From nobody Sat May 18 07:09:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80981+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80981+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=kernel.org ARC-Seal: i=1; a=rsa-sha256; t=1632327605; cv=none; d=zohomail.com; s=zohoarc; b=CzMAh1bQ6BMc/cYsimmuOTx7/l6V6HO4lDTzy5t6G9Hw8AhhuLmiuOThdN3YF+y9bCdcXTXqXNM/aKnZFsw6TrAqzmCezXaGMg9CLzUOI5Gj7LfN1UqMS35q0RFcTdo9DlRamMN/htvVXJNTkXsjovxWvHNKTjwXdwxuZLNdJVY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1632327605; h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To; bh=iquDHdzvhD9f8xbNlLzJfGt1hgbrk+RrG3dUYhjpU2c=; b=iyBuOH7svDZAL4Oe6hXEuLvOrrQb2oWTZ4DV4J2IR2vneWYgAfcagXWoZCI8cEVheeYakHzaR34gMz2vc/3dyWWffq16D/q1LcyfywvaVjUw4P3wXwH9hFATvKGKh69VZ7+6O0d35oAyyoNnigp91Ti4WDN/4sIYHdkeWlnkhcA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80981+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1632327605372995.7223572896626; Wed, 22 Sep 2021 09:20:05 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id gkpvYY1788612x79tOgo6pOE; Wed, 22 Sep 2021 09:20:05 -0700 X-Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by mx.groups.io with SMTP id smtpd.web08.2725.1632327604598383778 for ; Wed, 22 Sep 2021 09:20:04 -0700 X-Received: by mail.kernel.org (Postfix) with ESMTPSA id CC75C611CA; Wed, 22 Sep 2021 16:20:02 +0000 (UTC) From: "Ard Biesheuvel" To: devel@edk2.groups.io Cc: leif@nuviainc.com, agraf@csgraf.de, peter.maydell@linaro.org, Ard Biesheuvel Subject: [edk2-devel] [PATCH] ArmPkg/ArmMmuLib AARCH64: avoid EL0 accessible mappings Date: Wed, 22 Sep 2021 18:19:54 +0200 Message-Id: <20210922161954.627616-1-ardb@kernel.org> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ardb@kernel.org X-Gm-Message-State: MCk296yZ01lAiMRo9ritO8zCx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1632327605; bh=P2c8DJK22Vu/i8XTPQPByGy6v5VvE4g6YMr481k+1po=; h=Cc:Date:From:Reply-To:Subject:To; b=XY9KSvKYFwkI5Wo8DrlsAJyBAP8JLFMAPzsgJlR0PFAh1mbXuRlCigBCBKHMW8vYW30 TLqbERZuImuc91G0m1OdU++de95aAsV/bDp1Qj6Y3t3XFyvI4ZpWLbtNffvQ5Vv9yAlsv KdQzYmc99hmsuTJdd69Xmf8pBxqelxSyYyE= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1632327607581100002 Content-Type: text/plain; charset="utf-8" We never run any code at EL0, and so it would seem that any access permissions set for EL0 (via the AP[1] attribute in the page tables) are irrelevant. We currently set EL0 and EL1 permissions to the same value arbitrarily. However, this causes problems on hardware like the Apple M1 running the hypervisor framework, which enters EL1 with SCTLR_EL1.SPAN enabled, which causes the Privileged Access Never (PAN) feature to be enabled on any exception taken to EL1, including the IRQ exceptions that handle our timer interrupt. When PAN is enabled, EL1 has no access to any mappings that are also accessible to EL0, causing the firmware to crash if it attempts to access such a mapping. Even though it is debatable whether or not SCTLR_EL1.SPAN should be disabled at entry or whether the firmware should put all UNKNOWN bits in all system registers in a consistent state (which it should), using EL0 permissions serves no purpose whatsoever so let's fix that regardless. Signed-off-by: Ard Biesheuvel Acked-by: Leif Lindholm Tested-by: Alexander Graf --- ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c | 2 +- ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c b/ArmPkg/Drivers/CpuDxe/AA= rch64/Mmu.c index 838803aa9b44..56ce84f37e8a 100644 --- a/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c +++ b/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c @@ -283,7 +283,7 @@ EfiAttributeToArmAttribute ( =20 // Determine protection attributes if ((EfiAttributes & EFI_MEMORY_RO) !=3D 0) { - ArmAttributes |=3D TT_AP_RO_RO; + ArmAttributes |=3D TT_AP_NO_RO; } =20 // Process eXecute Never attribute diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Libr= ary/ArmMmuLib/AArch64/ArmMmuLibCore.c index 8c736d25bb80..512801c88638 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c @@ -356,7 +356,7 @@ GcdAttributeToPageAttribute ( } =20 if ((GcdAttributes & EFI_MEMORY_RO) !=3D 0) { - PageAttributes |=3D TT_AP_RO_RO; + PageAttributes |=3D TT_AP_NO_RO; } =20 return PageAttributes | TT_AF; @@ -449,7 +449,7 @@ ArmSetMemoryRegionReadOnly ( return SetMemoryRegionAttribute ( BaseAddress, Length, - TT_AP_RO_RO, + TT_AP_NO_RO, ~TT_ADDRESS_MASK_BLOCK_ENTRY); } =20 @@ -462,7 +462,7 @@ ArmClearMemoryRegionReadOnly ( return SetMemoryRegionAttribute ( BaseAddress, Length, - TT_AP_RW_RW, + TT_AP_NO_RW, ~(TT_ADDRESS_MASK_BLOCK_ENTRY | TT_AP_MASK)); } =20 --=20 2.30.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80981): https://edk2.groups.io/g/devel/message/80981 Mute This Topic: https://groups.io/mt/85793856/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-