The hypervisor is expected to create a value for the HASHPKEY SPR for
each partition. Currently it uses zero for all partitions, use a
random number instead, which in theory might make kernel ROP protection
more secure.
Signed-of-by: Nicholas Piggin <npiggin@gmail.com>
---
include/hw/ppc/spapr.h | 1 +
hw/ppc/spapr.c | 3 +++
hw/ppc/spapr_cpu_core.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index af4aa1cb0fb..db44893689b 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -201,6 +201,7 @@ struct SpaprMachineState {
uint32_t fdt_initial_size;
void *fdt_blob;
uint8_t fdt_rng_seed[32];
+ uint64_t hashpkey_val;
long kernel_size;
bool kernel_le;
uint64_t kernel_addr;
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index fa05e0c5156..34934afd551 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -2888,6 +2888,9 @@ static void spapr_machine_init(MachineState *machine)
spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
}
+ qemu_guest_getrandom_nofail(&spapr->hashpkey_val,
+ sizeof(spapr->hashpkey_val));
+
/* init CPUs */
spapr_init_cpus(spapr);
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 88d743a3c3f..bf9f29f4ff3 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -273,6 +273,8 @@ static bool spapr_realize_vcpu(PowerPCCPU *cpu, SpaprMachineState *spapr,
env->spr_cb[SPR_PIR].default_value = cs->cpu_index;
env->spr_cb[SPR_TIR].default_value = thread_index;
+ env->spr_cb[SPR_HASHPKEYR].default_value = spapr->hashpkey_val;
+
cpu_ppc_set_1lpar(cpu);
/* Set time-base frequency to 512 MHz. vhyp must be set first. */
--
2.45.2On 19/12/24 04:40, Nicholas Piggin wrote: > The hypervisor is expected to create a value for the HASHPKEY SPR for > each partition. Currently it uses zero for all partitions, use a > random number instead, which in theory might make kernel ROP protection > more secure. > > Signed-of-by: Nicholas Piggin <npiggin@gmail.com> > --- > include/hw/ppc/spapr.h | 1 + > hw/ppc/spapr.c | 3 +++ > hw/ppc/spapr_cpu_core.c | 2 ++ > 3 files changed, 6 insertions(+) Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
On 12/19/24 09:10, Nicholas Piggin wrote:
> The hypervisor is expected to create a value for the HASHPKEY SPR for
> each partition. Currently it uses zero for all partitions, use a
> random number instead, which in theory might make kernel ROP protection
> more secure.
>
> Signed-of-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
> ---
> include/hw/ppc/spapr.h | 1 +
> hw/ppc/spapr.c | 3 +++
> hw/ppc/spapr_cpu_core.c | 2 ++
> 3 files changed, 6 insertions(+)
>
> diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
> index af4aa1cb0fb..db44893689b 100644
> --- a/include/hw/ppc/spapr.h
> +++ b/include/hw/ppc/spapr.h
> @@ -201,6 +201,7 @@ struct SpaprMachineState {
> uint32_t fdt_initial_size;
> void *fdt_blob;
> uint8_t fdt_rng_seed[32];
> + uint64_t hashpkey_val;
> long kernel_size;
> bool kernel_le;
> uint64_t kernel_addr;
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index fa05e0c5156..34934afd551 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -2888,6 +2888,9 @@ static void spapr_machine_init(MachineState *machine)
> spapr_ovec_set(spapr->ov5, OV5_XIVE_EXPLOIT);
> }
>
> + qemu_guest_getrandom_nofail(&spapr->hashpkey_val,
> + sizeof(spapr->hashpkey_val));
> +
> /* init CPUs */
> spapr_init_cpus(spapr);
>
> diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> index 88d743a3c3f..bf9f29f4ff3 100644
> --- a/hw/ppc/spapr_cpu_core.c
> +++ b/hw/ppc/spapr_cpu_core.c
> @@ -273,6 +273,8 @@ static bool spapr_realize_vcpu(PowerPCCPU *cpu, SpaprMachineState *spapr,
> env->spr_cb[SPR_PIR].default_value = cs->cpu_index;
> env->spr_cb[SPR_TIR].default_value = thread_index;
>
> + env->spr_cb[SPR_HASHPKEYR].default_value = spapr->hashpkey_val;
> +
> cpu_ppc_set_1lpar(cpu);
>
> /* Set time-base frequency to 512 MHz. vhyp must be set first. */
© 2016 - 2025 Red Hat, Inc.