Date: Wed, 22 Sep 2021 17:57:26 +0100
From: "Leif Lindholm"
To: Ard Biesheuvel
Cc: devel@edk2.groups.io, agraf@csgraf.de, peter.maydell@linaro.org
Subject: Re: [PATCH] ArmPkg/ArmMmuLib AARCH64: avoid EL0 accessible mappings
Message-ID: <20210922165726.vebex7yitea364pp@leviathan>
In-Reply-To: <20210922161954.627616-1-ardb@kernel.org>

On Wed, Sep 22, 2021 at 18:19:54 +0200, Ard Biesheuvel wrote:
> We never run any code at EL0, and so it would seem that any access
> permissions set for EL0 (via the AP[1] attribute in the page tables) are
> irrelevant. We currently set EL0 and EL1 permissions to the same value
> arbitrarily.
>
> However, this causes problems on hardware like the Apple M1 running the
> hypervisor framework, which enters EL1 with SCTLR_EL1.SPAN enabled,
> which causes the Privileged Access Never (PAN) feature to be enabled on
> any exception taken to EL1, including the IRQ exceptions that handle our
> timer interrupt. When PAN is enabled, EL1 has no access to any mappings
> that are also accessible to EL0, causing the firmware to crash if it
> attempts to access such a mapping.
>
> Even though it is debatable whether or not SCTLR_EL1.SPAN should be
> disabled at entry or whether the firmware should put all UNKNOWN bits in
> all system registers in a consistent state (which it should), using EL0
> permissions serves no purpose whatsoever so let's fix that regardless.
> > Signed-off-by: Ard Biesheuvel Acked-by: Leif Lindholm Do we want to mirror this for (ARMv8) AArch32? / Leif > --- > ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c | 2 +- > ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 6 +++--- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c b/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c > index 838803aa9b44..56ce84f37e8a 100644 > --- a/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c > +++ b/ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c > @@ -283,7 +283,7 @@ EfiAttributeToArmAttribute ( > > // Determine protection attributes > if ((EfiAttributes & EFI_MEMORY_RO) != 0) { > - ArmAttributes |= TT_AP_RO_RO; > + ArmAttributes |= TT_AP_NO_RO; > } > > // Process eXecute Never attribute > diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c > index 8c736d25bb80..512801c88638 100644 > --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c > +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c > @@ -356,7 +356,7 @@ GcdAttributeToPageAttribute ( > } > > if ((GcdAttributes & EFI_MEMORY_RO) != 0) { > - PageAttributes |= TT_AP_RO_RO; > + PageAttributes |= TT_AP_NO_RO; > } > > return PageAttributes | TT_AF; > @@ -449,7 +449,7 @@ ArmSetMemoryRegionReadOnly ( > return SetMemoryRegionAttribute ( > BaseAddress, > Length, > - TT_AP_RO_RO, > + TT_AP_NO_RO, > ~TT_ADDRESS_MASK_BLOCK_ENTRY); > } > > @@ -462,7 +462,7 @@ ArmClearMemoryRegionReadOnly ( > return SetMemoryRegionAttribute ( > BaseAddress, > Length, > - TT_AP_RW_RW, > + TT_AP_NO_RW, > ~(TT_ADDRESS_MASK_BLOCK_ENTRY | TT_AP_MASK)); > } > > -- > 2.30.2 >
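Review bot: the `// Determine protection attributes` comment in EfiAttributeToArmAttribute (ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c, hunk at line 283) does not say why the EL0 half of the AP field is deliberately left clear. The reason lives only in the commit message, so a later cleanup could switch TT_AP_NO_RO back to TT_AP_RO_RO without anyone noticing. Suggest extending the comment to state that read-only mappings are EL1-only because an EL0-accessible mapping becomes inaccessible to EL1 whenever PAN is set.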
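Review bot: in GcdAttributeToPageAttribute (ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c, hunk at line 356) only the EFI_MEMORY_RO branch sets the AP field, so the writable case depends on PageAttributes reaching `return PageAttributes | TT_AF;` with AP[1] already clear, and the visible context does not show that. Please confirm that nothing earlier in the function ORs in TT_AP_RW_RW or another EL0-accessible value; if something does, writable mappings would still be unreachable from EL1 under PAN and the crash described in the commit message would remain for them.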
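Review bot: ArmSetMemoryRegionReadOnly (ArmMmuLibCore.c, hunk at line 449) passes `~TT_ADDRESS_MASK_BLOCK_ENTRY` as the last argument, while ArmClearMemoryRegionReadOnly in the following hunk passes `~(TT_ADDRESS_MASK_BLOCK_ENTRY | TT_AP_MASK)`. If that argument selects the bits of the existing entry that are preserved, the set-read-only path keeps whatever AP bits the entry already carried and only ORs in TT_AP_NO_RO, so an entry that was EL0-accessible beforehand stays EL0-accessible. Consider adding TT_AP_MASK to the mask here as well, or add a comment explaining why an existing entry can never have AP[1] set when this function is called.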