Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp123016ybm; Tue, 26 May 2020 12:20:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwmbJxckp6QZ0ltmvpUzwzM/6KY1GO/sRuoj568OoP9RipyVoevTkOVNhf0BioTS2A3Imz0 X-Received: by 2002:a50:ee1a:: with SMTP id g26mr20836706eds.18.1590520845642; Tue, 26 May 2020 12:20:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590520845; cv=none; d=google.com; s=arc-20160816; b=zr0U1wGSTqXK0W4U/jwV89BXtKD0pUPfexEIPgV+uymjrHAABSnH7+CFj0BcI6WGua BlWMVEX+l8mxcQxmF6KaqsDVv7c/J+LxB6JmKU29PkboDB/KRgWh+gCyZm91SK42+zgY TEbaxZEx4525AOzvyuCi8RXosNmk5QBKSuVbEiHOWDhrw0m+M3VNOPz6bEVRqbjc7aDn ZD55b4i1acA+gtXRde3Gu+bvjyzMafCn6L/y30MMbXLglOuZRTD5IHAfnlS4H9JQMvr4 70XOjzvvPaxBf4U0LoRpppn90WIYOlZe9TyHoRtntbIN5uq/dR5zG/Y+1zvaRRdb3964 u0kA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:date:from :dkim-signature; bh=AGRR8LANYx1vusOdI6o+XaJhETZ0bUiJLjthC+zTia0=; b=Za+onLxRir32S020W1I2xCgOWlJRVrdqvoSWmpF91KF9jOSp241TZuqRL/0M2u5UmU 2aqLdBtE8ZMEYcwFfnr6LxEsRGebpoR+9s8Gp7nRhjk4RzrEswvu1l339GUPpr4PlgBC UzFutyURsKh1VkTtQCAWnYb5SFPW1OSSMp3ZRhpGtaU4hpJbADikEfsIxefhPTXyEa5h R35tJNdHeZKP1cxUPhJLwcu1vC/bEqyyySm/7kpVoqmW7l1C23LQESA5Fq1oJP5+jVfV w2amIG7k8n+xarUuNfh9Dp2UHFOoeVgFBn5puAusYVTllC8Nrj4WTgth9rGOd9ze/+zQ inpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=GXiRcXq7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n23si443682eju.98.2020.05.26.12.20.22; Tue, 26 May 2020 12:20:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=GXiRcXq7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392340AbgEZTRu (ORCPT + 99 others); Tue, 26 May 2020 15:17:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34656 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404340AbgEZTOP (ORCPT ); Tue, 26 May 2020 15:14:15 -0400 Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 24202C03E96D for ; Tue, 26 May 2020 12:14:15 -0700 (PDT) Received: by mail-qk1-x744.google.com with SMTP id s1so21804360qkf.9 for ; Tue, 26 May 2020 12:14:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:date:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=AGRR8LANYx1vusOdI6o+XaJhETZ0bUiJLjthC+zTia0=; b=GXiRcXq7i/cErYLHCq2gWMPsKOylH2aGDJEIV7Uhwi9bH+Zw1q2xJ6HIHpg7h/RYh/ fu/kV5ovtxbDpl9I1XJp5tPbvjLeV2hGQM3UIdn+rUbWyfVuqMABnPDAkzhL7KKaPhNr /Uy75wCN01T3pYMtm4uAe0pbK69uImIgaDZSXxIhGj3Wo+PhoqilcAjODsxCUYFudx2b +84U/xXoYyEIoH5OGgATjHTPgW1k9XsbK7que7w3YRpe3foCZWTn6Iqgf512r5kx8uJm e0sYKjbtoAbxTnhev2hHBDT5TYW49rjlI0WyFFghepBqpFE86ad5dolsngXk6lk0iR4P ulKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:date:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to; bh=AGRR8LANYx1vusOdI6o+XaJhETZ0bUiJLjthC+zTia0=; b=DQ2pA96+ci6vJ9zeel+t2t0TnU+2eZd5lcjIJXwCOoUc93m5Ipyj0Y2hqQao68BOsI sdbJRSoJOUSv/8H0xJi5pHAS6C8zfG04BJBAYlSnx18s+J0h8odJwpqfAM2ubRWHRH2/ J9hxVAc32wlgbmsIyEybGFx9Fg7JVqhTkA7pwwv2KDynV9jWyy1usRYjnCdbBFD29ccB kFQ23F+VC6aRYgQoarREXW3J6na0GVUZ29edk6BryxjS0UX+uI7Bpdcm6u+kuHunlSVl bNi13uhsG2MktiY2LXD+J6BFM+jE09oLnKkg2oJydt1Q3f9FKHcmxjHeZbawo//KBifx wesg== X-Gm-Message-State: AOAM531JtrHt+5DtC97ogeVXl0le8oeCJoTVY2eFnRaJyrnijZ0q9GNK 4XpVvdTTbn3tK1TrQf20Jf4PAgye X-Received: by 2002:a05:620a:1261:: with SMTP id b1mr288614qkl.377.1590520454251; Tue, 26 May 2020 12:14:14 -0700 (PDT) Received: from rani.riverdale.lan ([2001:470:1f07:5f3::b55f]) by smtp.gmail.com with ESMTPSA id c17sm454252qtw.48.2020.05.26.12.14.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 May 2020 12:14:13 -0700 (PDT) From: Arvind Sankar X-Google-Original-From: Arvind Sankar Date: Tue, 26 May 2020 15:14:11 -0400 To: Fangrui Song Cc: Arvind Sankar , Ard Biesheuvel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , X86 ML , Nick Desaulniers , Dmitry Golovin , clang-built-linux , Masahiro Yamada , Daniel Kiper , Linux Kernel Mailing List Subject: Re: [PATCH v2 4/4] x86/boot: Check that there are no runtime relocations Message-ID: <20200526191411.GA2380966@rani.riverdale.lan> References: <20200524212816.243139-1-nivedita@alum.mit.edu> <20200525225918.1624470-5-nivedita@alum.mit.edu> <20200526151623.GB2190602@rani.riverdale.lan> <20200526171340.pdbautbix5ygdvgp@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200526171340.pdbautbix5ygdvgp@google.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 26, 2020 at 10:13:40AM -0700, Fangrui Song wrote: > > On 2020-05-26, Arvind Sankar wrote: > >On Tue, May 26, 2020 at 08:11:56AM +0200, Ard Biesheuvel wrote: > >> On Tue, 26 May 2020 at 00:59, Arvind Sankar wrote: > >> > # Compressed kernel should be built as PIE since it may be loaded at any > >> > # address by the bootloader. > >> > -KBUILD_LDFLAGS += $(call ld-option, -pie) $(call ld-option, --no-dynamic-linker) > >> > +KBUILD_LDFLAGS += -pie $(call ld-option, --no-dynamic-linker) > >> > >> Do we still need -pie linking with these changes applied? > >> > > > >I think it's currently not strictly necessary -- eg the 64bit kernel > >doesn't get linked as pie right now with LLD or old binutils. However, > >it is safer to do so to ensure that the result remains PIC with future > >versions of the linker. There are linker optimizations that can convert > >certain PIC instructions when PIE is disabled. While I think they > >currently all focus on eliminating indirection through the GOT (and thus > >wouldn't be applicable any more), > > There are 3 forms described by x86-64 psABI B.2 Optimize GOTPCRELX Relocations > > (1) movq foo@GOTPCREL(%rip), %reg -> leaq foo(%rip), %reg > (2) call *foo@GOTPCREL(%rip) -> nop; call foo > (3) jmp *foo@GOTPCREL(%rip) -> jmp foo; nop > > ld.bfd and gold perform (1) even for R_X86_64_GOTPCREL. LLD requires R_X86_64_[REX_]GOTPCRELX The psABI says (1) can be relaxed into mov $foo, %reg if PIC is disabled and foo lives below 4Gb. Similarly for the "test and binop" cases. Such a relaxation would produce code that's not PIC any more, and wouldn't boot. > > >it's easy to imagine that they could > >get extended to, for eg, convert > > leaq foo(%rip), %rax > >to > > movl $foo, %eax > >with some nop padding, etc. > > Not with NOP padding, but probably with instruction prefixes. It is > unclear the rewriting will be beneficial. Rewriting instructions definitely requires a > dedicated relocation type like R_X86_64_[REX_]GOTPCRELX. It ought to be faster: according to Agner Fog's tables, upto 4x higher throughput than the RIP-relative LEA, and movq $foo, %rax is actually the same size. To take a step back, there isn't any *point* in not specifying -pie after these changes: it would be lying to the toolchain just for the sake of lying. It is inherently fragile, and would work only because the toolchain isn't sophisticated enough to do some optimizations. Eg, consider that if you ask for the address of an external function, the compiler will generate movq f@GOTPCREL(%rip), %reg if f has default visibility, and leaq f(%rip), %reg if f has hidden visibility. If you then link without -pie, the former gets relaxed into the non-PIC movq $f, %reg by the BFD linker, but the latter isn't relaxed. This is a missed optimization, which happens because there's the GOTPCRELX to tell the linker that the first form can be relaxed, and there's no special relaxable relocation type for the second form. The 64-bit kernel actually contains one of these relocations, prior to Ard's patches to add hiddden visibility for everything. It currently works with LLD (which can't use -pie) only because LLD doesn't appear to perform the relaxation of movq f@GOTPCREL(%rip), %reg all the way to movq $f, %reg Binutils-2.34, which does do that relaxation, produces an unbootable kernel if you leave out the -pie. > > >Also, the relocation check that's being added here would only work with > >PIE linking.