pauth.c source code [linux/arch/arm64/kvm/pauth.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Copyright (C) 2024 - Google LLC
4	* Author: Marc Zyngier <maz@kernel.org>
5	*
6	* Primitive PAuth emulation for ERETAA/ERETAB.
7	*
8	* This code assumes that is is run from EL2, and that it is part of
9	* the emulation of ERETAx for a guest hypervisor. That's a lot of
10	* baked-in assumptions and shortcuts.
11	*
12	* Do no reuse for anything else!
13	*/
14
15	#include <linux/kvm_host.h>
16
17	#include <asm/gpr-num.h>
18	#include <asm/kvm_emulate.h>
19	#include <asm/pointer_auth.h>
20
21	/ PACGA Xd, Xn, Xm /
22	#define PACGA(d,n,m) \
23	asm volatile(__DEFINE_ASM_GPR_NUMS \
24	".inst 0x9AC03000 \|" \
25	"(.L__gpr_num_%[Rd] << 0) \|" \
26	"(.L__gpr_num_%[Rn] << 5) \|" \
27	"(.L__gpr_num_%[Rm] << 16)\n" \
28	: [Rd] "=r" ((d)) \
29	: [Rn] "r" ((n)), [Rm] "r" ((m)))
30
31	static u64 compute_pac(struct kvm_vcpu *vcpu, u64 ptr,
32	struct ptrauth_key ikey)
33	{
34	struct ptrauth_key gkey;
35	u64 mod, pac = `0`;
36
37	preempt_disable();
38
39	if (!vcpu_get_flag(vcpu, SYSREGS_ON_CPU))
40	mod = __vcpu_sys_reg(vcpu, SP_EL2);
41	else
42	mod = read_sysreg(sp_el1);
43
44	gkey.lo = read_sysreg_s(SYS_APGAKEYLO_EL1);
45	gkey.hi = read_sysreg_s(SYS_APGAKEYHI_EL1);
46
47	__ptrauth_key_install_nosync(APGA, ikey);
48	isb();
49
50	PACGA(pac, ptr, mod);
51	isb();
52
53	__ptrauth_key_install_nosync(APGA, gkey);
54
55	preempt_enable();
56
57	/ PAC in the top 32bits /
58	return pac;
59	}
60
61	static bool effective_tbi(struct kvm_vcpu *vcpu, bool bit55)
62	{
63	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
64	bool tbi, tbid;
65
66	/*
67	* Since we are authenticating an instruction address, we have
68	* to take TBID into account. If E2H==0, ignore VA[55], as
69	* TCR_EL2 only has a single TBI/TBID. If VA[55] was set in
70	* this case, this is likely a guest bug...
71	*/
72	if (!vcpu_el2_e2h_is_set(vcpu)) {
73	tbi = tcr & BIT(`20`);
74	tbid = tcr & BIT(`29`);
75	} else if (bit55) {
76	tbi = tcr & TCR_TBI1;
77	tbid = tcr & TCR_TBID1;
78	} else {
79	tbi = tcr & TCR_TBI0;
80	tbid = tcr & TCR_TBID0;
81	}
82
83	return tbi && !tbid;
84	}
85
86	static int compute_bottom_pac(struct kvm_vcpu *vcpu, bool bit55)
87	{
88	static const int maxtxsz = `39`; // Revisit these two values once
89	static const int mintxsz = `16`; // (if) we support TTST/LVA/LVA2
90	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
91	int txsz;
92
93	if (!vcpu_el2_e2h_is_set(vcpu) \|\| !bit55)
94	txsz = FIELD_GET(TCR_T0SZ_MASK, tcr);
95	else
96	txsz = FIELD_GET(TCR_T1SZ_MASK, tcr);
97
98	return `64` - clamp(txsz, mintxsz, maxtxsz);
99	}
100
101	static u64 compute_pac_mask(struct kvm_vcpu *vcpu, bool bit55)
102	{
103	int bottom_pac;
104	u64 mask;
105
106	bottom_pac = compute_bottom_pac(vcpu, bit55);
107
108	mask = GENMASK(`54`, bottom_pac);
109	if (!effective_tbi(vcpu, bit55))
110	mask \|= GENMASK(`63`, `56`);
111
112	return mask;
113	}
114
115	static u64 to_canonical_addr(struct kvm_vcpu *vcpu, u64 ptr, u64 mask)
116	{
117	bool bit55 = !!(ptr & BIT(`55`));
118
119	if (bit55)
120	return ptr \| mask;
121
122	return ptr & ~mask;
123	}
124
125	static u64 corrupt_addr(struct kvm_vcpu *vcpu, u64 ptr)
126	{
127	bool bit55 = !!(ptr & BIT(`55`));
128	u64 mask, error_code;
129	int shift;
130
131	if (effective_tbi(vcpu, bit55)) {
132	mask = GENMASK(`54`, `53`);
133	shift = `53`;
134	} else {
135	mask = GENMASK(`62`, `61`);
136	shift = `61`;
137	}
138
139	if (esr_iss_is_eretab(kvm_vcpu_get_esr(vcpu)))
140	error_code = `2` << shift;
141	else
142	error_code = `1` << shift;
143
144	ptr &= ~mask;
145	ptr \|= error_code;
146
147	return ptr;
148	}
149
150	/*
151	* Authenticate an ERETAA/ERETAB instruction, returning true if the
152	* authentication succeeded and false otherwise. In all cases, *elr
153	* contains the VA to ERET to. Potential exception injection is left
154	* to the caller.
155	*/
156	bool kvm_auth_eretax(struct kvm_vcpu vcpu, u64 elr)
157	{
158	u64 sctlr = vcpu_read_sys_reg(vcpu, SCTLR_EL2);
159	u64 esr = kvm_vcpu_get_esr(vcpu);
160	u64 ptr, cptr, pac, mask;
161	struct ptrauth_key ikey;
162
163	*elr = ptr = vcpu_read_sys_reg(vcpu, ELR_EL2);
164
165	/ We assume we're already in the context of an ERETAx /
166	if (esr_iss_is_eretab(esr)) {
167	if (!(sctlr & SCTLR_EL1_EnIB))
168	return true;
169
170	ikey.lo = __vcpu_sys_reg(vcpu, APIBKEYLO_EL1);
171	ikey.hi = __vcpu_sys_reg(vcpu, APIBKEYHI_EL1);
172	} else {
173	if (!(sctlr & SCTLR_EL1_EnIA))
174	return true;
175
176	ikey.lo = __vcpu_sys_reg(vcpu, APIAKEYLO_EL1);
177	ikey.hi = __vcpu_sys_reg(vcpu, APIAKEYHI_EL1);
178	}
179
180	mask = compute_pac_mask(vcpu, bit55: !!(ptr & BIT(`55`)));
181	cptr = to_canonical_addr(vcpu, ptr, mask);
182
183	pac = compute_pac(vcpu, ptr: cptr, ikey: ikey);
184
185	/*
186	* Slightly deviate from the pseudocode: if we have a PAC
187	* match with the signed pointer, then it must be good.
188	* Anything after this point is pure error handling.
189	*/
190	if ((pac & mask) == (ptr & mask)) {
191	*elr = cptr;
192	return true;
193	}
194
195	/*
196	* Authentication failed, corrupt the canonical address if
197	* PAuth2 isn't implemented, or some XORing if it is.
198	*/
199	if (!kvm_has_pauth(vcpu->kvm, PAuth2))
200	cptr = corrupt_addr(vcpu, ptr: cptr);
201	else
202	cptr = ptr ^ (pac & mask);
203
204	*elr = cptr;
205	return false;
206	}
207

source code of linux/arch/arm64/kvm/pauth.c