From: Peter Zijlstra <peterz@infradead.org>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "Poimboe, Josh" <jpoimboe@redhat.com>,
"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
"x86@kernel.org" <x86@kernel.org>,
"joao@overdrivepizza.com" <joao@overdrivepizza.com>,
"Cooper, Andrew" <andrew.cooper3@citrix.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"mark.rutland@arm.com" <mark.rutland@arm.com>,
"samitolvanen@google.com" <samitolvanen@google.com>,
"ndesaulniers@google.com" <ndesaulniers@google.com>,
"Milburn, Alyssa" <alyssa.milburn@intel.com>
Subject: Re: [PATCH 00/29] x86: Kernel IBT
Date: Sat, 19 Feb 2022 10:58:27 +0100 [thread overview]
Message-ID: <20220219095827.GI23216@worktop.programming.kicks-ass.net> (raw)
In-Reply-To: <7a241b81ccd21da02bc27379b0a837c09fe4f135.camel@intel.com>
On Sat, Feb 19, 2022 at 01:29:45AM +0000, Edgecombe, Rick P wrote:
> On Fri, 2022-02-18 at 17:49 +0100, Peter Zijlstra wrote:
> > This is an (almost!) complete Kernel IBT implementation. It's been
> > self-hosting
> > for a few days now. That is, it runs on IBT enabled hardware
> > (Tigerlake) and is
> > capable of building the next kernel.
> >
> > It is also almost clean on allmodconfig using GCC-11.2.
> >
> > The biggest TODO item at this point is Clang, I've not yet looked at
> > that.
>
> Do you need to turn this off before kexec?
Probably... :-) I've never looked at that code though; so I'm not
exactly sure where to put things.
I'm assuming kexec does a hot-unplug of all but the boot-cpu which then
leaves only a single CPU with state in machine_kexec() ? Does the below
look reasonable?
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -638,6 +638,12 @@ static __always_inline void setup_cet(st
}
}
+void cet_disable(void)
+{
+ cr4_clear_bits(X86_CR4_CET);
+ wrmsrl(MSR_IA32_S_CET, 0);
+}
+
/*
* Some CPU features depend on higher CPUID levels, which may not always
* be available due to CPUID level capping or broken virtualization
diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h
index 33d41e350c79..cf26356db53e 100644
--- a/arch/x86/include/asm/cpu.h
+++ b/arch/x86/include/asm/cpu.h
@@ -72,4 +72,7 @@ void init_ia32_feat_ctl(struct cpuinfo_x86 *c);
#else
static inline void init_ia32_feat_ctl(struct cpuinfo_x86 *c) {}
#endif
+
+extern void cet_disable(void);
+
#endif /* _ASM_X86_CPU_H */
diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
index f5da4a18070a..29a2a1732605 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -310,6 +310,7 @@ void machine_kexec(struct kimage *image)
/* Interrupts aren't acceptable while we reboot */
local_irq_disable();
hw_breakpoint_disable();
+ cet_disable();
if (image->preserve_context) {
#ifdef CONFIG_X86_IO_APIC
next prev parent reply other threads:[~2022-02-19 9:58 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-18 16:49 [PATCH 00/29] x86: Kernel IBT Peter Zijlstra
2022-02-18 16:49 ` [PATCH 01/29] static_call: Avoid building empty .static_call_sites Peter Zijlstra
2022-02-18 16:49 ` [PATCH 02/29] x86/module: Fix the paravirt vs alternative order Peter Zijlstra
2022-02-18 20:28 ` Josh Poimboeuf
2022-02-18 21:22 ` Peter Zijlstra
2022-02-18 23:28 ` Josh Poimboeuf
2022-02-18 16:49 ` [PATCH 03/29] objtool: Add --dry-run Peter Zijlstra
2022-02-18 16:49 ` [PATCH 04/29] x86/livepatch: Validate __fentry__ location Peter Zijlstra
2022-02-18 21:08 ` Josh Poimboeuf
2022-02-23 10:09 ` Peter Zijlstra
2022-02-23 10:21 ` Miroslav Benes
2022-02-23 10:57 ` Peter Zijlstra
2022-02-23 12:41 ` Steven Rostedt
2022-02-23 14:05 ` Peter Zijlstra
2022-02-23 14:16 ` Steven Rostedt
2022-02-23 14:23 ` Steven Rostedt
2022-02-23 14:33 ` Steven Rostedt
2022-02-23 14:49 ` Peter Zijlstra
2022-02-23 15:54 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 05/29] x86: Base IBT bits Peter Zijlstra
2022-02-18 20:49 ` Andrew Cooper
2022-02-18 21:11 ` David Laight
2022-02-18 21:24 ` Andrew Cooper
2022-02-18 22:37 ` David Laight
2022-02-18 21:26 ` Peter Zijlstra
2022-02-18 21:14 ` Josh Poimboeuf
2022-02-18 21:21 ` Peter Zijlstra
2022-02-18 22:12 ` Joao Moreira
2022-02-19 1:07 ` Edgecombe, Rick P
2022-02-18 16:49 ` [PATCH 06/29] x86/ibt: Add ANNOTATE_NOENDBR Peter Zijlstra
2022-02-18 16:49 ` [PATCH 07/29] x86/entry: Sprinkle ENDBR dust Peter Zijlstra
2022-02-19 0:23 ` Josh Poimboeuf
2022-02-19 23:08 ` Peter Zijlstra
2022-02-19 0:36 ` Josh Poimboeuf
2022-02-18 16:49 ` [PATCH 08/29] x86/linkage: Add ENDBR to SYM_FUNC_START*() Peter Zijlstra
2022-02-18 16:49 ` [PATCH 09/29] x86/ibt,paravirt: Sprinkle ENDBR Peter Zijlstra
2022-02-18 16:49 ` [PATCH 10/29] x86/bpf: Add ENDBR instructions to prologue Peter Zijlstra
2022-02-18 16:49 ` [PATCH 11/29] x86/ibt,crypto: Add ENDBR for the jump-table entries Peter Zijlstra
2022-02-18 16:49 ` [PATCH 12/29] x86/ibt,kvm: Add ENDBR to fastops Peter Zijlstra
2022-02-18 16:49 ` [PATCH 13/29] x86/ibt,ftrace: Add ENDBR to samples/ftrace Peter Zijlstra
2022-02-18 16:49 ` [PATCH 14/29] x86/ibt: Add IBT feature, MSR and #CP handling Peter Zijlstra
2022-02-18 19:31 ` Andrew Cooper
2022-02-18 21:15 ` Peter Zijlstra
2022-02-19 1:20 ` Edgecombe, Rick P
2022-02-19 1:21 ` Josh Poimboeuf
2022-02-19 9:24 ` Peter Zijlstra
2022-02-21 8:24 ` Kees Cook
2022-02-22 4:38 ` Edgecombe, Rick P
2022-02-22 9:32 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 15/29] x86: Disable IBT around firmware Peter Zijlstra
2022-02-21 8:27 ` Kees Cook
2022-02-21 10:06 ` Peter Zijlstra
2022-02-21 13:22 ` Peter Zijlstra
2022-02-21 15:54 ` Kees Cook
2022-02-21 16:10 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 16/29] x86/bugs: Disable Retpoline when IBT Peter Zijlstra
2022-02-19 2:15 ` Josh Poimboeuf
2022-02-22 15:00 ` Peter Zijlstra
2022-02-25 0:19 ` Josh Poimboeuf
2022-02-18 16:49 ` [PATCH 17/29] x86/ibt: Annotate text references Peter Zijlstra
2022-02-19 5:22 ` Josh Poimboeuf
2022-02-19 9:39 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 18/29] x86/ibt,ftrace: Annotate ftrace code patching Peter Zijlstra
2022-02-18 16:49 ` [PATCH 19/29] x86/ibt,xen: Annotate away warnings Peter Zijlstra
2022-02-18 20:24 ` Andrew Cooper
2022-02-18 21:05 ` Peter Zijlstra
2022-02-18 23:07 ` Andrew Cooper
2022-02-21 14:20 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 20/29] x86/ibt,sev: Annotations Peter Zijlstra
2022-02-18 16:49 ` [PATCH 21/29] objtool: Rename --duplicate to --lto Peter Zijlstra
2022-02-26 19:42 ` Josh Poimboeuf
2022-02-26 21:48 ` Josh Poimboeuf
2022-02-28 11:05 ` Peter Zijlstra
2022-02-28 18:32 ` Josh Poimboeuf
2022-02-28 20:09 ` Peter Zijlstra
2022-02-28 20:18 ` Josh Poimboeuf
2022-03-01 14:19 ` Miroslav Benes
2022-02-18 16:49 ` [PATCH 22/29] Kbuild: Prepare !CLANG whole module objtool Peter Zijlstra
2022-02-18 16:49 ` [PATCH 23/29] objtool: Read the NOENDBR annotation Peter Zijlstra
2022-02-18 16:49 ` [PATCH 24/29] x86/text-patching: Make text_gen_insn() IBT aware Peter Zijlstra
2022-02-24 1:18 ` Joao Moreira
2022-02-24 9:10 ` Peter Zijlstra
2022-02-18 16:49 ` [PATCH 25/29] x86/ibt: Dont generate ENDBR in .discard.text Peter Zijlstra
2022-02-18 16:49 ` [PATCH 26/29] objtool: Add IBT validation / fixups Peter Zijlstra
2022-02-18 16:49 ` [PATCH 27/29] x86/ibt: Finish --ibt-fix-direct on module loading Peter Zijlstra
2022-02-18 16:49 ` [PATCH 28/29] x86/ibt: Ensure module init/exit points have references Peter Zijlstra
2022-02-18 16:49 ` [PATCH 29/29] x86/alternative: Use .ibt_endbr_sites to seal indirect calls Peter Zijlstra
2022-02-19 1:29 ` [PATCH 00/29] x86: Kernel IBT Edgecombe, Rick P
2022-02-19 9:58 ` Peter Zijlstra [this message]
2022-02-19 16:00 ` Andrew Cooper
2022-02-21 8:42 ` Kees Cook
2022-02-21 9:24 ` Peter Zijlstra
2022-02-23 7:26 ` Kees Cook
2022-02-24 16:47 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220219095827.GI23216@worktop.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=alyssa.milburn@intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=hjl.tools@gmail.com \
--cc=joao@overdrivepizza.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=ndesaulniers@google.com \
--cc=rick.p.edgecombe@intel.com \
--cc=samitolvanen@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox