elfloader: Set Exec-Never for Device Memory

Type PTE. The ARM spec (ARM DDI 0487J.a) says on page B2-216 ("Aarch64 Application Level Memory Model"): "Hardware does not prevent speculative instruction fetches from a memory location with any of the Device memory attributes unless the memory location is also marked as execute-never for all Exception levels." and "Failure to mark a memory location with any Device memory attribute as execute-never for all Exception levels is a programming error." Similar statements can be found in the chapter about the Aarch32 Application Level Memory Model for aarch32 mode. Signed-off-by: Andy Bui <andy.bui@nio.io>
seL4 · Feb 25, 2024 · 16ea8ef · 16ea8ef
1 parent 0e0a99d
commit 16ea8ef
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/elfloader-tool/include/arch-arm/64/mode/aarch64.h b/elfloader-tool/include/arch-arm/64/mode/aarch64.h
@@ -63,3 +63,5 @@
 #define MT_NORMAL         4
 #define MT_NORMAL_WT      5
 #define MAIR(_attr, _mt)  ((_attr) << ((_mt) * 8))
+
+#define IS_DEV_MEM_INDEX(_idx) ((_idx) <= MT_DEVICE_GRE)
diff --git a/elfloader-tool/include/elfloader_common.h b/elfloader-tool/include/elfloader_common.h
@@ -14,7 +14,7 @@ typedef uintptr_t vaddr_t;
 
 #define PAGE_BITS           12
 
-#define BIT(x)              (1 << (x))
+#define BIT(x)              (1ul << (x))
 #define MASK(n)             (BIT(n) - 1)
 #define MIN(a, b)           (((a) < (b)) ? (a) : (b))
 #define IS_ALIGNED(n, b)    (!((n) & MASK(b)))

diff --git a/elfloader-tool/src/arch-arm/64/mmu.c b/elfloader-tool/src/arch-arm/64/mmu.c
@@ -142,14 +142,19 @@ static inline uint64_t make_pde_from_ptr(pte_t *pagetable_target)
     return make_pde(va_to_pa((uintptr_t)pagetable_target));
 }
 
-/* ARM DDI 0487I.a, section D8.5.2 */
+/* ARM DDI 0487J.a, section D8.5.2 */
 #define INNER_SHAREABLE   3
 static inline uint64_t make_pte(paddr_t pa, uint8_t mem_attr_index)
 {
-    /* Note: As per R_PYFVQ from the ARM spec, we can always safely set the
-     *       shareability to inner, even for device-type memory.
+    /* As per R_PYFVQ from the ARM spec, we can always safely set the shareability
+     * to inner, even for Device memory type.
+     * For exec-never bit(s), see Table D8-46 for EL2 translation regime (TR)
+     * and Table D8-45 for all others.
+     * PXN (bit 53) is RES0 for EL2 TR (Figure D8-16), so we simply always set it.
      */
-    return mask_pa(pa)
+    uint64_t xn = (IS_DEV_MEM_INDEX(mem_attr_index)) ? (BIT(54) | BIT(53)) : 0;
+    return xn
+           | mask_pa(pa)
            | BIT(10) /* access flag */
 #if CONFIG_MAX_NUM_NODES > 1
            | (INNER_SHAREABLE << 8)