Received: by 2002:a05:7412:8d09:b0:fa:4c10:6cad with SMTP id bj9csp315602rdb; Tue, 16 Jan 2024 00:37:08 -0800 (PST) X-Google-Smtp-Source: AGHT+IG/pevz4Rs65Gbm9i8oEl4VMC9YMOaKflFExSM52/qxlAHZ6OwCwoREDb1ndoH3HCkwHfyL X-Received: by 2002:a17:906:99ce:b0:a2c:ca5c:a546 with SMTP id s14-20020a17090699ce00b00a2cca5ca546mr6214707ejn.70.1705394227969; Tue, 16 Jan 2024 00:37:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1705394227; cv=none; d=google.com; s=arc-20160816; b=VzuBASZd4NYIs22eXnS8M2FLZdY+5MbrzhujiwOh4MmQKL7gEb1qrBYUhIUW64YQQv QUfJG/zQDVuuqUOXPenq+N9ezDHRs+5N0MlvWm+1D9WYkUNq7kWgUZx1rhbKCWypMchO yn41NDoGJ1HPEeSYSZNidkj0D7GILEK1aPC+f87V70oZTMhvhPT6Hhicu/ZWKFpOr6ZI sSByO7sUPdXzfpZb0E4OYgtvZ5adoH6TRMZt3VjDxIUq5Yr/wH9tm+WgQnkGt/tP7Ct2 nWv/OmzUaDmFg0LAXB57XuwMxW08UPV/ulSvKJTdYNMpus05gg4Rland50Vif1N+vzIA B9sQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :dkim-signature; bh=m2bFd0gTESHaDwzYd9CED16PBBw/U4++COBFEWFLItQ=; fh=n20MorCtWsYdrFFZRh9knjHu6oORm29Ywf9a4+SBvUE=; b=vVFt8syyegWeop6rnjix4T71g9Nxb+BH0ivlkXKtA4hy2iS3RW4t5tmiVO5B1g6idq oQsIKkaUcFaPX/MU58W0UEgfjT/s9N12tSivrdYa8nXVX3/iqDOs1mYBJkrC+56++Id3 qYMwiEwdT13Aix/OhxhI7p/iu2Zd8Gg4NtzRv56PLpzTlD7fiAvzpzMsS4rSbBqYCa1A 9XPlWMUiBPqCrjEFDy3vZPOqCMEBD8SUEey2qOsbNK+dhkyNJdv6F893iiVOeZtD3BZT VnIChJ1L4Fo0IiclW+W8pYX1bbBi1MdiX1YwKU7u+d547fFfqWXQZcDT97cYaR9e9UHt g3YQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TbDqMFLn; spf=pass (google.com: domain of linux-kernel+bounces-27131-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-27131-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id z22-20020a170906241600b00a2753f69882si4610414eja.807.2024.01.16.00.37.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Jan 2024 00:37:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-27131-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TbDqMFLn; spf=pass (google.com: domain of linux-kernel+bounces-27131-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-27131-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id B7AC81F24183 for ; Tue, 16 Jan 2024 08:37:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E57F211CBE; Tue, 16 Jan 2024 08:36:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TbDqMFLn" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0476411C83; Tue, 16 Jan 2024 08:36:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CFF18C43394; Tue, 16 Jan 2024 08:36:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1705394218; bh=+lJ5i0y7ZMZZ0xychi+D6Q1kWJaf02pcZFvyU9rjOuw=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=TbDqMFLnW6iJ8tdSJLfPklsFJGmtZ++wejycHlp7kEjfeSJhNc3Qt86nfQ22M8Nc1 coJHKsE3aWYiPc1k5vbqH0vO1qTQbcUJ5dM3f5yLcWTNc1S5eSFBumbFgzIvk4O4tO xf2rzTL+ZiYoAZOilX5VKwmQbW9dYRrfhG25oheGNE4js2utyaw0jUxDmhNHlEb0T2 IHdCLRWbwO11Gg8SnznND9t2Qo6X7f3kJx2DKbKqa4nzcJTD47KbDRDqRXohrhJQlG 0wdS3cCvsJGXV69DIt+4vpmruv71mOT1yqVNulwgGgILQBIB92O3+yPe11IQDlLaAt erToQmQmgQ4Gw== Received: by mail-lf1-f54.google.com with SMTP id 2adb3069b0e04-50eab4bf47aso8014952e87.0; Tue, 16 Jan 2024 00:36:58 -0800 (PST) X-Gm-Message-State: AOJu0Yxd8sPXKiVwSNry21e++m4AUJymGR65OJto28Ptrp38KqGqjFy9 pkkdcLsZlvb7Gbd0/mp7mPuTVl51XqR50JA/rzk= X-Received: by 2002:ac2:5f81:0:b0:50e:d5e0:716b with SMTP id r1-20020ac25f81000000b0050ed5e0716bmr4404662lfe.14.1705394216921; Tue, 16 Jan 2024 00:36:56 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <56b52d4e-9dc0-400c-a141-7e70f5c72afa@siemens.com> <578aae7c-4069-4071-ba4b-cc86d3b516c1@siemens.com> In-Reply-To: <578aae7c-4069-4071-ba4b-cc86d3b516c1@siemens.com> From: Ard Biesheuvel Date: Tue, 16 Jan 2024 09:36:45 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] riscv/efistub: Ensure GP-relative addressing is not used To: Jan Kiszka Cc: Palmer Dabbelt , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" On Tue, 16 Jan 2024 at 06:21, Jan Kiszka wrote: > > On 15.01.24 18:34, Ard Biesheuvel wrote: > > On Sat, 13 Jan 2024 at 11:35, Jan Kiszka wrote: > >> > >> On 12.01.24 19:56, Palmer Dabbelt wrote: > >>> On Fri, 12 Jan 2024 10:51:16 PST (-0800), Ard Biesheuvel wrote: > >>>> Hi Jan, > >>>> > >>>> On Fri, 12 Jan 2024 at 19:37, Jan Kiszka wrote: > >>>>> > >>>>> From: Jan Kiszka > >>>>> > >>>>> The cflags for the RISC-V efistub were missing -mno-relax, thus were > >>>>> under the risk that the compiler could use GP-relative addressing. That > >>>>> happened for _edata with binutils-2.41 and kernel 6.1, causing the > >>>>> relocation to fail due to an invalid kernel_size in handle_kernel_image. > >>>>> It was not yet observed with newer versions, but that may just be luck. > >>>>> > >>>>> Signed-off-by: Jan Kiszka > >>>>> --- > >>>>> > >>>>> Something like this should go to stable as well, but we will need > >>>>> rebased patches. > >>>>> > >>>>> drivers/firmware/efi/libstub/Makefile | 2 +- > >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>>>> > >>>>> diff --git a/drivers/firmware/efi/libstub/Makefile > >>>>> b/drivers/firmware/efi/libstub/Makefile > >>>>> index 06964a3c130f..d561d7de46a9 100644 > >>>>> --- a/drivers/firmware/efi/libstub/Makefile > >>>>> +++ b/drivers/firmware/efi/libstub/Makefile > >>>>> @@ -28,7 +28,7 @@ cflags-$(CONFIG_ARM) += -DEFI_HAVE_STRLEN > >>>>> -DEFI_HAVE_STRNLEN \ > >>>>> -DEFI_HAVE_MEMCHR > >>>>> -DEFI_HAVE_STRRCHR \ > >>>>> -DEFI_HAVE_STRCMP -fno-builtin > >>>>> -fpic \ > >>>>> $(call > >>>>> cc-option,-mno-single-pic-base) > >>>>> -cflags-$(CONFIG_RISCV) += -fpic -DNO_ALTERNATIVE > >>>>> +cflags-$(CONFIG_RISCV) += -fpic -DNO_ALTERNATIVE -mno-relax > >>>> > >>>> Can we detect the presence of these references (via the relocation > >>>> type)? We already do something similar for ordinary absolute > >>>> references too. > >>> > >>> If there's no `__global_pointer$` symbol then the linker won't make > >>> GP-relative relaxations (because it doesn't know where GP is). We > >>> usually define that symbol in the linker script, but I'm not entierly > >>> sure how libstub gets its linker script... > >>> > >> > >> The stub seems to be linked together with the rest of the kernel, thus > >> the regular arch/riscv/kernel/vmlinux.lds.S is used. > >> > > > > Indeed - the EFI stub is part of the same executable as vmlinux, we > > just mangle the symbol names to ensure that only code that can be > > safely called from the EFI stub can be linked to it. > > > > If the effect of -mno-relax is to stop emitting R_RISCV_RELAX > > relocations, we should perhaps add those to the STUBCOPY_RELOC-y > > Makefile variable? (in the same file). BTW R_RISCV_HI20 doesn't seem > > like the right value there to begin with: the idea of that is to > > disallow ELF relocations that evaluate to expressions that can only be > > known at runtime (like absolute addresses for global pointer > > variables) > > How to do that best? Simply replace R_RISCV_HI20 with R_RISCV_RELAX? > We'll need to keep the HI20, in fact - I got confused between HI20 and PCREL_HI20, and the former is actually used for 32-bit absolute addresses in 32-bit code. This seems to do the trick: it disallows relaxation relocations and native word sizes absolute references. AFAICT, those are the only ones we should care about. STUBCOPY_RELOC-$(CONFIG_RISCV) := -E R_RISCV_HI20\|R_RISCV_$(BITS)\|R_RISCV_RELAX