Received: by 2002:a05:7412:8d1c:b0:fa:4c10:6cad with SMTP id bj28csp382275rdb; Wed, 17 Jan 2024 05:07:10 -0800 (PST) X-Google-Smtp-Source: AGHT+IE7zc6WvU5j6wN1WfPtuAM2JvF5zD7N8BJuNXA2gFNc4YP3rKS5uktYyR3Qb6RcGN9b1mY1 X-Received: by 2002:a2e:9c09:0:b0:2cc:bfd3:e206 with SMTP id s9-20020a2e9c09000000b002ccbfd3e206mr4231221lji.73.1705496830191; Wed, 17 Jan 2024 05:07:10 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705496830; cv=pass; d=google.com; s=arc-20160816; b=tggac55UAg2FUAd+UPjOH+cQU1BcQc+FJHb0AHvHlp2GWg0XIvR/cxT5i90wgmTUsf hpx8CvKYlchv3vL9gkHBAKJLiMe9hMnleCJSi21hcTJ+AMuLdyiyyiq5mdJCe6B5gZ7+ 90NJ8qDHGR1kcBv4JLY7coVA6W31dMOIKOAPyvOv4036nooD5kIJ5+epclTLWPzOipNR +LOpgpIwmxU2w7y/GHpuXTL6Fb7yqGsHNfTh71p+J986qc4iHcJWu0FQQJeNQy5HRY+m dKHqfy61quyJltCWeGVBuB0feanfcUrTmKbSFfMTwd9glBPkA7tu6j5vjfy0qh7ClI+k s1RQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=XtdEgP6dOqkMXgOKRwFSLg/wNuK24wOiZgQ/zzNNgN8=; fh=LrB8KlFvJTjdZZ+SBMiM3kDLhbB4gX2LHRYYQk3WP6c=; b=nPegla2XXH9YJaTm07PIOgvZ6EWxd/bBcPneQ00y9APUxmXj8HNd/OjRF2JGuzk2Gb nIVeBuB/TeAZJ/JZpRFqZKXUB4vop9yzuYqNuAYXMRd/XBFkXpauZcjQlcpdM3oH9jNr kk+Yu0sqMDffgANydv4Jkwz2a+6KS9O5i4DY/vsDiPZNcBaFDOVWc+IEGyOBFO6Qb9Yi /01vbkWv+Bb/WFwhkoJX1dYIC+3L0dJIFkhZ0kB4zRwLxnZYxEqvRANGQl+OIPkEGPBt Da3WcD8WEdbpwAScpeAEeB/T92EyyQw2hTULSxaYQjXNx9ZbMQxCAXhViIowjNVEIady agKA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@alien8.de header.s=alien8 header.b="EgN/ZODz"; arc=pass (i=1 spf=pass spfdomain=alien8.de dkim=pass dkdomain=alien8.de dmarc=pass fromdomain=alien8.de); spf=pass (google.com: domain of linux-kernel+bounces-29003-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-29003-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id z13-20020a05640235cd00b0055946277eafsi2975584edc.651.2024.01.17.05.07.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jan 2024 05:07:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-29003-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@alien8.de header.s=alien8 header.b="EgN/ZODz"; arc=pass (i=1 spf=pass spfdomain=alien8.de dkim=pass dkdomain=alien8.de dmarc=pass fromdomain=alien8.de); spf=pass (google.com: domain of linux-kernel+bounces-29003-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-29003-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id BD5331F24F9A for ; Wed, 17 Jan 2024 13:07:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A17771EB38; Wed, 17 Jan 2024 13:07:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (4096-bit key) header.d=alien8.de header.i=@alien8.de header.b="EgN/ZODz" Received: from mail.alien8.de (mail.alien8.de [65.109.113.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66B9B1DDC9 for ; Wed, 17 Jan 2024 13:06:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=65.109.113.108 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705496820; cv=none; b=sKrYxCoToF9Tx58rzAX9dx5i5ahE0FJVSE97h+1n17ewu3PWlYswLj1ethYBOMVXzRK+R45m5sTuJhsRRl20hsNd1AJocMKWHGX7RUqMx6wXsafAIaf9MUFaexHEABKm1vbWYCJWI0YATIi2xb2adRGcHZvNABE7Lry41VWzD6Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705496820; c=relaxed/simple; bh=+iccQ9RDRKo+U5kOojUc8XJKb8fhdLp9mgj0tdfmQ0k=; h=Received:X-Virus-Scanned:Received:DKIM-Signature:Received:Date: From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type: Content-Disposition:In-Reply-To; b=kpNu11zbrkvg5MfmwmyXyHedZcK4rCuWawsjqGWeJqjNdIC5ASclmPVr9xc1peCGjjOcVVTZFoMYVPOjKfsIBDc3o+nliGVgeS7hNk6aGZlDw284IZInuYQHY4BpcNg4g82By8eD9BYyOXHqP9fqWc7FT6gKn6+ZL8egpr5yaAc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=alien8.de; spf=pass smtp.mailfrom=alien8.de; dkim=pass (4096-bit key) header.d=alien8.de header.i=@alien8.de header.b=EgN/ZODz; arc=none smtp.client-ip=65.109.113.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=alien8.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=alien8.de Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.alien8.de (SuperMail on ZX Spectrum 128k) with ESMTP id 8187840E01F9; Wed, 17 Jan 2024 13:06:50 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at mail.alien8.de Authentication-Results: mail.alien8.de (amavisd-new); dkim=pass (4096-bit key) header.d=alien8.de Received: from mail.alien8.de ([127.0.0.1]) by localhost (mail.alien8.de [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 0UjbuZsisOSy; Wed, 17 Jan 2024 13:06:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=alien8; t=1705496808; bh=XtdEgP6dOqkMXgOKRwFSLg/wNuK24wOiZgQ/zzNNgN8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=EgN/ZODzUr25dK36lZC4hinfYq3WyZn7sM3FM0/QtznryZKJKHIYoRX5jYsKGU+TM wnpu4IxCGrerzDsmqTTP00384xIY9c1cB2YkT7fEFJ1Uv/TauCzURZQE/Pyn1jT0Xz XGLvvbNUz3Niw5zzGVJIDgzsnSa4yvYbeJR2XAlPlSTe2goswsySiC1crcxMn0I7V+ 86nzV6682Pos3k6D8iwZeN0QQPQLmXghfjOKU/s4t1JgTgVK1dcKGE1BxMNGjeM+y2 pSEhLepePpTPqscWXMLrzr2dyySlSY24YXeQ+p+7ATNaorcw3NeUFGuVeer1rFP349 /zREIybjklViYwKGK5Bwp9Vu+9CJ03NO+WRfM/TBZL3JGgL26gU7UuqqMyH/TyNdr6 qB2GUx+BqMrWy354WXbvpNPXoTzBjtLJFYZ6aFUi5BKDxF/8ep79xU7H3nPGR/v0Gx cQQeObpn5VA2YjUbZ5inPvbSerNXQtr1bQFy1JQ1s8EkY2i7H3xEd8bSil/fwzCIul h6MElaoZ5znMuv4CEbHC/sW03BZ5/daAl2qEVJwjrFOwNhK/MsqJ9bt6meUUKo0KuN 57fBl2DNO3Nkcc9VGpLTygX0Zf8FYEB9qubRYa+PLRlb0/igeW7Ef+krpNAIXx65R0 GFBWdqA3GAqJ0cyAjXak8Hjc= Received: from zn.tnic (pd9530f8c.dip0.t-ipconnect.de [217.83.15.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail.alien8.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id A7CC840E01A9; Wed, 17 Jan 2024 13:06:03 +0000 (UTC) Date: Wed, 17 Jan 2024 14:05:57 +0100 From: Borislav Petkov To: Ard Biesheuvel Cc: Kevin Loughlin , Thomas Gleixner , Ingo Molnar , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Andy Lutomirski , Peter Zijlstra , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt , Tom Lendacky , Michael Kelley , Pankaj Gupta , Stephen Rothwell , Arnd Bergmann , Steve Rutherford , Alexander Shishkin , Hou Wenlong , Vegard Nossum , Josh Poimboeuf , Yuntao Wang , Wang Jinchao , David Woodhouse , Brian Gerst , Hugh Dickins , Joerg Roedel , Randy Dunlap , Bjorn Helgaas , Dionna Glaze , Brijesh Singh , Michael Roth , "Kirill A. Shutemov" , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-coco@lists.linux.dev, Ashish Kalra , Andi Kleen , Adam Dunlap , Peter Gonda , Jacob Xu , Sidharth Telang Subject: Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code Message-ID: <20240117130557.GDZafQtfRyeVFbBUXA@fat_crate.local> References: <20240111223650.3502633-1-kevinloughlin@google.com> <20240115204634.GHZaWZqsVyU_fvn_RW@fat_crate.local> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: On Wed, Jan 17, 2024 at 11:59:14AM +0100, Ard Biesheuvel wrote: > Fully agree. All this fiddling with RIP relative references from C > code is going to be a maintenance burden going forward. Yah. > The proper way to do this is use PIC codegen for the objects that > matter. And we have arch/x86/mm/mem_encrypt_identity.c which is supposed to deal with stuff running from the ident mappings and PA == VA. We could put the rest of those special SEV things there or do a separate TU to be built using something like PIE_FLAGS, as in your patch. > I had a stab [0] at this a while ago (for the purpose of increasing > the KASLR range, which requires PIE linking) but I didn't pursue it in > the end. FWIW, that looks a lot more like a natural kernel code with __va_symbol() etc. Definitely better and we talked about it at some point already as it does ring a bell. > On arm64, we use a separate pseudo-namespace for code that can run > safely at any offset, using the __pi_ prefix (for Position > Independent). Using symbol prefixing at the linker level, we ensure > that __pi_ code can only call other __pi_ code, or code that has been > made available to it via an explicit __pi_ prefixed alias. (Happy to > elaborate more but we should find a smaller audience - your cc list is > a tad long). Perhaps this is something we should explore on x86 as > well (note that the EFI stub does something similar for architectures > that link the EFI stub into the core kernel rather than into the > decompressor) Grepping through the tree, is __pi_memcpy one example for that? It sure looks like it with the alias and all. From a quick scan, that is not that bad either. It gives you the clear distinction what that symbol is and who can call it. Thx. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette