Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Something seems wrong with ktrr #1

Open
onlinefchen opened this issue Aug 18, 2019 · 2 comments
Open

Something seems wrong with ktrr #1

onlinefchen opened this issue Aug 18, 2019 · 2 comments

Comments

@onlinefchen
Copy link

And it's seem's wrong for meltdown with krtt https://siguza.github.io/KTRR/
at el1 T1SZ is set to 25 :
first range from 0xffffff8000000000 eg:vbar_el1?
second range from 0xffffffc000000000 the rest_kernel ?
at el0 T1SZ is increased to 26:
ttbr_el1 from 0xffffffc000000000 to 0xffffffffffffffff
So at el0 it can meltdown to 0xffffffc000000000

Does this is the truth?
Seems vbar at 0xffffffc000000000 ~ 0xffffffffffffffff
and reset_kernel at 0xffffff8000000000 ~ 0xffffffc000000000
makes more sense?

Thanks
@Siguza
Copy link
Owner

Siguza commented Aug 19, 2019

I think what you don't see is that, for ttbr1_el1, when you change T1SZ, you also change the base address for translation.

Imagine if you had only 16-bit addresses - 14 bits for the page, and 2 bits for the page table index. That would give you a single L3 table with four entries, and under ttbr0_el1 it would be mapped like this:

- Index 0 -> 0x0000
- Index 1 -> 0x4000
- Index 2 -> 0x8000
- Index 3 -> 0xc000

And under ttbr1_el1 it would look like this:

- Index 0 -> 0xffffffffffff0000
- Index 1 -> 0xffffffffffff4000
- Index 2 -> 0xffffffffffff8000
- Index 3 -> 0xffffffffffffc000

So now when you reduce the address size to 15 bits (by adding one to T0SZ/T1SZ), with ttbr0 you just cut off the upper half of the address space:

- Index 0 -> 0x0000
- Index 1 -> 0x4000
- Index 2 -> not mapped anymore
- Index 3 -> not mapped anymore

But with ttbr1, you cut off the upper half and move the lower half to higher addresses:

- Index 0 -> 0xffffffffffff8000
- Index 1 -> 0xffffffffffffc000
- Index 2 -> not mapped anymore
- Index 3 -> not mapped anymore

So with the Spectre mitigation, in EL0 you have an address space that only has the vbar page mapped, at 0xffffffc000000000. But when you switch to EL1, that moves down to 0xffffff8000000000, because that's simply what happens when the base address of ttbr1 changes.

Hope that answers your question.

@onlinefchen
Copy link
Author

But in your post:

They split the kernel’s address space into two ranges. The first conatining only the bare minimum >to switch between EL0 and EL1, the second containing the entire rest of the kernel.
At boot, T1SZ is set to 25, thus mapping the first range at 0xffffff8000000000 and the second >one at 0xffffffc000000000 (for comparison, the unslid kernel base is 0xfffffff007004000).

I mean here is the vbar should be the second not the first. Do we agree?

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Siguza @onlinefchen