Re: [PATCH v2 00/25] Apple M1 SoC platform bring-up

From: Hector Martin
Date: Wed Feb 24 2021 - 11:08:59 EST

Next message: Vincent Guittot: "Re: [PATCH 0/7 v4] move update blocked load outside newidle_balance"
Previous message: Álvaro Fernández Rojas: "Re: [PATCH v2 0/2] leds: bcm63x8: improve read and write functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 22/02/2021 00.20, Hector Martin wrote:

I haven't tested things at EL0 yet, but it looks like the stateful
instructions known to be usable in EL0 (AMX) already default to trap on
this platform, so we should be safe there. Everything else looks like it
probably either shouldn't work in EL0 (I sure hope the address
translation one doesn't...) or is probably stateless. I'll dig deeper
and test EL0 in the future, but so far things look OK (for some
questionable values of OK :) ).

Follow-up: I have EL0 testing scaffolding now, and I found some more mutable state (an IMP-DEF, pre-standard version of FEAT_AFP, using a separate status register for the bits), but thankfully it traps at EL0 by default.

And then I found some other mutable IMP-DEF state that does not trap at EL0. And which is a 0-day CVE in macOS, because it doesn't save/restore/clear it either, nor does it trap there.

E-mailing security@xxxxxxxxx...

--
Hector Martin (marcan@xxxxxxxxx)
Public Key: https://mrcn.st/pub

Next message: Vincent Guittot: "Re: [PATCH 0/7 v4] move update blocked load outside newidle_balance"
Previous message: Álvaro Fernández Rojas: "Re: [PATCH v2 0/2] leds: bcm63x8: improve read and write functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]