From: Ard Biesheuvel <ardb@kernel.org>
To: linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>,
Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Peter Jones <pjones@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>, Dave Young <dyoung@redhat.com>,
Mario Limonciello <mario.limonciello@amd.com>,
Kees Cook <keescook@chromium.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Joerg Roedel <jroedel@suse.de>
Subject: [PATCH v7 01/22] x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved
Date: Fri, 28 Jul 2023 11:08:55 +0200 [thread overview]
Message-ID: <20230728090916.1538550-2-ardb@kernel.org> (raw)
In-Reply-To: <20230728090916.1538550-1-ardb@kernel.org>
The 4-to-5 level mode switch trampoline disables long mode and paging in
order to be able to flick the LA57 bit. According to section 3.4.1.1 of
the x86 architecture manual [0], we should not rely on 64-bit GPRs
retaining the upper 32 bits of their contents across such a mode switch.
Given that RBP, RBX and RSI are live at this point, let's preserve them
on the stack, along with the return address that might be above 4G as
well.
[0] Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 1: Basic Architecture
"Because the upper 32 bits of 64-bit general-purpose registers are
undefined in 32-bit modes, the upper 32 bits of any general-purpose
register are not preserved when switching from 64-bit mode to a 32-bit
mode (to protected mode or compatibility mode). Software must not
depend on these bits to maintain a value after a 64-bit to 32-bit
mode switch."
Fixes: 194a9749c73d650c ("x86/boot/compressed/64: Handle 5-level paging boot if kernel is above 4G")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/x86/boot/compressed/head_64.S | 23 +++++++++++++++-----
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
index 03c4328a88cbd5d0..f7c11a0018477de8 100644
--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -459,11 +459,22 @@ SYM_CODE_START(startup_64)
/* Save the trampoline address in RCX */
movq %rax, %rcx
+ /* Set up 32-bit addressable stack */
+ leaq TRAMPOLINE_32BIT_STACK_END(%rcx), %rsp
+
/*
- * Load the address of trampoline_return() into RDI.
- * It will be used by the trampoline to return to the main code.
+ * Load the address of trampoline_return() into RDI and push it onto
+ * the stack so it will survive 32-bit truncation due to the 32-bit
+ * protected mode switch. It will be used by the trampoline to return
+ * to the main code.
*/
leaq trampoline_return(%rip), %rdi
+ pushq %rdi
+
+ /* Preserve other live 64-bit registers */
+ pushq %rbp
+ pushq %rbx
+ pushq %rsi
/* Switch to compatibility mode (CS.L = 0 CS.D = 1) via far return */
pushq $__KERNEL32_CS
@@ -592,9 +603,6 @@ SYM_CODE_START(trampoline_32bit_src)
movl %eax, %ds
movl %eax, %ss
- /* Set up new stack */
- leal TRAMPOLINE_32BIT_STACK_END(%ecx), %esp
-
/* Disable paging */
movl %cr0, %eax
btrl $X86_CR0_PG_BIT, %eax
@@ -671,7 +679,10 @@ SYM_CODE_END(trampoline_32bit_src)
.code64
SYM_FUNC_START_LOCAL_NOALIGN(.Lpaging_enabled)
/* Return from the trampoline */
- jmp *%rdi
+ popq %rsi
+ popq %rbx
+ popq %rbp
+ retq
SYM_FUNC_END(.Lpaging_enabled)
/*
--
2.39.2
next prev parent reply other threads:[~2023-07-28 9:14 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 9:08 [PATCH v7 00/22] efi/x86: Avoid bare metal decompressor during EFI boot Ard Biesheuvel
2023-07-28 9:08 ` Ard Biesheuvel [this message]
2023-07-31 10:07 ` [PATCH v7 01/22] x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved Borislav Petkov
2023-07-31 10:09 ` Ard Biesheuvel
2023-07-31 11:01 ` Borislav Petkov
2023-07-28 9:08 ` [PATCH v7 02/22] x86/head_64: Store boot_params pointer in callee save register Ard Biesheuvel
2023-08-01 11:28 ` Borislav Petkov
2023-07-28 9:08 ` [PATCH v7 03/22] x86/efistub: Branch straight to kernel entry point from C code Ard Biesheuvel
2023-07-28 9:08 ` [PATCH v7 04/22] x86/efistub: Simplify and clean up handover entry code Ard Biesheuvel
2023-07-28 9:08 ` [PATCH v7 05/22] x86/decompressor: Avoid magic offsets for EFI handover entrypoint Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 06/22] x86/efistub: Clear BSS in EFI handover protocol entrypoint Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 07/22] x86/decompressor: Use proper sequence to take the address of the GOT Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 08/22] x86/decompressor: Store boot_params pointer in callee save register Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 09/22] x86/decompressor: Call trampoline as a normal function Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 10/22] x86/decompressor: Use standard calling convention for trampoline Ard Biesheuvel
2023-07-31 11:28 ` Borislav Petkov
2023-07-31 11:35 ` Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 11/22] x86/decompressor: Avoid the need for a stack in the 32-bit trampoline Ard Biesheuvel
2023-08-01 10:30 ` Borislav Petkov
2023-07-28 9:09 ` [PATCH v7 12/22] x86/decompressor: Call trampoline directly from C code Ard Biesheuvel
2023-08-01 11:45 ` Borislav Petkov
2023-08-01 11:48 ` Ard Biesheuvel
2023-08-01 11:51 ` Borislav Petkov
2023-07-28 9:09 ` [PATCH v7 13/22] x86/decompressor: Only call the trampoline when changing paging levels Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 14/22] x86/decompressor: Merge trampoline cleanup with switching code Ard Biesheuvel
2023-08-01 12:08 ` Borislav Petkov
2023-08-01 12:11 ` Ard Biesheuvel
2023-08-01 12:40 ` Borislav Petkov
2023-08-01 12:46 ` Ard Biesheuvel
2023-08-01 13:04 ` Borislav Petkov
2023-07-28 9:09 ` [PATCH v7 15/22] x86/efistub: Perform 4/5 level paging switch from the stub Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 16/22] x86/efistub: Prefer EFI memory attributes protocol over DXE services Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 17/22] decompress: Use 8 byte alignment Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 18/22] x86/decompressor: Move global symbol references to C code Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 19/22] x86/decompressor: Factor out kernel decompression and relocation Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 20/22] efi/libstub: Add limit argument to efi_random_alloc() Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 21/22] x86/efistub: Perform SNP feature test while running in the firmware Ard Biesheuvel
2023-07-28 9:09 ` [PATCH v7 22/22] x86/efistub: Avoid legacy decompressor when doing EFI boot Ard Biesheuvel
2023-08-02 10:26 ` Borislav Petkov
2023-08-02 10:47 ` Ard Biesheuvel
2023-08-02 15:55 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230728090916.1538550-2-ardb@kernel.org \
--to=ardb@kernel.org \
--cc=baskov@ispras.ru \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=dyoung@redhat.com \
--cc=jroedel@suse.de \
--cc=keescook@chromium.org \
--cc=khoroshilov@ispras.ru \
--cc=kirill.shutemov@linux.intel.com \
--cc=kraxel@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mario.limonciello@amd.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pjones@redhat.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox