DEXCR (Dynamic Execution Control Register)¶
Overview¶
The DEXCR is a privileged special purpose register (SPR) introduced inPowerPC ISA 3.1B (Power10) that allows per-cpu control over several dynamicexecution behaviours. These behaviours include speculation (e.g., indirectbranch target prediction) and enabling return-oriented programming (ROP)protection instructions.
The execution control is exposed in hardware as up to 32 bits (‘aspects’) inthe DEXCR. Each aspect controls a certain behaviour, and can be set or clearedto enable/disable the aspect. There are several variants of the DEXCR fordifferent purposes:
- DEXCR
A privileged SPR that can control aspects for userspace and kernel space
- HDEXCR
A hypervisor-privileged SPR that can control aspects for the hypervisor andenforce aspects for the kernel and userspace.
- UDEXCR
An optional ultravisor-privileged SPR that can control aspects for the ultravisor.
Userspace can examine the current DEXCR state using a dedicated SPR thatprovides a non-privileged read-only view of the userspace DEXCR aspects.There is also an SPR that provides a read-only view of the hypervisor enforcedaspects, which ORed with the userspace DEXCR view gives the effective DEXCRstate for a process.
Configuration¶
prctl¶
A process can control its own userspace DEXCR value using thePR_PPC_GET_DEXCR andPR_PPC_SET_DEXCR pair ofprctl(2) commands. These calls have the form:
prctl(PR_PPC_GET_DEXCR, unsigned long which, 0, 0, 0);prctl(PR_PPC_SET_DEXCR, unsigned long which, unsigned long ctrl, 0, 0);
The possible ‘which’ and ‘ctrl’ values are as follows. Note there is no relationbetween the ‘which’ value and the DEXCR aspect’s index.
| Aspect name | Aspect index |
|---|---|---|
| Speculative Branch Hint Enable (SBHE) | 0 |
| Indirect Branch Recurrent Target Prediction Disable (IBRTPD) | 3 |
| Subroutine Return Address Prediction Disable (SRAPD) | 4 |
| Non-Privileged Hash Instruction Enable (NPHIE) | 5 |
| Meaning |
|---|---|
| This aspect can be configured with PR_PPC_SET_DEXCR (get only) |
| This aspect is set / set this aspect |
| This aspect is clear / clear this aspect |
| This aspect will be set after exec / set this aspect after exec |
| This aspect will be clear after exec / clear this aspect after exec |
Note that
which is a plain value, not a bitmask. Aspects must be worked with individually.
ctrl is a bitmask.
PR_PPC_GET_DEXCRreturns both the current and onexecconfiguration. For example,PR_PPC_GET_DEXCRmay returnPR_PPC_DEXCR_CTRL_EDITABLE|PR_PPC_DEXCR_CTRL_SET|PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC. This would indicate the aspect is currentlyset, it will be cleared when you run exec, and you can change this with thePR_PPC_SET_DEXCRprctl.The set/clear terminology refers to setting/clearing the bit in the DEXCR.For example:
prctl(PR_PPC_SET_DEXCR, PR_PPC_DEXCR_IBRTPD, PR_PPC_DEXCR_CTRL_SET, 0, 0);
will set the IBRTPD aspect bit in the DEXCR, causing indirect branch predictionto be disabled.
The status returned by
PR_PPC_GET_DEXCRrepresents what value the processwould like applied. It does not include any alternative overrides, such as ifthe hypervisor is enforcing the aspect be set. To see the true DEXCR statesoftware should read the appropriate SPRs directly.The aspect state when starting a process is copied from the parent’s state onfork(2). The state is reset to a fixed value onexecve(2). The PR_PPC_SET_DEXCR
prctl()can control both of thesevalues.The
*_ONEXECcontrols do not change the current process’s DEXCR.
UsePR_PPC_SET_DEXCR with one ofPR_PPC_DEXCR_CTRL_SET orPR_PPC_DEXCR_CTRL_CLEAR to edit a given aspect.
Common error codes for both getting and setting the DEXCR are as follows:
Error | Meaning |
|---|---|
| The DEXCR is not supported by the kernel. |
| The aspect is not recognised by the kernel or not supported by thehardware. |
PR_PPC_SET_DEXCR may also report the following error codes:
Error | Meaning |
|---|---|
| The ctrl value contains unrecognised flags. |
| The ctrl value contains mutually conflicting flags (e.g., |
| This aspect cannot be modified with |
| The process does not have sufficient privilege to perform the operation.For example, clearing NPHIE on exec is a privileged operation (a processcan still clear its own NPHIE aspect without privileges). |
This interface allows a process to control its own DEXCR aspects, and also setthe initial DEXCR value for any children in its process tree (up to the nextchild to use an*_ONEXEC control). This allows fine-grained control over thedefault value of the DEXCR, for example allowing containers to run with differentdefault values.
coredump and ptrace¶
The userspace values of the DEXCR and HDEXCR (in this order) are exposed underNT_PPC_DEXCR. These are each 64 bits and readonly, and are intended toassist with core dumps. The DEXCR may be made writable in future. The top 32bits of both registers (corresponding to the non-userspace bits) are masked off.
If the kernel configCONFIG_CHECKPOINT_RESTORE is enabled, thenNT_PPC_HASHKEYR is available and exposes the HASHKEYR value of the processfor reading and writing. This is a tradeoff between increased security andcheckpoint/restore support: a process should normally have no need to know itssecret key, but restoring a process requires setting its original key. The keytherefore appears in core dumps, and an attacker may be able to retrieve it froma coredump and effectively bypass ROP protection on any threads that share thiskey (potentially all threads from the same parent that have not runexec()).