From nobody Thu Feb 22 16:28:03 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Tgdq82CsMz59wPh; Thu, 22 Feb 2024 16:28:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Tgdq806Ssz4JhC; Thu, 22 Feb 2024 16:28:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1708619284; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=e+NAsISze0ielcyJ8yWim/swGxC20K89xeqh440xfoE=; b=UlZ7PWjlEbV24tSAGh3QAzkktTLCbeXrJmBKkEMKD9iuKfYqrmOuYxWImS//JMP74WBQc8 4/9peDFV42vO/NHq28ncENhRf41A4OV4cEIK/3P17BKdFIngNsl3o/uPfKNSL1wwz0GcxC xIzEZUZnxgsPFmvl2dtvrmG8Mu2lvITZsCMZUGXAlrAuYAc3BcwrAarGZ+rX7UmXJTZBx4 MGgXKBO81jInGPaWD3LydCiPosxWsJSTFg6nEwkyF8Q9ie9estbrFiuasNQzKLMV6XtY4i 42pmvjIEs6f2JpGbqwvZReBxAIFj3gzTK+WCvcjmx9kxe9AS8JHDelgxJ5cPEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1708619284; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=e+NAsISze0ielcyJ8yWim/swGxC20K89xeqh440xfoE=; b=iW74IHPAxwxoOlBueYyfRdQIXTisdr01HFXAwEEaA5fAfSmSJ03KM4ldCe8v8Pqg4GOwg9 o8MYZxyHpFeQMa90pH4uo4hY1ngjIL8H4DbWHBUA8qSxG8PetwRoL4UmUjneKvGV6QyhcO WCp1cGg2wJICh/Ozqg1fELJK2x8pDDwpgNqfI7kFMOSvsYW1FBa49sM4rrzWZ/HHFsmvdL lXM0M0pJqrqNILk21YOJ7UCEs1YHMoXDCkIEaTnOehBQE+MAzcbft/cRSDV0/SMGFeGr75 mwtaxIWnE9j/HHo6Cg+kiPUpU3d0PutEIaQg8GTavtQ3RI90cEjIrKsMVkKHQw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1708619284; a=rsa-sha256; cv=none; b=KUwd3DyX0ziM4oRxPoh8aWDeLCe6G+wBq0fBEwFmnlXWkmJek/RFCJX/XL7LoKPcGiBUfT Jh4vLMKx4cdySg8l6iEaQYKxoclWdQk+G1wCr+Rxc7iTd/3XhBR7BcI5D9dp/UFywzJsin UyDFLveZIUTQtG4Q6Ult5xSCUipYX6r/HZTQoCQgR5hmyX+2/7UNH2mfvK6eJqLQ89Y8lP 1YXzisiYRlXsaDddlEbV5kNKiRAda3blTzc8vXOBLGmVl6VsOKN+qhEawKRVYYqxiBjXGd GIwgqXppbLxZRXhQfobxxGOMAozWxH3wQTkpCEdlUcyRMo/VO+hbIICt+7NUTQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Tgdq76JtwzfGL; Thu, 22 Feb 2024 16:28:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 41MGS3En015332; Thu, 22 Feb 2024 16:28:03 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 41MGS3cb015329; Thu, 22 Feb 2024 16:28:03 GMT (envelope-from git) Date: Thu, 22 Feb 2024 16:28:03 GMT Message-Id: <202402221628.41MGS3cb015329@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Andrew Turner Subject: git: d3eae160b21f - main - arm64: Add BTI support to pmap List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: andrew X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: d3eae160b21f12c769f1e275901ad8ef18901744 Auto-Submitted: auto-generated The branch main has been updated by andrew: URL: https://cgit.FreeBSD.org/src/commit/?id=d3eae160b21f12c769f1e275901ad8ef18901744 commit d3eae160b21f12c769f1e275901ad8ef18901744 Author: Andrew Turner AuthorDate: 2023-04-05 12:31:41 +0000 Commit: Andrew Turner CommitDate: 2024-02-22 16:27:47 +0000 arm64: Add BTI support to pmap Add a rangeset to the arm64 pmap to describe which address space needs the Branch Target Identification (BTI) Guard Page flag set in the page table. On hardware that supports BTI the Guard Page flag tells the hardware to raise an exception if the target of a BR* and BLR* instruction is not an appropriate landing pad instruction. To support this in userspace we need to know which address space should be guarded. For this add a rangeset to the arm64 pmap when the hardware supports BTI. The kernel can then use pmap_bti_set and pmap_bti_clear mark and unmark which address space is guarded. Sponsored by: Arm Ltd Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D42328 --- sys/arm64/arm64/pmap.c | 270 ++++++++++++++++++++++++++++++++++++++++++++--- sys/arm64/include/pmap.h | 13 +-- 2 files changed, 263 insertions(+), 20 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index d9b6425cc20e..21912535bb6a 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -119,6 +119,7 @@ #include #include #include +#include #include #include #include @@ -432,6 +433,12 @@ SYSCTL_INT(_vm_pmap, OID_AUTO, superpages_enabled, CTLFLAG_RDTUN | CTLFLAG_NOFETCH, &superpages_enabled, 0, "Are large page mappings enabled?"); +/* + * True when Branch Target Identification should be used by userspace. This + * allows pmap to mark pages as guarded with ATTR_S1_GP. + */ +__read_mostly static bool pmap_bti_support = false; + /* * Internal flags for pmap_enter()'s helper functions. */ @@ -478,7 +485,14 @@ static void _pmap_unwire_l3(pmap_t pmap, vm_offset_t va, vm_page_t m, static int pmap_unuse_pt(pmap_t, vm_offset_t, pd_entry_t, struct spglist *); static __inline vm_page_t pmap_remove_pt_page(pmap_t pmap, vm_offset_t va); +static uma_zone_t pmap_bti_ranges_zone; +static bool pmap_bti_same(pmap_t pmap, vm_offset_t sva, vm_offset_t eva); static pt_entry_t pmap_pte_bti(pmap_t pmap, vm_offset_t va); +static void pmap_bti_on_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva); +static void *bti_dup_range(void *ctx, void *data); +static void bti_free_range(void *ctx, void *node); +static int pmap_bti_copy(pmap_t dst_pmap, pmap_t src_pmap); +static void pmap_bti_deassign_all(pmap_t pmap); /* * These load the old table data and store the new value. @@ -2320,6 +2334,7 @@ pmap_pinit0(pmap_t pmap) pmap->pm_levels = 4; pmap->pm_ttbr = pmap->pm_l0_paddr; pmap->pm_asid_set = &asids; + pmap->pm_bti = NULL; PCPU_SET(curpmap, pmap); } @@ -2345,9 +2360,16 @@ pmap_pinit_stage(pmap_t pmap, enum pmap_stage stage, int levels) MPASS(levels == 3 || levels == 4); pmap->pm_levels = levels; pmap->pm_stage = stage; + pmap->pm_bti = NULL; switch (stage) { case PM_STAGE1: pmap->pm_asid_set = &asids; + if (pmap_bti_support) { + pmap->pm_bti = malloc(sizeof(struct rangeset), M_DEVBUF, + M_ZERO | M_WAITOK); + rangeset_init(pmap->pm_bti, bti_dup_range, + bti_free_range, pmap, M_NOWAIT); + } break; case PM_STAGE2: pmap->pm_asid_set = &vmids; @@ -2652,7 +2674,7 @@ void pmap_release(pmap_t pmap) { bool rv __diagused; - struct spglist free; + struct spglist freelist; struct asid_set *set; vm_page_t m; int asid; @@ -2665,13 +2687,13 @@ pmap_release(pmap_t pmap) KASSERT((pmap->pm_l0[0] & ATTR_DESCR_VALID) == ATTR_DESCR_VALID, ("pmap_release: Invalid l0 entry: %lx", pmap->pm_l0[0])); - SLIST_INIT(&free); + SLIST_INIT(&freelist); m = PHYS_TO_VM_PAGE(pmap->pm_ttbr); PMAP_LOCK(pmap); - rv = pmap_unwire_l3(pmap, 0, m, &free); + rv = pmap_unwire_l3(pmap, 0, m, &freelist); PMAP_UNLOCK(pmap); MPASS(rv == true); - vm_page_free_pages_toq(&free, true); + vm_page_free_pages_toq(&freelist, true); } KASSERT(pmap->pm_stats.resident_count == 0, @@ -2699,6 +2721,11 @@ pmap_release(pmap_t pmap) bit_clear(set->asid_set, asid); } mtx_unlock_spin(&set->asid_set_mutex); + + if (pmap->pm_bti != NULL) { + rangeset_fini(pmap->pm_bti); + free(pmap->pm_bti, M_DEVBUF); + } } m = PHYS_TO_VM_PAGE(pmap->pm_l0_paddr); @@ -3631,14 +3658,8 @@ pmap_remove_l3_range(pmap_t pmap, pd_entry_t l2e, vm_offset_t sva, pmap_invalidate_range(pmap, va, sva, true); } -/* - * Remove the given range of addresses from the specified map. - * - * It is assumed that the start and end are properly - * rounded to the page size. - */ -void -pmap_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) +static void +pmap_remove1(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, bool map_delete) { struct rwlock *lock; vm_offset_t va_next; @@ -3655,6 +3676,8 @@ pmap_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) SLIST_INIT(&free); PMAP_LOCK(pmap); + if (map_delete) + pmap_bti_on_remove(pmap, sva, eva); lock = NULL; for (; sva < eva; sva = va_next) { @@ -3737,6 +3760,18 @@ pmap_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) vm_page_free_pages_toq(&free, true); } +/* + * Remove the given range of addresses from the specified map. + * + * It is assumed that the start and end are properly + * rounded to the page size. + */ +void +pmap_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) +{ + pmap_remove1(pmap, sva, eva, false); +} + /* * Remove the given range of addresses as part of a logical unmap * operation. This has the effect of calling pmap_remove(), but @@ -3746,7 +3781,7 @@ pmap_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) void pmap_map_delete(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) { - pmap_remove(pmap, sva, eva); + pmap_remove1(pmap, sva, eva, true); } /* @@ -4355,6 +4390,8 @@ pmap_enter_largepage(pmap_t pmap, vm_offset_t va, pt_entry_t newpte, int flags, PTE_TO_PHYS(newpte), newpte, psind)); restart: + if (!pmap_bti_same(pmap, va, va + pagesizes[psind])) + return (KERN_PROTECTION_FAILURE); if (psind == 2) { PMAP_ASSERT_L1_BLOCKS_SUPPORTED; @@ -4848,6 +4885,14 @@ pmap_enter_l2(pmap_t pmap, vm_offset_t va, pd_entry_t new_l2, u_int flags, return (KERN_RESOURCE_SHORTAGE); } + /* + * If bti is not the same for the whole l2 range, return failure + * and let vm_fault() cope. Check after l2 allocation, since + * it could sleep. + */ + if (!pmap_bti_same(pmap, va, va + L2_SIZE)) + return (KERN_PROTECTION_FAILURE); + /* * If there are existing mappings, either abort or remove them. */ @@ -5496,6 +5541,38 @@ out: PMAP_UNLOCK(dst_pmap); } +int +pmap_vmspace_copy(pmap_t dst_pmap, pmap_t src_pmap) +{ + int error; + + if (dst_pmap->pm_stage != src_pmap->pm_stage) + return (EINVAL); + + if (dst_pmap->pm_stage != PM_STAGE1 || src_pmap->pm_bti == NULL) + return (0); + + for (;;) { + if (dst_pmap < src_pmap) { + PMAP_LOCK(dst_pmap); + PMAP_LOCK(src_pmap); + } else { + PMAP_LOCK(src_pmap); + PMAP_LOCK(dst_pmap); + } + error = pmap_bti_copy(dst_pmap, src_pmap); + /* Clean up partial copy on failure due to no memory. */ + if (error == ENOMEM) + pmap_bti_deassign_all(dst_pmap); + PMAP_UNLOCK(src_pmap); + PMAP_UNLOCK(dst_pmap); + if (error != ENOMEM) + break; + vm_wait(NULL); + } + return (error); +} + /* * pmap_zero_page zeros the specified hardware page by mapping * the page into KVM and using bzero to clear its contents. @@ -5907,6 +5984,7 @@ pmap_remove_pages(pmap_t pmap) if (lock != NULL) rw_wunlock(lock); pmap_invalidate_all(pmap); + pmap_bti_deassign_all(pmap); free_pv_chunk_batch(free_chunks); PMAP_UNLOCK(pmap); vm_page_free_pages_toq(&free, true); @@ -7436,6 +7514,29 @@ pmap_set_cnp(void *arg) isb(); } +/* + * Defer enabling some features until we have read the ID registers to know + * if they are supported on all CPUs. + */ +static void +pmap_init_mp(void *dummy __unused) +{ + uint64_t reg; + + if (get_kernel_reg(ID_AA64PFR1_EL1, ®)) { + if (ID_AA64PFR1_BT_VAL(reg) != ID_AA64PFR1_BT_NONE) { + if (bootverbose) + printf("Enabling BTI\n"); + pmap_bti_support = true; + + pmap_bti_ranges_zone = uma_zcreate("BTI ranges", + sizeof(struct rs_el), NULL, NULL, NULL, NULL, + UMA_ALIGN_PTR, 0); + } + } +} +SYSINIT(pmap_init_mp, SI_SUB_CPU, SI_ORDER_ANY, pmap_init_mp, NULL); + /* * Defer enabling CnP until we have read the ID registers to know if it's * supported on all CPUs. @@ -7871,8 +7972,85 @@ pmap_is_valid_memattr(pmap_t pmap __unused, vm_memattr_t mode) return (mode >= VM_MEMATTR_DEVICE && mode <= VM_MEMATTR_WRITE_THROUGH); } +static void * +bti_dup_range(void *ctx __unused, void *data) +{ + struct rs_el *node, *new_node; + + new_node = uma_zalloc(pmap_bti_ranges_zone, M_NOWAIT); + if (new_node == NULL) + return (NULL); + node = data; + memcpy(new_node, node, sizeof(*node)); + return (new_node); +} + +static void +bti_free_range(void *ctx __unused, void *node) +{ + + uma_zfree(pmap_bti_ranges_zone, node); +} + +static int +pmap_bti_assign(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) +{ + struct rs_el *rs; + int error; + + PMAP_LOCK_ASSERT(pmap, MA_OWNED); + PMAP_ASSERT_STAGE1(pmap); + MPASS(pmap->pm_bti != NULL); + rs = uma_zalloc(pmap_bti_ranges_zone, M_NOWAIT); + if (rs == NULL) + return (ENOMEM); + error = rangeset_insert(pmap->pm_bti, sva, eva, rs); + if (error != 0) + uma_zfree(pmap_bti_ranges_zone, rs); + return (error); +} + +static void +pmap_bti_deassign_all(pmap_t pmap) +{ + + PMAP_LOCK_ASSERT(pmap, MA_OWNED); + if (pmap->pm_bti != NULL) + rangeset_remove_all(pmap->pm_bti); +} + +static bool +pmap_bti_same(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) +{ + struct rs_el *prev_rs, *rs; + vm_offset_t va; + + PMAP_LOCK_ASSERT(pmap, MA_OWNED); + KASSERT(ADDR_IS_CANONICAL(sva), + ("%s: Start address not in canonical form: %lx", __func__, sva)); + KASSERT(ADDR_IS_CANONICAL(eva), + ("%s: End address not in canonical form: %lx", __func__, eva)); + + if (pmap->pm_bti == NULL || ADDR_IS_KERNEL(sva)) + return (true); + MPASS(!ADDR_IS_KERNEL(eva)); + for (va = sva; va < eva; prev_rs = rs) { + rs = rangeset_lookup(pmap->pm_bti, va); + if (va == sva) + prev_rs = rs; + else if ((rs == NULL) ^ (prev_rs == NULL)) + return (false); + if (rs == NULL) { + va += PAGE_SIZE; + continue; + } + va = rs->re_end; + } + return (true); +} + static pt_entry_t -pmap_pte_bti(pmap_t pmap, vm_offset_t va __diagused) +pmap_pte_bti(pmap_t pmap, vm_offset_t va) { PMAP_LOCK_ASSERT(pmap, MA_OWNED); MPASS(ADDR_IS_CANONICAL(va)); @@ -7881,9 +8059,73 @@ pmap_pte_bti(pmap_t pmap, vm_offset_t va __diagused) return (0); if (pmap == kernel_pmap) return (ATTR_KERN_GP); + if (pmap->pm_bti != NULL && rangeset_lookup(pmap->pm_bti, va) != NULL) + return (ATTR_S1_GP); return (0); } +static void +pmap_bti_on_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) +{ + + PMAP_LOCK_ASSERT(pmap, MA_OWNED); + if (pmap->pm_bti != NULL) + rangeset_remove(pmap->pm_bti, sva, eva); +} + +static int +pmap_bti_copy(pmap_t dst_pmap, pmap_t src_pmap) +{ + + PMAP_LOCK_ASSERT(dst_pmap, MA_OWNED); + PMAP_LOCK_ASSERT(src_pmap, MA_OWNED); + MPASS(src_pmap->pm_stage == dst_pmap->pm_stage); + MPASS(src_pmap->pm_bti != NULL); + MPASS(dst_pmap->pm_bti != NULL); + if (src_pmap->pm_bti->rs_data_ctx == NULL) + return (0); + return (rangeset_copy(dst_pmap->pm_bti, src_pmap->pm_bti)); +} + +static void +pmap_bti_update_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, bool set) +{ + PMAP_LOCK_ASSERT(pmap, MA_OWNED); + PMAP_ASSERT_STAGE1(pmap); + + pmap_mask_set_locked(pmap, sva, eva, ATTR_S1_GP, set ? ATTR_S1_GP : 0, + true); +} + +int +pmap_bti_set(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) +{ + int error; + + if (pmap->pm_bti == NULL) + return (0); + if (!ADDR_IS_CANONICAL(sva) || !ADDR_IS_CANONICAL(eva)) + return (EINVAL); + if (pmap->pm_stage != PM_STAGE1) + return (EINVAL); + if (eva <= sva || ADDR_IS_KERNEL(eva)) + return (EFAULT); + + sva = trunc_page(sva); + eva = round_page(eva); + for (;;) { + PMAP_LOCK(pmap); + error = pmap_bti_assign(pmap, sva, eva); + if (error == 0) + pmap_bti_update_range(pmap, sva, eva, true); + PMAP_UNLOCK(pmap); + if (error != ENOMEM) + break; + vm_wait(NULL); + } + return (error); +} + #if defined(KASAN) || defined(KMSAN) static pd_entry_t *pmap_san_early_l2; diff --git a/sys/arm64/include/pmap.h b/sys/arm64/include/pmap.h index 4b4d47ccc7af..d69924080610 100644 --- a/sys/arm64/include/pmap.h +++ b/sys/arm64/include/pmap.h @@ -63,6 +63,8 @@ void pmap_page_set_memattr(vm_page_t m, vm_memattr_t ma); * Pmap stuff */ +struct rangeset; + struct md_page { TAILQ_HEAD(,pv_entry) pv_list; int pv_gen; @@ -97,7 +99,8 @@ struct pmap { struct asid_set *pm_asid_set; /* The ASID/VMID set to use */ enum pmap_stage pm_stage; int pm_levels; - uint64_t pm_reserved[4]; + struct rangeset *pm_bti; + uint64_t pm_reserved[3]; }; typedef struct pmap *pmap_t; @@ -182,12 +185,10 @@ extern void (*pmap_stage2_invalidate_range)(uint64_t, vm_offset_t, vm_offset_t, bool); extern void (*pmap_stage2_invalidate_all)(uint64_t); -static inline int -pmap_vmspace_copy(pmap_t dst_pmap __unused, pmap_t src_pmap __unused) -{ +int pmap_vmspace_copy(pmap_t, pmap_t); - return (0); -} +int pmap_bti_set(pmap_t, vm_offset_t, vm_offset_t); +int pmap_bti_clear(pmap_t, vm_offset_t, vm_offset_t); #if defined(KASAN) || defined(KMSAN) struct arm64_bootparams;