    KVM: arm64: Add missing BTI instructions · dcf89d11
    Mostafa Saleh authored
    Some bti instructions were missing from
    commit b53d4a27 ("KVM: arm64: Use BTI for nvhe")
    
    1) kvm_host_psci_cpu_entry
    kvm_host_psci_cpu_entry is called from __kvm_hyp_init_cpu through "br"
    instruction as __kvm_hyp_init_cpu resides in idmap section while
    kvm_host_psci_cpu_entry is in hyp .text so the offset is larger than
    128MB range covered by "b".
    This means that this function should start with a "bti j" instruction.
    
    LLVM, which is the only compiler supporting BTI for Linux, adds "bti j"
    for jump tables or when taking the address of a block [1].
    The same behaviour is observed with GCC.
    
    As kvm_host_psci_cpu_entry is a C function, this must be done in
    assembly.
    
    Another solution is to use X16/X17 with "br", as according to ARM
    ARM DDI0487I.a RLJHCL/IGMGRS, PACIASP has an implicit branch
    target identification instruction that is compatible with
    PSTATE.BTYPE 0b01, which includes "br X16/X17".
    And kvm_host_psci_cpu_entry has PACIASP as it is an external
    function.
    Although, using an explicit "bti" makes it clearer than relying on
    which register is used.
    
    A third solution is to clear SCTLR_EL2.BT, which would make PACIASP
    compatible with PSTATE.BTYPE 0b11 ("br" to other registers).
    However, this deviates from the kernel behaviour (in bti_enable()).
    
    2) Spectre vector table
    "br" instructions are generated at runtime for the vector table
    (__bp_harden_hyp_vecs).
    These branches would land on vectors in __kvm_hyp_vector at offset 8.
    As all the macros are defined with valid_vect/invalid_vect, it is
    sufficient to add "bti j" at the correct offset.
    
    [1] https://reviews.llvm.org/D52867
    
    Fixes: b53d4a27 ("KVM: arm64: Use BTI for nvhe")
    Signed-off-by: Mostafa Saleh <smostafa@google.com>
    Reported-by: Sudeep Holla <sudeep.holla@arm.com>
    Acked-by: Marc Zyngier <maz@kernel.org>
    Tested-by: Sudeep Holla <sudeep.holla@arm.com>
    Link: https://lore.kernel.org/r/20230706152240.685684-1-smostafa@google.com
    Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
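The BTI landing-pad rules the commit reasons about (which branch kinds may land on "bti j", on "bti c" or on PACIASP, and what clearing SCTLR_EL2.BT changes), as a small Python model added here; it is not kernel code. The PSTATE.BTYPE values follow the commit's statements and the Arm ARM BTI definition, and the registers x9/x0 in the sample branches are stand-ins for whatever register __kvm_hyp_init_cpu and the vector table actually use.

```python
"""Model of Arm BTI landing-pad compatibility (added example, not kernel code)."""


def btype_after(branch: str) -> int:
    """PSTATE.BTYPE value set by an indirect branch instruction string such as "br x9".
    As the commit states: 0b01 covers "br X16/X17", 0b11 covers "br" via other registers;
    0b10 is the BLR family. Direct "b"/"bl" are not guarded and leave BTYPE at 0b00."""
    mnemonic, _, reg = branch.strip().lower().partition(" ")
    reg = reg.strip()
    if mnemonic == "blr":
        return 0b10
    if mnemonic == "br":
        return 0b01 if reg in ("x16", "x17") else 0b11
    return 0b00


# Explicit landing pads and the BTYPE values each one accepts.
_BTI_PADS = {
    "bti c": {0b01, 0b10},         # BLR, or BR via X16/X17 only
    "bti j": {0b01, 0b11},         # BR via any register, never BLR
    "bti jc": {0b01, 0b10, 0b11},  # either
}


def landing_ok(branch: str, target: str, sctlr_bt: bool = True) -> bool:
    """True if `branch` may land on the instruction `target` in a guarded page.
    sctlr_bt models SCTLR_EL2.BT (set by the kernel's bti_enable()): while set,
    PACIASP/PACIBSP act as an implicit "bti c" only; when clear they also accept 0b11."""
    btype = btype_after(branch)
    if btype == 0b00:
        return True
    target = " ".join(target.lower().split())
    if target in ("paciasp", "pacibsp"):
        return btype in {0b01, 0b10} or (not sctlr_bt and btype == 0b11)
    return btype in _BTI_PADS.get(target, set())


def commit_cases() -> dict:
    """The situations described in the commit, evaluated with the kernel's SCTLR_EL2.BT=1."""
    return {
        # 1) __kvm_hyp_init_cpu reaches the C function via "br" (x9 is a constructed stand-in)
        "psci_entry_unfixed": landing_ok("br x9", "paciasp"),                     # faults
        "psci_entry_fixed": landing_ok("br x9", "bti j"),                         # the applied fix
        "psci_entry_via_x16": landing_ok("br x16", "paciasp"),                    # X16/X17 alternative
        "psci_entry_bt_clear": landing_ok("br x9", "paciasp", sctlr_bt=False),    # SCTLR.BT alternative
        # 2) runtime-generated "br" into __kvm_hyp_vector at offset 8 (x0 is a stand-in)
        "vector_unfixed": landing_ok("br x0", "nop"),
        "vector_fixed": landing_ok("br x0", "bti j"),
        # an ordinary call must not be redirected at a "bti j" pad
        "blr_into_bti_j": landing_ok("blr x1", "bti j"),
    }
```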