vmbase: Handle very early exceptions
Introduce a vector table to provide a predictable behavior when
exceptions are raised before the Rust runtime is ready i.e. before
vector_table_el1 may be used. With this table, exceptions are "handled"
by attempting a PSCI_SYSTEM_RESET call and hanging if that returns. For
example, this may prevent a malicious host from triggering a fault when
entry.S accesses .data or .bss and thereby gaining arbitrary code
execution through VBAR_EL1.
Bug: 237659918
Test: atest vmbase_example.integration_test
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Change-Id: I5106e32b3118ec691ea6a7a80516d8c29918563c
diff --git a/vmbase/Android.bp b/vmbase/Android.bp
index 473103e..68b6b7e 100644
--- a/vmbase/Android.bp
+++ b/vmbase/Android.bp
@@ -26,6 +26,7 @@
srcs: [
"entry.S",
"exceptions.S",
+ "exceptions_panic.S",
],
nocrt: true,
no_libcrt: true,
diff --git a/vmbase/entry.S b/vmbase/entry.S
index 490e841..490c2f3 100644
--- a/vmbase/entry.S
+++ b/vmbase/entry.S
@@ -84,6 +84,9 @@
entry:
/* Load and apply the memory management configuration, ready to enable MMU and caches. */
+ adr x30, vector_table_panic
+ msr vbar_el1, x30
+
adrp x30, idmap
msr ttbr0_el1, x30
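Review bot: The new `msr vbar_el1, x30` is not followed by a context synchronization event, so an exception taken in the instructions that immediately follow is not architecturally guaranteed to be routed through vector_table_panic rather than the previous VBAR_EL1 value; adding `isb` directly after the msr closes that window (the later MMU-enable path presumably has its own isb, but the early accesses this table is meant to cover may precede it). A second point is that `adr` only reaches ±1 MB and vector_table_panic lives in its own `.text.vector_table_panic` section, so staying in range depends on the linker script; if that is not guaranteed, `adrp x30, vector_table_panic` / `add x30, x30, :lo12:vector_table_panic` is the robust form, and the table's `.balign 0x800` keeps the low bits zero either way. entry's body continues outside the hunk.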
diff --git a/vmbase/exceptions_panic.S b/vmbase/exceptions_panic.S
new file mode 100644
index 0000000..6f73da8
--- /dev/null
+++ b/vmbase/exceptions_panic.S
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * The following table is intended to trap any fault resulting from the very
+ * first memory accesses. They assume that PSCI v0.2 is available and provides
+ * the PSCI_SYSTEM_RESET call in an attempt to gracefully exit but otherwise
+ * results in the core busy-looping.
+ */
+
+.macro exception_panic
+ mov x0, 0x80400000
+ add x0, x0, 9
+ mov x1, 0
+ mov x2, 0
+ mov x3, 0
+ hvc 0
+0: wfi
+ b 0b
+.endm
+
+.section .text.vector_table_panic, "ax"
+.global vector_table_panic
+.balign 0x800
+vector_table_panic:
+sync_cur_sp0_panic:
+ exception_panic
+
+.balign 0x80
+irq_cur_sp0_panic:
+ exception_panic
+
+.balign 0x80
+fiq_cur_sp0_panic:
+ exception_panic
+
+.balign 0x80
+serr_cur_sp0_panic:
+ exception_panic
+
+.balign 0x80
+sync_cur_spx_panic:
+ exception_panic
+
+.balign 0x80
+irq_cur_spx_panic:
+ exception_panic
+
+.balign 0x80
+fiq_cur_spx_panic:
+ exception_panic
+
+.balign 0x80
+serr_cur_spx_panic:
+ exception_panic
+
+.balign 0x80
+sync_lower_64_panic:
+ exception_panic
+
+.balign 0x80
+irq_lower_64_panic:
+ exception_panic
+
+.balign 0x80
+fiq_lower_64_panic:
+ exception_panic
+
+.balign 0x80
+serr_lower_64_panic:
+ exception_panic
+
+.balign 0x80
+sync_lower_32_panic:
+ exception_panic
+
+.balign 0x80
+irq_lower_32_panic:
+ exception_panic
+
+.balign 0x80
+fiq_lower_32_panic:
+ exception_panic
+
+.balign 0x80
+serr_lower_32_panic:
+ exception_panic