[src/trunk]: src/sys/arch Add support for Privileged Access Never (ARMv8.1-PAN).
details: https://anonhg.NetBSD.org/src/rev/1a501a9a0e81
branches: trunk
changeset: 974521:1a501a9a0e81
user: maxv <maxv%NetBSD.org@localhost>
date: Sun Aug 02 06:58:16 2020 +0000
description:
Add support for Privileged Access Never (ARMv8.1-PAN).
PAN provides the same functionality as SMAP on x86: it forbids kernel
access to userland pages when PSTATE.PAN=1, and allows such accesses when
PSTATE.PAN=0.
We clear SCTLR_SPAN, to guarantee that PAN=1 each time the kernel is
entered. We catch PAN faults and panic right away without further
processing. In copyin, copyout, etc, we temporarily authorize access to
userland pages.
PAN is a very useful exploit mitigation. Reviewed by ryo@, thanks. Tested
on Qemu. Enabled by default.
diffstat:
sys/arch/aarch64/aarch64/aarch64_machdep.c | 12 ++++++++-
sys/arch/aarch64/aarch64/copyinout.S | 26 ++++++++++++++++++++-
sys/arch/aarch64/aarch64/cpufunc.c | 35 ++++++++++++++++++++++++++++-
sys/arch/aarch64/aarch64/db_interface.c | 10 ++++++-
sys/arch/aarch64/aarch64/fault.c | 20 +++++++++++++++-
sys/arch/aarch64/aarch64/fusu.S | 27 +++++++++++++++++++++-
sys/arch/aarch64/aarch64/locore.S | 12 ++++++++-
sys/arch/aarch64/aarch64/trap.c | 9 ++++++-
sys/arch/aarch64/include/armreg.h | 6 ++++-
sys/arch/aarch64/include/asm.h | 10 ++++++--
sys/arch/aarch64/include/cpufunc.h | 4 ++-
sys/arch/arm/conf/files.arm | 3 +-
sys/arch/evbarm/conf/GENERIC64 | 5 +++-
13 files changed, 156 insertions(+), 23 deletions(-)
diffs (truncated from 501 to 300 lines):
diff -r 4c33a781c33e -r 1a501a9a0e81 sys/arch/aarch64/aarch64/aarch64_machdep.c
--- a/sys/arch/aarch64/aarch64/aarch64_machdep.c Sun Aug 02 06:51:47 2020 +0000
+++ b/sys/arch/aarch64/aarch64/aarch64_machdep.c Sun Aug 02 06:58:16 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: aarch64_machdep.c,v 1.45 2020/07/16 11:36:35 skrll Exp $ */
+/* $NetBSD: aarch64_machdep.c,v 1.46 2020/08/02 06:58:16 maxv Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: aarch64_machdep.c,v 1.45 2020/07/16 11:36:35 skrll Exp $");
+__KERNEL_RCSID(1, "$NetBSD: aarch64_machdep.c,v 1.46 2020/08/02 06:58:16 maxv Exp $");
#include "opt_arm_debug.h"
#include "opt_cpuoptions.h"
@@ -480,6 +480,14 @@
sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT,
+ CTLTYPE_INT, "pan",
+ SYSCTL_DESCR("Whether Privileged Access Never is enabled"),
+ NULL, 0,
+ &aarch64_pan_enabled, 0,
+ CTL_MACHDEP, CTL_CREATE, CTL_EOL);
+
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT,
CTLTYPE_INT, "pac",
SYSCTL_DESCR("Whether Pointer Authentication is enabled"),
NULL, 0,
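Review bot: The new `pan` node (L54-L58) is created without CTLFLAG_READWRITE and so is read-only, which is the right choice but is nowhere stated: the copyin/copyout and fusu stubs in this same commit branch on aarch64_pan_enabled before every `msr pan`, so a writable node would let a privileged process switch the mitigation off or desync the flag from the per-CPU PSTATE.PAN/SCTLR.SPAN setup. Add `/* Read-only on purpose: the copyin/copyout stubs test this flag before touching PAN. */` above the node so nobody later "fixes" it to be tunable. A CTLTYPE_BOOL would describe the value better, but matching the neighbouring `pac` node with CTLTYPE_INT is defensible. The sysctl_createv run this hunk belongs to continues outside the hunk.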
diff -r 4c33a781c33e -r 1a501a9a0e81 sys/arch/aarch64/aarch64/copyinout.S
--- a/sys/arch/aarch64/aarch64/copyinout.S Sun Aug 02 06:51:47 2020 +0000
+++ b/sys/arch/aarch64/aarch64/copyinout.S Sun Aug 02 06:58:16 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: copyinout.S,v 1.10 2020/06/30 16:20:00 maxv Exp $ */
+/* $NetBSD: copyinout.S,v 1.11 2020/08/02 06:58:16 maxv Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,27 @@
#include <aarch64/asm.h>
#include "assym.h"
-RCSID("$NetBSD: copyinout.S,v 1.10 2020/06/30 16:20:00 maxv Exp $");
+RCSID("$NetBSD: copyinout.S,v 1.11 2020/08/02 06:58:16 maxv Exp $");
+
+#ifdef ARMV81_PAN
+#define PAN_ENABLE \
+ adrl x9, _C_LABEL(aarch64_pan_enabled) ; \
+ ldr w9, [x9] ; \
+ cbz w9, 666f ; \
+ msr pan, #1 ; \
+666:
+#define PAN_DISABLE \
+ adrl x9, _C_LABEL(aarch64_pan_enabled) ; \
+ ldr w9, [x9] ; \
+ cbz w9, 666f ; \
+ msr pan, #0 ; \
+666:
+#else
+#define PAN_ENABLE /* nothing */
+#define PAN_DISABLE /* nothing */
+#endif
+
+ ARMV8_DEFINE_OPTIONS
.macro enter_cpu_onfault
stp fp, lr, [sp, #-16]! /* save fp, lr */
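Review bot: PAN_ENABLE/PAN_DISABLE (L80-L91) clobber x9, but neither the definition nor the expansion sites say so, and they are expanded inside `.macro` bodies whose register usage a later editor may not cross-check. Add `/* Clobbers x9 only; expand only where x9 is dead. */` above the #ifdef at L79. Reusing numeric label 666 in both macros is fine because each `cbz w9, 666f` binds to the next definition, but a one-line comment saying so saves the next reader the check. The same block is duplicated verbatim in fusu.S; since this file appears to get ARMV8_DEFINE_OPTIONS from <aarch64/asm.h> (which the diffstat shows is touched), that header looks like the natural single home for the two macros.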
@@ -55,6 +75,7 @@
mov x0, x19 /* x0 = x19 = arg0 */
mov x1, x20 /* x1 = x20 = arg1 */
+ PAN_DISABLE /* disable PAN */
.endm
.macro exit_cpu_onfault
@@ -63,6 +84,7 @@
ldr x0, [x0, #CI_CURLWP] /* x0 = curlwp */
str xzr, [x0, #L_MD_ONFAULT] /* lwp->l_md_onfault = NULL */
9:
+ PAN_ENABLE /* enable PAN */
add sp, sp, #FB_T_SIZE /* pop stack */
ldp x19, x20, [sp], #16 /* restore x19, x20 */
ldp fp, lr, [sp], #16 /* restore fp, lr */
diff -r 4c33a781c33e -r 1a501a9a0e81 sys/arch/aarch64/aarch64/cpufunc.c
--- a/sys/arch/aarch64/aarch64/cpufunc.c Sun Aug 02 06:51:47 2020 +0000
+++ b/sys/arch/aarch64/aarch64/cpufunc.c Sun Aug 02 06:58:16 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cpufunc.c,v 1.23 2020/07/04 04:59:36 rin Exp $ */
+/* $NetBSD: cpufunc.c,v 1.24 2020/08/02 06:58:16 maxv Exp $ */
/*
* Copyright (c) 2017 Ryo Shimizu <ryo%nerv.org@localhost>
@@ -30,7 +30,7 @@
#include "opt_multiprocessor.h"
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cpufunc.c,v 1.23 2020/07/04 04:59:36 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cpufunc.c,v 1.24 2020/08/02 06:58:16 maxv Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -50,6 +50,7 @@
u_int aarch64_cache_vindexsize;
u_int aarch64_cache_prefer_mask;
+int aarch64_pan_enabled __read_mostly;
int aarch64_pac_enabled __read_mostly;
/* cache info per cluster. the same cluster has the same cache configuration? */
@@ -474,6 +475,36 @@
return 0;
}
+void
+aarch64_pan_init(int primary)
+{
+#ifdef ARMV81_PAN
+ uint64_t reg, sctlr;
+
+ /* CPU0 does the detection. */
+ if (primary) {
+ reg = reg_id_aa64mmfr1_el1_read();
+ if (__SHIFTOUT(reg, ID_AA64MMFR1_EL1_PAN) !=
+ ID_AA64MMFR1_EL1_PAN_NONE)
+ aarch64_pan_enabled = 1;
+ }
+
+ if (!aarch64_pan_enabled)
+ return;
+
+ /*
+ * On an exception to EL1, have the CPU set the PAN bit automatically.
+ * This ensures PAN is enabled each time the kernel is entered.
+ */
+ sctlr = reg_sctlr_el1_read();
+ sctlr &= ~SCTLR_SPAN;
+ reg_sctlr_el1_write(sctlr);
+
+ /* Set the PAN bit right now. */
+ reg_pan_write(1);
+#endif
+}
+
/*
* In order to avoid inconsistencies with pointer authentication
* in this function itself, the caller must enable PAC according
diff -r 4c33a781c33e -r 1a501a9a0e81 sys/arch/aarch64/aarch64/db_interface.c
--- a/sys/arch/aarch64/aarch64/db_interface.c Sun Aug 02 06:51:47 2020 +0000
+++ b/sys/arch/aarch64/aarch64/db_interface.c Sun Aug 02 06:58:16 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: db_interface.c,v 1.7 2019/01/27 02:08:36 pgoyette Exp $ */
+/* $NetBSD: db_interface.c,v 1.8 2020/08/02 06:58:16 maxv Exp $ */
/*
* Copyright (c) 2017 Ryo Shimizu <ryo%nerv.org@localhost>
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: db_interface.c,v 1.7 2019/01/27 02:08:36 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: db_interface.c,v 1.8 2020/08/02 06:58:16 maxv Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -67,6 +67,9 @@
}
lastpage = atop((vaddr_t)src);
+ if (aarch64_pan_enabled)
+ reg_pan_write(0); /* disable PAN */
+
tmp = (uintptr_t)src | (uintptr_t)data;
if ((size >= 8) && ((tmp & 7) == 0)) {
*(uint64_t *)data = *(const uint64_t *)src;
@@ -87,6 +90,9 @@
*data++ = *src++;
size--;
}
+
+ if (aarch64_pan_enabled)
+ reg_pan_write(1); /* enable PAN */
}
}
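Review bot: If one of the reads between the two reg_pan_write calls (L192-L198) faults, ddb's recovery path never reaches the re-enable at L200-L201; that is safe only because exception entry forces PSTATE.PAN back to 1 (the SCTLR_SPAN clearing this commit does in cpufunc.c) and the recovery presumably continues in the handler's context, and that reasoning belongs in a comment next to the disable: `/* Re-enabled below. A faulting access lands in the trap handler with PAN already forced back on, so nothing needs undoing on that path. */`. PAN is also dropped for reads of kernel addresses where it is not needed; gating the disable on the address being a userland one would keep the window minimal. The enclosing function starts before this hunk, and the matching write routine is not in this hunk, so whether it receives the same treatment is not visible here.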
diff -r 4c33a781c33e -r 1a501a9a0e81 sys/arch/aarch64/aarch64/fault.c
--- a/sys/arch/aarch64/aarch64/fault.c Sun Aug 02 06:51:47 2020 +0000
+++ b/sys/arch/aarch64/aarch64/fault.c Sun Aug 02 06:58:16 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: fault.c,v 1.14 2020/07/08 03:45:13 ryo Exp $ */
+/* $NetBSD: fault.c,v 1.15 2020/08/02 06:58:16 maxv Exp $ */
/*
* Copyright (c) 2017 Ryo Shimizu <ryo%nerv.org@localhost>
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fault.c,v 1.14 2020/07/08 03:45:13 ryo Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fault.c,v 1.15 2020/08/02 06:58:16 maxv Exp $");
#include "opt_compat_netbsd32.h"
#include "opt_ddb.h"
@@ -136,6 +136,7 @@
vm_prot_t ftype;
int error = 0, len;
const bool user = IS_SPSR_USER(tf->tf_spsr) ? true : false;
+ bool is_pan_trap = false;
bool fatalabort;
const char *faultstr;
@@ -191,6 +192,16 @@
}
#endif
+ if (__predict_false(!user && (map != kernel_map) &&
+ (tf->tf_spsr & SPSR_PAN))) {
+ /*
+ * We were in kernel mode, faulted on a user address,
+ * and had PAN enabled. This is a fatal fault.
+ */
+ is_pan_trap = true;
+ goto handle_fault;
+ }
+
/* reference/modified emulation */
if (pmap_fault_fixup(map->pmap, va, ftype, user)) {
UVMHIST_LOG(pmaphist, "fixed: va=%016llx", tf->tf_far, 0, 0, 0);
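Review bot: The PAN check (L229-L237) jumps to handle_fault, and the kernel-mode path there lies outside this hunk, so it is not visible whether the lwp onfault recovery still runs for it; if it does, a kernel path that calls cpu_set_onfault without dropping PAN would get EFAULT instead of the immediate panic the commit message promises, hiding a mitigation bug behind a plausible error code. Consider testing `is_pan_trap` before any onfault lookup so the fault can only end in panic, and say so in the comment: `/* Never recoverable via onfault: kernel code that legitimately touches userland must clear PAN first. */`. Placing the check ahead of pmap_fault_fixup is right, since a PAN permission fault must not be "fixed up" and retried. The enclosing function starts before this hunk.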
@@ -218,6 +229,7 @@
return;
}
+ handle_fault:
fsc = __SHIFTOUT(esr, ESR_ISS_DATAABORT_DFSC); /* also IFSC */
if (user) {
if (!fatalabort) {
@@ -326,6 +338,10 @@
len += snprintf(panicinfo + len, sizeof(panicinfo) - len,
", State 2 Fault");
+ if (is_pan_trap)
+ len += snprintf(panicinfo + len, sizeof(panicinfo) - len,
+ ", PAN Set");
+
len += snprintf(panicinfo + len, sizeof(panicinfo) - len,
": pc %016"PRIxREGISTER, tf->tf_pc);
diff -r 4c33a781c33e -r 1a501a9a0e81 sys/arch/aarch64/aarch64/fusu.S
--- a/sys/arch/aarch64/aarch64/fusu.S Sun Aug 02 06:51:47 2020 +0000
+++ b/sys/arch/aarch64/aarch64/fusu.S Sun Aug 02 06:58:16 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: fusu.S,v 1.6 2019/04/06 03:06:24 thorpej Exp $ */
+/* $NetBSD: fusu.S,v 1.7 2020/08/02 06:58:16 maxv Exp $ */
/*-
* Copyright (c) 2014, 2019 The NetBSD Foundation, Inc.
@@ -32,7 +32,27 @@
#include <aarch64/asm.h>
#include "assym.h"
-RCSID("$NetBSD: fusu.S,v 1.6 2019/04/06 03:06:24 thorpej Exp $");
+RCSID("$NetBSD: fusu.S,v 1.7 2020/08/02 06:58:16 maxv Exp $");
+
+#ifdef ARMV81_PAN
+#define PAN_ENABLE \
+ adrl x9, _C_LABEL(aarch64_pan_enabled) ; \
+ ldr w9, [x9] ; \
+ cbz w9, 666f ; \
+ msr pan, #1 ; \
+666:
+#define PAN_DISABLE \
+ adrl x9, _C_LABEL(aarch64_pan_enabled) ; \
+ ldr w9, [x9] ; \
+ cbz w9, 666f ; \
+ msr pan, #0 ; \
+666:
+#else
+#define PAN_ENABLE /* nothing */
+#define PAN_DISABLE /* nothing */
+#endif
+
+ ARMV8_DEFINE_OPTIONS
.macro enter_cpu_onfault
stp fp, lr, [sp, #-16]! /* save fp, lr */
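Review bot: This #ifdef block (L272-L288) is a byte-for-byte copy of the one added to copyinout.S in the same commit, so the two can drift; one definition in <aarch64/asm.h>, which this file already includes (L267) and which the diffstat shows is touched, would keep them in step. Whichever home they end up in, give them a clobber comment, `/* Clobbers x9; expand only where x9 is dead. */`, since nothing at the expansion sites hints that a register is consumed. The `;` separators inside the macro bodies are statement separators in GNU AArch64 syntax, not comments, which is exactly what is wanted here.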
@@ -47,6 +67,8 @@
mov x0, sp /* x0 = faultbuf */
bl cpu_set_onfault /* x0 = cpu_set_onfault() */
cbnz x0, 9f /* return if error */
+
+ PAN_DISABLE /* disable PAN */
.endm
.macro exit_cpu_onfault
@@ -55,6 +77,7 @@
ldr x1, [x1, #CI_CURLWP] /* x1 = curlwp */
str xzr, [x1, #L_MD_ONFAULT] /* lwp->l_md_onfault = NULL */