diff mbox series

[v1,1/2] powerpc64/dexcr: Compile kernel with privileged hash instructions

Message ID 20240325050629.832497-1-bgray@linux.ibm.com (mailing list archive)
State New
Headers show
Series [v1,1/2] powerpc64/dexcr: Compile kernel with privileged hash instructions | expand

Commit Message

Benjamin Gray March 25, 2024, 5:06 a.m. UTC 
There are dedicated hashstp and hashchkp instructions that
can be inserted into a guest kernel to give it hypervisor
managed ROP protection (the hypervisor sets the secret hash
key and handles hashstp exceptions).

In testing, the kernel appears to handle the compiler generated
hash protection just fine, without any changes. This makes sense,
as any 'weird' stack interactions will normally be done in hand
written assembly. We can expect that a compiler generated function
prologue will be matched with a compiler generated function epilogue
with the stack as expected by the compiler (in some sense, the hash
value stored on the stack is just like any other local variable).

GCC requires ELF ABI v2, and Clang only works with ELF ABI v2
anyway, so add it as a dependency.

GCC will only insert these instructions if the target CPU is
specified to be Power10 (possibly a bug; the documentation says
they are inserted for Power8 or higher).

Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
---
 arch/powerpc/Makefile                  |  3 +++
 arch/powerpc/platforms/Kconfig.cputype | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff mbox series

Patch

diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
index 65261cbe5bfd..bfaa3c754ae2 100644
--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -168,6 +168,9 @@  endif
 CFLAGS-$(CONFIG_TARGET_CPU_BOOL) += -mcpu=$(CONFIG_TARGET_CPU)
 AFLAGS-$(CONFIG_TARGET_CPU_BOOL) += -mcpu=$(CONFIG_TARGET_CPU)
 
+CFLAGS-$(CONFIG_PPC_KERNEL_ROP_PROTECT) += $(call cc-option,-mrop-protect)
+CFLAGS-$(CONFIG_PPC_KERNEL_ROP_PROTECT) += $(call cc-option,-mprivileged)
+
 CFLAGS-y += $(CONFIG_TUNE_CPU)
 
 asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1)
diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype
index b2d8c0da2ad9..a95b11782379 100644
--- a/arch/powerpc/platforms/Kconfig.cputype
+++ b/arch/powerpc/platforms/Kconfig.cputype
@@ -517,6 +517,18 @@  config PPC_KUAP_DEBUG
 	  Add extra debugging for Kernel Userspace Access Protection (KUAP)
 	  If you're unsure, say N.
 
+config PPC_KERNEL_ROP_PROTECT
+	bool "Kernel ROP Protection"
+	default y
+	depends on PPC64_ELF_ABI_V2
+	depends on !CC_IS_GCC || TARGET_CPU = "power10"
+	help
+	  This tells the compiler to insert hashstp/hashckp instructions
+	  in the prologue and epilogue of every kernel function. The kernel
+	  also turns on the DEXCR[PHIE] aspect to cause an exception if the
+	  hashchkp does not agree with the hash calculated by the matching
+	  hashstp.
+
 config PPC_PKEY
 	def_bool y
 	depends on PPC_BOOK3S_64