Date: Mon, 29 Jan 2024 19:05:03 +0100
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel, Kevin Loughlin, Tom Lendacky, Dionna Glaze, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Nathan Chancellor, Nick Desaulniers, Justin Stitt, Kees Cook, Brian Gerst, linux-arch@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v3 00/19] x86: Confine early 1:1 mapped startup code
Message-ID: <20240129180502.4069817-21-ardb+git@google.com>
X-Mailer: git-send-email 2.43.0.429.g432eaa2c6b-goog

This is a follow-up to my RFC [0] that proposed to build the entire core
kernel with -fPIC, to reduce the likelihood that code that runs extremely
early from the 1:1 mapping of memory will misbehave.

This is needed to address reports that SEV boot on Clang-built kernels is
broken, due to the fact that this early code attempts to access virtual
kernel addresses that are not mapped yet. Kevin has suggested some
workarounds to this [1] but this is really something that requires a more
rigorous approach, rather than addressing a couple of symptoms of the
underlying defect.

As it turns out, the use of -fPIE for the entire kernel is neither
necessary nor sufficient, and has its own set of problems, including the
fact that the PIE small C code model uses FS rather than GS for the
per-CPU register, and only recent GCC and Clang versions permit this to be
overridden on the command line. But the real problem is that even position
independent code is not guaranteed to execute correctly at any offset
unless all statically initialized pointer variables use the same
translation as the code.

So instead, this v2 and later propose another solution, taking the
following approach:

- clean up and refactor the startup code so that the primary startup code
  executes from the 1:1 mapping but nothing else;
- define a new text section type .pi.text and enforce that it can only call
  into other .pi.text sections;
- (tbd) require that objects containing .pi.text sections are built with
  -fPIC, and disallow any absolute references from such objects.
The latter point is not implemented yet in this v3, but this could be done
rather straightforwardly. (The EFI stub already does something similar
across all architectures.)

Changes since v2: [2]
- move command line parsing out of early startup code entirely
- fix LTO and instrumentation related build warnings reported by Nathan
- omit PTI related PGD/P4D setters when creating the early page tables,
  instead of pulling that code into the 'early' set

[0] https://lkml.kernel.org/r/20240122090851.851120-7-ardb%2Bgit%40google.com
[1] https://lore.kernel.org/all/20240111223650.3502633-1-kevinloughlin@google.com/T/#u
[2] https://lkml.kernel.org/r/20240125112818.2016733-19-ardb%2Bgit%40google.com

Cc: Kevin Loughlin
Cc: Tom Lendacky
Cc: Dionna Glaze
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: Andy Lutomirski
Cc: Arnd Bergmann
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Justin Stitt
Cc: Kees Cook
Cc: Brian Gerst
Cc: linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org
Cc: llvm@lists.linux.dev

Ard Biesheuvel (19):
  efi/libstub: Add generic support for parsing mem_encrypt=
  x86/boot: Move mem_encrypt= parsing to the decompressor
  x86/startup_64: Drop long return to initial_code pointer
  x86/startup_64: Simplify calculation of initial page table address
  x86/startup_64: Simplify CR4 handling in startup code
  x86/startup_64: Drop global variables keeping track of LA57 state
  x86/startup_64: Simplify virtual switch on primary boot
  x86/head64: Replace pointer fixups with PIE codegen
  x86/head64: Simplify GDT/IDT initialization code
  asm-generic: Add special .pi.text section for position independent code
  x86: Move return_thunk to __pitext section
  x86/head64: Move early startup code into __pitext
  modpost: Warn about calls from __pitext into other text sections
  x86/coco: Make cc_set_mask() static inline
  x86/sev: Make all code reachable from 1:1 mapping __pitext
  x86/sev: Avoid WARN() in early code
  x86/sev: Use PIC codegen for early SEV startup code
  x86/sev: Drop inline asm LEA instructions for RIP-relative references
  x86/startup_64: Don't bother setting up GS before the kernel is mapped

 arch/x86/Makefile                              |   8 +
 arch/x86/boot/compressed/Makefile              |   2 +-
 arch/x86/boot/compressed/misc.c                |  22 +++
 arch/x86/boot/compressed/pgtable_64.c          |   2 -
 arch/x86/boot/compressed/sev.c                 |   6 +
 arch/x86/coco/core.c                           |   7 +-
 arch/x86/include/asm/coco.h                    |   8 +-
 arch/x86/include/asm/desc.h                    |   3 +-
 arch/x86/include/asm/init.h                    |   2 -
 arch/x86/include/asm/mem_encrypt.h             |   8 +-
 arch/x86/include/asm/pgtable_64.h              |  12 +-
 arch/x86/include/asm/pgtable_64_types.h        |  15 +-
 arch/x86/include/asm/setup.h                   |   4 +-
 arch/x86/include/asm/sev.h                     |   6 +-
 arch/x86/include/uapi/asm/bootparam.h          |   2 +
 arch/x86/kernel/Makefile                       |   7 +
 arch/x86/kernel/cpu/common.c                   |   2 -
 arch/x86/kernel/head64.c                       | 206 +++++++-------------
 arch/x86/kernel/head_64.S                      | 156 +++++----------
 arch/x86/kernel/sev-shared.c                   |  54 +++--
 arch/x86/kernel/sev.c                          |  27 ++-
 arch/x86/kernel/vmlinux.lds.S                  |   3 +-
 arch/x86/lib/Makefile                          |  13 --
 arch/x86/lib/memcpy_64.S                       |   3 +-
 arch/x86/lib/memset_64.S                       |   3 +-
 arch/x86/lib/retpoline.S                       |   2 +-
 arch/x86/mm/Makefile                           |   2 +-
 arch/x86/mm/kasan_init_64.c                    |   3 -
 arch/x86/mm/mem_encrypt_boot.S                 |   3 +-
 arch/x86/mm/mem_encrypt_identity.c             |  98 +++------
 drivers/firmware/efi/libstub/efi-stub-helper.c |   8 +
 drivers/firmware/efi/libstub/efistub.h         |   2 +-
 drivers/firmware/efi/libstub/x86-stub.c        |   6 +
 include/asm-generic/vmlinux.lds.h              |   3 +
 include/linux/init.h                           |  12 ++
 scripts/mod/modpost.c                          |  11 +-
 tools/objtool/check.c                          |  26 +--
 37 files changed, 319 insertions(+), 438 deletions(-)

base-commit: aa8eff72842021f52600392b245fb82d113afa8a
--
2.43.0.429.g432eaa2c6b-goog
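The cover letter's central claim is that position independent codegen is not enough on its own: a RIP-relative reference follows the code to wherever it is running, but a statically initialized pointer in .data still holds the link-time virtual address, which the early 1:1 page tables do not translate. The userspace model below is an added example, not code from this series or from the kernel. The link-time base, load address, identity-mapped range, symbol offsets and the byte-array "image" are all assumptions chosen for illustration; the fixup_pointer() here is a stand-in for the manual translation the series removes from head64.c, not the kernel's own function. It shows the three cases side by side: a PIC reference that works, a pointer loaded from a static table that faults, and the same pointer after a manual fixup.

```c
/*
 * Added example, not from the patch series or the kernel. Models why early
 * x86 startup code running from the 1:1 mapping cannot safely dereference
 * statically initialized pointers even when it is built as PIC.
 * All addresses, offsets and the page-walk model are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINK_BASE   0xffffffff81000000ULL /* assumed link-time VA of the image */
#define LOAD_PADDR  0x0000000001000000ULL /* assumed PA the loader placed it at */
#define IDMAP_END   0x0000000100000000ULL /* assumed: early tables identity-map [0, 4G) only */

/* The image is a byte array; fixed offsets stand in for linker symbols. */
static uint8_t image[4096];
enum { SYM_MSG = 0x100, SYM_TABLE = 0x200 };

enum early_access { ACCESS_OK = 0, ACCESS_FAULT = 1 };

/* Early page-table walk: anything outside the identity mapping faults. */
static enum early_access early_read8(uint64_t va, uint8_t *out)
{
	if (va >= IDMAP_END)
		return ACCESS_FAULT;	/* kernel VA, no mapping yet */
	if (va < LOAD_PADDR || va - LOAD_PADDR >= sizeof image)
		return ACCESS_FAULT;	/* identity mapped, but not our image */
	*out = image[va - LOAD_PADDR];
	return ACCESS_OK;
}

/* What the linker leaves in .data for `const char *table[] = { msg };`:
 * the link-time VA of msg. Nothing relocates it before the 1:1 code runs. */
static void link_image(void)
{
	uint64_t msg_va = LINK_BASE + SYM_MSG;

	memcpy(&image[SYM_MSG], "sev", 4);
	memcpy(&image[SYM_TABLE], &msg_va, sizeof msg_va);
}

/* RIP-relative addressing: displacement added to the address the code is
 * executing from, so the result follows the code wherever it was loaded. */
static uint64_t rip_relative(uint64_t sym_off)
{
	return LOAD_PADDR + sym_off;
}

/* Fetch the 8-byte entry from the table using a PIC reference to the table. */
static enum early_access load_table_entry(uint64_t *ptr)
{
	uint8_t raw[sizeof *ptr];

	for (unsigned i = 0; i < sizeof raw; i++)
		if (early_read8(rip_relative(SYM_TABLE) + i, &raw[i]) != ACCESS_OK)
			return ACCESS_FAULT;
	memcpy(ptr, raw, sizeof raw);
	return ACCESS_OK;
}

/* Case 1: direct PIC reference, e.g. `lea msg(%rip), %rdi`. Works. */
static enum early_access read_msg_pic(uint8_t *out)
{
	link_image();
	return early_read8(rip_relative(SYM_MSG), out);
}

/* Case 2: the table itself is reached fine, but the pointer it holds is a
 * kernel VA, so dereferencing it faults. -fPIE alone does not fix this. */
static enum early_access read_msg_via_table(uint8_t *out)
{
	uint64_t ptr;

	link_image();
	if (load_table_entry(&ptr) != ACCESS_OK)
		return ACCESS_FAULT;
	return early_read8(ptr, out);
}

/* Case 3: stand-in for the manual fixup early code had to apply to such
 * pointers: rebase from the link-time VA to the physical load address. */
static uint64_t fixup_pointer(uint64_t link_va)
{
	return link_va - LINK_BASE + LOAD_PADDR;
}

static enum early_access read_msg_via_fixed_up_table(uint8_t *out)
{
	uint64_t ptr;

	link_image();
	if (load_table_entry(&ptr) != ACCESS_OK)
		return ACCESS_FAULT;
	return early_read8(fixup_pointer(ptr), out);
}

/* Convenience for callers: the byte read, or -1 on fault. */
static int try_read(enum early_access (*reader)(uint8_t *))
{
	uint8_t c;

	return reader(&c) == ACCESS_OK ? c : -1;
}

int main(void)
{
	printf("pic reference:      %d\n", try_read(read_msg_pic));
	printf("static pointer:     %d\n", try_read(read_msg_via_table));
	printf("fixed-up pointer:   %d\n", try_read(read_msg_via_fixed_up_table));
	return 0;
}
```

The same three cases are what the series' constraints are meant to separate mechanically: .pi.text code compiled with -fPIC gives case 1 for free, the modpost warning flags calls that would leave .pi.text, and the still-to-be-added ban on absolute references from such objects is what would catch case 2 at build time instead of at boot.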