Received: by 2002:ab2:3319:0:b0:1ef:7a0f:c32d with SMTP id i25csp375466lqc; Thu, 7 Mar 2024 23:10:07 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUDDchawmsDc9gCuUVnIiPla56xUCxA3OmSLCv4hqlhK9gf5aGxt6t6G2e98hJA0YZ6t/1x08HoeInzQxrtxB45yTRx6Ss4cJph1g3uGg== X-Google-Smtp-Source: AGHT+IEcHXZLvpoExVRK7TWoXXDAG0Ao6Dw3RkGAENPhlh3o4RCNKQOIHx9JuPT0zzT4GvAIOUPC X-Received: by 2002:a05:6102:3a0a:b0:471:e00e:75ce with SMTP id b10-20020a0561023a0a00b00471e00e75cemr12389679vsu.7.1709881807374; Thu, 07 Mar 2024 23:10:07 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709881807; cv=pass; d=google.com; s=arc-20160816; b=gBknLu51ECkmcACye0NyNfw6d+5n/XIzFSM676hG7sshrQc83Qemnql1cF0gVBC0Nc JIrTbnGisSpQ7tY5pmtIbPdN9rzrvqqKe7ZYqgMlnnkJgpShEGxKleExPq0f3cjxWVZt xsmMM9JfeyE6zv4tqkLHjLZlsVcoZiElPUX6UqDWwxD+dx/tS4aYJ3mcO+9FZclP+4Wl ST2e/k+LzJvbqmmLvUEGRWgVltP1y8l4NWloF8hX5ZmOTeAYppM9BDuCvxNPJLMpMI1q Xu4PG59cEVlu34HV/etUoxKuBGLumiRRh88Imz73mTGn88R4Ux0639wCwTWjYh50Loeb kkkw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=4mzC03zGyATOP3gzEZUnSU+K1YFl+dHhu2DUvP/mur0=; fh=tdl64BQR06n7aHwbiF0eqLr8RTLX664SRAyHgDDjInw=; b=LJr1E0yWvHLi8IEbc8aZSgVoAEUX+xuIcGnohI4UiD2C8bIzJKS7V7Q/hLKzJZKFIn vhspZ7kKAtyW6x/goqHTYmsm7QLR1qnqll1ygx7R9oEne23HxaWbjmnACwBXwSz+PpAH 8EvctFDsS8VTCKb5yPvuhR5RhSmMvykwBLRi0D5Pj12WKk2F0SLmFEzRZ1AKRFE86u9V M2fgMpQ4Mj9nm/UBj4tDAMbZY0tDLggTfJSos+a+x6YIRa42BRgO2W+md/ZaY850suFp 12iQA0H4/QEA4uazaeGfO0J23n79MNes2GaHBeKO/vPvjTmDEhDwdAQ6RxsRlauN6SXC wtEA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@bytedance.com header.s=google header.b=QbTPBYei; arc=pass (i=1 spf=pass spfdomain=bytedance.com dkim=pass dkdomain=bytedance.com dmarc=pass fromdomain=bytedance.com); spf=pass (google.com: domain of linux-kernel+bounces-96566-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-96566-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=bytedance.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id s9-20020a05622a018900b0042ee5457283si12729196qtw.1.2024.03.07.23.10.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Mar 2024 23:10:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-96566-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@bytedance.com header.s=google header.b=QbTPBYei; arc=pass (i=1 spf=pass spfdomain=bytedance.com dkim=pass dkdomain=bytedance.com dmarc=pass fromdomain=bytedance.com); spf=pass (google.com: domain of linux-kernel+bounces-96566-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-96566-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=bytedance.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 0FF781C217C3 for ; Fri, 8 Mar 2024 07:10:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D134C4EB44; Fri, 8 Mar 2024 07:10:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b="QbTPBYei" Received: from mail-ot1-f47.google.com (mail-ot1-f47.google.com [209.85.210.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CEBC42E3E4 for ; Fri, 8 Mar 2024 07:09:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.47 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709881799; cv=none; b=mWD4g++UYxQnlc/l9yVHjr49X2hmon3WsOnVpSxMhiATA1txiSU95Ba8I0f3g23N5A/n42IyuATxJ0Q1LLnWGQwYUcHFMdQWVb06sA6xj3iR7IoOhjGPml6hqi94ZwCFgoratY6dSK8lot0kZLutkaBPZ88IDfDyRTrFUg5GGls= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709881799; c=relaxed/simple; bh=zRZa5pLUOC5g9yma7RyKYKAPSpayxGnS5uyQlDWGukc=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=XY0esn3A65DYSRvzJ4adt5q92D8vwVmAC/91GnjPj1lL2Pf2A6s5SQ/K9YauWLcy7dCYtWklxHFnqoo1eIXjVBlw6kFqiFBhTJ5WTCPUunPx5ttD1WosR3eCBm1oQ5BSNxqSZA++3cylW0ESL2vYwoNO6ND3of9xwjiUCcZ6iIU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com; spf=pass smtp.mailfrom=bytedance.com; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b=QbTPBYei; arc=none smtp.client-ip=209.85.210.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bytedance.com Received: by mail-ot1-f47.google.com with SMTP id 46e09a7af769-6e4f7e1af80so207630a34.3 for ; Thu, 07 Mar 2024 23:09:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance.com; s=google; t=1709881797; x=1710486597; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=4mzC03zGyATOP3gzEZUnSU+K1YFl+dHhu2DUvP/mur0=; b=QbTPBYeiMMrnXyebM095xVgAfc1vivYqVcuQa3qEmpLbAKjCuj/O0LPOcVQ4s6IUyI RwaBUvtmC31CzL+3qusGEt7CjtewcN9GeYGmHkanComAvQcY2jgdJjxQKHzqnOF3+eYI Mt6M17vWVLJw5qFNmm5v4oOJCKgphTfzrtcZprVddHY2+rvMP2E9lBuGIzwFbOdED9yn Vg90qiDXn/g0KuOJVH/uVdd6QSWzJbx3EwuVhNdLI69ZATyf+zG1OKJ2pjDaPwlkjJ6J 4ZZaZ34sG9i+8FiJuPMMi6xRwu5vRs94oaKL3iAsKvreeDIRiwxeq+ukcmrlRr57io3g NcQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709881797; x=1710486597; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4mzC03zGyATOP3gzEZUnSU+K1YFl+dHhu2DUvP/mur0=; b=BNkZjV7McU/y3S11HOQcw6M4s+gVdaTPhPI+BhLt6rdJuH+kCYu26fd1wJ59KK/i+7 tAGZSiyFXvBJYBGV2S3y8lNAo/H4FUSSFogvFuPjcJ65yIoPecGQZhSHv59jya0ClRXS KmVowlHlV+3lB2ZwwiiGVmP6DU6v95xreuEuDcYvNGHVm5sNJpA4TDDDrg41gd6+YRFJ 8CnJsGa0IBczworWgvXpC66y8ktc8e0nOqmcFIu+1yFp5TJBZ5rksWpxU0R+KL9LqW15 zREVCBRu9Ki6q9DwcJ6Xm5m7KVFA5c7NL85L/xFqMyKGmBxONQex5LW8Giywkqp8yccj 77yg== X-Forwarded-Encrypted: i=1; AJvYcCX3fL8P83RkobYgZY6Le4oO8hRwjvqmuUAm/i/pYoac+kBT8g5pVApTkAZR0nV+0/gZE8WVMyvxL+dSSmBkTvp8BGEwLuRhfpdZWtYC X-Gm-Message-State: AOJu0YwRWHsBR7qM0ieERyY0repbM6vrYE6JW6RYc8Iv8p0VzcIXrJyK IxLB7CtaD5WhSbciqEshksCSulCrrYovOE5FlxE/eBgkK7WdGF4rRWDESrB5QAtUA+AawYA2NZ+ /j3hrXUte4BhmZXwStYojhPNxqMuA/HkQhJcQDA== X-Received: by 2002:a05:6870:1649:b0:221:45a1:b72a with SMTP id c9-20020a056870164900b0022145a1b72amr2439591oae.35.1709881796686; Thu, 07 Mar 2024 23:09:56 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: In-Reply-To: From: yunhui cui Date: Fri, 8 Mar 2024 15:09:45 +0800 Message-ID: Subject: Re: [External] Re: [PATCH 3/3] efistub: fix missed the initialization of gp To: Ard Biesheuvel Cc: Palmer Dabbelt , Paul Walmsley , aou@eecs.berkeley.edu, xuzhipeng.1973@bytedance.com, alexghiti@rivosinc.com, samitolvanen@google.com, bp@alien8.de, xiao.w.wang@intel.com, jan.kiszka@siemens.com, kirill.shutemov@linux.intel.com, nathan@kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, Conor Dooley , Heinrich Schuchardt Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Ard, On Fri, Mar 8, 2024 at 12:49=E2=80=AFAM Ard Biesheuvel wr= ote: > > On Thu, 7 Mar 2024 at 04:19, yunhui cui wrote: > > > > Hi Ard, > > > > On Thu, Mar 7, 2024 at 12:15=E2=80=AFAM Ard Biesheuvel wrote: > > > > > > On Wed, 6 Mar 2024 at 16:44, Ard Biesheuvel wrote: > > > > > > > > On Wed, 6 Mar 2024 at 16:21, Palmer Dabbelt wr= ote: > > > > > > > > > > On Wed, 06 Mar 2024 05:09:07 PST (-0800), Ard Biesheuvel wrote: > > > > > > On Wed, 6 Mar 2024 at 14:02, Ard Biesheuvel w= rote: > > > > > >> > > > > > >> On Wed, 6 Mar 2024 at 13:34, yunhui cui wrote: > > > > > >> > > > > > > >> > Hi Ard, > > > > > >> > > > > > > >> > On Wed, Mar 6, 2024 at 5:36=E2=80=AFPM Ard Biesheuvel wrote: > > > > > >> > > > > > > > >> > > On Wed, 6 Mar 2024 at 09:56, Yunhui Cui wrote: > > > > > >> > > > > > > > > >> > > > Compared with gcc version 12, gcc version 13 uses the gp > > > > > >> > > > register for compilation optimization, but the efistub m= odule > > > > > >> > > > does not initialize gp. > > > > > >> > > > > > > > > >> > > > Signed-off-by: Yunhui Cui > > > > > >> > > > Co-Developed-by: Zhipeng Xu > > > > > >> > > > > > > > >> > > This needs a sign-off, and your signoff needs to come afte= r. > > > > > >> > > > > > > > >> > > > --- > > > > > >> > > > arch/riscv/kernel/efi-header.S | 11 ++++++++++- > > > > > >> > > > 1 file changed, 10 insertions(+), 1 deletion(-) > > > > > >> > > > > > > > > >> > > > diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv= /kernel/efi-header.S > > > > > >> > > > index 515b2dfbca75..fa17c08c092a 100644 > > > > > >> > > > --- a/arch/riscv/kernel/efi-header.S > > > > > >> > > > +++ b/arch/riscv/kernel/efi-header.S > > > > > >> > > > @@ -40,7 +40,7 @@ optional_header: > > > > > >> > > > .long __pecoff_data_virt_end - __pecoff_text_e= nd // SizeOfInitializedData > > > > > >> > > > #endif > > > > > >> > > > .long 0 = // SizeOfUninitializedData > > > > > >> > > > - .long __efistub_efi_pe_entry - _start = // AddressOfEntryPoint > > > > > >> > > > + .long _efistub_entry - _start // Addre= ssOfEntryPoint > > > > > >> > > > .long efi_header_end - _start = // BaseOfCode > > > > > >> > > > #ifdef CONFIG_32BIT > > > > > >> > > > .long __pecoff_text_end - _start = // BaseOfData > > > > > >> > > > @@ -121,4 +121,13 @@ section_table: > > > > > >> > > > > > > > > >> > > > .balign 0x1000 > > > > > >> > > > efi_header_end: > > > > > >> > > > + > > > > > >> > > > + .global _efistub_entry > > > > > >> > > > +_efistub_entry: > > > > > >> > > > > > > > >> > > This should go into .text or .init.text, not the header. > > > > > >> > > > > > > > >> > > > + /* Reload the global pointer */ > > > > > >> > > > + load_global_pointer > > > > > >> > > > + > > > > > >> > > > > > > > >> > > What is supposed to happen here if CONFIG_SHADOW_CALL_STAC= K=3Dy? The EFI > > > > > >> > > stub Makefile removes the SCS CFLAGS, so the stub will be = built > > > > > >> > > without shadow call stack support, which I guess means tha= t it might > > > > > >> > > use GP as a global pointer as usual? > > > > > >> > > > > > > > >> > > > + call __efistub_efi_pe_entry > > > > > >> > > > + ret > > > > > >> > > > + > > > > > >> > > > > > > > >> > > You are returning to the firmware here, but after modifyin= g the GP > > > > > >> > > register. Shouldn't you restore it to its old value? > > > > > >> > There is no need to restore the value of the gp register. Wh= ere gp is > > > > > >> > needed, the gp register must first be initialized. And here = is the > > > > > >> > entry. > > > > > >> > > > > > > >> > > > > > >> But how should the firmware know that GP was corrupted after c= alling > > > > > >> the kernel's EFI entrypoint? The EFI stub can return to the fi= rmware > > > > > >> if it encounters any errors while still running in the EFI boo= t > > > > > >> services. > > > > > >> > > > > > > > > > > > > Actually, I wonder if GP can be modified at all before > > > > > > ExitBootServices(). The EFI timer interrupt is still live at th= is > > > > > > point, and so the firmware is being called behind your back, an= d might > > > > > > rely on GP retaining its original value. > > > > > > > > > > [A few of us are talking on IRC as I'm writing this...] > > > > > > > > > > The UEFI spec says "UEFI firmware must neither trust the > > > > > values of tp and gp nor make an assumption of owning the write ac= cess to > > > > > these register in any circumstances". It's kind of vague what "U= EFI > > > > > firmware" means here, but I think it's reasonable to assume that = the > > > > > kernel (and thus the EFI stub) is not included there. > > > > > > > > > > So under that interpretation, the kernel (including the EFI stub)= would > > > > > be allowed to overwrite GP with whatever it wants. > > > > > > > > > > > > > OK, so even if the UEFI spec seems to suggest that using GP in EFI > > > > applications such as the Linux EFI stub should be safe, I'd still l= ike > > > > to understand why this change is necessary. The patches you are > > > > reverting are supposed to ensure that a) the compiler does not > > > > generate references that can be relaxed to GP based ones, and b) no > > > > R_RISCV_RELAX relocations are present in any of the code that runs = in > > > > the context of the EFI firmware. > > > > > > > > Are you still seeing GP based symbol references? Is there C code th= at > > > > gets pulled into the EFI stub that uses GP based relocations perhap= s? > > > > (see list below). If any of those are implemented in C, they should > > > > not be used by the EFI stub directly unless they are guaranteed to = be > > > > uninstrumented and callable at arbitrary offsets other than the one > > > > they were linked to run at. > > > > > > > > > > > > __efistub_memcmp =3D memcmp; > > > > __efistub_memchr =3D memchr; > > > > __efistub_memcpy =3D memcpy; > > > > __efistub_memmove =3D memmove; > > > > __efistub_memset =3D memset; > > > > __efistub_strlen =3D strlen; > > > > __efistub_strnlen =3D strnlen; > > > > __efistub_strcmp =3D strcmp; > > > > __efistub_strncmp =3D strncmp; > > > > __efistub_strrchr =3D strrchr; > > > > __efistub___memcpy =3D memcpy; > > > > __efistub___memmove =3D memmove; > > > > __efistub___memset =3D memset; > > > > __efistub__start =3D _start; > > > > __efistub__start_kernel =3D _start_kernel; > > > > > > > > (from arch/riscv/kernel/image-vars.h) > > > > > > Uhm never mind - these are all gone now, I was looking at a v6.1 > > > kernel source tree. > > > > > > So that means that, as far as I can tell, the only kernel C code that > > > executes in the context of the EFI firmware is built with -mno-relax > > > and is checked for the absence of R_RISCV_RELAX relocations. So I fai= l > > > to see why these changes are needed. > > > > > > Yunhui, could you please explain the reason for this series? > > > > From the logic of binutils, if "__global_pointer$" exists, it is > > possible to use GP for optimization. For RISC-V, "__global_pointer$" > > was introduced in commit "fbe934d69eb7e". Therefore, for the system as > > a whole, we should keep using GP uniformly. > > There is no 'system as a whole' that can use GP 'uniformly' > > The EFI stub is a separate executable that runs from a different > mapping of memory, in an execution context managed by the firmware. It > happens to be linked into the same executable as the vmlinux kernel. > > > The root cause of this > > problem is that GP is not loaded, rather than "On RISC-V, we also > > avoid GP based relocations..." as commit "d2baf8cc82c17" said. > > GP is not loaded because in the EFI firmware context, there is no safe > way to rely on it. > > > We need > > to address problems head-on, rather than avoid them. > > > > So what solution are you proposing for the potential GP conflicts > between the boot loader, the Linux EFI stub and the firmware? The GP register values are now loaded in the arch/riscv/kernel/head.S and arch/riscv/kernel/suspend_entry.S files. Let's think about EFI runtimeservice. If the EFI firmware code uses GP registers but the compiler does not avoid GP, and kernel uses the callback function provided by EFI, is there a problem? Is it possible to solve the problem only by making the firmware code not use GP at all and compiling options to avoid using GP? The same goes for efistub. So the way to solve this problem is that the firmware does not use GP optimization. Does this allow efistub to load the GP register? Thanks, Yunhui