linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ard Biesheuvel <ardb@kernel.org>
To: Borislav Petkov <bp@alien8.de>
Cc: Kevin Loughlin <kevinloughlin@google.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	 Ingo Molnar <mingo@redhat.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org,  "H. Peter Anvin" <hpa@zytor.com>,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	 Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	 Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	 Tom Lendacky <thomas.lendacky@amd.com>,
	Michael Kelley <mikelley@microsoft.com>,
	 Pankaj Gupta <pankaj.gupta@amd.com>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	 Arnd Bergmann <arnd@arndb.de>,
	Steve Rutherford <srutherford@google.com>,
	 Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	 Hou Wenlong <houwenlong.hwl@antgroup.com>,
	Vegard Nossum <vegard.nossum@oracle.com>,
	 Josh Poimboeuf <jpoimboe@kernel.org>,
	Yuntao Wang <ytcoode@gmail.com>,
	 Wang Jinchao <wangjinchao@xfusion.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	 Brian Gerst <brgerst@gmail.com>, Hugh Dickins <hughd@google.com>,
	Joerg Roedel <jroedel@suse.de>,
	 Randy Dunlap <rdunlap@infradead.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	 Dionna Glaze <dionnaglaze@google.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	 Michael Roth <michael.roth@amd.com>,
	 "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	linux-kernel@vger.kernel.org,  llvm@lists.linux.dev,
	linux-coco@lists.linux.dev,  Ashish Kalra <ashish.kalra@amd.com>,
	Andi Kleen <ak@linux.intel.com>,
	 Adam Dunlap <acdunlap@google.com>,
	Peter Gonda <pgonda@google.com>, Jacob Xu <jacobhxu@google.com>,
	 Sidharth Telang <sidtelang@google.com>
Subject: Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code
Date: Wed, 17 Jan 2024 11:59:14 +0100	[thread overview]
Message-ID: <CAMj1kXH=k26nNyB+LQJ7WUJgbD2f3PREyjCzSngMCGc+72XJ6w@mail.gmail.com> (raw)
In-Reply-To: <20240115204634.GHZaWZqsVyU_fvn_RW@fat_crate.local>

On Mon, 15 Jan 2024 at 21:47, Borislav Petkov <bp@alien8.de> wrote:
>
> On Thu, Jan 11, 2024 at 10:36:50PM +0000, Kevin Loughlin wrote:
> > SEV/SME code can execute prior to page table fixups for kernel
> > relocation. However, as with global variables accessed in
> > __startup_64(), the compiler is not required to generate RIP-relative
> > accesses for SEV/SME global variables, causing certain flavors of SEV
> > hosts and guests built with clang to crash during boot.
>
> So, about that. If I understand my gcc toolchain folks correctly:
>
> mcmodel=kernel - everything fits into the high 31 bit of the address
> space
>
> -fPIE/PIC - position independent
>
> And supplied both don't make a whole lotta of sense: if you're building
> position-independent, then mcmodel=kernel would be overridden by the
> first.
>
> I have no clue why clang enabled it...
>
> So, *actually* the proper fix here should be not to add this "fixed_up"
> gunk everywhere but remove mcmodel=kernel from the build and simply do
> -fPIE/PIC.
>

Fully agree. All this fiddling with RIP relative references from C
code is going to be a maintenance burden going forward.

The proper way to do this is use PIC codegen for the objects that
matter. I had a stab [0] at this a while ago (for the purpose of
increasing the KASLR range, which requires PIE linking) but I didn't
pursue it in the end.

On arm64, we use a separate pseudo-namespace for code that can run
safely at any offset, using the __pi_ prefix (for Position
Independent). Using symbol prefixing at the linker level, we ensure
that __pi_ code can only call other __pi_ code, or code that has been
made available to it via an explicit __pi_ prefixed alias. (Happy to
elaborate more but we should find a smaller audience - your cc list is
a tad long). Perhaps this is something we should explore on x86 as
well (note that the EFI stub does something similar for architectures
that link the EFI stub into the core kernel rather than into the
decompressor)



[0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/commit/?h=x86-pie&id=4ba81de75d92fafdab2a8a389d1b7791dddf74f3

  parent reply	other threads:[~2024-01-17 10:59 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-10  1:26 [RFC PATCH] x86/sev: x86/sev: enforce PC-relative addressing in clang Kevin Loughlin
2024-01-10 11:45 ` Andi Kleen
2024-01-10 17:14   ` Kevin Loughlin
2024-01-10 17:49     ` Andi Kleen
2024-01-11 22:36       ` [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code Kevin Loughlin
2024-01-12 12:17         ` Kirill A. Shutemov
2024-01-12 18:29           ` Kevin Loughlin
2024-01-15 10:12             ` Kirill A. Shutemov
2024-01-16 22:13               ` Kevin Loughlin
2024-01-15 15:53         ` Tom Lendacky
2024-01-16 23:44           ` Kevin Loughlin
2024-01-15 20:46         ` Borislav Petkov
2024-01-17  0:07           ` Kevin Loughlin
2024-01-17  2:47             ` Hou Wenlong
2024-01-17 10:59           ` Ard Biesheuvel [this message]
2024-01-17 11:39             ` Andi Kleen
2024-01-17 11:55               ` Ard Biesheuvel
2024-01-17 13:05             ` Borislav Petkov
2024-01-17 13:38               ` Ard Biesheuvel
2024-01-21 14:12                 ` Ard Biesheuvel
2024-01-21 15:37                   ` Borislav Petkov
2024-01-21 16:49                     ` Ard Biesheuvel
2024-01-21 18:20                       ` Borislav Petkov
2024-01-30 22:08                         ` [PATCH v3 0/2] x86: enforce and cleanup RIP-relative accesses in early boot code Kevin Loughlin
2024-01-31 14:00                           ` Borislav Petkov
2024-01-31 18:16                             ` Jacob Xu
2024-01-31 18:29                               ` Borislav Petkov
2024-02-03  0:22                                 ` Kevin Loughlin
2024-02-03 10:15                                   ` Ard Biesheuvel
2024-02-03 10:19                                   ` Borislav Petkov
2024-02-03 10:27                                     ` Ard Biesheuvel
2024-02-03 11:25                                       ` Borislav Petkov
2024-02-06 15:46                           ` [tip: x86/sev] x86/sev: Fix position dependent variable references in startup code tip-bot2 for Ard Biesheuvel
2024-01-30 22:08                         ` [PATCH v3 1/2] x86/sev: enforce RIP-relative accesses in early SEV/SME code Kevin Loughlin
2024-01-31  8:20                           ` Kirill A. Shutemov
2024-02-02 22:00                             ` Kevin Loughlin
2024-02-02 22:47                               ` Ard Biesheuvel
2024-02-03  0:11                                 ` Kevin Loughlin
2024-01-31 13:42                           ` Ard Biesheuvel
2024-02-03  0:14                             ` Kevin Loughlin
2024-01-30 22:08                         ` [PATCH v3 2/2] x86/head64: Replace pointer fixups with RIP_RELATIVE_ADDR() Kevin Loughlin
2024-01-31  8:22                           ` Kirill A. Shutemov
2024-02-01 16:38                             ` Kevin Loughlin
2024-01-31 15:30                           ` Tom Lendacky
2024-01-31 15:36                             ` Kirill A. Shutemov
2024-01-10 13:36 ` [RFC PATCH] x86/sev: x86/sev: enforce PC-relative addressing in clang Kirill A. Shutemov
2024-01-10 17:28   ` Kevin Loughlin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAMj1kXH=k26nNyB+LQJ7WUJgbD2f3PREyjCzSngMCGc+72XJ6w@mail.gmail.com' \
    --to=ardb@kernel.org \
    --cc=acdunlap@google.com \
    --cc=ak@linux.intel.com \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=arnd@arndb.de \
    --cc=ashish.kalra@amd.com \
    --cc=bhelgaas@google.com \
    --cc=bp@alien8.de \
    --cc=brgerst@gmail.com \
    --cc=brijesh.singh@amd.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=dionnaglaze@google.com \
    --cc=dwmw@amazon.co.uk \
    --cc=houwenlong.hwl@antgroup.com \
    --cc=hpa@zytor.com \
    --cc=hughd@google.com \
    --cc=jacobhxu@google.com \
    --cc=jpoimboe@kernel.org \
    --cc=jroedel@suse.de \
    --cc=justinstitt@google.com \
    --cc=kevinloughlin@google.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=luto@kernel.org \
    --cc=michael.roth@amd.com \
    --cc=mikelley@microsoft.com \
    --cc=mingo@redhat.com \
    --cc=morbo@google.com \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=pankaj.gupta@amd.com \
    --cc=peterz@infradead.org \
    --cc=pgonda@google.com \
    --cc=rdunlap@infradead.org \
    --cc=sfr@canb.auug.org.au \
    --cc=sidtelang@google.com \
    --cc=srutherford@google.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=vegard.nossum@oracle.com \
    --cc=wangjinchao@xfusion.com \
    --cc=x86@kernel.org \
    --cc=ytcoode@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).