Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp7778886rwl; Fri, 30 Dec 2022 14:40:34 -0800 (PST) X-Google-Smtp-Source: AMrXdXtdDU+2Gmh0soOwTGMNMaiaan2V+DiSpwJ+0QlidMXMf80bRCSjc/EcN6x3Q1KrEEIdKhoC X-Received: by 2002:a05:6402:538d:b0:487:2ce6:2b80 with SMTP id ew13-20020a056402538d00b004872ce62b80mr12322260edb.8.1672440034545; Fri, 30 Dec 2022 14:40:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672440034; cv=none; d=google.com; s=arc-20160816; b=Y4CsSCUj90uURI5/YsFybt4g6LYXyZePMhX1zVydwPycBlwHgddZ0iIqus+tTXeAYw DbezdEM5Ko/b4Xy2qPJ82SLAjgjH0kyRDX8/QZSfKKfH/+6jEYXJYZDNU+/uAif64Naw 7zGChFRuvUzzoeqv4uY/wU87nnLOLlBq6rOeSfHjLWZWTiAaYmsHl8jGX0S9wVHYu2/k +mn3qE06B5iQO3RVbnkTxAefKtHpSQ7pCZgFfmYa3tj35jx477leYmV5dy4w6Eemh+Ma YVjFhYE6oKTraUB40IPienJkR5TOHrQNtMl8NND+FKoPSIoNds0q8e+6/uOV7Kh76IPa vm/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:references:in-reply-to:user-agent:subject:cc:to:from :date:dkim-signature:dkim-filter; bh=5mHwRJkoGXPFOj6AeA/b5ADGAertCv6FWoM0j9lKKqY=; b=0LhPMqyVkqlybmcnQo9b75O48pueUiIdPrs7BVNYS/KFxvDpNXCh+zzngSw6BZfqCi UHgdpHmGOcNFEDWRZEUr2pQszSE63dAurK7a9wuHngjzP3vAE8MTjqSCNJwNgUDrbGMn RP/SJRhEipXUEB0InP80Gwthpn4NfnQ//U5+50V0GRX9dRaS4NoPcs3Z5vIfhMjxs91E Zc+c+cYwgish9LCroz2EMrKB8wNIUyuT6kz3b0o5RBNgNFZYrGZW8C+d+QQWgag3NCSZ anef/5LLXxtzXZAtUeh6GPTi5SWcfspkyMcBKUan2o7xiFtXPVjil8MDCFdyiUERnL2L Hi6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zytor.com header.s=2022120601 header.b="I6m/C03G"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dk25-20020a0564021d9900b00484a42c8233si11368367edb.444.2022.12.30.14.40.19; Fri, 30 Dec 2022 14:40:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zytor.com header.s=2022120601 header.b="I6m/C03G"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235490AbiL3V7A (ORCPT + 62 others); Fri, 30 Dec 2022 16:59:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229536AbiL3V65 (ORCPT ); Fri, 30 Dec 2022 16:58:57 -0500 Received: from mail.zytor.com (unknown [IPv6:2607:7c80:54:3::138]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5BBFE1CFE8 for ; Fri, 30 Dec 2022 13:58:56 -0800 (PST) Received: from [127.0.0.1] ([50.193.22.81]) (authenticated bits=0) by mail.zytor.com (8.17.1/8.17.1) with ESMTPSA id 2BULwdhn1419253 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Fri, 30 Dec 2022 13:58:40 -0800 DKIM-Filter: OpenDKIM Filter v2.11.0 mail.zytor.com 2BULwdhn1419253 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zytor.com; s=2022120601; t=1672437521; bh=5mHwRJkoGXPFOj6AeA/b5ADGAertCv6FWoM0j9lKKqY=; h=Date:From:To:CC:Subject:In-Reply-To:References:From; b=I6m/C03GS8+E25iheyQCyVkw8i6FbDwXumhf0zJmMDwhc9pfcFtFXbsclwH7xqxcy OV5iuevn4x9Ep/0FoiYh9pK4LRCA2I4LY/4DXqfFkFaJ+flRX9Neg8qmBgLvzjcXiQ VBlS22tCpkVY2/PplcRMyM9iY7K+RjFL3d26xuMShQJSfgfLa7aRV8QJC9X1l4PPK2 yWGAXpgWNu8ZvUKhaOr4SUQFPYbRnedWD5b+ml1uC/KMMqlOqEZUt0Q9QeRTuYnvwT Q5GpJIXzDvBk0Zz7/a38pOS+p0fcfRv/dlUQCnH1BzISEksRyMfzi2kIahrcA/1Kt4 nq4Jau4ML+Ecg== Date: Fri, 30 Dec 2022 13:58:39 -0800 From: "H. Peter Anvin" To: Borislav Petkov , "Jason A. Donenfeld" CC: pbonzini@redhat.com, ebiggers@kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org, qemu-devel@nongnu.org, ardb@kernel.org, kraxel@redhat.com, philmd@linaro.org Subject: =?US-ASCII?Q?Re=3A_=5BPATCH_qemu=5D_x86=3A_don=27t_let_decomp?= =?US-ASCII?Q?ressed_kernel_image_clobber_setup=5Fdata?= User-Agent: K-9 Mail for Android In-Reply-To: References: <6cab26b5-06ae-468d-ac79-ecdecb86ef07@linaro.org> <9188EEE9-2759-4389-B39E-0FEBBA3FA57D@zytor.com> Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RDNS_NONE,SPF_HELO_PASS, SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On December 30, 2022 11:54:11 AM PST, Borislav Petkov wrot= e: >On Fri, Dec 30, 2022 at 06:07:24PM +0100, Jason A=2E Donenfeld wrote: >> Look closer at the boot process=2E The compressed image is initially at >> 0x100000, but it gets relocated to a safer area at the end of >> startup_64: > >That is the address we're executing here from, rip here looks like 0x100x= xx=2E > >> /* >> * Copy the compressed kernel to the end of our buffer >> * where decompression in place becomes safe=2E >> */ >> pushq %rsi >> leaq (_bss-8)(%rip), %rsi >> leaq rva(_bss-8)(%rbx), %rdi > >when you get to here, it looks something like this: > > leaq (_bss-8)(%rip), %rsi # 0x9e7ff8 > leaq rva(_bss-8)(%rbx), %rdi # 0xc6eeff8 > >so the source address is that _bss thing and we copy=2E=2E=2E > >> movl $(_bss - startup_32), %ecx >> shrl $3, %ecx >> std > >=2E=2E=2E backwards since DF=3D1=2E > >Up to: > ># rsi =3D 0xffff8 ># rdi =3D 0xbe06ff8 > >Ok, so the source address is 0x100000=2E Good=2E > >> HOWEVER, qemu currently appends setup_data to the end of the >> compressed kernel image, > >Yeah, you mean the kernel which starts executing at 0x100000, i=2Ee=2E, t= hat part >which is compressed/head_64=2ES and which does the above and the relocati= on etc=2E > >> and this part isn't moved, and setup_data links aren't walked/relocated= =2E So >> that means the original address remains, of 0x100000=2E > >See above: when it starts copying the kernel image backwards to a higher >address, that last byte is at 0x9e7ff8 so I'm guessing qemu has put setup= _data >*after* that address=2E And that doesn't get copied ofc=2E > >So far, so good=2E > >Now later, we extract the compressed kernel created with the mkpiggy magi= c: > >input_data: >=2Eincbin "arch/x86/boot/compressed/vmlinux=2Ebin=2Egz" >input_data_end: > >by doing > >/* > * Do the extraction, and jump to the new kernel=2E=2E > */ > > pushq %rsi /* Save the real mode argument */= 0x13d00 > movq %rsi, %rdi /* real mode address */ 0x13d00 > leaq boot_heap(%rip), %rsi /* malloc area for uncompression = */ 0xc6ef000 > leaq input_data(%rip), %rdx /* input_data */ 0xbe073a8 > movl input_len(%rip), %ecx /* input_len */ 0x8cfe13 > movq %rbp, %r8 /* output target address */ 0x10= 00000 > movl output_len(%rip), %r9d /* decompressed length, end of re= locs */ > call extract_kernel /* returns kernel location in %ra= x */ > popq %rsi > >(actual addresses at the end=2E) > >Now, when you say you triplefault somewhere in initialize_identity_maps()= when >trying to access setup_data, then if you look a couple of lines before th= at call >we do > > call load_stage2_idt > >which sets up a boottime #PF handler do_boot_page_fault() and it actually= does >call kernel_add_identity_map() so *actually* it should map any unmapped >setup_data addresses=2E > >So why doesn't it do that and why do you triplefault? > >Hmmm=2E > See the other thread fork=2E They have identified the problem already=2E