[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 14/22] target/arm: Handle no-execute for Realm and Root regimes
From: |
Richard Henderson |
Subject: |
[PATCH 14/22] target/arm: Handle no-execute for Realm and Root regimes |
Date: |
Mon, 23 Jan 2023 14:00:19 -1000 |
While Root and Realm may read and write data from other spaces,
neither may execute from other pa spaces.
This happens for Stage1 EL3, EL2, EL2&0, but stage2 EL1&0.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
target/arm/ptw.c | 66 ++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 58 insertions(+), 8 deletions(-)
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 849f5e89ca..6b6f8195eb 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -909,7 +909,7 @@ do_fault:
* @xn: XN (execute-never) bits
* @s1_is_el0: true if this is S2 of an S1+2 walk for EL0
*/
-static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
+static int get_S2prot_noexecute(int s2ap)
{
int prot = 0;
@@ -919,6 +919,12 @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn,
bool s1_is_el0)
if (s2ap & 2) {
prot |= PAGE_WRITE;
}
+ return prot;
+}
+
+static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
+{
+ int prot = get_S2prot_noexecute(s2ap);
if (cpu_isar_feature(any_tts2uxn, env_archcpu(env))) {
switch (xn) {
@@ -956,12 +962,14 @@ static int get_S2prot(CPUARMState *env, int s2ap, int xn,
bool s1_is_el0)
* @mmu_idx: MMU index indicating required translation regime
* @is_aa64: TRUE if AArch64
* @ap: The 2-bit simple AP (AP[2:1])
- * @ns: NS (non-secure) bit
* @xn: XN (execute-never) bit
* @pxn: PXN (privileged execute-never) bit
+ * @in_pa: The original input pa space
+ * @out_pa: The output pa space, modified by NSTable, NS, and NSE
*/
static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
- int ap, int ns, int xn, int pxn)
+ int ap, int xn, int pxn,
+ ARMSecuritySpace in_pa, ARMSecuritySpace out_pa)
{
bool is_user = regime_is_user(env, mmu_idx);
int prot_rw, user_rw;
@@ -982,8 +990,39 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx,
bool is_aa64,
}
}
- if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
- return prot_rw;
+ if (in_pa != out_pa) {
+ switch (in_pa) {
+ case ARMSS_Root:
+ /*
+ * R_ZWRVD: permission fault for insn fetched from non-Root,
+ * I_WWBFB: SIF has no effect in EL3.
+ */
+ return prot_rw;
+ case ARMSS_Realm:
+ /*
+ * R_PKTDS: permission fault for insn fetched from non-Realm,
+ * for Realm EL2 or EL2&0. The corresponding fault for EL1&0
+ * happens during any stage2 translation.
+ */
+ switch (mmu_idx) {
+ case ARMMMUIdx_E2:
+ case ARMMMUIdx_E20_0:
+ case ARMMMUIdx_E20_2:
+ case ARMMMUIdx_E20_2_PAN:
+ return prot_rw;
+ default:
+ break;
+ }
+ break;
+ case ARMSS_Secure:
+ if (env->cp15.scr_el3 & SCR_SIF) {
+ return prot_rw;
+ }
+ break;
+ default:
+ /* Input NonSecure must have output NonSecure. */
+ g_assert_not_reached();
+ }
}
/* TODO have_wxn should be replaced with
@@ -1556,12 +1595,16 @@ static bool get_phys_addr_lpae(CPUARMState *env,
S1Translate *ptw,
/*
* R_GYNXY: For stage2 in Realm security state, bit 55 is NS.
* The bit remains ignored for other security states.
+ * R_YMCSL: Executing an insn fetched from non-Realm causes
+ * a stage2 permission fault.
*/
if (out_space == ARMSS_Realm && extract64(attrs, 55, 1)) {
out_space = ARMSS_NonSecure;
+ result->f.prot = get_S2prot_noexecute(ap);
+ } else {
+ xn = extract64(attrs, 53, 2);
+ result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
}
- xn = extract64(attrs, 53, 2);
- result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
} else {
int ns = extract32(attrs, 5, 1);
switch (out_space) {
@@ -1613,7 +1656,14 @@ static bool get_phys_addr_lpae(CPUARMState *env,
S1Translate *ptw,
}
xn = extract64(attrs, 54, 1);
pxn = extract64(attrs, 53, 1);
- result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
+
+ /*
+ * Note that we modified ptw->in_space earlier for NSTable,
+ * and result->f.attrs was initialized by get_phys_addr, so
+ * that retains a copy of the original security space.
+ */
+ result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, xn, pxn,
+ result->f.attrs.space, out_space);
}
if (!(result->f.prot & (1 << access_type))) {
--
2.34.1
- [PATCH 04/22] target/arm: Update SCR and HCR for RME, (continued)
- [PATCH 04/22] target/arm: Update SCR and HCR for RME, Richard Henderson, 2023/01/23
- [PATCH 05/22] target/arm: SCR_EL3.NS may be RES1, Richard Henderson, 2023/01/23
- [PATCH 06/22] target/arm: Add RME cpregs, Richard Henderson, 2023/01/23
- [PATCH 07/22] target/arm: Introduce ARMSecuritySpace, Richard Henderson, 2023/01/23
- [PATCH 08/22] include/exec/memattrs: Add two bits of space to MemTxAttrs, Richard Henderson, 2023/01/23
- [PATCH 09/22] target/arm: Adjust the order of Phys and Stage2 ARMMMUIdx, Richard Henderson, 2023/01/23
- [PATCH 10/22] target/arm: Introduce ARMMMUIdx_Phys_{Realm,Root}, Richard Henderson, 2023/01/23
- [PATCH 11/22] target/arm: Pipe ARMSecuritySpace through ptw.c, Richard Henderson, 2023/01/23
- [PATCH 12/22] target/arm: NSTable is RES0 for the RME EL3 regime, Richard Henderson, 2023/01/23
- [PATCH 13/22] target/arm: Handle Block and Page bits for security space, Richard Henderson, 2023/01/23
- [PATCH 14/22] target/arm: Handle no-execute for Realm and Root regimes,
Richard Henderson <=
- [PATCH 15/22] target/arm: Use get_phys_addr_with_struct in S1_ptw_translate, Richard Henderson, 2023/01/23
- [PATCH 16/22] target/arm: Move s1_is_El0 into S1Translate, Richard Henderson, 2023/01/23
- [PATCH 17/22] target/arm: Use get_phys_addr_with_struct for stage2, Richard Henderson, 2023/01/23
- [PATCH 18/22] target/arm: Add GPC syndrome, Richard Henderson, 2023/01/23
- [PATCH 20/22] target/arm: Implement the granule protection check, Richard Henderson, 2023/01/23
- [PATCH 19/22] target/arm: Implement GPC exceptions, Richard Henderson, 2023/01/23
- [RFC PATCH 22/22] hw/arm/virt: Add some memory for Realm Management Monitor, Richard Henderson, 2023/01/23
- [PATCH 21/22] target/arm: Enable RME for -cpu max, Richard Henderson, 2023/01/23