From patchwork Fri Jan 5 14:57:46 2018
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 123526
From: Mark Rutland
To: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org
Cc: dan.j.williams@intel.com, elena.reshetova@intel.com, corbet@lwn.net, alan@linux.intel.com, peterz@infradead.org, will.deacon@arm.com, gregkh@linuxfoundation.org, tglx@linutronix.de, Mark Rutland
Subject: [RFCv2 0/4] API for inhibiting speculative arbitrary read primitives
Date: Fri, 5 Jan 2018 14:57:46 +0000
Message-Id: <20180105145750.53294-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: linux-kernel@vger.kernel.org

Recently, Google Project Zero discovered several classes of attack against
speculative execution. One of these, known as variant-1, allows explicit
bounds checks to be bypassed under speculation, providing an arbitrary read
gadget. Further details can be found on the GPZ blog [1] and the
Documentation patch in this series.

There are a number of potential gadgets in the Linux codebase, and
mitigations for these are architecture-specific. This RFC attempts to
provide a cross-architecture API for inhibiting these primitives.
Hopefully, architecture-specific mitigations can be unified behind this.

An arm64 implementation is provided following the architecturally
recommended sequence laid out in the Arm whitepaper [2]. The API is based on
a proposed compiler intrinsic [3].

I've provided a patch to BPF as an example use of the API. I know that this
is incomplete and less than optimal.

I'd appreciate feedback from other affected architectures as to whether this
API is suitable for their required mitigation.

I've pushed the series to my kernel.org repo [4].

Since v1 [5]:
* Removed the nospec_*load helpers
* Added nospec_array_ptr()
* Reworked asm-generic implementation to fit other architectures
* Improved documentation

[1] https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
[2] https://developer.arm.com/support/security-update
[3] https://developer.arm.com/support/security-update/compiler-support-for-mitigations
[4] git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git core/nospec
[5] https://lkml.kernel.org/r/20180103223827.39601-1-mark.rutland@arm.com

Thanks,
Mark.

Mark Rutland (4):
  asm-generic/barrier: add generic nospec helpers
  Documentation: document nospec helpers
  arm64: implement nospec_{load,ptr}()
  bpf: inhibit speculated out-of-bounds pointers

 Documentation/speculation.txt    | 166 +++++++++++++++++++++++++++++++++++++++
 arch/arm64/include/asm/barrier.h |  55 +++++++++++++
 include/asm-generic/barrier.h    |  68 ++++++++++++++++
 kernel/bpf/arraymap.c            |  20 +++--
 kernel/bpf/cpumap.c              |   5 +-
 kernel/bpf/devmap.c              |   3 +-
 kernel/bpf/sockmap.c             |   3 +-
 7 files changed, 308 insertions(+), 12 deletions(-)
 create mode 100644 Documentation/speculation.txt

-- 
2.11.0
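As an added illustration that is not part of the series (editor-constructed, not Mark Rutland's code): the gadget shape the cover letter refers to, next to a branch-free masked accessor in the spirit of nospec_array_ptr(). The table, `index_mask_nospec()` and `nospec_table_ptr()` are hypothetical names; the arm64 patch uses the architectural barrier sequence from the Arm whitepaper rather than this portable mask.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table; anything beyond its 8 entries stands in for
 * memory a speculative out-of-bounds read must never reach. */
#define TABLE_SIZE 8
const uint8_t table[TABLE_SIZE] = {10, 11, 12, 13, 14, 15, 16, 17};

/* The kind of gadget the cover letter describes: the bounds check is explicit,
 * but while the branch is still speculated the CPU may load table[idx] for an
 * out-of-range idx before the check resolves. */
int lookup_checked(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_SIZE)
        return -1;
    *out = table[idx];
    return 0;
}

/* Branch-free index mask: ~0UL when idx < size, 0UL otherwise (size >= 1).
 * Pure arithmetic, so it holds on the speculative path too. Hypothetical
 * helper: the series' arm64 sequence uses an architectural barrier instead. */
static inline unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* Top bit of (idx | (size - 1 - idx)) is set exactly when idx >= size. */
    unsigned long oob = (idx | (size - 1 - idx)) >> (sizeof(unsigned long) * 8 - 1);
    return oob - 1; /* 0 - 1 wraps to all-ones (in range); 1 - 1 = 0 (out of range) */
}

/* Hardened accessor in the spirit of nospec_array_ptr(): index and pointer are
 * both masked, so an out-of-range idx yields NULL, never a speculatively valid
 * address past the table. */
const uint8_t *nospec_table_ptr(size_t idx)
{
    unsigned long mask = index_mask_nospec(idx, TABLE_SIZE);
    const uint8_t *p = &table[idx & mask];
    return (const uint8_t *)((uintptr_t)p & mask);
}

int lookup_nospec(size_t idx, uint8_t *out)
{
    const uint8_t *p = nospec_table_ptr(idx);
    if (!p)
        return -1;
    *out = *p;
    return 0;
}
```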