For x64 it was already implemented in: https://github.com/torvalds/linux/commit/71368af
The rationale is the same as for the x64 implementation. Signed-off-by: Anthony Steinhauser <asteinhau...@google.com> --- It's actively attempted by OpenJDK on arm64 CentOS and Fedora: https://git.centos.org/rpms/java-11-openjdk/blob/c8s/f/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch arch/arm64/include/asm/ssbd.h | 28 ++++++++++++++++++++++++++++ arch/arm64/kernel/process.c | 13 +++++++++++++ arch/arm64/kernel/ssbd.c | 34 +++++++++++++++++----------------- 3 files changed, 58 insertions(+), 17 deletions(-) create mode 100644 arch/arm64/include/asm/ssbd.h diff --git a/arch/arm64/include/asm/ssbd.h b/arch/arm64/include/asm/ssbd.h new file mode 100644 index 000000000000..68c716dc5811 --- /dev/null +++ b/arch/arm64/include/asm/ssbd.h @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Copyright (C) 2020 Google LLC. + */ +#ifndef __ASM_SSBD_H +#define __ASM_SSBD_H + +#include <linux/compat.h> +#include <linux/sched/task_stack.h> +#include <linux/thread_info.h> + +static inline void ssbd_ssbs_enable(struct task_struct *task) +{ + u64 val = is_compat_thread(task_thread_info(task)) ? + PSR_AA32_SSBS_BIT : PSR_SSBS_BIT; + + task_pt_regs(task)->pstate |= val; +} + +static inline void ssbd_ssbs_disable(struct task_struct *task) +{ + u64 val = is_compat_thread(task_thread_info(task)) ? + PSR_AA32_SSBS_BIT : PSR_SSBS_BIT; + + task_pt_regs(task)->pstate &= ~val; +} + +#endif /* __ASM_SSBD_H */ diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 6089638c7d43..ad3c67c86c4c 100644 --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -54,6 +54,7 @@ #include <asm/mmu_context.h> #include <asm/processor.h> #include <asm/pointer_auth.h> +#include <asm/ssbd.h> #include <asm/stacktrace.h> #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK) @@ -588,6 +589,18 @@ void arch_setup_new_exec(void) current->mm->context.flags = is_compat_task() ? MMCF_AARCH32 : 0; ptrauth_thread_init_user(current); + + /* + * Don't inherit TIF_SSBD across exec boundary when + * PR_SPEC_DISABLE_NOEXEC is used. + */ + if (test_thread_flag(TIF_SSBD) && + task_spec_ssb_noexec(current)) { + clear_thread_flag(TIF_SSBD); + task_clear_spec_ssb_disable(current); + task_clear_spec_ssb_noexec(current); + ssbd_ssbs_enable(current); + } } #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI diff --git a/arch/arm64/kernel/ssbd.c b/arch/arm64/kernel/ssbd.c index b26955f56750..e936b7ee700b 100644 --- a/arch/arm64/kernel/ssbd.c +++ b/arch/arm64/kernel/ssbd.c @@ -3,7 +3,6 @@ * Copyright (C) 2018 ARM Ltd, All Rights Reserved. */ -#include <linux/compat.h> #include <linux/errno.h> #include <linux/prctl.h> #include <linux/sched.h> @@ -11,22 +10,7 @@ #include <linux/thread_info.h> #include <asm/cpufeature.h> - -static void ssbd_ssbs_enable(struct task_struct *task) -{ - u64 val = is_compat_thread(task_thread_info(task)) ? - PSR_AA32_SSBS_BIT : PSR_SSBS_BIT; - - task_pt_regs(task)->pstate |= val; -} - -static void ssbd_ssbs_disable(struct task_struct *task) -{ - u64 val = is_compat_thread(task_thread_info(task)) ? - PSR_AA32_SSBS_BIT : PSR_SSBS_BIT; - - task_pt_regs(task)->pstate &= ~val; -} +#include <asm/ssbd.h> /* * prctl interface for SSBD @@ -43,6 +27,7 @@ static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl) if (state == ARM64_SSBD_MITIGATED) { switch (ctrl) { case PR_SPEC_ENABLE: + case PR_SPEC_DISABLE_NOEXEC: return -EPERM; case PR_SPEC_DISABLE: case PR_SPEC_FORCE_DISABLE: @@ -62,6 +47,7 @@ static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl) task_spec_ssb_force_disable(task)) return -EPERM; task_clear_spec_ssb_disable(task); + task_clear_spec_ssb_noexec(task); clear_tsk_thread_flag(task, TIF_SSBD); ssbd_ssbs_enable(task); break; @@ -69,6 +55,7 @@ static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl) if (state == ARM64_SSBD_FORCE_DISABLE) return -EPERM; task_set_spec_ssb_disable(task); + task_clear_spec_ssb_noexec(task); set_tsk_thread_flag(task, TIF_SSBD); ssbd_ssbs_disable(task); break; @@ -76,10 +63,21 @@ static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl) if (state == ARM64_SSBD_FORCE_DISABLE) return -EPERM; task_set_spec_ssb_disable(task); + task_clear_spec_ssb_noexec(task); task_set_spec_ssb_force_disable(task); set_tsk_thread_flag(task, TIF_SSBD); ssbd_ssbs_disable(task); break; + case PR_SPEC_DISABLE_NOEXEC: + if (state == ARM64_SSBD_FORCE_ENABLE || + state == ARM64_SSBD_FORCE_DISABLE || + task_spec_ssb_force_disable(task)) + return -EPERM; + task_set_spec_ssb_disable(task); + task_set_spec_ssb_noexec(task); + set_tsk_thread_flag(task, TIF_SSBD); + ssbd_ssbs_disable(task); + break; default: return -ERANGE; } @@ -108,6 +106,8 @@ static int ssbd_prctl_get(struct task_struct *task) case ARM64_SSBD_KERNEL: if (task_spec_ssb_force_disable(task)) return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; + if (task_spec_ssb_noexec(task)) + return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC; if (task_spec_ssb_disable(task)) return PR_SPEC_PRCTL | PR_SPEC_DISABLE; return PR_SPEC_PRCTL | PR_SPEC_ENABLE; -- 2.18.4
