Contributors: 2
Author Tokens Token Proportion Commits Commit Proportion
Marc Zyngier 781 99.62% 2 66.67%
Christoffer Dall 3 0.38% 1 33.33%
Total 784 3 


// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2024 - Google LLC
 * Author: Marc Zyngier <maz@kernel.org>
 *
 * Primitive PAuth emulation for ERETAA/ERETAB.
 *
 * This code assumes that is is run from EL2, and that it is part of
 * the emulation of ERETAx for a guest hypervisor. That's a lot of
 * baked-in assumptions and shortcuts.
 *
 * Do no reuse for anything else!
 */

#include <linux/kvm_host.h>

#include <asm/gpr-num.h>
#include <asm/kvm_emulate.h>
#include <asm/pointer_auth.h>

/* PACGA Xd, Xn, Xm */
#define PACGA(d,n,m)					\
	asm volatile(__DEFINE_ASM_GPR_NUMS		\
		     ".inst 0x9AC03000          |"	\
		     "(.L__gpr_num_%[Rd] << 0)  |"	\
		     "(.L__gpr_num_%[Rn] << 5)  |"	\
		     "(.L__gpr_num_%[Rm] << 16)\n"	\
		     : [Rd] "=r" ((d))			\
		     : [Rn] "r" ((n)), [Rm] "r" ((m)))

static u64 compute_pac(struct kvm_vcpu *vcpu, u64 ptr,
		       struct ptrauth_key ikey)
{
	struct ptrauth_key gkey;
	u64 mod, pac = 0;

	preempt_disable();

	if (!vcpu_get_flag(vcpu, SYSREGS_ON_CPU))
		mod = __vcpu_sys_reg(vcpu, SP_EL2);
	else
		mod = read_sysreg(sp_el1);

	gkey.lo = read_sysreg_s(SYS_APGAKEYLO_EL1);
	gkey.hi = read_sysreg_s(SYS_APGAKEYHI_EL1);

	__ptrauth_key_install_nosync(APGA, ikey);
	isb();

	PACGA(pac, ptr, mod);
	isb();

	__ptrauth_key_install_nosync(APGA, gkey);

	preempt_enable();

	/* PAC in the top 32bits */
	return pac;
}

static bool effective_tbi(struct kvm_vcpu *vcpu, bool bit55)
{
	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
	bool tbi, tbid;

	/*
	 * Since we are authenticating an instruction address, we have
	 * to take TBID into account. If E2H==0, ignore VA[55], as
	 * TCR_EL2 only has a single TBI/TBID. If VA[55] was set in
	 * this case, this is likely a guest bug...
	 */
	if (!vcpu_el2_e2h_is_set(vcpu)) {
		tbi = tcr & BIT(20);
		tbid = tcr & BIT(29);
	} else if (bit55) {
		tbi = tcr & TCR_TBI1;
		tbid = tcr & TCR_TBID1;
	} else {
		tbi = tcr & TCR_TBI0;
		tbid = tcr & TCR_TBID0;
	}

	return tbi && !tbid;
}

static int compute_bottom_pac(struct kvm_vcpu *vcpu, bool bit55)
{
	static const int maxtxsz = 39; // Revisit these two values once
	static const int mintxsz = 16; // (if) we support TTST/LVA/LVA2
	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
	int txsz;

	if (!vcpu_el2_e2h_is_set(vcpu) || !bit55)
		txsz = FIELD_GET(TCR_T0SZ_MASK, tcr);
	else
		txsz = FIELD_GET(TCR_T1SZ_MASK, tcr);

	return 64 - clamp(txsz, mintxsz, maxtxsz);
}

static u64 compute_pac_mask(struct kvm_vcpu *vcpu, bool bit55)
{
	int bottom_pac;
	u64 mask;

	bottom_pac = compute_bottom_pac(vcpu, bit55);

	mask = GENMASK(54, bottom_pac);
	if (!effective_tbi(vcpu, bit55))
		mask |= GENMASK(63, 56);

	return mask;
}

static u64 to_canonical_addr(struct kvm_vcpu *vcpu, u64 ptr, u64 mask)
{
	bool bit55 = !!(ptr & BIT(55));

	if (bit55)
		return ptr | mask;

	return ptr & ~mask;
}

static u64 corrupt_addr(struct kvm_vcpu *vcpu, u64 ptr)
{
	bool bit55 = !!(ptr & BIT(55));
	u64 mask, error_code;
	int shift;

	if (effective_tbi(vcpu, bit55)) {
		mask = GENMASK(54, 53);
		shift = 53;
	} else {
		mask = GENMASK(62, 61);
		shift = 61;
	}

	if (esr_iss_is_eretab(kvm_vcpu_get_esr(vcpu)))
		error_code = 2 << shift;
	else
		error_code = 1 << shift;

	ptr &= ~mask;
	ptr |= error_code;

	return ptr;
}

/*
 * Authenticate an ERETAA/ERETAB instruction, returning true if the
 * authentication succeeded and false otherwise. In all cases, *elr
 * contains the VA to ERET to. Potential exception injection is left
 * to the caller.
 */
bool kvm_auth_eretax(struct kvm_vcpu *vcpu, u64 *elr)
{
	u64 sctlr = vcpu_read_sys_reg(vcpu, SCTLR_EL2);
	u64 esr = kvm_vcpu_get_esr(vcpu);
	u64 ptr, cptr, pac, mask;
	struct ptrauth_key ikey;

	*elr = ptr = vcpu_read_sys_reg(vcpu, ELR_EL2);

	/* We assume we're already in the context of an ERETAx */
	if (esr_iss_is_eretab(esr)) {
		if (!(sctlr & SCTLR_EL1_EnIB))
			return true;

		ikey.lo = __vcpu_sys_reg(vcpu, APIBKEYLO_EL1);
		ikey.hi = __vcpu_sys_reg(vcpu, APIBKEYHI_EL1);
	} else {
		if (!(sctlr & SCTLR_EL1_EnIA))
			return true;

		ikey.lo = __vcpu_sys_reg(vcpu, APIAKEYLO_EL1);
		ikey.hi = __vcpu_sys_reg(vcpu, APIAKEYHI_EL1);
	}

	mask = compute_pac_mask(vcpu, !!(ptr & BIT(55)));
	cptr = to_canonical_addr(vcpu, ptr, mask);

	pac = compute_pac(vcpu, cptr, ikey);

	/*
	 * Slightly deviate from the pseudocode: if we have a PAC
	 * match with the signed pointer, then it must be good.
	 * Anything after this point is pure error handling.
	 */
	if ((pac & mask) == (ptr & mask)) {
		*elr = cptr;
		return true;
	}

	/*
	 * Authentication failed, corrupt the canonical address if
	 * PAuth2 isn't implemented, or some XORing if it is.
	 */
	if (!kvm_has_pauth(vcpu->kvm, PAuth2))
		cptr = corrupt_addr(vcpu, cptr);
	else
		cptr = ptr ^ (pac & mask);

	*elr = cptr;
	return false;
}