arm64: handle guest-generated EL1 asynchronous abort

In current code, when the hypervisor receives an asynchronous abort
from a guest, the hypervisor will do panic, the host will be down.
We have to prevent such security issue, so, in this patch we crash
the guest, when the hypervisor receives an asynchronous abort from
the guest.

This is part of XSA-201.

Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Steve Capper <steve.capper@arm.com>
Reviewed-by: Julien Grall <Julien.Grall@arm.com>

diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S
index 9cda8f13421913566eb4afa8d340b34510657433..0ed0073267a169941c45d8852b5fe0f798e2939f 100644 (file)
--- a/xen/arch/arm/arm64/entry.S
+++ b/xen/arch/arm/arm64/entry.S
@@ -204,9 +204,12 @@ guest_fiq_invalid:
         entry   hyp=0, compat=0
         invalid BAD_FIQ
 
-guest_error_invalid:
+guest_error:
         entry   hyp=0, compat=0
-        invalid BAD_ERROR
+        msr     daifclr, #2
+        mov     x0, sp
+        bl      do_trap_guest_error
+        exit    hyp=0, compat=0
 
 guest_sync_compat:
         entry   hyp=0, compat=1
@@ -225,9 +228,12 @@ guest_fiq_invalid_compat:
         entry   hyp=0, compat=1
         invalid BAD_FIQ
 
-guest_error_invalid_compat:
+guest_error_compat:
         entry   hyp=0, compat=1
-        invalid BAD_ERROR
+        msr     daifclr, #2
+        mov     x0, sp
+        bl      do_trap_guest_error
+        exit    hyp=0, compat=1
 
 ENTRY(return_to_new_vcpu32)
         exit    hyp=0, compat=1
@@ -286,12 +292,12 @@ ENTRY(hyp_traps_vector)
         ventry  guest_sync                      // Synchronous 64-bit EL0/EL1
         ventry  guest_irq                       // IRQ 64-bit EL0/EL1
         ventry  guest_fiq_invalid               // FIQ 64-bit EL0/EL1
-        ventry  guest_error_invalid             // Error 64-bit EL0/EL1
+        ventry  guest_error                     // Error 64-bit EL0/EL1
 
         ventry  guest_sync_compat               // Synchronous 32-bit EL0/EL1
         ventry  guest_irq_compat                // IRQ 32-bit EL0/EL1
         ventry  guest_fiq_invalid_compat        // FIQ 32-bit EL0/EL1
-        ventry  guest_error_invalid_compat      // Error 32-bit EL0/EL1
+        ventry  guest_error_compat              // Error 32-bit EL0/EL1
 
 /*
  * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next)

diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 3ac8a707dc8bdf6512c95d823d625f7a0faddbb0..3bbd002370fae3f2c0020e41db4e33523959c5da 100644 (file)
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -2723,6 +2723,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
     }
 }
 
+asmlinkage void do_trap_guest_error(struct cpu_user_regs *regs)
+{
+    enter_hypervisor_head(regs);
+
+    /*
+     * Currently, to ensure hypervisor safety, when we received a
+     * guest-generated vSerror/vAbort, we just crash the guest to protect
+     * the hypervisor. In future we can better handle this by injecting
+     * a vSerror/vAbort to the guest.
+     */
+    gdprintk(XENLOG_WARNING, "Guest(Dom-%u) will be crashed by vSError\n",
+             current->domain->domain_id);
+    domain_crash_synchronous();
+}
+
 asmlinkage void do_trap_irq(struct cpu_user_regs *regs)
 {
     enter_hypervisor_head(regs);