From: "Pierre-Clément Tosi" <ptosi@google.com>
To: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
kvm@vger.kernel.org
Cc: "Pierre-Clément Tosi" <ptosi@google.com>,
"Marc Zyngier" <maz@kernel.org>,
"Oliver Upton" <oliver.upton@linux.dev>,
"Suzuki K Poulose" <suzuki.poulose@arm.com>,
"Vincent Donnefort" <vdonnefort@google.com>
Subject: [PATCH v3 12/12] KVM: arm64: Improve CONFIG_CFI_CLANG error message
Date: Fri, 10 May 2024 12:26:41 +0100 [thread overview]
Message-ID: <20240510112645.3625702-13-ptosi@google.com> (raw)
In-Reply-To: <20240510112645.3625702-1-ptosi@google.com>
For kCFI, the compiler encodes in the immediate of the BRK (which the
CPU places in ESR_ELx) the indices of the two registers it used to hold
(resp.) the function pointer and expected type. Therefore, the kCFI
handler must be able to parse the contents of the register file at the
point where the exception was triggered.
To achieve this, introduce a new hypervisor panic path that first stores
the CPU context in the per-CPU kvm_hyp_ctxt before calling (directly or
indirectly) hyp_panic() and execute it from all EL2 synchronous
exception handlers i.e.
- call it directly in host_el2_sync_vect (__kvm_hyp_host_vector, EL2t&h)
- call it directly in el2t_sync_invalid (__kvm_hyp_vector, EL2t)
- set ELR_EL2 to it in el2_sync (__kvm_hyp_vector, EL2h), which ERETs
Teach hyp_panic() to decode the kCFI ESR and extract the target and type
from the saved CPU context. In VHE, use that information to panic() with
a specialized error message. In nVHE, only report it if the host (EL1)
has access to the saved CPU context i.e. iff CONFIG_NVHE_EL2_DEBUG=y,
which aligns with the behavior of CONFIG_PROTECTED_NVHE_STACKTRACE.
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
---
arch/arm64/kvm/handle_exit.c | 30 +++++++++++++++++++++++--
arch/arm64/kvm/hyp/entry.S | 24 +++++++++++++++++++-
arch/arm64/kvm/hyp/hyp-entry.S | 2 +-
arch/arm64/kvm/hyp/include/hyp/switch.h | 4 ++--
arch/arm64/kvm/hyp/nvhe/host.S | 2 +-
arch/arm64/kvm/hyp/vhe/switch.c | 26 +++++++++++++++++++--
6 files changed, 79 insertions(+), 9 deletions(-)
diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
index 0db23a6304ce..d76e41a07df1 100644
--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -26,6 +26,8 @@
#define CREATE_TRACE_POINTS
#include "trace_handle_exit.h"
+DECLARE_KVM_NVHE_PER_CPU(struct kvm_cpu_context, kvm_hyp_ctxt);
+
typedef int (*exit_handle_fn)(struct kvm_vcpu *);
static void kvm_handle_guest_serror(struct kvm_vcpu *vcpu, u64 esr)
@@ -383,11 +385,35 @@ void handle_exit_early(struct kvm_vcpu *vcpu, int exception_index)
kvm_handle_guest_serror(vcpu, kvm_vcpu_get_esr(vcpu));
}
-static void kvm_nvhe_report_cfi_failure(u64 panic_addr)
+static void kvm_nvhe_report_cfi_target(struct user_pt_regs *regs, u64 esr,
+ u64 hyp_offset)
+{
+ u64 va_mask = GENMASK_ULL(vabits_actual - 1, 0);
+ u8 type_idx = FIELD_GET(CFI_BRK_IMM_TYPE, esr);
+ u8 target_idx = FIELD_GET(CFI_BRK_IMM_TARGET, esr);
+ u32 expected_type = (u32)regs->regs[type_idx];
+ u64 target_addr = (regs->regs[target_idx] & va_mask) + hyp_offset;
+
+ kvm_err(" (target: [<%016llx>] %ps, expected type: 0x%08x)\n",
+ target_addr, (void *)(target_addr + kaslr_offset()),
+ expected_type);
+}
+
+static void kvm_nvhe_report_cfi_failure(u64 panic_addr, u64 esr, u64 hyp_offset)
{
+ struct user_pt_regs *regs = NULL;
+
kvm_err("nVHE hyp CFI failure at: [<%016llx>] %pB!\n", panic_addr,
(void *)(panic_addr + kaslr_offset()));
+ if (IS_ENABLED(CONFIG_NVHE_EL2_DEBUG) || !is_protected_kvm_enabled())
+ regs = &this_cpu_ptr_nvhe_sym(kvm_hyp_ctxt)->regs;
+
+ if (regs)
+ kvm_nvhe_report_cfi_target(regs, esr, hyp_offset);
+ else
+ kvm_err(" (no target information: !CONFIG_NVHE_EL2_DEBUG)\n");
+
if (IS_ENABLED(CONFIG_CFI_PERMISSIVE))
kvm_err(" (CONFIG_CFI_PERMISSIVE ignored for hyp failures)\n");
}
@@ -423,7 +449,7 @@ void __noreturn __cold nvhe_hyp_panic_handler(u64 esr, u64 spsr,
kvm_err("nVHE hyp BUG at: [<%016llx>] %pB!\n", panic_addr,
(void *)(panic_addr + kaslr_offset()));
} else if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr)) {
- kvm_nvhe_report_cfi_failure(panic_addr);
+ kvm_nvhe_report_cfi_failure(panic_addr, esr, hyp_offset);
} else {
kvm_err("nVHE hyp panic at: [<%016llx>] %pB!\n", panic_addr,
(void *)(panic_addr + kaslr_offset()));
diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
index 6a1ce9d21e5b..8838b453b9be 100644
--- a/arch/arm64/kvm/hyp/entry.S
+++ b/arch/arm64/kvm/hyp/entry.S
@@ -83,7 +83,7 @@ alternative_else_nop_endif
eret
sb
-SYM_INNER_LABEL(__hyp_restore_elr_and_panic, SYM_L_GLOBAL)
+SYM_INNER_LABEL(__hyp_restore_elr_save_context_and_panic, SYM_L_GLOBAL)
// x0-x29,lr: hyp regs
stp x0, x1, [sp, #-16]!
@@ -92,6 +92,28 @@ SYM_INNER_LABEL(__hyp_restore_elr_and_panic, SYM_L_GLOBAL)
msr elr_el2, x0
ldp x0, x1, [sp], #16
+SYM_INNER_LABEL(__hyp_save_context_and_panic, SYM_L_GLOBAL)
+ // x0-x29,lr: hyp regs
+
+ stp x0, x1, [sp, #-16]!
+
+ adr_this_cpu x0, kvm_hyp_ctxt, x1
+
+ stp x2, x3, [x0, #CPU_XREG_OFFSET(2)]
+
+ ldp x2, x3, [sp], #16
+
+ stp x2, x3, [x0, #CPU_XREG_OFFSET(0)]
+ stp x4, x5, [x0, #CPU_XREG_OFFSET(4)]
+ stp x6, x7, [x0, #CPU_XREG_OFFSET(6)]
+ stp x8, x9, [x0, #CPU_XREG_OFFSET(8)]
+ stp x10, x11, [x0, #CPU_XREG_OFFSET(10)]
+ stp x12, x13, [x0, #CPU_XREG_OFFSET(12)]
+ stp x14, x15, [x0, #CPU_XREG_OFFSET(14)]
+ stp x16, x17, [x0, #CPU_XREG_OFFSET(16)]
+
+ save_callee_saved_regs x0
+
SYM_INNER_LABEL(__hyp_panic, SYM_L_GLOBAL)
// x0-x29,lr: vcpu regs
diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
index 7e65ef738ec9..d0d90d598338 100644
--- a/arch/arm64/kvm/hyp/hyp-entry.S
+++ b/arch/arm64/kvm/hyp/hyp-entry.S
@@ -130,7 +130,7 @@ SYM_CODE_END(\label)
.endm
/* None of these should ever happen */
- invalid_vector el2t_sync_invalid
+ invalid_vector el2t_sync_invalid, __hyp_save_context_and_panic
invalid_vector el2t_irq_invalid
invalid_vector el2t_fiq_invalid
invalid_vector el2t_error_invalid
diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h
index 9387e3a0b680..f3d8fbc7a77b 100644
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -753,7 +753,7 @@ static inline bool fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code)
static inline void __kvm_unexpected_el2_exception(void)
{
- extern char __hyp_restore_elr_and_panic[];
+ extern char __hyp_restore_elr_save_context_and_panic[];
unsigned long addr, fixup;
struct kvm_exception_table_entry *entry, *end;
unsigned long elr_el2 = read_sysreg(elr_el2);
@@ -776,7 +776,7 @@ static inline void __kvm_unexpected_el2_exception(void)
/* Trigger a panic after restoring the hyp context. */
this_cpu_ptr(&kvm_hyp_ctxt)->sys_regs[ELR_EL2] = elr_el2;
- write_sysreg(__hyp_restore_elr_and_panic, elr_el2);
+ write_sysreg(__hyp_restore_elr_save_context_and_panic, elr_el2);
}
#endif /* __ARM64_KVM_HYP_SWITCH_H__ */
diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S
index 0613b6e35137..ec3e4f5c28cc 100644
--- a/arch/arm64/kvm/hyp/nvhe/host.S
+++ b/arch/arm64/kvm/hyp/nvhe/host.S
@@ -213,7 +213,7 @@ SYM_FUNC_END(__host_hvc)
.endm
.macro host_el2_sync_vect
- __host_el2_vect __hyp_panic
+ __host_el2_vect __hyp_save_context_and_panic
.endm
.macro invalid_host_el1_vect
diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switch.c
index b3268933b093..17df57580c77 100644
--- a/arch/arm64/kvm/hyp/vhe/switch.c
+++ b/arch/arm64/kvm/hyp/vhe/switch.c
@@ -18,6 +18,7 @@
#include <asm/barrier.h>
#include <asm/cpufeature.h>
+#include <asm/esr.h>
#include <asm/kprobes.h>
#include <asm/kvm_asm.h>
#include <asm/kvm_emulate.h>
@@ -308,7 +309,24 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu)
return ret;
}
-static void __noreturn __hyp_call_panic(u64 spsr, u64 elr, u64 par)
+static void __noreturn __hyp_call_panic_for_cfi(u64 elr, u64 esr)
+{
+ struct user_pt_regs *regs = &this_cpu_ptr(&kvm_hyp_ctxt)->regs;
+ u8 type_idx = FIELD_GET(CFI_BRK_IMM_TYPE, esr);
+ u8 target_idx = FIELD_GET(CFI_BRK_IMM_TARGET, esr);
+ u32 expected_type = (u32)regs->regs[type_idx];
+ u64 target = regs->regs[target_idx];
+
+ panic("VHE hyp CFI failure at: [<%016llx>] %pB (target: [<%016llx>] %ps, expected type: 0x%08x)\n"
+#ifdef CONFIG_CFI_PERMISSIVE
+ " (CONFIG_CFI_PERMISSIVE ignored for hyp failures)\n"
+#endif
+ ,
+ elr, (void *)elr, target, (void *)target, expected_type);
+}
+NOKPROBE_SYMBOL(__hyp_call_panic_for_cfi);
+
+static void __noreturn __hyp_call_panic(u64 spsr, u64 elr, u64 par, u64 esr)
{
struct kvm_cpu_context *host_ctxt;
struct kvm_vcpu *vcpu;
@@ -319,6 +337,9 @@ static void __noreturn __hyp_call_panic(u64 spsr, u64 elr, u64 par)
__deactivate_traps(vcpu);
sysreg_restore_host_state_vhe(host_ctxt);
+ if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr))
+ __hyp_call_panic_for_cfi(elr, esr);
+
panic("HYP panic:\nPS:%08llx PC:%016llx ESR:%08llx\nFAR:%016llx HPFAR:%016llx PAR:%016llx\nVCPU:%p\n",
spsr, elr,
read_sysreg_el2(SYS_ESR), read_sysreg_el2(SYS_FAR),
@@ -331,8 +352,9 @@ void __noreturn hyp_panic(void)
u64 spsr = read_sysreg_el2(SYS_SPSR);
u64 elr = read_sysreg_el2(SYS_ELR);
u64 par = read_sysreg_par();
+ u64 esr = read_sysreg_el2(SYS_ESR);
- __hyp_call_panic(spsr, elr, par);
+ __hyp_call_panic(spsr, elr, par, esr);
}
asmlinkage void kvm_unexpected_el2_exception(void)
--
2.45.0.118.g7fe29c98d7-goog
prev parent reply other threads:[~2024-05-10 11:27 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-10 11:26 [PATCH v3 00/12] KVM: arm64: Add support for hypervisor kCFI Pierre-Clément Tosi
2024-05-10 11:26 ` [PATCH v3 01/12] KVM: arm64: Fix clobbered ELR in sync abort/SError Pierre-Clément Tosi
2024-05-13 13:55 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 02/12] KVM: arm64: Fix __pkvm_init_switch_pgd C signature Pierre-Clément Tosi
2024-05-13 14:03 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 03/12] KVM: arm64: Pass pointer to __pkvm_init_switch_pgd Pierre-Clément Tosi
2024-05-13 14:17 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 04/12] KVM: arm64: nVHE: Remove __guest_exit_panic path Pierre-Clément Tosi
2024-05-13 14:27 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 05/12] KVM: arm64: nVHE: Add EL2h sync exception handler Pierre-Clément Tosi
2024-05-10 11:26 ` [PATCH v3 06/12] KVM: arm64: nVHE: gen-hyprel: Skip R_AARCH64_ABS32 Pierre-Clément Tosi
2024-05-13 14:33 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 07/12] KVM: arm64: VHE: Mark __hyp_call_panic __noreturn Pierre-Clément Tosi
2024-05-13 14:52 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 08/12] arm64: Move esr_comment() to <asm/esr.h> Pierre-Clément Tosi
2024-05-13 14:57 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 09/12] KVM: arm64: VHE: Add test module for hyp kCFI Pierre-Clément Tosi
2024-05-13 17:21 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 10/12] KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2 Pierre-Clément Tosi
2024-05-13 17:30 ` Will Deacon
2024-05-10 11:26 ` [PATCH v3 11/12] KVM: arm64: nVHE: Support test module for hyp kCFI Pierre-Clément Tosi
2024-05-10 11:26 ` Pierre-Clément Tosi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240510112645.3625702-13-ptosi@google.com \
--to=ptosi@google.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=maz@kernel.org \
--cc=oliver.upton@linux.dev \
--cc=suzuki.poulose@arm.com \
--cc=vdonnefort@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).