From mboxrd@z Thu Jan  1 00:00:00 1970
From: Thomas Garnier <thgarnie@google.com>
Subject: [RFC v2 12/23] x86/boot/64: Adapt assembly for PIE
	support
Date: Thu, 10 Aug 2017 10:26:04 -0700
Message-ID: <20170810172615.51965-13-thgarnie@google.com>
References: <20170810172615.51965-1-thgarnie@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Cc: linux-arch@vger.kernel.org, kvm@vger.kernel.org, linux-pm@vger.kernel.org,
 x86@kernel.org, linux-kernel@vger.kernel.org, linux-sparse@vger.kernel.org,
 linux-crypto@vger.kernel.org, kernel-hardening@lists.openwall.com,
 xen-devel@lists.xenproject.org
To: Herbert Xu <herbert@gondor.apana.org.au>,
 "David S . Miller" <davem@davemloft.net>,
 Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
 "H . Peter Anvin" <hpa@zytor.com>, Peter Zijlstra <peterz@infradead.org>,
 Josh Poimboeuf <jpoimboe@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
 Thomas Garnier <thgarnie@google.com>, Matthias Kaehlcke <mka@chromium.org>,
 Boris Ostrovsky <boris.ostrovsky@oracle.com>,
 Juergen Gross <jgross@suse.com>, Paolo Bonzini <pbonzini@redhat.com>,
 =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
 Joerg Roedel <joro@8bytes.org>, Tom Lendacky <thomas.lendacky@amd.com>,
 Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
 Brian Gerst <brgerst@gmail.com>,
 "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
 "Rafael J . Wysocki" <rjw@rjwysocki.net>, Len Brown <len.brown@intel.com>,
 Pavel Machek <pavel@ucw.cz>
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <20170810172615.51965-1-thgarnie@google.com>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
List-Id: linux-crypto.vger.kernel.org

Q2hhbmdlIHRoZSBhc3NlbWJseSBjb2RlIHRvIHVzZSBvbmx5IHJlbGF0aXZlIHJlZmVyZW5jZXMg
b2Ygc3ltYm9scyBmb3IgdGhlCmtlcm5lbCB0byBiZSBQSUUgY29tcGF0aWJsZS4KCkVhcmx5IGF0
IGJvb3QsIHRoZSBrZXJuZWwgaXMgbWFwcGVkIGF0IGEgdGVtcG9yYXJ5IGFkZHJlc3Mgd2hpbGUg
cHJlcGFyaW5nCnRoZSBwYWdlIHRhYmxlLiBUbyBrbm93IHRoZSBjaGFuZ2VzIG5lZWRlZCBmb3Ig
dGhlIHBhZ2UgdGFibGUgd2l0aCBLQVNMUiwKdGhlIGJvb3QgY29kZSBjYWxjdWxhdGUgdGhlIGRp
ZmZlcmVuY2UgYmV0d2VlbiB0aGUgZXhwZWN0ZWQgYWRkcmVzcyBvZiB0aGUKa2VybmVsIGFuZCB0
aGUgb25lIGNob3NlbiBieSBLQVNMUi4gSXQgZG9lcyBub3Qgd29yayB3aXRoIFBJRSBiZWNhdXNl
IGFsbApzeW1ib2xzIGluIGNvZGUgYXJlIHJlbGF0aXZlcy4gSW5zdGVhZCBvZiBnZXR0aW5nIHRo
ZSBmdXR1cmUgcmVsb2NhdGVkCnZpcnR1YWwgYWRkcmVzcywgeW91IHdpbGwgZ2V0IHRoZSBjdXJy
ZW50IHRlbXBvcmFyeSBtYXBwaW5nLiBUaGUgc29sdXRpb24KaXMgdXNpbmcgZ2xvYmFsIHZhcmlh
YmxlcyB0aGF0IHdpbGwgYmUgcmVsb2NhdGVkIGFzIGV4cGVjdGVkLgoKUG9zaXRpb24gSW5kZXBl
bmRlbnQgRXhlY3V0YWJsZSAoUElFKSBzdXBwb3J0IHdpbGwgYWxsb3cgdG8gZXh0ZW5kZWQgdGhl
CktBU0xSIHJhbmRvbWl6YXRpb24gcmFuZ2UgYmVsb3cgdGhlIC0yRyBtZW1vcnkgbGltaXQuCgpT
aWduZWQtb2ZmLWJ5OiBUaG9tYXMgR2FybmllciA8dGhnYXJuaWVAZ29vZ2xlLmNvbT4KLS0tCiBh
cmNoL3g4Ni9rZXJuZWwvaGVhZF82NC5TIHwgMzEgKysrKysrKysrKysrKysrKysrKysrKystLS0t
LS0tLQogMSBmaWxlIGNoYW5nZWQsIDIzIGluc2VydGlvbnMoKyksIDggZGVsZXRpb25zKC0pCgpk
aWZmIC0tZ2l0IGEvYXJjaC94ODYva2VybmVsL2hlYWRfNjQuUyBiL2FyY2gveDg2L2tlcm5lbC9o
ZWFkXzY0LlMKaW5kZXggNTEzY2JiMDEyZWNjLi4wOTU3OWUwNzE0Y2UgMTAwNjQ0Ci0tLSBhL2Fy
Y2gveDg2L2tlcm5lbC9oZWFkXzY0LlMKKysrIGIvYXJjaC94ODYva2VybmVsL2hlYWRfNjQuUwpA
QCAtODUsOCArODUsMjMgQEAgc3RhcnR1cF82NDoKIAlwb3BxCSVyc2kKIAogCS8qIEZvcm0gdGhl
IENSMyB2YWx1ZSBiZWluZyBzdXJlIHRvIGluY2x1ZGUgdGhlIENSMyBtb2RpZmllciAqLwotCWFk
ZHEJJChlYXJseV90b3BfcGd0IC0gX19TVEFSVF9LRVJORUxfbWFwKSwgJXJheAorCWFkZHEgICAg
X2Vhcmx5X3RvcF9wZ3Rfb2Zmc2V0KCVyaXApLCAlcmF4CiAJam1wIDFmCisKKwkvKgorCSAqIFBv
c2l0aW9uIEluZGVwZW5kZW50IENvZGUgdGFrZXMgb25seSByZWxhdGl2ZSByZWZlcmVuY2VzIGlu
IGNvZGUKKwkgKiBtZWFuaW5nIGEgZ2xvYmFsIHZhcmlhYmxlIGFkZHJlc3MgaXMgcmVsYXRpdmUg
dG8gUklQIGFuZCBub3QgaXRzCisJICogZnV0dXJlIHZpcnR1YWwgYWRkcmVzcy4gR2xvYmFsIHZh
cmlhYmxlcyBjYW4gYmUgdXNlZCBpbnN0ZWFkIGFzIHRoZXkKKwkgKiBhcmUgc3RpbGwgcmVsb2Nh
dGVkIG9uIHRoZSBleHBlY3RlZCBrZXJuZWwgbWFwcGluZyBhZGRyZXNzLgorCSAqLworCS5hbGln
biA4CitfZWFybHlfdG9wX3BndF9vZmZzZXQ6CisJLnF1YWQgZWFybHlfdG9wX3BndCAtIF9fU1RB
UlRfS0VSTkVMX21hcAorX2luaXRfdG9wX29mZnNldDoKKwkucXVhZCBpbml0X3RvcF9wZ3QgLSBf
X1NUQVJUX0tFUk5FTF9tYXAKK192YV9qdW1wOgorCS5xdWFkIDJmCisKIEVOVFJZKHNlY29uZGFy
eV9zdGFydHVwXzY0KQogCS8qCiAJICogQXQgdGhpcyBwb2ludCB0aGUgQ1BVIHJ1bnMgaW4gNjRi
aXQgbW9kZSBDUy5MID0gMSBDUy5EID0gMCwKQEAgLTExNCw3ICsxMjksNyBAQCBFTlRSWShzZWNv
bmRhcnlfc3RhcnR1cF82NCkKIAlwb3BxCSVyc2kKIAogCS8qIEZvcm0gdGhlIENSMyB2YWx1ZSBi
ZWluZyBzdXJlIHRvIGluY2x1ZGUgdGhlIENSMyBtb2RpZmllciAqLwotCWFkZHEJJChpbml0X3Rv
cF9wZ3QgLSBfX1NUQVJUX0tFUk5FTF9tYXApLCAlcmF4CisJYWRkcSAgICBfaW5pdF90b3Bfb2Zm
c2V0KCVyaXApLCAlcmF4CiAxOgogCiAJLyogRW5hYmxlIFBBRSBtb2RlLCBQR0UgYW5kIExBNTcg
Ki8KQEAgLTEyOSw5ICsxNDQsOCBAQCBFTlRSWShzZWNvbmRhcnlfc3RhcnR1cF82NCkKIAltb3Zx
CSVyYXgsICVjcjMKIAogCS8qIEVuc3VyZSBJIGFtIGV4ZWN1dGluZyBmcm9tIHZpcnR1YWwgYWRk
cmVzc2VzICovCi0JbW92cQkkMWYsICVyYXgKLQlqbXAJKiVyYXgKLTE6CisJam1wCSpfdmFfanVt
cCglcmlwKQorMjoKIAogCS8qIENoZWNrIGlmIG54IGlzIGltcGxlbWVudGVkICovCiAJbW92bAkk
MHg4MDAwMDAwMSwgJWVheApAQCAtMjI3LDExICsyNDEsMTIgQEAgRU5UUlkoc2Vjb25kYXJ5X3N0
YXJ0dXBfNjQpCiAJICoJUkVYLlcgKyBGRiAvNSBKTVAgbTE2OjY0IEp1bXAgZmFyLCBhYnNvbHV0
ZSBpbmRpcmVjdCwKIAkgKgkJYWRkcmVzcyBnaXZlbiBpbiBtMTY6NjQuCiAJICovCi0JcHVzaHEJ
JC5MYWZ0ZXJfbHJldAkjIHB1dCByZXR1cm4gYWRkcmVzcyBvbiBzdGFjayBmb3IgdW53aW5kZXIK
KwlsZWFxCS5MYWZ0ZXJfbHJldCglcmlwKSwgJXJheAorCXB1c2hxCSVyYXgJCSMgcHV0IHJldHVy
biBhZGRyZXNzIG9uIHN0YWNrIGZvciB1bndpbmRlcgogCXhvcnEJJXJicCwgJXJicAkjIGNsZWFy
IGZyYW1lIHBvaW50ZXIKLQltb3ZxCWluaXRpYWxfY29kZSglcmlwKSwgJXJheAorCWxlYXEJaW5p
dGlhbF9jb2RlKCVyaXApLCAlcmF4CiAJcHVzaHEJJF9fS0VSTkVMX0NTCSMgc2V0IGNvcnJlY3Qg
Y3MKLQlwdXNocQklcmF4CQkjIHRhcmdldCBhZGRyZXNzIGluIG5lZ2F0aXZlIHNwYWNlCisJcHVz
aHEJKCVyYXgpCQkjIHRhcmdldCBhZGRyZXNzIGluIG5lZ2F0aXZlIHNwYWNlCiAJbHJldHEKIC5M
YWZ0ZXJfbHJldDoKIEVORFBST0Moc2Vjb25kYXJ5X3N0YXJ0dXBfNjQpCi0tIAoyLjE0LjAuNDM0
Lmc5ODA5NmZkN2E4LWdvb2cKCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fXwpYZW4tZGV2ZWwgbWFpbGluZyBsaXN0Clhlbi1kZXZlbEBsaXN0cy54ZW4ub3Jn
Cmh0dHBzOi8vbGlzdHMueGVuLm9yZy94ZW4tZGV2ZWwK

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Thomas Garnier <thgarnie@google.com>
Date: Thu, 10 Aug 2017 10:26:04 -0700
Message-Id: <20170810172615.51965-13-thgarnie@google.com>
In-Reply-To: <20170810172615.51965-1-thgarnie@google.com>
References: <20170810172615.51965-1-thgarnie@google.com>
Subject: [kernel-hardening] [RFC v2 12/23] x86/boot/64: Adapt assembly for PIE support
To: Herbert Xu <herbert@gondor.apana.org.au>, "David S . Miller" <davem@davemloft.net>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>, Peter Zijlstra <peterz@infradead.org>, Josh Poimboeuf <jpoimboe@redhat.com>, Arnd Bergmann <arnd@arndb.de>, Thomas Garnier <thgarnie@google.com>, Matthias Kaehlcke <mka@chromium.org>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Juergen Gross <jgross@suse.com>, Paolo Bonzini <pbonzini@redhat.com>, =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>, Joerg Roedel <joro@8bytes.org>, Tom Lendacky <thomas.lendacky@amd.com>, Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>, Brian Gerst <brgerst@gmail.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, "Rafael J . Wysocki" <rjw@rjwysocki.net>, Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>, Tejun Heo <tj@kernel.org>, Christoph Lameter <cl@linux.com>, Paul Gortmaker <paul.gortmaker@windriver.com>, Chris Metcalf <cmetcalf@mellanox.com>, Andrew Morton <akpm@linux-foundation.org>, "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>, Nicolas Pitre <nicolas.pitre@linaro.org>, Christopher Li <sparse@chrisli.org>, "Rafael J . Wysocki" <rafael.j.wysocki@intel.com>, Lukas Wunner <lukas@wunner.de>, Mika Westerberg <mika.westerberg@linux.intel.com>, Dou Liyang <douly.fnst@cn.fujitsu.com>, Daniel Borkmann <daniel@iogearbox.net>, Alexei Starovoitov <ast@kernel.org>, Masahiro Yamada <yamada.masahiro@socionext.com>, Markus Trippelsdorf <markus@trippelsdorf.de>, Steven Rostedt <rostedt@goodmis.org>, Kees Cook <keescook@chromium.org>, Rik van Riel <riel@redhat.com>, David Howells <dhowells@redhat.com>, Waiman Long <longman@redhat.com>, Kyle Huey <me@kylehuey.com>, Peter Foley <pefoley2@pefoley.com>, Tim Chen <tim.c.chen@linux.intel.com>, Catalin Marinas <catalin.marinas@arm.com>, Ard Biesheuvel <ard.biesheuvel@linaro.org>, Michal Hocko <mhocko@suse.com>, Matthew Wilcox <mawilcox@microsoft.com>, "H . J . Lu" <hjl.tools@gmail.com>, Paul Bolle <pebolle@tiscali.nl>, Rob Landley <rob@landley.net>, Baoquan He <bhe@redhat.com>, Daniel Micay <danielmicay@gmail.com>
Cc: x86@kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, kvm@vger.kernel.org, linux-pm@vger.kernel.org, linux-arch@vger.kernel.org, linux-sparse@vger.kernel.org, kernel-hardening@lists.openwall.com
List-ID: <kernel-hardening.lists.openwall.com>

Change the assembly code to use only relative references of symbols for the
kernel to be PIE compatible.

Early at boot, the kernel is mapped at a temporary address while preparing
the page table. To know the changes needed for the page table with KASLR,
the boot code calculate the difference between the expected address of the
kernel and the one chosen by KASLR. It does not work with PIE because all
symbols in code are relatives. Instead of getting the future relocated
virtual address, you will get the current temporary mapping. The solution
is using global variables that will be relocated as expected.

Position Independent Executable (PIE) support will allow to extended the
KASLR randomization range below the -2G memory limit.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
---
 arch/x86/kernel/head_64.S | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 513cbb012ecc..09579e0714ce 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -85,8 +85,23 @@ startup_64:
 	popq	%rsi
 
 	/* Form the CR3 value being sure to include the CR3 modifier */
-	addq	$(early_top_pgt - __START_KERNEL_map), %rax
+	addq    _early_top_pgt_offset(%rip), %rax
 	jmp 1f
+
+	/*
+	 * Position Independent Code takes only relative references in code
+	 * meaning a global variable address is relative to RIP and not its
+	 * future virtual address. Global variables can be used instead as they
+	 * are still relocated on the expected kernel mapping address.
+	 */
+	.align 8
+_early_top_pgt_offset:
+	.quad early_top_pgt - __START_KERNEL_map
+_init_top_offset:
+	.quad init_top_pgt - __START_KERNEL_map
+_va_jump:
+	.quad 2f
+
 ENTRY(secondary_startup_64)
 	/*
 	 * At this point the CPU runs in 64bit mode CS.L = 1 CS.D = 0,
@@ -114,7 +129,7 @@ ENTRY(secondary_startup_64)
 	popq	%rsi
 
 	/* Form the CR3 value being sure to include the CR3 modifier */
-	addq	$(init_top_pgt - __START_KERNEL_map), %rax
+	addq    _init_top_offset(%rip), %rax
 1:
 
 	/* Enable PAE mode, PGE and LA57 */
@@ -129,9 +144,8 @@ ENTRY(secondary_startup_64)
 	movq	%rax, %cr3
 
 	/* Ensure I am executing from virtual addresses */
-	movq	$1f, %rax
-	jmp	*%rax
-1:
+	jmp	*_va_jump(%rip)
+2:
 
 	/* Check if nx is implemented */
 	movl	$0x80000001, %eax
@@ -227,11 +241,12 @@ ENTRY(secondary_startup_64)
 	 *	REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
 	 *		address given in m16:64.
 	 */
-	pushq	$.Lafter_lret	# put return address on stack for unwinder
+	leaq	.Lafter_lret(%rip), %rax
+	pushq	%rax		# put return address on stack for unwinder
 	xorq	%rbp, %rbp	# clear frame pointer
-	movq	initial_code(%rip), %rax
+	leaq	initial_code(%rip), %rax
 	pushq	$__KERNEL_CS	# set correct cs
-	pushq	%rax		# target address in negative space
+	pushq	(%rax)		# target address in negative space
 	lretq
 .Lafter_lret:
 ENDPROC(secondary_startup_64)
-- 
2.14.0.434.g98096fd7a8-goog