.. SPDX-License-Identifier: GPL-2.0-or-later

==========================================
DEXCR (Dynamic Execution Control Register)
==========================================

Overview
========

The DEXCR is a privileged special purpose register (SPR) introduced in
PowerPC ISA 3.1B (Power10) that allows per-cpu control over several dynamic
execution behaviours. These behaviours include speculation (e.g., indirect
branch target prediction) and enabling return-oriented programming (ROP)
protection instructions.

The execution control is exposed in hardware as up to 32 bits ('aspects') in
the DEXCR. Each aspect controls a certain behaviour, and can be set or cleared
to enable/disable the aspect. There are several variants of the DEXCR for
different purposes:

DEXCR
    A privileged SPR that can control aspects for userspace and kernel space
HDEXCR
    A hypervisor-privileged SPR that can control aspects for the hypervisor and
    enforce aspects for the kernel and userspace.
UDEXCR
    An optional ultravisor-privileged SPR that can control aspects for the ultravisor.

Userspace can examine the current DEXCR state using a dedicated SPR that
provides a non-privileged read-only view of the userspace DEXCR aspects.
There is also an SPR that provides a read-only view of the hypervisor enforced
aspects, which ORed with the userspace DEXCR view gives the effective DEXCR
state for a process.


Configuration
=============

The DEXCR is currently unconfigurable. All threads are run with the
NPHIE aspect enabled.


coredump and ptrace
===================

The userspace values of the DEXCR and HDEXCR (in this order) are exposed under
``NT_PPC_DEXCR``. These are each 64 bits and readonly, and are intended to
assist with core dumps. The DEXCR may be made writable in future. The top 32
bits of both registers (corresponding to the non-userspace bits) are masked off.

If the kernel config ``CONFIG_CHECKPOINT_RESTORE`` is enabled, then
``NT_PPC_HASHKEYR`` is available and exposes the HASHKEYR value of the process
for reading and writing. This is a tradeoff between increased security and
checkpoint/restore support: a process should normally have no need to know its
secret key, but restoring a process requires setting its original key. The key
therefore appears in core dumps, and an attacker may be able to retrieve it from
a coredump and effectively bypass ROP protection on any threads that share this
key (potentially all threads from the same parent that have not run ``exec()``).
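
The following is an added example, not part of the kernel documentation or the kernel sources: a C routine that walks the raw contents of a core dump's PT_NOTE segment, decodes ``NT_PPC_DEXCR`` as laid out above, and flags whether ``NT_PPC_HASHKEYR`` is present so that dumps carrying the key can be handled as sensitive. The note type values and the NPHIE mask are taken from the kernel headers; ``struct dexcr_report``, ``scan_notes``, ``rd`` and the sample bytes are constructed for illustration, and when several threads are present the last ``NT_PPC_DEXCR`` note wins.

```c
#include <stdint.h>
#include <string.h>
#define NT_PPC_DEXCR    0x111        /* note types from the kernel's uapi elf.h */
#define NT_PPC_HASHKEYR 0x112
#define DEXCR_PR_NPHIE  0x04000000u  /* NPHIE aspect bit, from the kernel's asm/reg.h */
struct dexcr_report {
    int has_dexcr, has_hashkeyr, nphie;   /* has_hashkeyr: the key is in this dump */
    uint64_t dexcr, hdexcr;
};
static const uint8_t sample_notes[] = {   /* constructed, little-endian */
    6,0,0,0, 16,0,0,0, 0x11,1,0,0, 'L','I','N','U','X',0,0,0,   /* NT_PPC_DEXCR */
    0,0,0,4,0,0,0,0, 0,0,0,0x10,0,0,0,0,                        /* DEXCR, HDEXCR */
    6,0,0,0, 8,0,0,0, 0x12,1,0,0, 'L','I','N','U','X',0,0,0,    /* NT_PPC_HASHKEYR */
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,                    /* placeholder key */
};

static uint64_t rd(const uint8_t *p, size_t n, int be)  /* be != 0: big-endian dump */
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[be ? i : n - 1 - i];
    return v;
}

/* Walk raw PT_NOTE contents; 0 on success, -1 if a note runs past the segment. */
int scan_notes(const uint8_t *buf, size_t len, int be, struct dexcr_report *r)
{
    size_t off = 0;
    memset(r, 0, sizeof(*r));
    while (len - off >= 12) {
        uint64_t namesz = rd(buf + off, 4, be), descsz = rd(buf + off + 4, 4, be);
        uint64_t type = rd(buf + off + 8, 4, be);
        uint64_t npad = (namesz + 3) & ~3ull, dpad = (descsz + 3) & ~3ull;
        if (npad > len - off - 12 || dpad > len - off - 12 - npad)
            return -1;
        const uint8_t *name = buf + off + 12, *desc = name + npad;
        off += 12 + npad + dpad;
        if (namesz != 6 || memcmp(name, "LINUX", 6) != 0)
            continue;
        if (type == NT_PPC_HASHKEYR)
            r->has_hashkeyr = 1;          /* flag only; the key is not read */
        if (type != NT_PPC_DEXCR || descsz != 16)
            continue;
        r->has_dexcr = 1;
        r->dexcr = rd(desc, 8, be);       /* DEXCR first, */
        r->hdexcr = rd(desc + 8, 8, be);  /* then HDEXCR */
        r->nphie = ((r->dexcr | r->hdexcr) & DEXCR_PR_NPHIE) != 0;
    }
    return off == len ? 0 : -1;
}
```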