From: Ralf Ramsauer
To: Jan Kiszka, Borislav Petkov, x86@kernel.org, jailhouse-dev@googlegroups.com, linux-kernel@vger.kernel.org
Cc: Ingo Molnar, "H . Peter Anvin", Ralf Ramsauer
Subject: [PATCH v5 1/2] x86/jailhouse: improve setup data version comparison
Date: Mon, 7 Oct 2019 14:38:18 +0200
Message-Id: <20191007123819.161432-2-ralf.ramsauer@oth-regensburg.de>
In-Reply-To: <20191007123819.161432-1-ralf.ramsauer@oth-regensburg.de>
References: <20191007123819.161432-1-ralf.ramsauer@oth-regensburg.de>

We will soon introduce a new setup_data version and extend the structure.
This requires some preparational work for the sanity check of the header
and the check of the version.

Use the following strategy:

1. Ensure that the header declares at least enough space for the version
   and the compatible_version as we must hold those fields for any version.
   Furthermore, the location and semantics of those fields will never
   change.

2. Copy over data -- as much as we can. The length is either limited by
   the header length, or the length of setup_data.

3. Things are now in place -- sanity check if the header length complies
   with the actual version.

For future versions of the setup_data, only step 3 requires alignment.

Signed-off-by: Ralf Ramsauer
Reviewed-by: Jan Kiszka
--- arch/x86/include/uapi/asm/bootparam.h | 22 +++++++----- arch/x86/kernel/jailhouse.c | 50 +++++++++++++++++---------- 2 files changed, 44 insertions(+), 28 deletions(-) diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h index c895df5482c5..43be437c9c71 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -139,15 +139,19 @@ struct boot_e820_entry { * setup data structure. */ struct jailhouse_setup_data { - __u16 version; - __u16 compatible_version; - __u16 pm_timer_address; - __u16 num_cpus; - __u64 pci_mmconfig_base; - __u32 tsc_khz; - __u32 apic_khz; - __u8 standard_ioapic; - __u8 cpu_ids[255]; + struct { + __u16 version; + __u16 compatible_version; + } __attribute__((packed)) hdr; + struct { + __u16 pm_timer_address; + __u16 num_cpus; + __u64 pci_mmconfig_base; + __u32 tsc_khz; + __u32 apic_khz; + __u8 standard_ioapic; + __u8 cpu_ids[255]; + } __attribute__((packed)) v1; } __attribute__((packed)); /* The so-called "zeropage" */ diff --git a/arch/x86/kernel/jailhouse.c b/arch/x86/kernel/jailhouse.c index 3ad34f01de2a..b9647add0063 100644 --- a/arch/x86/kernel/jailhouse.c +++ b/arch/x86/kernel/jailhouse.c 
@@ -22,6 +22,8 @@ #include static __initdata struct jailhouse_setup_data setup_data; +#define SETUP_DATA_V1_LEN (sizeof(setup_data.hdr) + sizeof(setup_data.v1)) + static unsigned int precalibrated_tsc_khz; static uint32_t jailhouse_cpuid_base(void) @@ -45,7 +47,7 @@ static void jailhouse_get_wallclock(struct timespec64 *now) static void __init jailhouse_timer_init(void) { - lapic_timer_period = setup_data.apic_khz * (1000 / HZ); + lapic_timer_period = setup_data.v1.apic_khz * (1000 / HZ); } static unsigned long jailhouse_get_tsc(void) @@ -88,14 +90,14 @@ static void __init jailhouse_get_smp_config(unsigned int early) register_lapic_address(0xfee00000); - for (cpu = 0; cpu < setup_data.num_cpus; cpu++) { - generic_processor_info(setup_data.cpu_ids[cpu], + for (cpu = 0; cpu < setup_data.v1.num_cpus; cpu++) { + generic_processor_info(setup_data.v1.cpu_ids[cpu], boot_cpu_apic_version); } smp_found_config = 1; - if (setup_data.standard_ioapic) { + if (setup_data.v1.standard_ioapic) { mp_register_ioapic(0, 0xfec00000, gsi_top, &ioapic_cfg); /* Register 1:1 mapping for legacy UART IRQs 3 and 4 */ @@ -126,9 +128,9 @@ static int __init jailhouse_pci_arch_init(void) pcibios_last_bus = 0xff; #ifdef CONFIG_PCI_MMCONFIG - if (setup_data.pci_mmconfig_base) { + if (setup_data.v1.pci_mmconfig_base) { pci_mmconfig_add(0, 0, pcibios_last_bus, - setup_data.pci_mmconfig_base); + setup_data.v1.pci_mmconfig_base); pci_mmcfg_arch_init(); } #endif @@ -139,6 +141,7 @@ static int __init jailhouse_pci_arch_init(void) static void __init jailhouse_init_platform(void) { u64 pa_data = boot_params.hdr.setup_data; + unsigned long setup_data_len; struct setup_data header; void *mapping; 
@@ -163,16 +166,8 @@ static void __init jailhouse_init_platform(void) memcpy(&header, mapping, sizeof(header)); early_memunmap(mapping, sizeof(header)); - if (header.type == SETUP_JAILHOUSE && - header.len >= sizeof(setup_data)) { - pa_data += offsetof(struct setup_data, data); - - mapping = early_memremap(pa_data, sizeof(setup_data)); - memcpy(&setup_data, mapping, sizeof(setup_data)); - early_memunmap(mapping, sizeof(setup_data)); - + if (header.type == SETUP_JAILHOUSE) break; - } pa_data = header.next; } @@ -180,13 +175,26 @@ static void __init jailhouse_init_platform(void) if (!pa_data) panic("Jailhouse: No valid setup data found"); - if (setup_data.compatible_version > JAILHOUSE_SETUP_REQUIRED_VERSION) - panic("Jailhouse: Unsupported setup data structure"); + /* setup data must at least contain the header */ + if (header.len < sizeof(setup_data.hdr)) + goto unsupported; - pmtmr_ioport = setup_data.pm_timer_address; + pa_data += offsetof(struct setup_data, data); + setup_data_len = min(sizeof(setup_data), (unsigned long)header.len); + mapping = early_memremap(pa_data, setup_data_len); + memcpy(&setup_data, mapping, setup_data_len); + early_memunmap(mapping, setup_data_len); + + if (setup_data.hdr.version == 0 || + setup_data.hdr.compatible_version != + JAILHOUSE_SETUP_REQUIRED_VERSION || + (setup_data.hdr.version >= 1 && header.len < SETUP_DATA_V1_LEN)) + goto unsupported; + + pmtmr_ioport = setup_data.v1.pm_timer_address; pr_debug("Jailhouse: PM-Timer IO Port: %#x\n", pmtmr_ioport); - precalibrated_tsc_khz = setup_data.tsc_khz; + precalibrated_tsc_khz = setup_data.v1.tsc_khz; setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); pci_probe = 0; @@ -196,6 +204,10 @@ static void __init jailhouse_init_platform(void) * are none in a non-root cell. */ disable_acpi(); + return; + +unsupported: + panic("Jailhouse: Unsupported setup data structure"); } bool jailhouse_paravirt(void) -- 2.23.0
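Review bot: In the bootparam.h hunk, moving the members into `hdr` and `v1` renames every field of `struct jailhouse_setup_data` in a uapi header, and the commit message does not say so. The byte layout is unchanged because the two inner structs and the outer one are all packed, but any other user of this header that accesses `version` or `num_cpus` directly will stop compiling, so the changelog should mention the rename. A comment on `hdr` recording the guarantee from the commit message, that the location and semantics of `version` and `compatible_version` never change, would keep that rule next to the definition.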
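Review bot: In the jailhouse_get_smp_config() hunk, the loop `for (cpu = 0; cpu < setup_data.v1.num_cpus; cpu++)` indexes `cpu_ids[cpu]` with no upper bound, while `num_cpus` is a `__u16` and `cpu_ids` has 255 entries. These lines are being touched anyway and the patch is about sanity-checking setup data, so consider rejecting or clamping `num_cpus` against ARRAY_SIZE(setup_data.v1.cpu_ids), either here or alongside the version check in jailhouse_init_platform().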
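Review bot: In the setup_data walk in jailhouse_init_platform() (hunk at -163,16), dropping the `header.len >= sizeof(setup_data)` condition means the loop now stops at the first SETUP_JAILHOUSE entry whatever its length; before, an entry that was too short was skipped and the walk continued with `header.next`. A short entry now ends in the "Unsupported setup data structure" panic instead of "No valid setup data found". That looks intended, but it is a behaviour change and the commit message should state it.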
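Review bot: In the version check (hunk at -180,13), the comparison changes from `compatible_version > JAILHOUSE_SETUP_REQUIRED_VERSION` to `!=`, so setup data declaring a lower compatible_version, which the old code accepted, now panics. The commit message describes only the length handling, so either explain why the stricter test is wanted or keep `>`. Two smaller points in the same hunk: `min(sizeof(setup_data), (unsigned long)header.len)` reads better as min_t(unsigned long, ...), and the result of early_memremap() is passed to memcpy() without a NULL check.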