arch/arm64/kvm/pauth.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (C) 2024 - Google LLC
  * Author: Marc Zyngier <maz@kernel.org>
  *
  * Primitive PAuth emulation for ERETAA/ERETAB.
  *
  * This code assumes that is is run from EL2, and that it is part of
  * the emulation of ERETAx for a guest hypervisor. That's a lot of
  * baked-in assumptions and shortcuts.
  *
  * Do no reuse for anything else!
  */

 #include <linux/kvm_host.h>

 #include <asm/gpr-num.h>
 #include <asm/kvm_emulate.h>
 #include <asm/pointer_auth.h>

 /* PACGA Xd, Xn, Xm */
 #define PACGA(d,n,m)					\
 	asm volatile(__DEFINE_ASM_GPR_NUMS		\
 		     ".inst 0x9AC03000          |"	\
 		     "(.L__gpr_num_%[Rd] << 0)  |"	\
 		     "(.L__gpr_num_%[Rn] << 5)  |"	\
 		     "(.L__gpr_num_%[Rm] << 16)\n"	\
 		     : [Rd] "=r" ((d))			\
 		     : [Rn] "r" ((n)), [Rm] "r" ((m)))

 static u64 compute_pac(struct kvm_vcpu *vcpu, u64 ptr,
 		       struct ptrauth_key ikey)
 {
 	struct ptrauth_key gkey;
 	u64 mod, pac = 0;

 	preempt_disable();

 	if (!vcpu_get_flag(vcpu, SYSREGS_ON_CPU))
 		mod = __vcpu_sys_reg(vcpu, SP_EL2);
 	else
 		mod = read_sysreg(sp_el1);

 	gkey.lo = read_sysreg_s(SYS_APGAKEYLO_EL1);
 	gkey.hi = read_sysreg_s(SYS_APGAKEYHI_EL1);

 	__ptrauth_key_install_nosync(APGA, ikey);
 	isb();

 	PACGA(pac, ptr, mod);
 	isb();

 	__ptrauth_key_install_nosync(APGA, gkey);

 	preempt_enable();

 	/* PAC in the top 32bits */
 	return pac;
 }

 static bool effective_tbi(struct kvm_vcpu *vcpu, bool bit55)
 {
 	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
 	bool tbi, tbid;

 	/*
 	 * Since we are authenticating an instruction address, we have
 	 * to take TBID into account. If E2H==0, ignore VA[55], as
 	 * TCR_EL2 only has a single TBI/TBID. If VA[55] was set in
 	 * this case, this is likely a guest bug...
 	 */
 	if (!vcpu_el2_e2h_is_set(vcpu)) {
 		tbi = tcr & BIT(20);
 		tbid = tcr & BIT(29);
 	} else if (bit55) {
 		tbi = tcr & TCR_TBI1;
 		tbid = tcr & TCR_TBID1;
 	} else {
 		tbi = tcr & TCR_TBI0;
 		tbid = tcr & TCR_TBID0;
 	}

 	return tbi && !tbid;
 }

 static int compute_bottom_pac(struct kvm_vcpu *vcpu, bool bit55)
 {
 	static const int maxtxsz = 39; // Revisit these two values once
 	static const int mintxsz = 16; // (if) we support TTST/LVA/LVA2
 	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
 	int txsz;

 	if (!vcpu_el2_e2h_is_set(vcpu) || !bit55)
 		txsz = FIELD_GET(TCR_T0SZ_MASK, tcr);
 	else
 		txsz = FIELD_GET(TCR_T1SZ_MASK, tcr);

 	return 64 - clamp(txsz, mintxsz, maxtxsz);
 }

 static u64 compute_pac_mask(struct kvm_vcpu *vcpu, bool bit55)
 {
 	int bottom_pac;
 	u64 mask;

 	bottom_pac = compute_bottom_pac(vcpu, bit55);

 	mask = GENMASK(54, bottom_pac);
 	if (!effective_tbi(vcpu, bit55))
 		mask |= GENMASK(63, 56);

 	return mask;
 }

 static u64 to_canonical_addr(struct kvm_vcpu *vcpu, u64 ptr, u64 mask)
 {
 	bool bit55 = !!(ptr & BIT(55));

 	if (bit55)
 		return ptr | mask;

 	return ptr & ~mask;
 }

 static u64 corrupt_addr(struct kvm_vcpu *vcpu, u64 ptr)
 {
 	bool bit55 = !!(ptr & BIT(55));
 	u64 mask, error_code;
 	int shift;

 	if (effective_tbi(vcpu, bit55)) {
 		mask = GENMASK(54, 53);
 		shift = 53;
 	} else {
 		mask = GENMASK(62, 61);
 		shift = 61;
 	}

 	if (esr_iss_is_eretab(kvm_vcpu_get_esr(vcpu)))
 		error_code = 2 << shift;
 	else
 		error_code = 1 << shift;

 	ptr &= ~mask;
 	ptr |= error_code;

 	return ptr;
 }

 /*
  * Authenticate an ERETAA/ERETAB instruction, returning true if the
  * authentication succeeded and false otherwise. In all cases, *elr
  * contains the VA to ERET to. Potential exception injection is left
  * to the caller.
  */
 bool kvm_auth_eretax(struct kvm_vcpu *vcpu, u64 *elr)
 {
 	u64 sctlr = vcpu_read_sys_reg(vcpu, SCTLR_EL2);
 	u64 esr = kvm_vcpu_get_esr(vcpu);
 	u64 ptr, cptr, pac, mask;
 	struct ptrauth_key ikey;

 	*elr = ptr = vcpu_read_sys_reg(vcpu, ELR_EL2);

 	/* We assume we're already in the context of an ERETAx */
 	if (esr_iss_is_eretab(esr)) {
 		if (!(sctlr & SCTLR_EL1_EnIB))
 			return true;

 		ikey.lo = __vcpu_sys_reg(vcpu, APIBKEYLO_EL1);
 		ikey.hi = __vcpu_sys_reg(vcpu, APIBKEYHI_EL1);
 	} else {
 		if (!(sctlr & SCTLR_EL1_EnIA))
 			return true;

 		ikey.lo = __vcpu_sys_reg(vcpu, APIAKEYLO_EL1);
 		ikey.hi = __vcpu_sys_reg(vcpu, APIAKEYHI_EL1);
 	}

 	mask = compute_pac_mask(vcpu, !!(ptr & BIT(55)));
 	cptr = to_canonical_addr(vcpu, ptr, mask);

 	pac = compute_pac(vcpu, cptr, ikey);

 	/*
 	 * Slightly deviate from the pseudocode: if we have a PAC
 	 * match with the signed pointer, then it must be good.
 	 * Anything after this point is pure error handling.
 	 */
 	if ((pac & mask) == (ptr & mask)) {
 		*elr = cptr;
 		return true;
 	}

 	/*
 	 * Authentication failed, corrupt the canonical address if
 	 * PAuth2 isn't implemented, or some XORing if it is.
 	 */
 	if (!kvm_has_pauth(vcpu->kvm, PAuth2))
 		cptr = corrupt_addr(vcpu, cptr);
 	else
 		cptr = ptr ^ (pac & mask);

 	*elr = cptr;
 	return false;
 }
	// SPDX-License-Identifier: GPL-2.0-only
	/*
	* Copyright (C) 2024 - Google LLC
	* Author: Marc Zyngier <maz@kernel.org>
	*
	* Primitive PAuth emulation for ERETAA/ERETAB.
	*
	* This code assumes that is is run from EL2, and that it is part of
	* the emulation of ERETAx for a guest hypervisor. That's a lot of
	* baked-in assumptions and shortcuts.
	*
	* Do no reuse for anything else!
	*/

	#include <linux/kvm_host.h>

	#include <asm/gpr-num.h>
	#include <asm/kvm_emulate.h>
	#include <asm/pointer_auth.h>

	/* PACGA Xd, Xn, Xm */
	#define PACGA(d,n,m) \
	asm volatile(__DEFINE_ASM_GPR_NUMS \
	".inst 0x9AC03000 \|" \
	"(.L__gpr_num_%[Rd] << 0) \|" \
	"(.L__gpr_num_%[Rn] << 5) \|" \
	"(.L__gpr_num_%[Rm] << 16)\n" \
	: [Rd] "=r" ((d)) \
	: [Rn] "r" ((n)), [Rm] "r" ((m)))

	static u64 compute_pac(struct kvm_vcpu *vcpu, u64 ptr,
	struct ptrauth_key ikey)
	{
	struct ptrauth_key gkey;
	u64 mod, pac = 0;

	preempt_disable();

	if (!vcpu_get_flag(vcpu, SYSREGS_ON_CPU))
	mod = __vcpu_sys_reg(vcpu, SP_EL2);
	else
	mod = read_sysreg(sp_el1);

	gkey.lo = read_sysreg_s(SYS_APGAKEYLO_EL1);
	gkey.hi = read_sysreg_s(SYS_APGAKEYHI_EL1);

	__ptrauth_key_install_nosync(APGA, ikey);
	isb();

	PACGA(pac, ptr, mod);
	isb();

	__ptrauth_key_install_nosync(APGA, gkey);

	preempt_enable();

	/* PAC in the top 32bits */
	return pac;
	}

	static bool effective_tbi(struct kvm_vcpu *vcpu, bool bit55)
	{
	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
	bool tbi, tbid;

	/*
	* Since we are authenticating an instruction address, we have
	* to take TBID into account. If E2H==0, ignore VA[55], as
	* TCR_EL2 only has a single TBI/TBID. If VA[55] was set in
	* this case, this is likely a guest bug...
	*/
	if (!vcpu_el2_e2h_is_set(vcpu)) {
	tbi = tcr & BIT(20);
	tbid = tcr & BIT(29);
	} else if (bit55) {
	tbi = tcr & TCR_TBI1;
	tbid = tcr & TCR_TBID1;
	} else {
	tbi = tcr & TCR_TBI0;
	tbid = tcr & TCR_TBID0;
	}

	return tbi && !tbid;
	}

	static int compute_bottom_pac(struct kvm_vcpu *vcpu, bool bit55)
	{
	static const int maxtxsz = 39; // Revisit these two values once
	static const int mintxsz = 16; // (if) we support TTST/LVA/LVA2
	u64 tcr = vcpu_read_sys_reg(vcpu, TCR_EL2);
	int txsz;

	if (!vcpu_el2_e2h_is_set(vcpu) \|\| !bit55)
	txsz = FIELD_GET(TCR_T0SZ_MASK, tcr);
	else
	txsz = FIELD_GET(TCR_T1SZ_MASK, tcr);

	return 64 - clamp(txsz, mintxsz, maxtxsz);
	}

	static u64 compute_pac_mask(struct kvm_vcpu *vcpu, bool bit55)
	{
	int bottom_pac;
	u64 mask;

	bottom_pac = compute_bottom_pac(vcpu, bit55);

	mask = GENMASK(54, bottom_pac);
	if (!effective_tbi(vcpu, bit55))
	mask \|= GENMASK(63, 56);

	return mask;
	}

	static u64 to_canonical_addr(struct kvm_vcpu *vcpu, u64 ptr, u64 mask)
	{
	bool bit55 = !!(ptr & BIT(55));

	if (bit55)
	return ptr \| mask;

	return ptr & ~mask;
	}

	static u64 corrupt_addr(struct kvm_vcpu *vcpu, u64 ptr)
	{
	bool bit55 = !!(ptr & BIT(55));
	u64 mask, error_code;
	int shift;

	if (effective_tbi(vcpu, bit55)) {
	mask = GENMASK(54, 53);
	shift = 53;
	} else {
	mask = GENMASK(62, 61);
	shift = 61;
	}

	if (esr_iss_is_eretab(kvm_vcpu_get_esr(vcpu)))
	error_code = 2 << shift;
	else
	error_code = 1 << shift;

	ptr &= ~mask;
	ptr \|= error_code;

	return ptr;
	}

	/*
	* Authenticate an ERETAA/ERETAB instruction, returning true if the
	* authentication succeeded and false otherwise. In all cases, *elr
	* contains the VA to ERET to. Potential exception injection is left
	* to the caller.
	*/
	bool kvm_auth_eretax(struct kvm_vcpu vcpu, u64 elr)
	{
	u64 sctlr = vcpu_read_sys_reg(vcpu, SCTLR_EL2);
	u64 esr = kvm_vcpu_get_esr(vcpu);
	u64 ptr, cptr, pac, mask;
	struct ptrauth_key ikey;

	*elr = ptr = vcpu_read_sys_reg(vcpu, ELR_EL2);

	/* We assume we're already in the context of an ERETAx */
	if (esr_iss_is_eretab(esr)) {
	if (!(sctlr & SCTLR_EL1_EnIB))
	return true;

	ikey.lo = __vcpu_sys_reg(vcpu, APIBKEYLO_EL1);
	ikey.hi = __vcpu_sys_reg(vcpu, APIBKEYHI_EL1);
	} else {
	if (!(sctlr & SCTLR_EL1_EnIA))
	return true;

	ikey.lo = __vcpu_sys_reg(vcpu, APIAKEYLO_EL1);
	ikey.hi = __vcpu_sys_reg(vcpu, APIAKEYHI_EL1);
	}

	mask = compute_pac_mask(vcpu, !!(ptr & BIT(55)));
	cptr = to_canonical_addr(vcpu, ptr, mask);

	pac = compute_pac(vcpu, cptr, ikey);

	/*
	* Slightly deviate from the pseudocode: if we have a PAC
	* match with the signed pointer, then it must be good.
	* Anything after this point is pure error handling.
	*/
	if ((pac & mask) == (ptr & mask)) {
	*elr = cptr;
	return true;
	}

	/*
	* Authentication failed, corrupt the canonical address if
	* PAuth2 isn't implemented, or some XORing if it is.
	*/
	if (!kvm_has_pauth(vcpu->kvm, PAuth2))
	cptr = corrupt_addr(vcpu, cptr);
	else
	cptr = ptr ^ (pac & mask);

	*elr = cptr;
	return false;
	}