forked from Minki/linux
bf904d2762
The SYSCALL64 trampoline has a couple of nice properties: - The usual sequence of SWAPGS followed by two GS-relative accesses to set up RSP is somewhat slow because the GS-relative accesses need to wait for SWAPGS to finish. The trampoline approach allows RIP-relative accesses to set up RSP, which avoids the stall. - The trampoline avoids any percpu access before CR3 is set up, which means that no percpu memory needs to be mapped in the user page tables. This prevents using Meltdown to read any percpu memory outside the cpu_entry_area and prevents using timing leaks to directly locate the percpu areas. The downsides of using a trampoline may outweigh the upsides, however. It adds an extra non-contiguous I$ cache line to system calls, and it forces an indirect jump to transfer control back to the normal kernel text after CR3 is set up. The latter is because x86 lacks a 64-bit direct jump instruction that could jump from the trampoline to the entry text. With retpolines enabled, the indirect jump is extremely slow. Change the code to map the percpu TSS into the user page tables to allow the non-trampoline SYSCALL64 path to work under PTI. This does not add a new direct information leak, since the TSS is readable by Meltdown from the cpu_entry_area alias regardless. It does allow a timing attack to locate the percpu area, but KASLR is more or less a lost cause against local attack on CPUs vulnerable to Meltdown regardless. As far as I'm concerned, on current hardware, KASLR is only useful to mitigate remote attacks that try to attack the kernel without first gaining RCE against a vulnerable user process. On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces syscall overhead from ~237ns to ~228ns. There is a possible alternative approach: Move the trampoline within 2G of the entry text and make a separate copy for each CPU. This would allow a direct jump to rejoin the normal entry path. There are pro's and con's for this approach: + It avoids a pipeline stall - It executes from an extra page and read from another extra page during the syscall. The latter is because it needs to use a relative addressing mode to find sp1 -- it's the same *cacheline*, but accessed using an alias, so it's an extra TLB entry. - Slightly more memory. This would be one page per CPU for a simple implementation and 64-ish bytes per CPU or one page per node for a more complex implementation. - More code complexity. The current approach is chosen for simplicity and because the alternative does not provide a significant benefit, which makes it worth. [ tglx: Added the alternative discussion to the changelog ] Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@suse.de> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Joerg Roedel <joro@8bytes.org> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Andi Kleen <ak@linux.intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Link: https://lkml.kernel.org/r/8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org
182 lines
5.6 KiB
C
182 lines
5.6 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
#include <linux/spinlock.h>
|
|
#include <linux/percpu.h>
|
|
#include <linux/kallsyms.h>
|
|
#include <linux/kcore.h>
|
|
|
|
#include <asm/cpu_entry_area.h>
|
|
#include <asm/pgtable.h>
|
|
#include <asm/fixmap.h>
|
|
#include <asm/desc.h>
|
|
|
|
static DEFINE_PER_CPU_PAGE_ALIGNED(struct entry_stack_page, entry_stack_storage);
|
|
|
|
#ifdef CONFIG_X86_64
|
|
static DEFINE_PER_CPU_PAGE_ALIGNED(char, exception_stacks
|
|
[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ]);
|
|
#endif
|
|
|
|
struct cpu_entry_area *get_cpu_entry_area(int cpu)
|
|
{
|
|
unsigned long va = CPU_ENTRY_AREA_PER_CPU + cpu * CPU_ENTRY_AREA_SIZE;
|
|
BUILD_BUG_ON(sizeof(struct cpu_entry_area) % PAGE_SIZE != 0);
|
|
|
|
return (struct cpu_entry_area *) va;
|
|
}
|
|
EXPORT_SYMBOL(get_cpu_entry_area);
|
|
|
|
void cea_set_pte(void *cea_vaddr, phys_addr_t pa, pgprot_t flags)
|
|
{
|
|
unsigned long va = (unsigned long) cea_vaddr;
|
|
pte_t pte = pfn_pte(pa >> PAGE_SHIFT, flags);
|
|
|
|
/*
|
|
* The cpu_entry_area is shared between the user and kernel
|
|
* page tables. All of its ptes can safely be global.
|
|
* _PAGE_GLOBAL gets reused to help indicate PROT_NONE for
|
|
* non-present PTEs, so be careful not to set it in that
|
|
* case to avoid confusion.
|
|
*/
|
|
if (boot_cpu_has(X86_FEATURE_PGE) &&
|
|
(pgprot_val(flags) & _PAGE_PRESENT))
|
|
pte = pte_set_flags(pte, _PAGE_GLOBAL);
|
|
|
|
set_pte_vaddr(va, pte);
|
|
}
|
|
|
|
static void __init
|
|
cea_map_percpu_pages(void *cea_vaddr, void *ptr, int pages, pgprot_t prot)
|
|
{
|
|
for ( ; pages; pages--, cea_vaddr+= PAGE_SIZE, ptr += PAGE_SIZE)
|
|
cea_set_pte(cea_vaddr, per_cpu_ptr_to_phys(ptr), prot);
|
|
}
|
|
|
|
static void percpu_setup_debug_store(int cpu)
|
|
{
|
|
#ifdef CONFIG_CPU_SUP_INTEL
|
|
int npages;
|
|
void *cea;
|
|
|
|
if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
|
|
return;
|
|
|
|
cea = &get_cpu_entry_area(cpu)->cpu_debug_store;
|
|
npages = sizeof(struct debug_store) / PAGE_SIZE;
|
|
BUILD_BUG_ON(sizeof(struct debug_store) % PAGE_SIZE != 0);
|
|
cea_map_percpu_pages(cea, &per_cpu(cpu_debug_store, cpu), npages,
|
|
PAGE_KERNEL);
|
|
|
|
cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers;
|
|
/*
|
|
* Force the population of PMDs for not yet allocated per cpu
|
|
* memory like debug store buffers.
|
|
*/
|
|
npages = sizeof(struct debug_store_buffers) / PAGE_SIZE;
|
|
for (; npages; npages--, cea += PAGE_SIZE)
|
|
cea_set_pte(cea, 0, PAGE_NONE);
|
|
#endif
|
|
}
|
|
|
|
/* Setup the fixmap mappings only once per-processor */
|
|
static void __init setup_cpu_entry_area(int cpu)
|
|
{
|
|
#ifdef CONFIG_X86_64
|
|
/* On 64-bit systems, we use a read-only fixmap GDT and TSS. */
|
|
pgprot_t gdt_prot = PAGE_KERNEL_RO;
|
|
pgprot_t tss_prot = PAGE_KERNEL_RO;
|
|
#else
|
|
/*
|
|
* On native 32-bit systems, the GDT cannot be read-only because
|
|
* our double fault handler uses a task gate, and entering through
|
|
* a task gate needs to change an available TSS to busy. If the
|
|
* GDT is read-only, that will triple fault. The TSS cannot be
|
|
* read-only because the CPU writes to it on task switches.
|
|
*
|
|
* On Xen PV, the GDT must be read-only because the hypervisor
|
|
* requires it.
|
|
*/
|
|
pgprot_t gdt_prot = boot_cpu_has(X86_FEATURE_XENPV) ?
|
|
PAGE_KERNEL_RO : PAGE_KERNEL;
|
|
pgprot_t tss_prot = PAGE_KERNEL;
|
|
#endif
|
|
|
|
cea_set_pte(&get_cpu_entry_area(cpu)->gdt, get_cpu_gdt_paddr(cpu),
|
|
gdt_prot);
|
|
|
|
cea_map_percpu_pages(&get_cpu_entry_area(cpu)->entry_stack_page,
|
|
per_cpu_ptr(&entry_stack_storage, cpu), 1,
|
|
PAGE_KERNEL);
|
|
|
|
/*
|
|
* The Intel SDM says (Volume 3, 7.2.1):
|
|
*
|
|
* Avoid placing a page boundary in the part of the TSS that the
|
|
* processor reads during a task switch (the first 104 bytes). The
|
|
* processor may not correctly perform address translations if a
|
|
* boundary occurs in this area. During a task switch, the processor
|
|
* reads and writes into the first 104 bytes of each TSS (using
|
|
* contiguous physical addresses beginning with the physical address
|
|
* of the first byte of the TSS). So, after TSS access begins, if
|
|
* part of the 104 bytes is not physically contiguous, the processor
|
|
* will access incorrect information without generating a page-fault
|
|
* exception.
|
|
*
|
|
* There are also a lot of errata involving the TSS spanning a page
|
|
* boundary. Assert that we're not doing that.
|
|
*/
|
|
BUILD_BUG_ON((offsetof(struct tss_struct, x86_tss) ^
|
|
offsetofend(struct tss_struct, x86_tss)) & PAGE_MASK);
|
|
BUILD_BUG_ON(sizeof(struct tss_struct) % PAGE_SIZE != 0);
|
|
cea_map_percpu_pages(&get_cpu_entry_area(cpu)->tss,
|
|
&per_cpu(cpu_tss_rw, cpu),
|
|
sizeof(struct tss_struct) / PAGE_SIZE, tss_prot);
|
|
|
|
#ifdef CONFIG_X86_32
|
|
per_cpu(cpu_entry_area, cpu) = get_cpu_entry_area(cpu);
|
|
#endif
|
|
|
|
#ifdef CONFIG_X86_64
|
|
BUILD_BUG_ON(sizeof(exception_stacks) % PAGE_SIZE != 0);
|
|
BUILD_BUG_ON(sizeof(exception_stacks) !=
|
|
sizeof(((struct cpu_entry_area *)0)->exception_stacks));
|
|
cea_map_percpu_pages(&get_cpu_entry_area(cpu)->exception_stacks,
|
|
&per_cpu(exception_stacks, cpu),
|
|
sizeof(exception_stacks) / PAGE_SIZE, PAGE_KERNEL);
|
|
#endif
|
|
percpu_setup_debug_store(cpu);
|
|
}
|
|
|
|
static __init void setup_cpu_entry_area_ptes(void)
|
|
{
|
|
#ifdef CONFIG_X86_32
|
|
unsigned long start, end;
|
|
|
|
BUILD_BUG_ON(CPU_ENTRY_AREA_PAGES * PAGE_SIZE < CPU_ENTRY_AREA_MAP_SIZE);
|
|
BUG_ON(CPU_ENTRY_AREA_BASE & ~PMD_MASK);
|
|
|
|
start = CPU_ENTRY_AREA_BASE;
|
|
end = start + CPU_ENTRY_AREA_MAP_SIZE;
|
|
|
|
/* Careful here: start + PMD_SIZE might wrap around */
|
|
for (; start < end && start >= CPU_ENTRY_AREA_BASE; start += PMD_SIZE)
|
|
populate_extra_pte(start);
|
|
#endif
|
|
}
|
|
|
|
void __init setup_cpu_entry_areas(void)
|
|
{
|
|
unsigned int cpu;
|
|
|
|
setup_cpu_entry_area_ptes();
|
|
|
|
for_each_possible_cpu(cpu)
|
|
setup_cpu_entry_area(cpu);
|
|
|
|
/*
|
|
* This is the last essential update to swapper_pgdir which needs
|
|
* to be synchronized to initial_page_table on 32bit.
|
|
*/
|
|
sync_initial_page_table();
|
|
}
|