    arm64: Avoid cpus_have_const_cap() for ARM64_UNMAP_KERNEL_AT_EL0 · c2ef5f1e
    Mark Rutland authored
    In arm64_kernel_unmapped_at_el0() we use cpus_have_const_cap() to check
    for ARM64_UNMAP_KERNEL_AT_EL0, but this is only necessary so that
    arm64_get_bp_hardening_vector() and this_cpu_set_vectors() can run prior
    to alternatives being patched. Otherwise this is not necessary and
    alternative_has_cap_*() would be preferable.
    
    For historical reasons, cpus_have_const_cap() is more complicated than
    it needs to be. Before cpucaps are finalized, it will perform a bitmap
    test of the system_cpucaps bitmap, and once cpucaps are finalized it
    will use an alternative branch. This used to be necessary to handle some
    race conditions in the window between cpucap detection and the
    subsequent patching of alternatives and static branches, where different
    branches could be out-of-sync with one another (or w.r.t. alternative
    sequences). Now that we use alternative branches instead of static
    branches, these are all patched atomically w.r.t. one another, and there
    are only a handful of cases that need special care in the window between
    cpucap detection and alternative patching.
    
    Due to the above, it would be nice to remove cpus_have_const_cap(), and
    migrate callers over to alternative_has_cap_*(), cpus_have_final_cap(),
    or cpus_have_cap() depending on their requirements. This will
    remove redundant instructions and improve code generation, and will make
    it easier to determine how each callsite will behave before, during, and
    after alternative patching.
    
    The ARM64_UNMAP_KERNEL_AT_EL0 cpucap is a system-wide feature that is
    detected and patched before any translation tables are created for
    userspace. In the window between detecting the ARM64_UNMAP_KERNEL_AT_EL0
    cpucap and patching alternatives, most users of
    arm64_kernel_unmapped_at_el0() do not need to know that the cpucap has
    been detected:
    
    * As KVM is initialized after cpucaps are finalized, no usage of
      arm64_kernel_unmapped_at_el0() in the KVM code is reachable during
      this window.
    
    * The arm64_mm_context_get() function in arch/arm64/mm/context.c is only
      called after the SMMU driver is brought up after alternatives have
      been patched. Thus this can safely use cpus_have_final_cap() or
      alternative_has_cap_*().
    
      Similarly the asids_update_limit() function is called after
      alternatives have been patched as an arch_initcall, and this can
      safely use cpus_have_final_cap() or alternative_has_cap_*().
    
      Similarly we do not expect an ASID rollover to occur between cpucaps
      being detected and patching alternatives. Thus
      set_reserved_asid_bits() can safely use cpus_have_final_cap() or
      alternative_has_cap_*().
    
    * The __tlbi_user() and __tlbi_user_level() macros are not used during
      this window, and only need to invalidate additional entries once
      userspace translation tables have been active on a CPU. Thus these can
      safely use alternative_has_cap_*().
    
    * The xen_kernel_unmapped_at_usr() function is not used during this
      window as it is only used in a late_initcall. Thus this can safely use
      cpus_have_final_cap() or alternative_has_cap_*().
    
    * The arm64_get_meltdown_state() function is not used during this
      window. It is only used by arm64_get_meltdown_state() and KVM code, both
      of which are only used after cpucaps have been finalized. Thus this
      can safely use cpus_have_final_cap() or alternative_has_cap_*().
    
    * tls_thread_switch() uses arm64_kernel_unmapped_at_el0() as an
      optimization to avoid zeroing tpidrro_el0 when KPTI is enabled
      and this will be trampled by the KPTI trampoline. It doesn't matter if
      this continues to zero the register during the window between
      detecting the cpucap and patching alternatives, so this can safely use
      alternative_has_cap_*().
    
    * The sdei_arch_get_entry_point() and do_sdei_event() functions aren't
      reachable at this time as the SDEI driver is registered later by
      acpi_init() -> acpi_ghes_init() -> sdei_init(), where acpi_init is a
      subsys_initcall. Thus these can safely use cpus_have_final_cap() or
      alternative_has_cap_*().
    
    * The uses under drivers/ aren't reachable at this time as the drivers
      are registered later:
    
      - TRBE is registered via module_init()
      - SMMUv3 is registered via module_driver()
      - SPE is registered via module_init()
    
    * The arm64_get_bp_hardening_vector() and this_cpu_set_vectors()
      functions need to run on boot CPUs prior to patching alternatives.
      As these are only called during the onlining of a CPU, it's fine to
      perform a system_cpucaps bitmap test using cpus_have_cap().
    
    This patch modifies this_cpu_set_vectors() to use cpus_have_cap(), and
    replaces all other uses of cpus_have_const_cap() with
    alternative_has_cap_unlikely(), which will avoid generating code to test
    the system_cpucaps bitmap and should be better for all subsequent calls
    at runtime. The ARM64_UNMAP_KERNEL_AT_EL0 cpucap is added to
    cpucap_is_possible() so that code can be elided entirely when this is
    not possible.
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: Ard Biesheuvel <ardb@kernel.org>
    Cc: James Morse <james.morse@arm.com>
    Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
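The commit's argument rests on how the four check helpers behave in the window between a cpucap being detected and alternatives being patched. The following is an added, constructed user-space model of that behaviour (it is not the kernel's cpufeature.h code, and the cap number and phase names are placeholders chosen for the model): cpus_have_cap() is a bitmap test that is valid at any time, alternative_has_cap_unlikely() reads only the alternative branch and so takes the "not present" path until patching, cpus_have_final_cap() is the alternative branch guarded by a BUG() before finalization, and the legacy cpus_have_const_cap() falls back to the bitmap before finalization. Probing each helper in the two phases shows why this_cpu_set_vectors(), which runs in that window, is moved to cpus_have_cap() while callers that are only reachable after patching can use alternative_has_cap_unlikely().

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the cpucap check flavours named in the commit
 * message. Not the kernel's code; it mimics only the behaviour the message
 * describes for the detection-to-patching window.
 */

#define NUM_CPUCAPS 8
/* Cap number is an arbitrary placeholder for this model. */
#define ARM64_UNMAP_KERNEL_AT_EL0 3

enum boot_phase {
	PHASE_WINDOW,   /* cap detected; cpucaps not finalized, alternatives unpatched */
	PHASE_PATCHED,  /* cpucaps finalized and alternatives applied               */
};

static unsigned long system_cpucaps;     /* detection bitmap                     */
static bool cpucaps_finalized;           /* system_capabilities_finalized()      */
static bool alt_branch[NUM_CPUCAPS];     /* patched state of each alt branch     */
static int final_cap_bug;                /* counts cpus_have_final_cap() misuse  */

static void set_phase(enum boot_phase p)
{
	memset(alt_branch, 0, sizeof(alt_branch));
	final_cap_bug = 0;
	/* The cap is detected in both phases we model. */
	system_cpucaps = 1UL << ARM64_UNMAP_KERNEL_AT_EL0;
	/* The model finalizes cpucaps together with patching. */
	cpucaps_finalized = (p == PHASE_PATCHED);
	alt_branch[ARM64_UNMAP_KERNEL_AT_EL0] = (p == PHASE_PATCHED);
}

/* cpus_have_cap(): plain system_cpucaps bitmap test, usable at any time. */
static bool cpus_have_cap(unsigned int num)
{
	return (system_cpucaps >> num) & 1UL;
}

/* alternative_has_cap_unlikely(): only the alternative branch; its
 * unpatched form takes the "not present" path, so false until patched. */
static bool alternative_has_cap_unlikely(unsigned int num)
{
	return alt_branch[num];
}

/* cpus_have_final_cap(): alternative branch, legal only once cpucaps are
 * finalized; the kernel BUG()s otherwise, modelled here as a counter. */
static bool cpus_have_final_cap(unsigned int num)
{
	if (!cpucaps_finalized) {
		final_cap_bug++;
		return false;
	}
	return alternative_has_cap_unlikely(num);
}

/* cpus_have_const_cap(): the legacy helper, bitmap test before
 * finalization and alternative branch afterwards. */
static bool cpus_have_const_cap(unsigned int num)
{
	if (cpucaps_finalized)
		return alternative_has_cap_unlikely(num);
	return cpus_have_cap(num);
}

/* Bits 0..3: result of each helper in the given phase; bit 4: BUG() hit. */
unsigned int probe_phase(enum boot_phase p)
{
	unsigned int r = 0;

	set_phase(p);
	r |= (unsigned int)cpus_have_cap(ARM64_UNMAP_KERNEL_AT_EL0) << 0;
	r |= (unsigned int)cpus_have_const_cap(ARM64_UNMAP_KERNEL_AT_EL0) << 1;
	r |= (unsigned int)alternative_has_cap_unlikely(ARM64_UNMAP_KERNEL_AT_EL0) << 2;
	r |= (unsigned int)cpus_have_final_cap(ARM64_UNMAP_KERNEL_AT_EL0) << 3;
	r |= (unsigned int)(final_cap_bug != 0) << 4;
	return r;
}

int main(void)
{
	const char *names[] = { "window", "patched" };

	for (int p = PHASE_WINDOW; p <= PHASE_PATCHED; p++) {
		unsigned int r = probe_phase((enum boot_phase)p);

		printf("%-8s cpus_have_cap=%u const_cap=%u alt_unlikely=%u final_cap=%u%s\n",
		       names[p], r & 1, (r >> 1) & 1, (r >> 2) & 1, (r >> 3) & 1,
		       (r & 16) ? "  (cpus_have_final_cap() would BUG)" : "");
	}
	return 0;
}
```

In the window phase only the bitmap-based checks (cpus_have_cap(), and cpus_have_const_cap() via its bitmap fallback) report the cap as present, alternative_has_cap_unlikely() reports it absent, and cpus_have_final_cap() is not legal at all; once patched, all four agree. That is the property the commit relies on: a caller that can run in the window must use cpus_have_cap(), and every caller that cannot may drop the bitmap test.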