[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.10] xen/arm: Always trap AMU system registers
commit 5114e77ef3cbca018fbd4b64c0251a7e7d1d6eeb Author: Julien Grall <jgrall@xxxxxxxxxx> AuthorDate: Mon Nov 9 20:28:59 2020 +0000 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Tue Nov 10 17:51:25 2020 +0000 xen/arm: Always trap AMU system registers The Activity Monitors Unit (AMU) has been introduced by ARMv8.4. It is considered to be unsafe to be expose to guests as they might expose information about code executed by other guests or the host. Arm provided a way to trap all the AMU system registers by setting CPTR_EL2.TAM to 1. Unfortunately, on older revision of the specification, the bit 30 (now CPTR_EL1.TAM) was RES0. Because of that, Xen is setting it to 0 and therefore the system registers would be exposed to the guest when it is run on processors with AMU. As the bit is mark as UNKNOWN at boot in Armv8.4, the only safe solution for us is to always set CPTR_EL1.TAM to 1. Guest trying to access the AMU system registers will now receive an undefined instruction. Unfortunately, this means that even well-behaved guest may fail to boot because we don't sanitize the ID registers. This is a known issues with other Armv8.0+ features (e.g. SVE, Pointer Auth). This will taken care separately. This is part of XSA-351 (or XSA-93 re-born). Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx> Reviewed-by: Andre Przywara <andre.przywara@xxxxxxx> Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> Reviewed-by: Bertrand Marquis <bertrand.marquis@xxxxxxx> (cherry picked from commit 628e1becb6fb121475a6ce68e3f1cb4499851255) --- xen/arch/arm/traps.c | 3 ++- xen/include/asm-arm/processor.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 9ec5b93dc2..f281013fe0 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -182,7 +182,8 @@ void init_traps(void) * On ARM64 the TCPx bits which we set here (0..9,12,13) are all * RES1, i.e. they would trap whether we did this write or not. */ - WRITE_SYSREG((HCPTR_CP_MASK & ~(HCPTR_CP(10) | HCPTR_CP(11))) | HCPTR_TTA, + WRITE_SYSREG((HCPTR_CP_MASK & ~(HCPTR_CP(10) | HCPTR_CP(11))) | + HCPTR_TTA | HCPTR_TAM, CPTR_EL2); /* Setup hypervisor traps */ diff --git a/xen/include/asm-arm/processor.h b/xen/include/asm-arm/processor.h index 222a02dd99..5755cc6434 100644 --- a/xen/include/asm-arm/processor.h +++ b/xen/include/asm-arm/processor.h @@ -291,6 +291,7 @@ #define VTCR_RES1 (_AC(1,UL)<<31) /* HCPTR Hyp. Coprocessor Trap Register */ +#define HCPTR_TAM ((_AC(1,U)<<30)) #define HCPTR_TTA ((_AC(1,U)<<20)) /* Trap trace registers */ #define HCPTR_CP(x) ((_AC(1,U)<<(x))) /* Trap Coprocessor x */ #define HCPTR_CP_MASK ((_AC(1,U)<<14)-1) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.10
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |