References: <20200130200440.1796058-1-nivedita@alum.mit.edu> <20200202171353.3736319-1-nivedita@alum.mit.edu> <20200202171353.3736319-3-nivedita@alum.mit.edu>
In-Reply-To: <20200202171353.3736319-3-nivedita@alum.mit.edu>
From: Ard Biesheuvel
Date: Sun, 2 Feb 2020 18:54:48 +0100
Subject: Re: [PATCH v2 2/7] efi/x86: Don't depend on firmware GDT layout
To: Arvind Sankar
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", Ard Biesheuvel, linux-efi, "the arch/x86 maintainers", Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 2 Feb 2020 at 18:13, Arvind Sankar wrote:
>
> At handover entry in efi32_stub_entry, the firmware's GDT is still
> installed. We save the GDTR for later use in __efi64_thunk but we are
> assuming that descriptor 2 (__KERNEL_CS) is a valid 32-bit code segment
> descriptor and that descriptor 3 (__KERNEL_DS/__BOOT_DS) is a valid data
> segment descriptor.
>
> This happens to be true for OVMF (it actually uses descriptor 1 for data
> segments, but descriptor 3 is also set up as data), but we shouldn't
> depend on this being the case.
>
> Fix this by saving the code and data selectors in addition to the GDTR
> in efi32_stub_entry, and restoring them in __efi64_thunk before calling
> the firmware. The UEFI specification guarantees that selectors will be
> flat, so using the DS selector for all the segment registers should be
> enough.
>
> We also need to install our own GDT before initializing segment
> registers in startup_32, so move the GDT load up to the beginning of the
> function.
>
> Signed-off-by: Arvind Sankar

It might be useful to mention /somewhere/ in the commit log that this
applies to mixed mode

> ---
> arch/x86/boot/compressed/efi_thunk_64.S | 29 +++++++++++++++++++-----
> arch/x86/boot/compressed/head_64.S | 30 +++++++++++++++----------
> 2 files changed, 42 insertions(+), 17 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
> index 8fb7f6799c52..2b2049259619 100644
> --- a/arch/x86/boot/compressed/efi_thunk_64.S
> +++ b/arch/x86/boot/compressed/efi_thunk_64.S > @@ -54,11 +54,16 @@ SYM_FUNC_START(__efi64_thunk) > * Switch to gdt with 32-bit segments. This is the firmware GDT > * that was installed when the kernel started executing. This > * pointer was saved at the EFI stub entry point in head_64.S. > + * > + * Pass the saved DS selector to the 32-bit code, and use far return to > + * restore the saved CS selector. > */ > leaq efi32_boot_gdt(%rip), %rax > lgdt (%rax) > > - pushq $__KERNEL_CS > + movzwl efi32_boot_ds(%rip), %edx > + movzwq efi32_boot_cs(%rip), %rax > + pushq %rax > leaq efi_enter32(%rip), %rax > pushq %rax > lretq > @@ -73,6 +78,10 @@ SYM_FUNC_START(__efi64_thunk) > movl %ebx, %es > pop %rbx > movl %ebx, %ds > + /* Clear out 32-bit selector from FS and GS */ > + xorl %ebx, %ebx > + movl %ebx, %fs > + movl %ebx, %gs > > /* > * Convert 32-bit status code into 64-bit. > @@ -92,10 +101,12 @@ SYM_FUNC_END(__efi64_thunk) > * The stack should represent the 32-bit calling convention. > */ > SYM_FUNC_START_LOCAL(efi_enter32) > - movl $__KERNEL_DS, %eax > - movl %eax, %ds > - movl %eax, %es > - movl %eax, %ss > + /* Load firmware selector into data and stack segment registers */ > + movl %edx, %ds > + movl %edx, %es > + movl %edx, %fs > + movl %edx, %gs > + movl %edx, %ss > > /* Reload pgtables */ > movl %cr3, %eax > @@ -157,6 +168,14 @@ SYM_DATA_START(efi32_boot_gdt) > .quad 0 > SYM_DATA_END(efi32_boot_gdt) > > +SYM_DATA_START(efi32_boot_cs) > + .word 0 > +SYM_DATA_END(efi32_boot_cs) > + > +SYM_DATA_START(efi32_boot_ds) > + .word 0 > +SYM_DATA_END(efi32_boot_ds) > + > SYM_DATA_START(efi_gdt64) > .word efi_gdt64_end - efi_gdt64 > .long 0 /* Filled out by user */ > diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S > index bd44d89540d3..c56b30bd9c7b 100644 > --- a/arch/x86/boot/compressed/head_64.S > +++ b/arch/x86/boot/compressed/head_64.S 
> @@ -54,10 +54,6 @@ SYM_FUNC_START(startup_32) > */ > cld > cli > - movl $(__BOOT_DS), %eax > - movl %eax, %ds > - movl %eax, %es > - movl %eax, %ss > > /* > * Calculate the delta between where we were compiled to run > @@ -72,10 +68,20 @@ SYM_FUNC_START(startup_32) > 1: popl %ebp > subl $1b, %ebp > > + /* Load new GDT with the 64bit segments using 32bit descriptor */ > + addl %ebp, gdt+2(%ebp) > + lgdt gdt(%ebp) > + > + /* Load segment registers with our descriptors */ > + movl $__BOOT_DS, %eax > + movl %eax, %ds > + movl %eax, %es > + movl %eax, %fs > + movl %eax, %gs > + movl %eax, %ss > + > /* setup a stack and make sure cpu supports long mode. */ > - movl $boot_stack_end, %eax > - addl %ebp, %eax > - movl %eax, %esp > + leal boot_stack_end(%ebp), %esp > > call verify_cpu > testl %eax, %eax > @@ -112,10 +118,6 @@ SYM_FUNC_START(startup_32) > * Prepare for entering 64 bit mode > */ > > - /* Load new GDT with the 64bit segments using 32bit descriptor */ > - addl %ebp, gdt+2(%ebp) > - lgdt gdt(%ebp) > - > /* Enable PAE mode */ > movl %cr4, %eax > orl $X86_CR4_PAE, %eax > @@ -232,9 +234,13 @@ SYM_FUNC_START(efi32_stub_entry) > > movl %ecx, efi32_boot_args(%ebp) > movl %edx, efi32_boot_args+4(%ebp) > - sgdtl efi32_boot_gdt(%ebp) > movb $0, efi_is64(%ebp) > > + /* Save firmware GDTR and code/data selectors */ > + sgdtl efi32_boot_gdt(%ebp) > + movw %cs, efi32_boot_cs(%ebp) > + movw %ds, efi32_boot_ds(%ebp) > + > /* Disable paging */ > movl %cr0, %eax > btrl $X86_CR0_PG_BIT, %eax > -- > 2.24.1 >
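Review bot: in the first efi_thunk_64.S hunk (@@ -54,11 +54,16 @@ __efi64_thunk) the far return now pushes the CS selector saved in efi32_boot_cs, so the `lretq` only works when efi32_stub_entry has run first; the data block later in the same file initialises that word to 0, and a far return with a null CS faults. The `movzwq efi32_boot_cs(%rip), %rax` / `pushq %rax` pair deserves a one-line comment stating that __efi64_thunk is reached only on a mixed-mode boot (the same entry path that clears efi_is64), which is also the point raised above about the commit log.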
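Review bot: the second efi_thunk_64.S hunk (@@ -73,6 +78,10 @@) restores ES and DS from values saved on the stack but resets FS and GS to a null selector instead of restoring them; the asymmetry is deliberate (they were never saved, and efi_enter32 now loads the firmware selector into them, so they must not keep a selector from the 32-bit GDT after the switch back), but the comment "Clear out 32-bit selector from FS and GS" should say why a null selector is sufficient on the 64-bit side rather than only what is being done.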
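Review bot: the efi_enter32 hunk (@@ -92,10 +101,12 @@) consumes %edx as the firmware DS selector, but the only statement of that contract is the comment at the far-return site in __efi64_thunk; since efi_enter32 is entered through `lretq` with no other hand-off, please add a comment at the top of efi_enter32 ("%edx = DS selector saved at efi32_stub_entry") so a later change that reuses %edx before the `lretq` is caught. Also note that the same selector is loaded into %ss here, which is the concrete place where the commit message's "selectors will be flat" guarantee is relied upon; the comment "Load firmware selector into data and stack segment registers" could mention that.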
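Review bot: the data hunk (@@ -157,6 +168,14 @@) adds efi32_boot_cs and efi32_boot_ds as bare `.word 0` objects with no comment, while they are written by 32-bit code via %ebp-relative `movw` stores and read by 64-bit code via %rip-relative loads; a short comment naming the writer (efi32_stub_entry) and that the values are only meaningful when efi_is64 is 0 would make the lifetime of these words clear, matching the existing efi32_boot_gdt they sit beside.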
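Review bot: the first head_64.S hunk (@@ -54,10 +54,6 @@ startup_32) removes the early DS/ES/SS loads, so everything between `cli` and the new `lgdt` further down (in particular the call/pop sequence that computes %ebp, which pushes through the caller's SS) now runs on whatever segments the caller provided; that is the intended behaviour, but it is an assumption about the entry state that should be recorded in the comment above `cld`/`cli` rather than left implicit.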
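Review bot: the second head_64.S hunk (@@ -72,10 +68,20 @@) mixes an unrelated cleanup into the fix: replacing the three-instruction stack setup with `leal boot_stack_end(%ebp), %esp` is fine but has nothing to do with GDT ordering and would be easier to review as its own patch. On the fix itself, `addl %ebp, gdt+2(%ebp)` writes the GDT base through the caller's DS before the new descriptors are loaded, so the comment "Load new GDT with the 64bit segments using 32bit descriptor" should note that the relocation store still relies on the incoming DS being flat; the subsequent `movl %eax, %ss` immediately followed by the %esp load is the right order.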
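Review bot: in the efi32_stub_entry hunk (@@ -232,9 +234,13 @@) only %cs and %ds are saved, yet efi_enter32 later loads the saved DS into %ss (and %es, %fs, %gs) as well; the commit message justifies that with the UEFI flat-selector guarantee, but the code comment "Save firmware GDTR and code/data selectors" does not, so either state that assumption next to the `movw %ds, efi32_boot_ds(%ebp)` store or save %ss separately so the thunk restores exactly what the firmware had.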