mirror of
https://github.com/torvalds/linux
synced 2024-07-21 02:23:16 +00:00
c98d2ecae0
The uncoupling physical vs virtual address spaces brings
the following benefits to s390:
- virtual memory layout flexibility;
- closes the address gap between kernel and modules, it
caused s390-only problems in the past (e.g. 'perf' bugs);
- allows getting rid of trampolines used for module calls
into kernel;
- allows simplifying BPF trampoline;
- minor performance improvement in branch prediction;
- kernel randomization entropy is magnitude bigger, as it is
derived from the amount of available virtual, not physical
memory;
The whole change could be described in two pictures below:
before and after the change.
Some aspects of the virtual memory layout setup are not
clarified (number of page levels, alignment, DMA memory),
since these are not a part of this change or secondary
with regard to how the uncoupling itself is implemented.
The focus of the pictures is to explain why __va() and __pa()
macros are implemented the way they are.
Memory layout in V==R mode:
| Physical | Virtual |
+- 0 --------------+- 0 --------------+ identity mapping start
| | S390_lowcore | Low-address memory
| +- 8 KB -----------+
| | |
| | identity | phys == virt
| | mapping | virt == phys
| | |
+- AMODE31_START --+- AMODE31_START --+ .amode31 rand. phys/virt start
|.amode31 text/data|.amode31 text/data|
+- AMODE31_END ----+- AMODE31_END ----+ .amode31 rand. phys/virt start
| | |
| | |
+- __kaslr_offset, __kaslr_offset_phys| kernel rand. phys/virt start
| | |
| kernel text/data | kernel text/data | phys == kvirt
| | |
+------------------+------------------+ kernel phys/virt end
| | |
| | |
| | |
| | |
+- ident_map_size -+- ident_map_size -+ identity mapping end
| |
| ... unused gap |
| |
+---- vmemmap -----+ 'struct page' array start
| |
| virtually mapped |
| memory map |
| |
+- __abs_lowcore --+
| |
| Absolute Lowcore |
| |
+- __memcpy_real_area
| |
| Real Memory Copy|
| |
+- VMALLOC_START --+ vmalloc area start
| |
| vmalloc area |
| |
+- MODULES_VADDR --+ modules area start
| |
| modules area |
| |
+------------------+ UltraVisor Secure Storage limit
| |
| ... unused gap |
| |
+KASAN_SHADOW_START+ KASAN shadow memory start
| |
| KASAN shadow |
| |
+------------------+ ASCE limit
Memory layout in V!=R mode:
| Physical | Virtual |
+- 0 --------------+- 0 --------------+
| | S390_lowcore | Low-address memory
| +- 8 KB -----------+
| | |
| | |
| | ... unused gap |
| | |
+- AMODE31_START --+- AMODE31_START --+ .amode31 rand. phys/virt start
|.amode31 text/data|.amode31 text/data|
+- AMODE31_END ----+- AMODE31_END ----+ .amode31 rand. phys/virt end (<2GB)
| | |
| | |
+- __kaslr_offset_phys | kernel rand. phys start
| | |
| kernel text/data | |
| | |
+------------------+ | kernel phys end
| | |
| | |
| | |
| | |
+- ident_map_size -+ |
| |
| ... unused gap |
| |
+- __identity_base + identity mapping start (>= 2GB)
| |
| identity | phys == virt - __identity_base
| mapping | virt == phys + __identity_base
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
+---- vmemmap -----+ 'struct page' array start
| |
| virtually mapped |
| memory map |
| |
+- __abs_lowcore --+
| |
| Absolute Lowcore |
| |
+- __memcpy_real_area
| |
| Real Memory Copy|
| |
+- VMALLOC_START --+ vmalloc area start
| |
| vmalloc area |
| |
+- MODULES_VADDR --+ modules area start
| |
| modules area |
| |
+- __kaslr_offset -+ kernel rand. virt start
| |
| kernel text/data | phys == (kvirt - __kaslr_offset) +
| | __kaslr_offset_phys
+- kernel .bss end + kernel rand. virt end
| |
| ... unused gap |
| |
+------------------+ UltraVisor Secure Storage limit
| |
| ... unused gap |
| |
+KASAN_SHADOW_START+ KASAN shadow memory start
| |
| KASAN shadow |
| |
+------------------+ ASCE limit
Unused gaps in the virtual memory layout could be present
or not - depending on how partucular system is configured.
No page tables are created for the unused gaps.
The relative order of vmalloc, modules and kernel image in
virtual memory is defined by following considerations:
- start of the modules area and end of the kernel should reside
within 4GB to accommodate relative 32-bit jumps. The best way
to achieve that is to place kernel next to modules;
- vmalloc and module areas should locate next to each other
to prevent failures and extra reworks in user level tools
(makedumpfile, crash, etc.) which treat vmalloc and module
addresses similarily;
- kernel needs to be the last area in the virtual memory
layout to easily distinguish between kernel and non-kernel
virtual addresses. That is needed to (again) simplify
handling of addresses in user level tools and make __pa()
macro faster (see below);
Concluding the above, the relative order of the considered
virtual areas in memory is: vmalloc - modules - kernel.
Therefore, the only change to the current memory layout is
moving kernel to the end of virtual address space.
With that approach the implementation of __pa() macro is
straightforward - all linear virtual addresses less than
kernel base are considered identity mapping:
phys == virt - __identity_base
All addresses greater than kernel base are kernel ones:
phys == (kvirt - __kaslr_offset) + __kaslr_offset_phys
By contrast, __va() macro deals only with identity mapping
addresses:
virt == phys + __identity_base
.amode31 section is mapped separately and is not covered by
__pa() macro. In fact, it could have been handled easily by
checking whether a virtual address is within the section or
not, but there is no need for that. Thus, let __pa() code
do as little machine cycles as possible.
The KASAN shadow memory is located at the very end of the
virtual memory layout, at addresses higher than the kernel.
However, that is not a linear mapping and no code other than
KASAN instrumentation or API is expected to access it.
When KASLR mode is enabled the kernel base address randomized
within a memory window that spans whole unused virtual address
space. The size of that window depends from the amount of
physical memory available to the system, the limit imposed by
UltraVisor (if present) and the vmalloc area size as provided
by vmalloc= kernel command line parameter.
In case the virtual memory is exhausted the minimum size of
the randomization window is forcefully set to 2GB, which
amounts to in 15 bits of entropy if KASAN is enabled or 17
bits of entropy in default configuration.
The default kernel offset 0x100000 is used as a magic value
both in the decompressor code and vmlinux linker script, but
it will be removed with a follow-up change.
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
199 lines
5.3 KiB
C
199 lines
5.3 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Copyright IBM Corp. 2019
|
|
*/
|
|
#include <linux/pgtable.h>
|
|
#include <asm/physmem_info.h>
|
|
#include <asm/cpacf.h>
|
|
#include <asm/timex.h>
|
|
#include <asm/sclp.h>
|
|
#include <asm/kasan.h>
|
|
#include "decompressor.h"
|
|
#include "boot.h"
|
|
|
|
#define PRNG_MODE_TDES 1
|
|
#define PRNG_MODE_SHA512 2
|
|
#define PRNG_MODE_TRNG 3
|
|
|
|
struct prno_parm {
|
|
u32 res;
|
|
u32 reseed_counter;
|
|
u64 stream_bytes;
|
|
u8 V[112];
|
|
u8 C[112];
|
|
};
|
|
|
|
struct prng_parm {
|
|
u8 parm_block[32];
|
|
u32 reseed_counter;
|
|
u64 byte_counter;
|
|
};
|
|
|
|
static int check_prng(void)
|
|
{
|
|
if (!cpacf_query_func(CPACF_KMC, CPACF_KMC_PRNG)) {
|
|
sclp_early_printk("KASLR disabled: CPU has no PRNG\n");
|
|
return 0;
|
|
}
|
|
if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_TRNG))
|
|
return PRNG_MODE_TRNG;
|
|
if (cpacf_query_func(CPACF_PRNO, CPACF_PRNO_SHA512_DRNG_GEN))
|
|
return PRNG_MODE_SHA512;
|
|
else
|
|
return PRNG_MODE_TDES;
|
|
}
|
|
|
|
int get_random(unsigned long limit, unsigned long *value)
|
|
{
|
|
struct prng_parm prng = {
|
|
/* initial parameter block for tdes mode, copied from libica */
|
|
.parm_block = {
|
|
0x0F, 0x2B, 0x8E, 0x63, 0x8C, 0x8E, 0xD2, 0x52,
|
|
0x64, 0xB7, 0xA0, 0x7B, 0x75, 0x28, 0xB8, 0xF4,
|
|
0x75, 0x5F, 0xD2, 0xA6, 0x8D, 0x97, 0x11, 0xFF,
|
|
0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0
|
|
},
|
|
};
|
|
unsigned long seed, random;
|
|
struct prno_parm prno;
|
|
__u64 entropy[4];
|
|
int mode, i;
|
|
|
|
mode = check_prng();
|
|
seed = get_tod_clock_fast();
|
|
switch (mode) {
|
|
case PRNG_MODE_TRNG:
|
|
cpacf_trng(NULL, 0, (u8 *) &random, sizeof(random));
|
|
break;
|
|
case PRNG_MODE_SHA512:
|
|
cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED, &prno, NULL, 0,
|
|
(u8 *) &seed, sizeof(seed));
|
|
cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN, &prno, (u8 *) &random,
|
|
sizeof(random), NULL, 0);
|
|
break;
|
|
case PRNG_MODE_TDES:
|
|
/* add entropy */
|
|
*(unsigned long *) prng.parm_block ^= seed;
|
|
for (i = 0; i < 16; i++) {
|
|
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block,
|
|
(u8 *) entropy, (u8 *) entropy,
|
|
sizeof(entropy));
|
|
memcpy(prng.parm_block, entropy, sizeof(entropy));
|
|
}
|
|
random = seed;
|
|
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block, (u8 *) &random,
|
|
(u8 *) &random, sizeof(random));
|
|
break;
|
|
default:
|
|
return -1;
|
|
}
|
|
*value = random % limit;
|
|
return 0;
|
|
}
|
|
|
|
static void sort_reserved_ranges(struct reserved_range *res, unsigned long size)
|
|
{
|
|
struct reserved_range tmp;
|
|
int i, j;
|
|
|
|
for (i = 1; i < size; i++) {
|
|
tmp = res[i];
|
|
for (j = i - 1; j >= 0 && res[j].start > tmp.start; j--)
|
|
res[j + 1] = res[j];
|
|
res[j + 1] = tmp;
|
|
}
|
|
}
|
|
|
|
static unsigned long iterate_valid_positions(unsigned long size, unsigned long align,
|
|
unsigned long _min, unsigned long _max,
|
|
struct reserved_range *res, size_t res_count,
|
|
bool pos_count, unsigned long find_pos)
|
|
{
|
|
unsigned long start, end, tmp_end, range_pos, pos = 0;
|
|
struct reserved_range *res_end = res + res_count;
|
|
struct reserved_range *skip_res;
|
|
int i;
|
|
|
|
align = max(align, 8UL);
|
|
_min = round_up(_min, align);
|
|
for_each_physmem_usable_range(i, &start, &end) {
|
|
if (_min >= end)
|
|
continue;
|
|
start = round_up(start, align);
|
|
if (start >= _max)
|
|
break;
|
|
start = max(_min, start);
|
|
end = min(_max, end);
|
|
|
|
while (start + size <= end) {
|
|
/* skip reserved ranges below the start */
|
|
while (res && res->end <= start) {
|
|
res++;
|
|
if (res >= res_end)
|
|
res = NULL;
|
|
}
|
|
skip_res = NULL;
|
|
tmp_end = end;
|
|
/* has intersecting reserved range */
|
|
if (res && res->start < end) {
|
|
skip_res = res;
|
|
tmp_end = res->start;
|
|
}
|
|
if (start + size <= tmp_end) {
|
|
range_pos = (tmp_end - start - size) / align + 1;
|
|
if (pos_count) {
|
|
pos += range_pos;
|
|
} else {
|
|
if (range_pos >= find_pos)
|
|
return start + (find_pos - 1) * align;
|
|
find_pos -= range_pos;
|
|
}
|
|
}
|
|
if (!skip_res)
|
|
break;
|
|
start = round_up(skip_res->end, align);
|
|
}
|
|
}
|
|
|
|
return pos_count ? pos : 0;
|
|
}
|
|
|
|
/*
|
|
* Two types of decompressor memory allocations/reserves are considered
|
|
* differently.
|
|
*
|
|
* "Static" or "single" allocations are done via physmem_alloc_range() and
|
|
* physmem_reserve(), and they are listed in physmem_info.reserved[]. Each
|
|
* type of "static" allocation can only have one allocation per type and
|
|
* cannot have chains.
|
|
*
|
|
* On the other hand, "dynamic" or "repetitive" allocations are done via
|
|
* physmem_alloc_top_down(). These allocations are tightly packed together
|
|
* top down from the end of online memory. physmem_alloc_pos represents
|
|
* current position where those allocations start.
|
|
*
|
|
* Functions randomize_within_range() and iterate_valid_positions()
|
|
* only consider "dynamic" allocations by never looking above
|
|
* physmem_alloc_pos. "Static" allocations, however, are explicitly
|
|
* considered by checking the "res" (reserves) array. The first
|
|
* reserved_range of a "dynamic" allocation may also be checked along the
|
|
* way, but it will always be above the maximum value anyway.
|
|
*/
|
|
unsigned long randomize_within_range(unsigned long size, unsigned long align,
|
|
unsigned long min, unsigned long max)
|
|
{
|
|
struct reserved_range res[RR_MAX];
|
|
unsigned long max_pos, pos;
|
|
|
|
memcpy(res, physmem_info.reserved, sizeof(res));
|
|
sort_reserved_ranges(res, ARRAY_SIZE(res));
|
|
max = min(max, get_physmem_alloc_pos());
|
|
|
|
max_pos = iterate_valid_positions(size, align, min, max, res, ARRAY_SIZE(res), true, 0);
|
|
if (!max_pos)
|
|
return 0;
|
|
if (get_random(max_pos, &pos))
|
|
return 0;
|
|
return iterate_valid_positions(size, align, min, max, res, ARRAY_SIZE(res), false, pos + 1);
|
|
}
|