1 #ifndef _ASM_X86_KAISER_H
2 #define _ASM_X86_KAISER_H
3
4 #include <uapi/asm/processor-flags.h> /* For PCID constants */
5
/*
 * This file includes the definitions for the KAISER feature.
 * KAISER is a countermeasure against x86_64 side-channel attacks on
 * the kernel virtual memory. Every process gets a shadow pgd: it maps
 * only a minimal set of kernel pages, but the whole of user memory.
 * On a kernel context switch, or when an interrupt is handled, the
 * normal pgd is switched in. When the system returns to user mode, the
 * shadow pgd is enabled. Because most of the kernel is not mapped while
 * user mode runs, the address-translation caches hold no entries for it,
 * and user code cannot attack the whole kernel memory.
 *
 * The minimal kernel mapping holds only the parts that must be mapped
 * while in user mode, such as the kernel entry/exit code for user space
 * and the stacks.
 */
19
20 #define KAISER_SHADOW_PGD_OFFSET 0x1000
21
22 #ifdef __ASSEMBLY__
23 #ifdef CONFIG_PAGE_TABLE_ISOLATION
24
/*
 * Switch CR3 to the kernel pgd: read CR3 into \reg, clear the PCID ASID
 * bits and the shadow-pgd offset bit, and write it back. \reg is used
 * as scratch and is clobbered; the caller must preserve it if needed.
 */
.macro _SWITCH_TO_KERNEL_CR3 reg
movq %cr3, \reg
andq $(~(X86_CR3_PCID_ASID_MASK | KAISER_SHADOW_PGD_OFFSET)), \reg
/* If PCID enabled, set X86_CR3_PCID_NOFLUSH_BIT (bit 63) so this CR3 write does not flush the TLB */
ALTERNATIVE "", "bts $63, \reg", X86_FEATURE_PCID
movq \reg, %cr3
.endm
32
/*
 * Switch CR3 to the shadow (user) pgd by ORing the per-cpu
 * x86_cr3_pcid_user value into the current CR3. That value is maintained
 * elsewhere; presumably it carries the shadow-pgd offset, the user PCID
 * and the NOFLUSH bit. \reg and \regb are clobbered.
 */
.macro _SWITCH_TO_USER_CR3 reg regb
/*
 * regb must be the low byte portion of reg: because we have arranged
 * for the low byte of the user PCID to serve as the high byte of NOFLUSH
 * (0x80 for each when PCID is enabled, or 0x00 when PCID and NOFLUSH are
 * not enabled): so that the one register can update both memory and cr3.
 */
movq %cr3, \reg
orq PER_CPU_VAR(x86_cr3_pcid_user), \reg
/* SF set <=> bit 63 (NOFLUSH) already set in \reg: nothing to update in memory */
js 9f
/* If PCID enabled, FLUSH this time, reset to NOFLUSH for next time */
/* +7 is the most significant byte of the 64-bit per-cpu value (little-endian) */
movb \regb, PER_CPU_VAR(x86_cr3_pcid_user+7)
9:
movq \reg, %cr3
.endm
48
/*
 * Switch to the kernel CR3, preserving %rax on the stack.
 * Without X86_FEATURE_KAISER the ALTERNATIVE becomes "jmp 8f", so the
 * whole sequence is skipped and the macro is a no-op.
 */
.macro SWITCH_KERNEL_CR3
ALTERNATIVE "jmp 8f", "pushq %rax", X86_FEATURE_KAISER
_SWITCH_TO_KERNEL_CR3 %rax
popq %rax
8:
.endm
55
/*
 * Switch to the user (shadow) CR3, preserving %rax on the stack.
 * %al is passed as the low-byte register required by _SWITCH_TO_USER_CR3.
 * Without X86_FEATURE_KAISER the ALTERNATIVE becomes "jmp 8f" and the
 * macro is a no-op.
 */
.macro SWITCH_USER_CR3
ALTERNATIVE "jmp 8f", "pushq %rax", X86_FEATURE_KAISER
_SWITCH_TO_USER_CR3 %rax %al
popq %rax
8:
.endm
62
/*
 * Same as SWITCH_KERNEL_CR3, but without touching the stack: %rax is
 * saved to and restored from the per-cpu unsafe_stack_register_backup
 * instead. Intended for entry paths where the stack presumably cannot
 * be used yet (see the C-side declaration of the backup variable).
 * Without X86_FEATURE_KAISER the ALTERNATIVE becomes "jmp 8f" and the
 * macro is a no-op.
 */
.macro SWITCH_KERNEL_CR3_NO_STACK
ALTERNATIVE "jmp 8f", \
__stringify(movq %rax, PER_CPU_VAR(unsafe_stack_register_backup)), \
X86_FEATURE_KAISER
_SWITCH_TO_KERNEL_CR3 %rax
movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
8:
.endm
71
72 #else /* CONFIG_PAGE_TABLE_ISOLATION */
73
/* No-op stubs so callers assemble unchanged when page-table isolation is compiled out */
.macro SWITCH_KERNEL_CR3
.endm
.macro SWITCH_USER_CR3
.endm
.macro SWITCH_KERNEL_CR3_NO_STACK
.endm
80
81 #endif /* CONFIG_PAGE_TABLE_ISOLATION */
82
83 #else /* __ASSEMBLY__ */
84
85 #ifdef CONFIG_PAGE_TABLE_ISOLATION
/*
 * On a kernel/user mode switch, the address space may have to be
 * switched before the registers have been saved. Switching the
 * address space needs a scratch register, so one register has to be
 * saved here and restored afterwards.
 */
92 DECLARE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
93
94 DECLARE_PER_CPU(unsigned long, x86_cr3_pcid_user);
95
96 extern char __per_cpu_user_mapped_start[], __per_cpu_user_mapped_end[];
97
98 extern int kaiser_enabled;
99 extern void __init kaiser_check_boottime_disable(void);
100 #else
101 #define kaiser_enabled 0
/* No-op stub: without CONFIG_PAGE_TABLE_ISOLATION there is no boot-time KAISER state to check */
static inline void __init kaiser_check_boottime_disable(void) {}
103 #endif /* CONFIG_PAGE_TABLE_ISOLATION */
104
/*
 * The KAISER function prototypes are needed even when CONFIG_PAGE_TABLE_ISOLATION
 * is not set, so that callers can build with runtime tests on kaiser_enabled
 * instead of #ifdefs.
 */
109
/**
 * kaiser_add_mapping - map a virtual memory range into the shadow (user) mapping
 * @addr: the start address of the range
 * @size: the size of the range
 * @flags: the mapping flags of the pages
 *
 * The mapping is global, so no further synchronization is required.
 * The pages have to be unmapped again explicitly (kaiser_remove_mapping)
 * when they are no longer needed.
 */
120 extern int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
121
/**
 * kaiser_remove_mapping - unmap a virtual memory range from the shadow mapping
 * @start: the start address of the range
 * @size: the size of the range
 */
127 extern void kaiser_remove_mapping(unsigned long start, unsigned long size);
128
/**
 * kaiser_init - initialize the shadow mapping
 *
 * Most of the shadow mapping can be set up at boot time. Only
 * per-process things like the thread stacks or a new LDT have to
 * be mapped at runtime. The boot-time mappings are permanent and
 * are never unmapped.
 */
137 extern void kaiser_init(void);
138
139 #endif /* __ASSEMBLY */
140
141 #endif /* _ASM_X86_KAISER_H */
142