[apple/xnu.git] / osfmk / arm64 / pinst.s

/*
 * Copyright (c) 2016 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#include <pexpert/arm64/board_config.h>
#include <arm64/proc_reg.h>

/*
 * Compare two instructions with constant, spin on mismatch.
 *   arg0 - Constant scratch register
 *   arg1 - Instruction address scratch register
 *   arg2 - Instruction location
 *   arg3 - Instruction constant
 */
.macro check_instruction
	// construct 64-bit constant inline to make sure it is non-executable
	movz	$0, #(($3 >> 48) & 0xffff), lsl #48
	movk	$0, #(($3 >> 32) & 0xffff), lsl #32
	movk	$0, #(($3 >> 16) & 0xffff), lsl #16
	movk	$0, #(($3) & 0xffff)
	// fetch instructions from "untrusted" memory
	adrp	$1, $2@page
	add		$1, $1, $2@pageoff
	ldr		$1, [$1]
	// spin forever if we do not find what we expect
	cmp		$0, $1
	b.ne	.
.endmacro

#if defined(KERNEL_INTEGRITY_KTRR)

/* AMCC only KTRR protected text, non-executable once the MMU is enabled */
	.text
	.section	__LAST,__pinst
	.align 2

__pinst_set_ttbr1:
	msr		TTBR1_EL1, x0
	ret

__pinst_set_vbar:
	msr		VBAR_EL1, x0
	ret

__pinst_set_tcr:
	msr		TCR_EL1, x0
	ret

	.globl _pinst_set_sctlr_trap_addr
__pinst_set_sctlr:
	msr		SCTLR_EL1, x0
_pinst_set_sctlr_trap_addr:
	ret


/* MMU and AMCC KTRR protected text */
	.text
	.section	__TEXT_EXEC,__text
	.align 2

	.globl _pinst_set_ttbr1
_pinst_set_ttbr1:
	check_instruction x2, x3, __pinst_set_ttbr1, 0xd65f03c0d5182020
	b __pinst_set_ttbr1

	.globl _pinst_set_vbar
_pinst_set_vbar:
	check_instruction x2, x3, __pinst_set_vbar, 0xd65f03c0d518c000
	b __pinst_set_vbar

	.globl _pinst_set_tcr
_pinst_set_tcr:
	check_instruction x2, x3, __pinst_set_tcr, 0xd65f03c0d5182040
	b __pinst_set_tcr

	.globl _pinst_set_sctlr
_pinst_set_sctlr:
	check_instruction x2, x3, __pinst_set_sctlr, 0xd65f03c0d5181000
	b __pinst_set_sctlr

#endif /* defined(KERNEL_INTEGRITY_KTRR) */

#if defined(KERNEL_INTEGRITY_KTRR) || defined(KERNEL_INTEGRITY_CTRR)

	.text
	.section	__LAST,__pinst
	.align 2

__pinst_spsel_1:
	msr		SPSel, #1
	ret

	.text
	.section	__TEXT_EXEC,__text
	.align 2

	.globl _pinst_spsel_1
_pinst_spsel_1:
	check_instruction x2, x3, __pinst_spsel_1, 0xd65f03c0d50041bf
	b __pinst_spsel_1

#if __APRR_SUPPORTED__

/*
 * APRR registers aren't covered by VMSA lockdown, so we'll keep these
 * gadgets in pinst for protection against undesired execution. 
 */

	.text
	.section	__LAST,__pinst
	.align 2

__pinst_set_aprr_el0:
	msr		APRR_EL0, x0
	ret

__pinst_set_aprr_el1:
	msr		APRR_EL1, x0
	ret

__pinst_set_aprr_shadow_mask_en_el1:
	msr		APRR_SHADOW_MASK_EN_EL1, x0

	ret

	.text
	.section	__TEXT_EXEC,__text
	.align 2

	.globl _pinst_set_aprr_el0
_pinst_set_aprr_el0:
	check_instruction x2, x3, __pinst_set_aprr_el0, 0xd65f03c0d51cf200
	b __pinst_set_aprr_el0

	.globl _pinst_set_aprr_el1
_pinst_set_aprr_el1:
	check_instruction x2, x3, __pinst_set_aprr_el1, 0xd65f03c0d51cf220
	b __pinst_set_aprr_el1

	.globl _pinst_set_aprr_shadow_mask_en_el1
_pinst_set_aprr_shadow_mask_en_el1:
	check_instruction x2, x3, __pinst_set_aprr_shadow_mask_en_el1, 0xd65f03c0d51cf2c0
	b __pinst_set_aprr_shadow_mask_en_el1
#endif /* __APRR_SUPPORTED__ */
#endif /* defined(KERNEL_INTEGRITY_KTRR) || defined(KERNEL_INTEGRITY_CTRR) */
Commit	Line	Data
5ba3f43e A	1	/*
	2	* Copyright (c) 2016 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#include <pexpert/arm64/board_config.h>
	30	#include <arm64/proc_reg.h>
	31
	32	/*
	33	* Compare two instructions with constant, spin on mismatch.
	34	* arg0 - Constant scratch register
	35	* arg1 - Instruction address scratch register
	36	* arg2 - Instruction location
	37	* arg3 - Instruction constant
	38	*/
	39	.macro check_instruction
	40	// construct 64-bit constant inline to make sure it is non-executable
	41	movz $0, #(($3 >> 48) & 0xffff), lsl #48
	42	movk $0, #(($3 >> 32) & 0xffff), lsl #32
	43	movk $0, #(($3 >> 16) & 0xffff), lsl #16
	44	movk $0, #(($3) & 0xffff)
	45	// fetch instructions from "untrusted" memory
	46	adrp $1, $2@page
	47	add $1, $1, $2@pageoff
	48	ldr $1, [$1]
	49	// spin forever if we do not find what we expect
	50	cmp $0, $1
	51	b.ne .
	52	.endmacro
	53
	54	#if defined(KERNEL_INTEGRITY_KTRR)
	55
	56	/* AMCC only KTRR protected text, non-executable once the MMU is enabled */
	57	.text
	58	.section __LAST,__pinst
	59	.align 2
	60
	61	__pinst_set_ttbr1:
	62	msr TTBR1_EL1, x0
	63	ret
	64
65	__pinst_set_vbar:
66	msr VBAR_EL1, x0
67	ret
68
69	__pinst_set_tcr:
70	msr TCR_EL1, x0
71	ret
72
73	.globl _pinst_set_sctlr_trap_addr
74	__pinst_set_sctlr:
75	msr SCTLR_EL1, x0
76	_pinst_set_sctlr_trap_addr:
77	ret
78
79
80	/* MMU and AMCC KTRR protected text */
81	.text
82	.section __TEXT_EXEC,__text
83	.align 2
84
85	.globl _pinst_set_ttbr1
86	_pinst_set_ttbr1:
87	check_instruction x2, x3, __pinst_set_ttbr1, 0xd65f03c0d5182020
88	b __pinst_set_ttbr1
89
90	.globl _pinst_set_vbar
91	_pinst_set_vbar:
92	check_instruction x2, x3, __pinst_set_vbar, 0xd65f03c0d518c000
93	b __pinst_set_vbar
94
95	.globl _pinst_set_tcr
96	_pinst_set_tcr:
97	check_instruction x2, x3, __pinst_set_tcr, 0xd65f03c0d5182040
98	b __pinst_set_tcr
99
100	.globl _pinst_set_sctlr
101	_pinst_set_sctlr:
102	check_instruction x2, x3, __pinst_set_sctlr, 0xd65f03c0d5181000
103	b __pinst_set_sctlr
104
105	#endif /* defined(KERNEL_INTEGRITY_KTRR) */
106
c6bf4f31	107	#if defined(KERNEL_INTEGRITY_KTRR) \|\| defined(KERNEL_INTEGRITY_CTRR)
5ba3f43e A	108
	109	.text
	110	.section __LAST,__pinst
	111	.align 2
	112
	113	__pinst_spsel_1:
	114	msr SPSel, #1
	115	ret
	116
	117	.text
	118	.section __TEXT_EXEC,__text
	119	.align 2
	120
	121	.globl _pinst_spsel_1
	122	_pinst_spsel_1:
	123	check_instruction x2, x3, __pinst_spsel_1, 0xd65f03c0d50041bf
	124	b __pinst_spsel_1
	125
c6bf4f31 A	126	#if __APRR_SUPPORTED__
	127
	128	/*
	129	* APRR registers aren't covered by VMSA lockdown, so we'll keep these
	130	* gadgets in pinst for protection against undesired execution.
	131	*/
	132
	133	.text
	134	.section __LAST,__pinst
	135	.align 2
	136
	137	__pinst_set_aprr_el0:
	138	msr APRR_EL0, x0
	139	ret
	140
	141	__pinst_set_aprr_el1:
	142	msr APRR_EL1, x0
	143	ret
	144
	145	__pinst_set_aprr_shadow_mask_en_el1:
	146	msr APRR_SHADOW_MASK_EN_EL1, x0
	147
	148	ret
	149
	150	.text
	151	.section __TEXT_EXEC,__text
	152	.align 2
	153
	154	.globl _pinst_set_aprr_el0
	155	_pinst_set_aprr_el0:
	156	check_instruction x2, x3, __pinst_set_aprr_el0, 0xd65f03c0d51cf200
	157	b __pinst_set_aprr_el0
	158
	159	.globl _pinst_set_aprr_el1
	160	_pinst_set_aprr_el1:
	161	check_instruction x2, x3, __pinst_set_aprr_el1, 0xd65f03c0d51cf220
	162	b __pinst_set_aprr_el1
	163
	164	.globl _pinst_set_aprr_shadow_mask_en_el1
	165	_pinst_set_aprr_shadow_mask_en_el1:
	166	check_instruction x2, x3, __pinst_set_aprr_shadow_mask_en_el1, 0xd65f03c0d51cf2c0
	167	b __pinst_set_aprr_shadow_mask_en_el1
	168	#endif /* __APRR_SUPPORTED__ */
	169	#endif /* defined(KERNEL_INTEGRITY_KTRR) \|\| defined(KERNEL_INTEGRITY_CTRR) */
5ba3f43e	170