From: Borislav Petkov <bp@alien8.de>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, linux-efi@vger.kernel.org,
platform-driver-x86@vger.kernel.org, linux-coco@lists.linux.dev,
linux-mm@kvack.org, Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Joerg Roedel <jroedel@suse.de>,
Tom Lendacky <thomas.lendacky@amd.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Ard Biesheuvel <ardb@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>,
Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Sergio Lopez <slp@redhat.com>, Peter Gonda <pgonda@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
David Rientjes <rientjes@google.com>,
Dov Murik <dovmurik@linux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Michael Roth <michael.roth@amd.com>,
Vlastimil Babka <vbabka@suse.cz>,
"Kirill A . Shutemov" <kirill@shutemov.name>,
Andi Kleen <ak@linux.intel.com>,
tony.luck@intel.com, marcorr@google.com,
sathyanarayanan.kuppuswamy@linux.intel.com
Subject: Re: [PATCH Part1 v5 23/38] x86/head/64: set up a startup %gs for stack protector
Date: Wed, 25 Aug 2021 16:29:13 +0200 [thread overview]
Message-ID: <YSZTubkROktMMSba@zn.tnic> (raw)
In-Reply-To: <20210820151933.22401-24-brijesh.singh@amd.com>
On Fri, Aug 20, 2021 at 10:19:18AM -0500, Brijesh Singh wrote:
> From: Michael Roth <michael.roth@amd.com>
>
> As of commit 103a4908ad4d ("x86/head/64: Disable stack protection for
> head$(BITS).o") kernel/head64.c is compiled with -fno-stack-protector
> to allow a call to set_bringup_idt_handler(), which would otherwise
> have stack protection enabled with CONFIG_STACKPROTECTOR_STRONG. While
> sufficient for that case, this will still cause issues if we attempt to
> call out to any external functions that were compiled with stack
> protection enabled that in-turn make stack-protected calls, or if the
> exception handlers set up by set_bringup_idt_handler() make calls to
> stack-protected functions.
>
> Subsequent patches for SEV-SNP CPUID validation support will introduce
> both such cases. Attempting to disable stack protection for everything
> in scope to address that is prohibitive since much of the code, like
> SEV-ES #VC handler, is shared code that remains in use after boot and
> could benefit from having stack protection enabled. Attempting to inline
> calls is brittle and can quickly balloon out to library/helper code
> where that's not really an option.
>
> Instead, set up %gs to point a buffer that stack protector can use for
> canary values when needed.
>
> In doing so, it's likely we can stop using -no-stack-protector for
> head64.c, but that hasn't been tested yet, and head32.c would need a
> similar solution to be safe, so that is left as a potential follow-up.
That...
> Signed-off-by: Michael Roth <michael.roth@amd.com>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
> arch/x86/kernel/Makefile | 2 +-
> arch/x86/kernel/head64.c | 20 ++++++++++++++++++++
> 2 files changed, 21 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
> index 3e625c61f008..5abdfd0dbbc3 100644
> --- a/arch/x86/kernel/Makefile
> +++ b/arch/x86/kernel/Makefile
> @@ -46,7 +46,7 @@ endif
> # non-deterministic coverage.
> KCOV_INSTRUMENT := n
>
> -CFLAGS_head$(BITS).o += -fno-stack-protector
> +CFLAGS_head32.o += -fno-stack-protector
... and that needs to be taken care of too.
> CFLAGS_irq.o := -I $(srctree)/$(src)/../include/asm/trace
>
> diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
> index a1711c4594fa..f1b76a54c84e 100644
> --- a/arch/x86/kernel/head64.c
> +++ b/arch/x86/kernel/head64.c
> @@ -74,6 +74,11 @@ static struct desc_struct startup_gdt[GDT_ENTRIES] = {
> [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
> };
>
> +/* For use by stack protector code before switching to virtual addresses */
> +#if CONFIG_STACKPROTECTOR
That's "#ifdef". Below too.
Did you even build this with CONFIG_STACKPROTECTOR disabled?
Because if you did, you would've seen this:
arch/x86/kernel/head64.c:78:5: warning: "CONFIG_STACKPROTECTOR" is not defined, evaluates to 0 [-Wundef]
78 | #if CONFIG_STACKPROTECTOR
| ^~~~~~~~~~~~~~~~~~~~~
arch/x86/kernel/head64.c: In function ‘startup_64_setup_env’:
arch/x86/kernel/head64.c:613:35: error: ‘startup_gs_area’ undeclared (first use in this function)
613 | u64 gs_area = (u64)fixup_pointer(startup_gs_area, physbase);
| ^~~~~~~~~~~~~~~
arch/x86/kernel/head64.c:613:35: note: each undeclared identifier is reported only once for each function it appears in
arch/x86/kernel/head64.c:632:5: warning: "CONFIG_STACKPROTECTOR" is not defined, evaluates to 0 [-Wundef]
632 | #if CONFIG_STACKPROTECTOR
| ^~~~~~~~~~~~~~~~~~~~~
arch/x86/kernel/head64.c:613:6: warning: unused variable ‘gs_area’ [-Wunused-variable]
613 | u64 gs_area = (u64)fixup_pointer(startup_gs_area, physbase);
| ^~~~~~~
make[2]: *** [scripts/Makefile.build:271: arch/x86/kernel/head64.o] Error 1
make[1]: *** [scripts/Makefile.build:514: arch/x86/kernel] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1851: arch/x86] Error 2
make: *** Waiting for unfinished jobs....
> +static char startup_gs_area[64];
> +#endif
> +
> /*
> * Address needs to be set at runtime because it references the startup_gdt
> * while the kernel still uses a direct mapping.
> @@ -605,6 +610,8 @@ void early_setup_idt(void)
> */
> void __head startup_64_setup_env(unsigned long physbase)
> {
> + u64 gs_area = (u64)fixup_pointer(startup_gs_area, physbase);
> +
> /* Load GDT */
> startup_gdt_descr.address = (unsigned long)fixup_pointer(startup_gdt, physbase);
> native_load_gdt(&startup_gdt_descr);
> @@ -614,5 +621,18 @@ void __head startup_64_setup_env(unsigned long physbase)
> "movl %%eax, %%ss\n"
> "movl %%eax, %%es\n" : : "a"(__KERNEL_DS) : "memory");
>
> + /*
> + * GCC stack protection needs a place to store canary values. The
> + * default is %gs:0x28, which is what the kernel currently uses.
> + * Point GS base to a buffer that can be used for this purpose.
> + * Note that newer GCCs now allow this location to be configured,
> + * so if we change from the default in the future we need to ensure
> + * that this buffer overlaps whatever address ends up being used.
> + */
> +#if CONFIG_STACKPROTECTOR
> + asm volatile("movl %%eax, %%gs\n" : : "a"(__KERNEL_DS) : "memory");
> + native_wrmsr(MSR_GS_BASE, gs_area, gs_area >> 32);
> +#endif
> +
> startup_64_load_idt(physbase);
> }
> --
> 2.17.1
>
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
next prev parent reply other threads:[~2021-08-25 14:28 UTC|newest]
Thread overview: 123+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-20 15:18 [PATCH Part1 v5 00/38] Add AMD Secure Nested Paging (SEV-SNP) Guest Support Brijesh Singh
2021-08-20 15:18 ` [PATCH Part1 v5 01/38] x86/mm: Add sev_feature_enabled() helper Brijesh Singh
2021-08-20 15:18 ` [PATCH Part1 v5 02/38] x86/sev: Shorten GHCB terminate macro names Brijesh Singh
2021-08-20 15:18 ` [PATCH Part1 v5 03/38] x86/sev: Get rid of excessive use of defines Brijesh Singh
2021-08-20 15:18 ` [PATCH Part1 v5 04/38] x86/head64: Carve out the guest encryption postprocessing into a helper Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 05/38] x86/sev: Define the Linux specific guest termination reasons Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 06/38] x86/sev: Save the negotiated GHCB version Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 07/38] x86/sev: Add support for hypervisor feature VMGEXIT Brijesh Singh
2021-08-23 9:47 ` Borislav Petkov
2021-08-23 18:25 ` Brijesh Singh
2021-08-23 18:34 ` Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 08/38] x86/sev: Check SEV-SNP features support Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 09/38] x86/sev: Add a helper for the PVALIDATE instruction Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 10/38] x86/sev: Check the vmpl level Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 11/38] x86/compressed: Add helper for validating pages in the decompression stage Brijesh Singh
2021-08-23 14:16 ` Borislav Petkov
2021-08-23 18:55 ` Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 12/38] x86/compressed: Register GHCB memory when SEV-SNP is active Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 13/38] x86/sev: " Brijesh Singh
2021-08-23 17:35 ` Borislav Petkov
2021-08-23 18:56 ` Brijesh Singh
2021-08-23 19:45 ` [PATCH] x86/sev: Remove do_early_exception() forward declarations Borislav Petkov
2021-08-23 20:06 ` Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 14/38] x86/sev: Add helper for validating pages in early enc attribute changes Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 15/38] x86/kernel: Make the bss.decrypted section shared in RMP table Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 16/38] x86/kernel: Validate rom memory before accessing when SEV-SNP is active Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 17/38] x86/mm: Add support to validate memory when changing C-bit Brijesh Singh
2021-08-25 11:06 ` Borislav Petkov
2021-08-25 13:54 ` Brijesh Singh
2021-08-25 14:00 ` Borislav Petkov
2021-08-27 17:09 ` Borislav Petkov
2021-08-20 15:19 ` [PATCH Part1 v5 18/38] KVM: SVM: Define sev_features and vmpl field in the VMSA Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 19/38] KVM: SVM: Create a separate mapping for the SEV-ES save area Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 20/38] KVM: SVM: Create a separate mapping for the GHCB " Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 21/38] KVM: SVM: Update the SEV-ES save area mapping Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 22/38] x86/sev: Use SEV-SNP AP creation to start secondary CPUs Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 23/38] x86/head/64: set up a startup %gs for stack protector Brijesh Singh
2021-08-25 14:29 ` Borislav Petkov [this message]
2021-08-25 15:18 ` Michael Roth
2021-08-25 16:29 ` Borislav Petkov
2021-08-27 13:38 ` Michael Roth
2021-08-31 8:03 ` Borislav Petkov
2021-08-31 23:30 ` Michael Roth
2021-08-25 15:07 ` Joerg Roedel
2021-08-25 17:07 ` Michael Roth
2021-08-20 15:19 ` [PATCH Part1 v5 24/38] x86/sev: move MSR-based VMGEXITs for CPUID to helper Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 25/38] KVM: x86: move lookup of indexed CPUID leafs " Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 26/38] x86/compressed/acpi: move EFI config table access to common code Brijesh Singh
2021-08-25 15:18 ` Borislav Petkov
2021-08-25 17:14 ` Michael Roth
2021-08-20 15:19 ` [PATCH Part1 v5 27/38] x86/boot: Add Confidential Computing type to setup_data Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 28/38] x86/compressed/64: enable SEV-SNP-validated CPUID in #VC handler Brijesh Singh
2021-08-25 19:19 ` Borislav Petkov
2021-08-27 16:46 ` Michael Roth
2021-08-31 10:04 ` Borislav Petkov
2021-09-01 1:03 ` Michael Roth
2021-09-02 10:53 ` Borislav Petkov
2021-08-20 15:19 ` [PATCH Part1 v5 29/38] x86/boot: add a pointer to Confidential Computing blob in bootparams Brijesh Singh
2021-08-27 13:51 ` Borislav Petkov
2021-08-27 18:48 ` Michael Roth
2021-08-20 15:19 ` [PATCH Part1 v5 30/38] x86/compressed/64: store Confidential Computing blob address " Brijesh Singh
2021-08-27 14:15 ` Borislav Petkov
2021-08-27 19:09 ` Michael Roth
2021-08-31 10:26 ` Borislav Petkov
2021-08-20 15:19 ` [PATCH Part1 v5 31/38] x86/compressed/64: add identity mapping for Confidential Computing blob Brijesh Singh
2021-08-27 14:43 ` Borislav Petkov
2021-08-20 15:19 ` [PATCH Part1 v5 32/38] x86/sev: enable SEV-SNP-validated CPUID in #VC handlers Brijesh Singh
2021-08-27 15:18 ` Borislav Petkov
2021-08-27 15:47 ` Brijesh Singh
2021-08-27 16:56 ` Borislav Petkov
2021-08-27 18:39 ` Michael Roth
2021-08-27 18:32 ` Michael Roth
2021-08-30 16:03 ` Michael Roth
2021-08-31 16:22 ` Borislav Petkov
2021-09-01 1:16 ` Michael Roth
2021-09-02 11:05 ` Borislav Petkov
2021-08-20 15:19 ` [PATCH Part1 v5 33/38] x86/sev: Provide support for SNP guest request NAEs Brijesh Singh
2021-08-27 17:44 ` Borislav Petkov
2021-08-27 18:07 ` Brijesh Singh
2021-08-27 18:13 ` Borislav Petkov
2021-08-27 18:27 ` Brijesh Singh
2021-08-27 18:38 ` Borislav Petkov
2021-08-27 19:57 ` Tom Lendacky
2021-08-27 20:17 ` Borislav Petkov
2021-08-27 20:31 ` Tom Lendacky
2021-08-20 15:19 ` [PATCH Part1 v5 34/38] x86/sev: Add snp_msg_seqno() helper Brijesh Singh
2021-08-27 18:41 ` Borislav Petkov
2021-08-30 15:07 ` Brijesh Singh
2021-09-02 11:26 ` Borislav Petkov
2021-09-02 15:27 ` Brijesh Singh
2021-08-31 20:46 ` Dov Murik
2021-08-31 21:13 ` Brijesh Singh
2021-09-09 14:54 ` Peter Gonda
2021-09-09 15:26 ` Brijesh Singh
2021-09-09 15:43 ` Peter Gonda
2021-09-09 16:17 ` Brijesh Singh
2021-09-09 16:21 ` Peter Gonda
2021-09-09 19:26 ` Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 35/38] x86/sev: Register SNP guest request platform device Brijesh Singh
2021-08-31 11:37 ` Dov Murik
2021-08-31 16:03 ` Brijesh Singh
2021-09-02 16:40 ` Borislav Petkov
2021-09-02 19:58 ` Brijesh Singh
2021-09-03 8:15 ` Dov Murik
2021-09-03 12:08 ` Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 36/38] virt: Add SEV-SNP guest driver Brijesh Singh
2021-09-06 17:38 ` Borislav Petkov
2021-09-07 13:35 ` Brijesh Singh
2021-09-08 13:44 ` Borislav Petkov
2021-08-20 15:19 ` [PATCH Part1 v5 37/38] virt: sevguest: Add support to derive key Brijesh Singh
2021-08-31 18:59 ` Dov Murik
2021-08-31 21:04 ` Brijesh Singh
2021-09-01 5:33 ` Dov Murik
2021-09-08 14:00 ` Borislav Petkov
2021-09-08 21:44 ` Brijesh Singh
2021-08-20 15:19 ` [PATCH Part1 v5 38/38] virt: sevguest: Add support to get extended report Brijesh Singh
2021-08-31 20:22 ` Dov Murik
2021-08-31 21:11 ` Brijesh Singh
2021-09-01 8:32 ` Dov Murik
2021-09-08 17:53 ` Borislav Petkov
2021-09-15 11:46 ` Brijesh Singh
2021-09-15 10:02 ` Dr. David Alan Gilbert
2021-09-15 11:53 ` Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YSZTubkROktMMSba@zn.tnic \
--to=bp@alien8.de \
--cc=ak@linux.intel.com \
--cc=ardb@kernel.org \
--cc=brijesh.singh@amd.com \
--cc=dave.hansen@linux.intel.com \
--cc=dovmurik@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=jroedel@suse.de \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=marcorr@google.com \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=rientjes@google.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=slp@redhat.com \
--cc=srinivas.pandruvada@linux.intel.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
--cc=tony.luck@intel.com \
--cc=vbabka@suse.cz \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.