From: Dave Hansen <dave.hansen@linux.intel.com>
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Dave Hansen <dave.hansen@linux.intel.com>,
	ning.sun@intel.com, tglx@linutronix.de, mingo@redhat.com,
	hpa@zytor.com, tboot-devel@lists.sourceforge.net,
	aarcange@redhat.com, jcm@redhat.com, dwmw@amazon.co.uk,
	pbonzini@redhat.com, gnomes@lxorguk.ukuu.org.uk,
	torvalds@linux-foundation.org, andi@firstfloor.org,
	gregkh@linux-foundation.org, tim.c.chen@linux.intel.com,
	law@redhat.com, nickc@redhat.com, luto@kernel.org,
	peterz@infradead.org
Subject: [PATCH] x86/pti: unpoison pgd for trusted boot
Date: Wed, 10 Jan 2018 14:49:39 -0800
Message-ID: <20180110224939.2695CD47@viggo.jf.intel.com>


Updated to make this on top of x86/pti.

--

From: Dave Hansen <dave.hansen@linux.intel.com>

The code in -tip potentially misses the pgd clearing if pud_alloc()
sets a PGD.  It would also be nice to have that comment back.

Note that the -tip commit probably works in *practice* because for
two adjacent calls to map_tboot_page() that share a PGD entry, the
first will clear NX, *then* allocate and set the PGD (without NX
clear).  The second call will *not* allocate but will clear the NX
bit.

This just defers the NX clearing to a point after it is known that
all top-level allocations have occurred.  Add a comment to clarify
why.

Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ning Sun <ning.sun@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Cc: tboot-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Cc: Andrea Arcangeli <aarcange@redhat.com>
CC: Jon Masters <jcm@redhat.com>
Cc: "Woodhouse, David" <dwmw@amazon.co.uk>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
CC: "Tim Chen" <tim.c.chen@linux.intel.com>
Cc: Jeff Law <law@redhat.com>
Cc: Nick Clifton <nickc@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
---

 b/arch/x86/kernel/tboot.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
--- a/arch/x86/kernel/tboot.c~pti-tboot-fix	2018-01-10 14:24:46.454544324 -0800
+++ b/arch/x86/kernel/tboot.c	2018-01-10 14:25:53.354544157 -0800
@@ -127,7 +127,6 @@ static int map_tboot_page(unsigned long
 	p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
 	if (!p4d)
 		return -1;
-	pgd->pgd &= ~_PAGE_NX;
 	pud = pud_alloc(&tboot_mm, p4d, vaddr);
 	if (!pud)
 		return -1;
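
Review bot: with the NX clear removed from directly after p4d_alloc(), every `return -1` below it (the pud_alloc() failure in this hunk and the later error return visible in the next one) now exits with the PGD entry still marked NX while the upper levels may already be populated. That is harmless only if a failed map_tboot_page() is treated as fatal for the whole tboot mapping, so the changelog should say that callers do not go on to use a partially built table. If that cannot be guaranteed, clear the bit on the error paths as well.
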
@@ -139,6 +138,17 @@ static int map_tboot_page(unsigned long
 		return -1;
 	set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
 	pte_unmap(pte);
+
+	/*
+	 * PTI poisons low addresses in the kernel page tables in the
+	 * name of making them unusable for userspace.  To execute
+	 * code at such a low address, the poison must be cleared.
+	 *
+	 * Note: 'pgd' actually gets set in p4d_alloc() _or_
+	 * pud_alloc() depending on 4/5-level paging.
+	 */
+	pgd->pgd &= ~_PAGE_NX;
+
 	return 0;
 }
 
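
Review bot: the new comment above `pgd->pgd &= ~_PAGE_NX;` never says that the "poison" is the NX bit in the PGD entry, so the reader has to infer it from the statement that follows. Suggest naming _PAGE_NX in the first sentence. The clear also runs unconditionally on every successful call, for every page mapped, so the comment should state that repeating it is intentional and idempotent, and that it sits after set_pte_at() precisely because the PGD entry may be written by either p4d_alloc() or pud_alloc().
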
_
