elfloader: Set Exec-Never for Device Memory

Type PTE. The ARM spec (ARM DDI 0487J.a) says on page B2-216 ("Aarch64 Application Level Memory Model"): "Hardware does not prevent speculative instruction fetches from a memory location with any of the Device memory attributes unless the memory location is also marked as execute-never for all Exception levels." and "Failure to mark a memory location with any Device memory attribute as execute-never for all Exception levels is a programming error." Similar statements can be found in the chapter about the Aarch32 Application Level Memory Model for aarch32 mode. Signed-off-by: Andy Bui <[email protected]>
seL4 · Feb 28, 2024 · 3166422 · 3166422
1 parent c3c5e49
commit 3166422
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/elfloader-tool/include/arch-arm/64/mode/aarch64.h b/elfloader-tool/include/arch-arm/64/mode/aarch64.h
@@ -63,3 +63,5 @@
 #define MT_NORMAL         4
 #define MT_NORMAL_WT      5
 #define MAIR(_attr, _mt)  ((_attr) << ((_mt) * 8))
+
+#define IS_DEV_MEM_INDEX(_idx) ((_idx) <= MT_DEVICE_GRE)
diff --git a/elfloader-tool/include/elfloader_common.h b/elfloader-tool/include/elfloader_common.h
@@ -14,7 +14,7 @@ typedef uintptr_t vaddr_t;
 
 #define PAGE_BITS           12
 
-#define BIT(x)              (1 << (x))
+#define BIT(x)              (1ul << (x))
 #define MASK(n)             (BIT(n) - 1)
 #define MIN(a, b)           (((a) < (b)) ? (a) : (b))
 #define IS_ALIGNED(n, b)    (!((n) & MASK(b)))

diff --git a/elfloader-tool/src/arch-arm/64/mmu.c b/elfloader-tool/src/arch-arm/64/mmu.c
@@ -30,7 +30,11 @@ void init_boot_vspace(struct image_info *kernel_info)
     _boot_pgd_down[0] = ((uintptr_t)_boot_pud_down) | BIT(1) | BIT(0); /* its a page table */
 
     for (i = 0; i < BIT(PUD_BITS); i++) {
+        /* For exec-never bit(s), see Table D8-46 for EL2 translation regime (TR)
+         * and Table D8-45 for all others.*/
         _boot_pud_down[i] = (i << ARM_1GB_BLOCK_BITS)
+                            | BIT(54) /* UXN */
+                            | BIT(53) /* PXN */
                             | BIT(10) /* access flag */
                             | (MT_DEVICE_nGnRnE << 2) /* strongly ordered memory */
                             | BIT(0); /* 1G block */
@@ -68,7 +72,10 @@ void init_hyp_boot_vspace(struct image_info *kernel_info)
     _boot_pgd_down[0] = ((uintptr_t)_boot_pud_down) | BIT(1) | BIT(0);
 
     for (i = 0; i < BIT(PUD_BITS); i++) {
+        /* For exec-never bit(s), see Table D8-46 for EL2 translation regime (TR)
+         * and Table D8-45 for all others. Note: for EL2 TR, PXN (bit 53) is RES0. */
         _boot_pud_down[i] = (i << ARM_1GB_BLOCK_BITS)
+                            | BIT(54) /* UXN */
                             | BIT(10) /* access flag */
                             | (MT_DEVICE_nGnRnE << 2) /* strongly ordered memory */
                             | BIT(0); /* 1G block */