~cascardo/ubuntu/+source/linux/+git/artful:arm64_kpti_v4

Last commit made on 2018-02-05
Get this branch:
git clone -b arm64_kpti_v4 https://git.launchpad.net/~cascardo/ubuntu/+source/linux/+git/artful

Branch information

Name:
arm64_kpti_v4
Repository:
lp:~cascardo/ubuntu/+source/linux/+git/artful

Recent commits

7453a65... by Paolo Pisati

UBUNTU: [Config] UNMAP_KERNEL_AT_EL0=y && HARDEN_BRANCH_PREDICTOR=y

CVE-2017-5754 ARM64 KPTI fixes

Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

2edb838... by Jayachandran C <email address hidden>

UBUNTU: SAUCE: arm64: Branch predictor hardening for Cavium ThunderX2

When upstream applied this commit, the existing hardening function was used
instead of the new one. This commit applies the delta between upstream and
vendor commit.

CVE-2017-5754 ARM64 KPTI fixes

Use PSCI based mitigation for speculative execution attacks targeting
the branch predictor. The approach is similar to the one used for
Cortex-A CPUs, but in case of ThunderX2 we add another SMC call to
test if the firmware supports the capability.

If the secure firmware has been updated with the mitigation code to
invalidate the branch target buffer, we use the PSCI version call to
invoke it.

Signed-off-by: Jayachandran C <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

468ffe4... by Shanker Donthineni <email address hidden>

UBUNTU: SAUCE: arm64: Implement branch predictor hardening for Falkor

When upstream applied this commit, FALKOR_V1 was missing and only FALKOR
support was added. This commit applies the delta between upstream and vendor
commit.

CVE-2017-5754 ARM64 KPTI fixes

Falkor is susceptible to branch predictor aliasing and can
theoretically be attacked by malicious code. This patch
implements a mitigation for these attacks, preventing any
malicious entries from affecting other victim contexts.

Signed-off-by: Shanker Donthineni <email address hidden>
[will: fix label name when !CONFIG_KVM]
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

f1d0df2... by Mark Rutland

UBUNTU: SAUCE: bpf: inhibit speculated out-of-bounds pointers

CVE-2017-5754 ARM64 KPTI fixes

Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
memory accesses under a bounds check may be speculated even if the
bounds check fails, providing a primitive for building a side channel.

The EBPF map code has a number of such bounds-checked accesses in
map_lookup_elem implementations. This patch modifies these to use the
nospec helpers to inhibit such side channels.

The JITted lookup_elem implementations remain potentially vulnerable,
and are disabled (with JITted code falling back to the C
implementations).

Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

c566bf8... by Mark Rutland

UBUNTU: SAUCE: arm: implement nospec_ptr()

CVE-2017-5754 ARM64 KPTI fixes

This patch implements nospec_ptr() for arm, following the recommended
architectural sequences for the arm and thumb instruction sets.

Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Dan Williams <email address hidden>
Signed-off-by: Catalin Marinas <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

6528f19... by Mark Rutland

UBUNTU: SAUCE: arm64: implement nospec_{load,ptr}()

CVE-2017-5754 ARM64 KPTI fixes

This patch implements nospec_load() and nospec_ptr() for arm64,
following the recommended architectural sequence.

Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

a1181b2... by Mark Rutland

UBUNTU: SAUCE: Documentation: document nospec helpers

CVE-2017-5754 ARM64 KPTI fixes

Document the rationale and usage of the new nospec*() helpers.

Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

87012e8... by Mark Rutland

UBUNTU: SAUCE: asm-generic/barrier: add generic nospec helpers

CVE-2017-5754 ARM64 KPTI fixes

Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
memory accesses under a bounds check may be speculated even if the
bounds check fails, providing a primitive for building a side channel.

This patch adds helpers which can be used to inhibit the use of
out-of-bounds pointers and/or values read from these under speculation.

A generic implementation is provided for compatibility, but does not
guarantee safety under speculation. Architectures are expected to
override these helpers as necessary.

Signed-off-by: Mark Rutland <email address hidden>
Signed-off-by: Will Deacon <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

0fff1fb... by Marc Zyngier

UBUNTU: SAUCE: arm: KVM: Invalidate icache on guest exit for Cortex-A15

CVE-2017-5754 ARM64 KPTI fixes

In order to avoid aliasing attacks against the branch predictor
on Cortex-A15, let's invalidate the BTB on guest exit, which can
only be done by invalidating the icache (with ACTLR[0] being set).

We use the same hack as for A12/A17 to perform the vector decoding.

Signed-off-by: Marc Zyngier <email address hidden>
Signed-off-by: Catalin Marinas <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

d934340... by Marc Zyngier

UBUNTU: SAUCE: arm: Invalidate icache on prefetch abort outside of user mapping on Cortex-A15

CVE-2017-5754 ARM64 KPTI fixes

In order to prevent aliasing attacks on the branch predictor,
invalidate the icache on Cortex-A15, which has the side effect
of invalidating the BTB. This requires ACTLR[0] to be set to 1
(secure operation).

Signed-off-by: Marc Zyngier <email address hidden>
Signed-off-by: Catalin Marinas <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>