
Some near-term arm64 hardening patches

Posted Nov 18, 2019 20:35 UTC (Mon) by MarkRutland (subscriber, #74197)
Parent article: Some near-term arm64 hardening patches

The latest ARMv8-A manual describes E0PD in the section titled "Preventing EL0 access to halves of the address map", which summarises the feature:

If ARMv8.5-E0PD is implemented and enabled, the TCR_ELx.{E0PD0, E0PD1} fields can prevent unprivileged access to the addresses translated by TTBR0_ELx or TTBR1_ELx. If access is prevented, the fault is reported as a level 0 fault, and should take the same time to generate, whether the address is present in the TLB or not, to mitigate attacks that use fault timing.

Setting TCR_ELx.E0PD0 should prevent userspace (EL0) accesses to the kernel half of the address space (which is mapped via TTBR1_ELx), speculative or otherwise. The constant-time faulting behaviour should prevent page table depth probing attacks that can be used against KASLR.



Some near-term arm64 hardening patches

Posted Nov 18, 2019 23:58 UTC (Mon) by nivedita76 (subscriber, #121790)

The documentation and the commit message should probably make that first bit more explicit -- i.e. that /speculative/ accesses are indeed prevented.

Reading the commit message as it stands doesn't give any indication as to why E0PD would prevent Meltdown, as it only mentions constant-time faulting.

Some near-term arm64 hardening patches

Posted Apr 6, 2020 17:50 UTC (Mon) by mwsealey (subscriber, #71282)

Speculative accesses aren't permitted to cause exceptions, so constant time or not to cause a 'level 0 fault' makes no difference.

