide whether kernel mappings should be created non-global (nG) from the
 * outset. Per the log of the commit that added the
 * arm64_kernel_unmapped_at_el0() check, the result feeds PROT_DEFAULT via
 * PTE_MAYBE_NG, and pgattr_change_is_safe() rejects a later nG -> G change,
 * so the answer must not flip once page tables have been written.
 *
 * Returns true when:
 *  - kpti is already known to be active (arm64_kernel_unmapped_at_el0()),
 *    e.g. forced on the command line, or
 *  - CONFIG_RANDOMIZE_BASE is on, a non-zero KASLR offset was applied and
 *    the CPU is not affected by Cavium erratum 27456 (on which kpti is not
 *    enabled).
 * Returns false when CONFIG_UNMAP_KERNEL_AT_EL0 is off.
 */
static inline bool arm64_kernel_use_ng_mappings(void)
{
	bool tx1_bug;

	/* What's a kpti? Use global mappings if we don't know. */
	if (!IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0))
		return false;

	/*
	 * Note: this function is called before the CPU capabilities have
	 * been configured, so our early mappings will be global. If we
	 * later determine that kpti is required, then
	 * kpti_install_ng_mappings() will make them non-global.
	 */
	/*
	 * Once kpti has been switched on (e.g. forced via the command line
	 * with CONFIG_RANDOMIZE_BASE but no KASLR seed), this function must
	 * agree with it, otherwise PROT_DEFAULT would still lack nG after
	 * kpti_install_ng_mappings() rewrote the page tables.
	 */
	if (arm64_kernel_unmapped_at_el0())
		return true;

	if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
		return false;

	/*
	 * KASLR is enabled so we're going to be enabling kpti on non-broken
	 * CPUs regardless of their susceptibility to Meltdown. Rather
	 * than force everybody to go through the G -> nG dance later on,
	 * just put down non-global mappings from the beginning.
	 */
	if (!IS_ENABLED(CONFIG_CAVIUM_ERRATUM_27456)) {
		tx1_bug = false;
#ifndef MODULE
	} else if (!static_branch_likely(&arm64_const_caps_ready)) {
		/*
		 * The const caps are presumably not finalised yet, so the
		 * capability cannot be trusted; check the MIDR list directly.
		 */
		extern const struct midr_range cavium_erratum_27456_cpus[];

		tx1_bug = is_midr_in_range_list(read_cpuid_id(),
						cavium_erratum_27456_cpus);
#endif
	} else {
		tx1_bug = __cpus_have_const_cap(ARM64_WORKAROUND_CAVIUM_27456);
	}

	/*
	 * Affected CPUs keep global mappings; otherwise go non-global only
	 * if a KASLR offset was actually applied.
	 */
	return !tx1_bug && kaslr_offset() > 0;
}
/* Branch-predictor hardening callback, invoked by arm64_apply_bp_hardening(). */
typedef void (*bp_hardening_cb_t)(void);

/* Per-CPU branch-predictor hardening state. */
struct bp_hardening_data {
	/*
	 * EL2 vector slot used by this CPU; presumably an index below
	 * BP_HARDEN_EL2_SLOTS — confirm against the vector allocation code.
	 */
	int hyp_vectors_slot;
	/* Callback run by arm64_apply_bp_hardening(); NULL means nothing to do. */
	bp_hardening_cb_t fn;
};
#if (defined(CONFIG_HARDEN_BRANCH_PREDICTOR) || \
     defined(CONFIG_HARDEN_EL2_VECTORS))
/* Bounds of the hardened EL2 (hyp) exception vectors; presumably linker symbols. */
extern char __bp_harden_hyp_vecs_start[], __bp_harden_hyp_vecs_end[];
/*
 * Last EL2 vector slot handed out; presumably bounded by
 * BP_HARDEN_EL2_SLOTS — confirm against the slot allocator.
 */
extern atomic_t arm64_el2_vector_last_slot;
#endif /* CONFIG_HARDEN_BRANCH_PREDICTOR || CONFIG_HARDEN_EL2_VECTORS */
#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
/* Per-CPU hardening state, read on every arm64_apply_bp_hardening() call. */
DECLARE_PER_CPU_READ_MOSTLY(struct bp_hardening_data, bp_hardening_data);
/* Return the calling CPU's branch-predictor hardening data. */
static inline struct bp_hardening_data *arm64_get_bp_hardening_data(void)
{
	struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);

	return data;
}
/*
 * Run this CPU's branch-predictor hardening callback, if the
 * ARM64_HARDEN_BRANCH_PREDICTOR capability is set and a callback is
 * installed; otherwise a no-op.
 */
static inline void arm64_apply_bp_hardening(void)
{
	bp_hardening_cb_t cb;

	if (!cpus_have_const_cap(ARM64_HARDEN_BRANCH_PREDICTOR))
		return;

	cb = arm64_get_bp_hardening_data()->fn;
	if (cb)
		cb();
}
#else
/* Branch-predictor hardening compiled out: there is no per-CPU data. */
static inline struct bp_hardening_data *arm64_get_bp_hardening_data(void) { return NULL; }
/* Branch-predictor hardening compiled out: nothing to apply. */
static inline void arm64_apply_bp_hardening(void)
{
}
#endif /* CONFIG_HARDEN_BRANCH_PREDICTOR */
/* Early boot memory setup; implemented in arch/arm64/mm — confirm callers in setup code. */
extern void arm64_memblock_init(void);
/* Populate the final kernel page tables (see INIT_MM_CONTEXT for the boot-time tables). */
extern void paging_init(void);
extern void bootmem_init(void);
/* Early (pre-ioremap) mapping of @phys at @virt; presumably boot-only. */
extern void __iomem *early_io_map(phys_addr_t phys, unsigned long virt);
extern void init_mem_pgprot(void);
/*
 * Map [@phys, @phys + @size) at @virt in @mm with @prot.
 * @page_mappings_only: when true, use only page-granular mappings
 * (no block mappings), presumably so they can be changed later.
 */
extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys,
			       unsigned long virt, phys_addr_t size,
			       pgprot_t prot, bool page_mappings_only);
/* Map the device tree at @dt_phys through the fixmap with @prot; *@size is set to its size, presumably. */
extern void *fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot);
/* Make the linear-map alias of the kernel text read-only. */
extern void mark_linear_text_alias_ro(void);
/*
 * init_mm starts on init_pg_dir, the boot-time page tables, rather than on
 * swapper_pg_dir; per the commit introducing init_pg_dir, paging_init()
 * switches over once swapper_pg_dir is populated, which keeps
 * swapper_pg_dir at a fixed offset from tramp_pg_dir/reserved_ttbr0 and
 * lets it move into rodata.
 */
#define INIT_MM_CONTEXT(name) \
	.pgd = init_pg_dir,
#endif /* !__ASSEMBLY__ */
#endif