From: Ard Biesheuvel <ardb+git@google.com>
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
Kevin Loughlin <kevinloughlin@google.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Dionna Glaze <dionnaglaze@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Justin Stitt <justinstitt@google.com>,
Kees Cook <keescook@chromium.org>,
Brian Gerst <brgerst@gmail.com>,
linux-arch@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH v4 00/11] x86: Confine early 1:1 mapped startup code
Date: Tue, 13 Feb 2024 13:41:44 +0100 [thread overview]
Message-ID: <20240213124143.1484862-13-ardb+git@google.com> (raw)
From: Ard Biesheuvel <ardb@kernel.org>
This is a follow-up to [0] which implemented rigorous build time checks
to ensure that any code that is executed during early startup supports
running from the initial 1:1 mapping of memory, which is how the kernel
is entered from the decompressor or the EFI firmware.
Using PIC codegen and introducing new magic sections into generic code
would create a maintenance burden, and more experimentation is needed
there. One issue with PIC codegen is that it still permits the compiler
to make assumptions about the runtime address of global objects (modulo
runtime relocation), which is incompatible with how the kernel is
entered, i.e., running a fully linked and relocated executable from the
wrong runtime address.
The RIP_REL_REF() macro that was introduced recently [1] is actually
more appropriate for this use case, as it hides the access from the
compiler entirely, and so the compiler can never predict its result.
To make incremental progress on this, this v4 drops the special
instrumentation for .pi.text and PIC codegen, but retains all the
cleanup work on the startup code to make it more maintainable and more
obviously correct.
In particular, this involves:
- getting rid of early accesses to global objects, either by moving them
to the stack, deferring the access until later, or dropping the
globals entirely;
- moving all code that runs early via the 1:1 mapping into .head.text,
and moving code that does not out of it, so that build time checks can
be added later to ensure that no inadvertent absolute references were
emitted into code that does not tolerate them;
- removing fixup_pointer() and occurrences of __pa_symbol(), which rely
on the compiler emitting absolute references, and this is not
guaranteed. (Without -fpic, the compiler might still use RIP-relative
references in some cases)
Changes since v3:
- dropped half of the patches and added a couple of new ones
- applied feedback from Boris to patches that were retained, mostly
related to some minor oversights on my part, and to some style issues
[0] https://lkml.kernel.org/r/20240129180502.4069817-21-ardb%2Bgit%40google.com
[1] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/sev&id=1c811d403afd73f0
Cc: Kevin Loughlin <kevinloughlin@google.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Dionna Glaze <dionnaglaze@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org
Cc: llvm@lists.linux.dev
Ard Biesheuvel (11):
x86/startup_64: Simplify global variable accesses in GDT/IDT
programming
x86/startup_64: Replace pointer fixups with RIP-relative references
x86/startup_64: Simplify CR4 handling in startup code
x86/startup_64: Defer assignment of 5-level paging global variables
x86/startup_64: Simplify calculation of initial page table address
x86/startup_64: Simplify virtual switch on primary boot
efi/libstub: Add generic support for parsing mem_encrypt=
x86/boot: Move mem_encrypt= parsing to the decompressor
x86/sme: Move early SME kernel encryption handling into .head.text
x86/sev: Move early startup code into .head.text section
x86/startup_64: Drop global variables keeping track of LA57 state
arch/x86/boot/compressed/misc.c | 15 ++
arch/x86/boot/compressed/misc.h | 4 -
arch/x86/boot/compressed/pgtable_64.c | 12 --
arch/x86/boot/compressed/sev.c | 3 +
arch/x86/boot/compressed/vmlinux.lds.S | 1 +
arch/x86/include/asm/mem_encrypt.h | 8 +-
arch/x86/include/asm/pgtable_64_types.h | 58 +++----
arch/x86/include/asm/setup.h | 2 +-
arch/x86/include/asm/sev.h | 10 +-
arch/x86/include/uapi/asm/bootparam.h | 1 +
arch/x86/kernel/cpu/common.c | 2 -
arch/x86/kernel/head64.c | 172 ++++++--------------
arch/x86/kernel/head_64.S | 91 ++++-------
arch/x86/kernel/sev-shared.c | 23 ++-
arch/x86/kernel/sev.c | 14 +-
arch/x86/lib/Makefile | 13 --
arch/x86/mm/kasan_init_64.c | 3 -
arch/x86/mm/mem_encrypt_identity.c | 83 +++-------
drivers/firmware/efi/libstub/efi-stub-helper.c | 8 +
drivers/firmware/efi/libstub/efistub.h | 2 +-
drivers/firmware/efi/libstub/x86-stub.c | 3 +
21 files changed, 186 insertions(+), 342 deletions(-)
base-commit: 1c811d403afd73f04bde82b83b24c754011bd0e8
--
2.43.0.687.g38aa6559b0-goog
next reply other threads:[~2024-02-13 12:42 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-13 12:41 Ard Biesheuvel [this message]
2024-02-13 12:41 ` [PATCH v4 01/11] x86/startup_64: Simplify global variable accesses in GDT/IDT programming Ard Biesheuvel
2024-02-13 20:05 ` Borislav Petkov
2024-02-13 21:53 ` Ard Biesheuvel
2024-02-14 7:28 ` Ard Biesheuvel
2024-02-15 13:52 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 02/11] x86/startup_64: Replace pointer fixups with RIP-relative references Ard Biesheuvel
2024-02-17 12:51 ` Borislav Petkov
2024-02-17 13:58 ` Ard Biesheuvel
2024-02-17 16:10 ` Ard Biesheuvel
2024-02-19 9:55 ` Borislav Petkov
2024-02-19 10:45 ` Ard Biesheuvel
2024-02-19 10:01 ` Borislav Petkov
2024-02-19 10:47 ` Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 03/11] x86/startup_64: Simplify CR4 handling in startup code Ard Biesheuvel
2024-02-19 10:32 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 04/11] x86/startup_64: Defer assignment of 5-level paging global variables Ard Biesheuvel
2024-02-20 18:45 ` Borislav Petkov
2024-02-20 23:33 ` Ard Biesheuvel
2024-02-21 10:09 ` Borislav Petkov
2024-02-21 10:20 ` Ard Biesheuvel
2024-02-21 11:12 ` Borislav Petkov
2024-02-21 11:21 ` Ard Biesheuvel
2024-02-21 11:23 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 05/11] x86/startup_64: Simplify calculation of initial page table address Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 06/11] x86/startup_64: Simplify virtual switch on primary boot Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 07/11] efi/libstub: Add generic support for parsing mem_encrypt= Ard Biesheuvel
2024-02-19 17:00 ` Tom Lendacky
2024-02-19 17:06 ` Ard Biesheuvel
2024-02-20 19:28 ` Tom Lendacky
2024-02-13 12:41 ` [PATCH v4 08/11] x86/boot: Move mem_encrypt= parsing to the decompressor Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 09/11] x86/sme: Move early SME kernel encryption handling into .head.text Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 10/11] x86/sev: Move early startup code into .head.text section Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 11/11] x86/startup_64: Drop global variables keeping track of LA57 state Ard Biesheuvel
2024-02-14 15:24 ` Brian Gerst
2024-02-14 15:44 ` Ard Biesheuvel
2024-02-14 20:25 ` Brian Gerst
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240213124143.1484862-13-ardb+git@google.com \
--to=ardb+git@google.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=dionnaglaze@google.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=kevinloughlin@google.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).