Received: by 2002:a05:7412:ba23:b0:fa:4c10:6cad with SMTP id jp35csp2105922rdb; Sun, 21 Jan 2024 07:39:12 -0800 (PST) X-Google-Smtp-Source: AGHT+IFks7Vd/JS2xFtVJuFYYbg9Vc5Pu5CxZXVoBJyVxYN6yTObHFg/ZCxwPfrmqrOIznzhAqtY X-Received: by 2002:a05:600c:1f0b:b0:40e:a327:af28 with SMTP id bd11-20020a05600c1f0b00b0040ea327af28mr1032952wmb.115.1705851551956; Sun, 21 Jan 2024 07:39:11 -0800 (PST) Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id fi10-20020a170906da0a00b00a2adba36504si9798287ejb.927.2024.01.21.07.39.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 21 Jan 2024 07:39:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-32096-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@alien8.de header.s=alien8 header.b=A8KQKEVm; arc=fail (body hash mismatch); spf=pass (google.com: domain of linux-kernel+bounces-32096-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-32096-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alien8.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 8BFDE1F22ECF for ; Sun, 21 Jan 2024 15:39:11 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D1D9F2AF08; Sun, 21 Jan 2024 15:38:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (4096-bit key) header.d=alien8.de header.i=@alien8.de header.b="A8KQKEVm" Received: from mail.alien8.de (mail.alien8.de [65.109.113.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3F10938F83 for ; Sun, 21 Jan 2024 15:37:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=65.109.113.108 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705851480; cv=none; b=oA7ejzXtO1I5YQdb1HXF/r1IVbBM/W3vRCFkik1LAP1508vOyHIOwLNpimueQcWfd6lNH1Zs9ihbHlCDRZ7CnTjnVb6pJvT6LcXjTATkautMPe4wbrSYrmKoT8rnCokqSiUHChuZZnCMWCTUGaKu5Qwrq178qr1DjZ6hkZNeV8g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705851480; c=relaxed/simple; bh=sk89c5wAA9T/eEk0jssFTcZ1m2eTx2B+mBNMYr5joLc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=qQYTDKemioj9o1cAU940HrFq/3IO0ASYqEKd46wjXpnz9mLuAt5if52kE+mbV8LMjg6eSfH1JRlpgexFxoQj6GH93/AfUzKlYwOLNsYUIdAtswCUQVdSrhV5bOe94v7HonWjvG+I6FaFkZUqL/2LxWLRDARC05ak346aVPnmo7g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=alien8.de; spf=pass smtp.mailfrom=alien8.de; dkim=pass (4096-bit key) header.d=alien8.de header.i=@alien8.de header.b=A8KQKEVm; arc=none smtp.client-ip=65.109.113.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=alien8.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=alien8.de Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.alien8.de (SuperMail on ZX Spectrum 128k) with ESMTP id 7163540E01B2; Sun, 21 Jan 2024 15:37:55 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at mail.alien8.de Authentication-Results: mail.alien8.de (amavisd-new); dkim=pass (4096-bit key) header.d=alien8.de Received: from mail.alien8.de ([127.0.0.1]) by localhost (mail.alien8.de [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id QxjcWj3ZGZWC; Sun, 21 Jan 2024 15:37:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=alien8; t=1705851473; bh=zSxrQvmiuFKpwroAA+fwUMokTVMV35wjeMP3GTqLHvo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=A8KQKEVmmfyozyZtGrC0TCKQrRzZb0/O9wkh6sHG5V/j9vKmeBCQFYlhnqeKRyYgG ejyEAD6OD5tnuUhB7rzAGLwh9wR0r/4l6rd/I5RM9J8TWcFEcRNOk/HAzd2LGFm3SI 5TvRGICkNYeSIJSb3xREMYYmTRfOMUUfdPSHxLjr3hiCi6L3WQ8SpV7LA+fxM6t+k8 PVZ6GZr8zuVxsJCunRWtfIQ2zFZJtTs9BRWKtsmQNPCJ8Cg7froQPHW6SRMv4I7w7b niUX1q9UE6SfBW+gkvgBdOiMnBjNHWYaQwMAhX3a5kDmgqA+GseckbVgS3gGmDMAqF nY8OnUK4SpUq5dcVIjLWxKI3TDreLLL+P02n3TO4PumL/1q9lkZTWwJKs6yBvvcTuE 3dWeIuoCi5xT8NE2QSR2wXQQQJWcQ3brKMZaR91n/y1ZeODaaAEiSy/w3TCZ0f7Ub9 Dkv0Iutx6IrbjvW9NNiQligRVhFIH8ClnpLEwyz6kn/uU2TnbxW43r8Sh0U0Bm6KFu ZEOJJUIdne7C6PSXaTdqDnS8c9zBH/+oAmGcb4d0sy0AQ2RIcNdaymtltcM60I8UaA bliFNoNOl7f312tOpybQ3I530lF3TqHP2/Z3byBRpmq4/DqWjW8gULDqDudT9nPFQu BGtkzzAUp2OnQ5X0wrszQRcE= Received: from zn.tnic (pd953099d.dip0.t-ipconnect.de [217.83.9.157]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail.alien8.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id D96C740E0196; Sun, 21 Jan 2024 15:37:08 +0000 (UTC) Date: Sun, 21 Jan 2024 16:37:02 +0100 From: Borislav Petkov To: Ard Biesheuvel Cc: Kevin Loughlin , Thomas Gleixner , Ingo Molnar , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Andy Lutomirski , Peter Zijlstra , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt , Tom Lendacky , Michael Kelley , Pankaj Gupta , Stephen Rothwell , Arnd Bergmann , Steve Rutherford , Alexander Shishkin , Hou Wenlong , Vegard Nossum , Josh Poimboeuf , Yuntao Wang , Wang Jinchao , David Woodhouse , Brian Gerst , Hugh Dickins , Joerg Roedel , Randy Dunlap , Bjorn Helgaas , Dionna Glaze , Brijesh Singh , Michael Roth , "Kirill A. Shutemov" , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-coco@lists.linux.dev, Ashish Kalra , Andi Kleen , Adam Dunlap , Peter Gonda , Jacob Xu , Sidharth Telang Subject: Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code Message-ID: <20240121153702.GAZa06Hvt8b0hQ4LjR@fat_crate.local> References: <20240111223650.3502633-1-kevinloughlin@google.com> <20240115204634.GHZaWZqsVyU_fvn_RW@fat_crate.local> <20240117130557.GDZafQtfRyeVFbBUXA@fat_crate.local> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: On Sun, Jan 21, 2024 at 03:12:56PM +0100, Ard Biesheuvel wrote: > My preliminary conclusion confirms that the SEV code is quite > problematic in this regard (which is the reason for this patch, so we > already knew that, of course). So we can try to improve the situation gradually so that we don't break current usages. > TL;DR I think we will need a way to build certain objects with -fPIC > (as we do in other places and on other architectures), but we should > add instrumentation to ensure that these issues can be detected at > build time. The SEV boot code is especially tricky here as very few > people can even test it, No worries about that - us, the Google cloud folks, AWS and a bunch of others are people I could think of who could help out. :-) > so applying this patch and hoping that the compiler will never > generate reachable code paths that only work correctly when executed > via the ordinary kernel virtual mapping is not sufficient. .. > 1) > WARNING: modpost: vmlinux: section mismatch in reference: > startup_64_pi+0x33 (section: .pi.text) -> sme_enable (section: > .init.text) sme_enable() is in the 1:1 mapping TU arch/x86/mm/mem_encrypt_identity.c, see 1cd9c22fee3a ("x86/mm/encrypt: Move page table helpers into separate translation unit") so might as well move it to .pi.text The rest below look like they'd need more serious untangling. Btw, I just had another idea: we could remove -mcmodel=kernel from the build flags of the whole kernel once -fPIC is enabled so that gcc can be forced to do rIP-relative addressing. I'm being told the reason it doesn't allow mcmodel=kernel with -fPIC is only a matter of removing that check and that it *should* otherwise work but someone needs to try that. And then there are older gccs which we cannot fix. Thx. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette