arm64: Unconditionally enable PAN support

-17

arch/arm64/Kconfig

··· 1680 1680 config ARM64_SW_TTBR0_PAN 1681 1681 bool "Emulate Privileged Access Never using TTBR0_EL1 switching" 1682 1682 depends on !KCSAN 1683 - select ARM64_PAN 1684 1683 help 1685 1684 Enabling this option prevents the kernel from accessing 1686 1685 user-space memory directly by pointing TTBR0_EL1 to a reserved ··· 1857 1858 Kernels built with this configuration option enabled continue 1858 1859 to work on pre-ARMv8.1 hardware and the performance impact is 1859 1860 minimal. If unsure, say Y. 1860 - 1861 - config ARM64_PAN 1862 - bool "Enable support for Privileged Access Never (PAN)" 1863 - default y 1864 - help 1865 - Privileged Access Never (PAN; part of the ARMv8.1 Extensions) 1866 - prevents the kernel or hypervisor from accessing user-space (EL0) 1867 - memory directly. 1868 - 1869 - Choosing this option will cause any unprotected (not using 1870 - copy_to_user et al) memory access to fail with a permission fault. 1871 - 1872 - The feature is detected at runtime, and will remain as a 'nop' 1873 - instruction if the cpu does not implement the feature. 1874 1861 1875 1862 endmenu # "ARMv8.1 architectural features" 1876 1863 ··· 2094 2109 depends on ARM64_AS_HAS_MTE && ARM64_TAGGED_ADDR_ABI 2095 2110 depends on AS_HAS_ARMV8_5 2096 2111 # Required for tag checking in the uaccess routines 2097 - select ARM64_PAN 2098 2112 select ARCH_HAS_SUBPAGE_FAULTS 2099 2113 select ARCH_USES_HIGH_VMA_FLAGS 2100 2114 select ARCH_USES_PG_ARCH_2 ··· 2125 2141 config ARM64_EPAN 2126 2142 bool "Enable support for Enhanced Privileged Access Never (EPAN)" 2127 2143 default y 2128 - depends on ARM64_PAN 2129 2144 help 2130 2145 Enhanced Privileged Access Never (EPAN) allows Privileged 2131 2146 Access Never to be used with Execute-only mappings.

-2

arch/arm64/include/asm/cpucaps.h

··· 19 19 "cap must be < ARM64_NCAPS"); 20 20 21 21 switch (cap) { 22 - case ARM64_HAS_PAN: 23 - return IS_ENABLED(CONFIG_ARM64_PAN); 24 22 case ARM64_HAS_EPAN: 25 23 return IS_ENABLED(CONFIG_ARM64_EPAN); 26 24 case ARM64_SVE:

+2 -4

arch/arm64/include/asm/uaccess.h

··· 124 124 125 125 static inline void __uaccess_disable_hw_pan(void) 126 126 { 127 - asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, 128 - CONFIG_ARM64_PAN)); 127 + asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN)); 129 128 } 130 129 131 130 static inline void __uaccess_enable_hw_pan(void) 132 131 { 133 - asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, 134 - CONFIG_ARM64_PAN)); 132 + asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN)); 135 133 } 136 134 137 135 static inline void uaccess_disable_privileged(void)

-4

arch/arm64/kernel/cpufeature.c

··· 2164 2164 return cpu_supports_bbml2_noabort(); 2165 2165 } 2166 2166 2167 - #ifdef CONFIG_ARM64_PAN 2168 2167 static void cpu_enable_pan(const struct arm64_cpu_capabilities *__unused) 2169 2168 { 2170 2169 /* ··· 2175 2176 sysreg_clear_set(sctlr_el1, SCTLR_EL1_SPAN, 0); 2176 2177 set_pstate_pan(1); 2177 2178 } 2178 - #endif /* CONFIG_ARM64_PAN */ 2179 2179 2180 2180 #ifdef CONFIG_ARM64_RAS_EXTN 2181 2181 static void cpu_clear_disr(const struct arm64_cpu_capabilities *__unused) ··· 2539 2541 .matches = has_cpuid_feature, 2540 2542 ARM64_CPUID_FIELDS(ID_AA64MMFR0_EL1, ECV, CNTPOFF) 2541 2543 }, 2542 - #ifdef CONFIG_ARM64_PAN 2543 2544 { 2544 2545 .desc = "Privileged Access Never", 2545 2546 .capability = ARM64_HAS_PAN, ··· 2547 2550 .cpu_enable = cpu_enable_pan, 2548 2551 ARM64_CPUID_FIELDS(ID_AA64MMFR1_EL1, PAN, IMP) 2549 2552 }, 2550 - #endif /* CONFIG_ARM64_PAN */ 2551 2553 #ifdef CONFIG_ARM64_EPAN 2552 2554 { 2553 2555 .desc = "Enhanced Privileged Access Never",

+1 -1

arch/arm64/kvm/hyp/entry.S

··· 126 126 127 127 add x1, x1, #VCPU_CONTEXT 128 128 129 - ALTERNATIVE(nop, SET_PSTATE_PAN(1), ARM64_HAS_PAN, CONFIG_ARM64_PAN) 129 + ALTERNATIVE(nop, SET_PSTATE_PAN(1), ARM64_HAS_PAN) 130 130 131 131 // Store the guest regs x2 and x3 132 132 stp x2, x3, [x1, #CPU_XREG_OFFSET(2)]

Configure Feed

Configure Feed