x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Fabio Aiuto]

Dear Joerg and other x86 developers,

I work on a Lenovo Ideapad Miix 300-10IBY (intel baytrail based)
for hardware tests.
I have fedora 34 installed on, and since I updated to the 5.13.x
versions, the tablet very often freezes at Lenovo startup logo.

I did a bisect and found that the commit that introduced
the bug is:

commit 79419e13e8082cc15d174df979a363528e31f2e7
Author: Joerg Roedel <jroedel@suse.de>
Date:   Wed Mar 10 09:43:21 2021 +0100

    x86/boot/compressed/64: Setup IDT in startup_32 boot path
    
    This boot path needs exception handling when it is used with SEV-ES.
    Setup an IDT and provide a helper function to write IDT entries for
    use in 32-bit protected mode.
    
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Link: https://lkml.kernel.org/r/20210312123824.306-5-joro@8bytes.org

I tried also to checkout a v5.13 and revert this commit
together with the following:

fef81c86262879d4b1176ef51a834c15b805ebb9
"x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path"

e927e62d8e370ebfc0d702fec22bc752249ebcef
"x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path"

1ccdbf748d862bc2ea106fa9f2300983c77860fe
"x86/boot/compressed/64: Add 32-bit boot #VC handler"

to ensure an errorless build. The kernel works fine on tablet
without those changes.

My efibootmgr -v output is:

BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000,0001,2001,2002,2003
Boot0000* Fedora	HD(1,GPT,1bb602be-6ed0-4ef5-aee4-b26891963c4a,0x800,0xaf000)/File(\EFI\fedora\shimia32.efi)
Boot0001* Fedora	HD(1,GPT,1bb602be-6ed0-4ef5-aee4-b26891963c4a,0x800,0xaf000)/File(\EFI\fedora\shim.efi)RC
Boot2001* EFI USB Device	RC
Boot2002* EFI DVD/CDROM	RC
Boot2003* EFI Network	RC

This means that on startup is followed the 32-bit boot-path.

CONFIG_AMD_MEM_ENCRYPT=y

Tell me if can help, I started contributing to linux kernel
five months ago in staging subsystem. I'd be glad to contribute
to such a core area of the kernel.

thank you in advance,

fabio

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Borislav Petkov]

On Thu, Aug 19, 2021 at 12:02:31PM +0200, Fabio Aiuto wrote:
> CONFIG_AMD_MEM_ENCRYPT=y

Lemme see if I understand it correctly: you have this enabled on an
Intel-based tablet?

Does it boot plain 5.13.x (without any reverts) fine with that config
item disabled?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Hans de Goede]

Hi,

On 8/19/21 12:12 PM, Borislav Petkov wrote:
> On Thu, Aug 19, 2021 at 12:02:31PM +0200, Fabio Aiuto wrote:
>> CONFIG_AMD_MEM_ENCRYPT=y
> 
> Lemme see if I understand it correctly: you have this enabled on an
> Intel-based tablet?

Fabio is using the standard Fedora kernels which as generic distro
kernels have this enabled.

He used the Fedora .config when bisecting because in general when
debugging it is a good idea to change as little variables as
possible (even if using a distro-kernel-config leads to long
build times for the bisect).

Regards,

Hans

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Borislav Petkov]

On Thu, Aug 19, 2021 at 12:47:05PM +0200, Hans de Goede wrote:
> Fabio is using the standard Fedora kernels which as generic distro
> kernels have this enabled.

Right, I suspected but wanted to make sure. Then my second question
would need answering:

Does it boot plain 5.13.x (without any reverts) fine with that config
item disabled?

> (even if using a distro-kernel-config leads to long build times for
> the bisect).

Yah, tell me about it. :-\

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Fabio Aiuto]

Hello Borislav,

On Thu, Aug 19, 2021 at 12:12:13PM +0200, Borislav Petkov wrote:
> On Thu, Aug 19, 2021 at 12:02:31PM +0200, Fabio Aiuto wrote:
> > CONFIG_AMD_MEM_ENCRYPT=y
> 
> Lemme see if I understand it correctly: you have this enabled on an
> Intel-based tablet?

Yes I have, as Hans replied I use for rebuild the configuration
provided by Fedora 34 distribution.

> 
> Does it boot plain 5.13.x (without any reverts) fine with that config
> item disabled?

I rebuilt a plain v5.13 kernel (no reverts) with that config
disabled and everything goes fine.

> 
> -- 
> Regards/Gruss,
>     Boris.
> 
> https://people.kernel.org/tglx/notes-about-netiquette

thank you,

fabio

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Joerg Roedel]

[-- Attachment #1: Type: text/plain, Size: 365 bytes --]

Hi Fabio,

thanks for your report!

On Thu, Aug 19, 2021 at 02:16:53PM +0200, Fabio Aiuto wrote:
> I rebuilt a plain v5.13 kernel (no reverts) with that config
> disabled and everything goes fine.

Can you please try the attached patch? I think the problem is that the
32-bit EFI boot path sets up its own IDT before ExitBootServices() is
called.

Regards,

	Joerg

[-- Attachment #2: boot-idt.fix --]
[-- Type: text/plain, Size: 2208 bytes --]

diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
index 95a223b3e56a..99cfd5dea23c 100644
--- a/arch/x86/boot/compressed/efi_thunk_64.S
+++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -39,7 +39,7 @@ SYM_FUNC_START(__efi64_thunk)
 	/*
 	 * Convert x86-64 ABI params to i386 ABI
 	 */
-	subq	$32, %rsp
+	subq	$64, %rsp
 	movl	%esi, 0x0(%rsp)
 	movl	%edx, 0x4(%rsp)
 	movl	%ecx, 0x8(%rsp)
@@ -49,14 +49,19 @@ SYM_FUNC_START(__efi64_thunk)
 	leaq	0x14(%rsp), %rbx
 	sgdt	(%rbx)
 
+	addq	$16, %rbx
+	sidt	(%rbx)
+
 	/*
-	 * Switch to gdt with 32-bit segments. This is the firmware GDT
-	 * that was installed when the kernel started executing. This
-	 * pointer was saved at the EFI stub entry point in head_64.S.
+	 * Switch to idt and gdt with 32-bit segments. This is the firmware GDT
+	 * and IDT that was installed when the kernel started executing. The
+	 * pointers were saved at the EFI stub entry point in head_64.S.
 	 *
 	 * Pass the saved DS selector to the 32-bit code, and use far return to
 	 * restore the saved CS selector.
 	 */
+	leaq	efi32_boot_idt(%rip), %rax
+	lidt	(%rax)
 	leaq	efi32_boot_gdt(%rip), %rax
 	lgdt	(%rax)
 
@@ -67,7 +72,7 @@ SYM_FUNC_START(__efi64_thunk)
 	pushq	%rax
 	lretq
 
-1:	addq	$32, %rsp
+1:	addq	$64, %rsp
 	movq	%rdi, %rax
 
 	pop	%rbx
@@ -132,6 +137,9 @@ SYM_FUNC_START_LOCAL(efi_enter32)
 	 */
 	cli
 
+	lidtl	(%ebx)
+	subl	$16, %ebx
+
 	lgdtl	(%ebx)
 
 	movl	%cr4, %eax
@@ -166,6 +174,11 @@ SYM_DATA_START(efi32_boot_gdt)
 	.quad	0
 SYM_DATA_END(efi32_boot_gdt)
 
+SYM_DATA_START(efi32_boot_idt)
+	.word	0
+	.quad	0
+SYM_DATA_END(efi32_boot_idt)
+
 SYM_DATA_START(efi32_boot_cs)
 	.word	0
 SYM_DATA_END(efi32_boot_cs)
diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
index a2347ded77ea..572c535cf45b 100644
--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -319,6 +319,9 @@ SYM_INNER_LABEL(efi32_pe_stub_entry, SYM_L_LOCAL)
 	movw	%cs, rva(efi32_boot_cs)(%ebp)
 	movw	%ds, rva(efi32_boot_ds)(%ebp)
 
+	/* Store firmware IDT descriptor */
+	sidtl	rva(efi32_boot_idt)(%ebp)
+
 	/* Disable paging */
 	movl	%cr0, %eax
 	btrl	$X86_CR0_PG_BIT, %eax

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Fabio Aiuto]

Hi Joerg,

On Thu, Aug 19, 2021 at 03:33:40PM +0200, Joerg Roedel wrote:
> Hi Fabio,
> 
> thanks for your report!

you are welcome,

> 
> On Thu, Aug 19, 2021 at 02:16:53PM +0200, Fabio Aiuto wrote:
> > I rebuilt a plain v5.13 kernel (no reverts) with that config
> > disabled and everything goes fine.
> 
> Can you please try the attached patch? I think the problem is that the
> 32-bit EFI boot path sets up its own IDT before ExitBootServices() is
> called.

shall I restore back CONFIG_AMD_MEM_ENCRYPT?

thank you,

fabio

> 
> Regards,
> 
> 	Joerg

> diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
> index 95a223b3e56a..99cfd5dea23c 100644
> --- a/arch/x86/boot/compressed/efi_thunk_64.S
> +++ b/arch/x86/boot/compressed/efi_thunk_64.S
> @@ -39,7 +39,7 @@ SYM_FUNC_START(__efi64_thunk)
>  	/*
>  	 * Convert x86-64 ABI params to i386 ABI
>  	 */
> -	subq	$32, %rsp
> +	subq	$64, %rsp
>  	movl	%esi, 0x0(%rsp)
>  	movl	%edx, 0x4(%rsp)
>  	movl	%ecx, 0x8(%rsp)
> @@ -49,14 +49,19 @@ SYM_FUNC_START(__efi64_thunk)
>  	leaq	0x14(%rsp), %rbx
>  	sgdt	(%rbx)
>  
> +	addq	$16, %rbx
> +	sidt	(%rbx)
> +
>  	/*
> -	 * Switch to gdt with 32-bit segments. This is the firmware GDT
> -	 * that was installed when the kernel started executing. This
> -	 * pointer was saved at the EFI stub entry point in head_64.S.
> +	 * Switch to idt and gdt with 32-bit segments. This is the firmware GDT
> +	 * and IDT that was installed when the kernel started executing. The
> +	 * pointers were saved at the EFI stub entry point in head_64.S.
>  	 *
>  	 * Pass the saved DS selector to the 32-bit code, and use far return to
>  	 * restore the saved CS selector.
>  	 */
> +	leaq	efi32_boot_idt(%rip), %rax
> +	lidt	(%rax)
>  	leaq	efi32_boot_gdt(%rip), %rax
>  	lgdt	(%rax)
>  
> @@ -67,7 +72,7 @@ SYM_FUNC_START(__efi64_thunk)
>  	pushq	%rax
>  	lretq
>  
> -1:	addq	$32, %rsp
> +1:	addq	$64, %rsp
>  	movq	%rdi, %rax
>  
>  	pop	%rbx
> @@ -132,6 +137,9 @@ SYM_FUNC_START_LOCAL(efi_enter32)
>  	 */
>  	cli
>  
> +	lidtl	(%ebx)
> +	subl	$16, %ebx
> +
>  	lgdtl	(%ebx)
>  
>  	movl	%cr4, %eax
> @@ -166,6 +174,11 @@ SYM_DATA_START(efi32_boot_gdt)
>  	.quad	0
>  SYM_DATA_END(efi32_boot_gdt)
>  
> +SYM_DATA_START(efi32_boot_idt)
> +	.word	0
> +	.quad	0
> +SYM_DATA_END(efi32_boot_idt)
> +
>  SYM_DATA_START(efi32_boot_cs)
>  	.word	0
>  SYM_DATA_END(efi32_boot_cs)
> diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
> index a2347ded77ea..572c535cf45b 100644
> --- a/arch/x86/boot/compressed/head_64.S
> +++ b/arch/x86/boot/compressed/head_64.S
> @@ -319,6 +319,9 @@ SYM_INNER_LABEL(efi32_pe_stub_entry, SYM_L_LOCAL)
>  	movw	%cs, rva(efi32_boot_cs)(%ebp)
>  	movw	%ds, rva(efi32_boot_ds)(%ebp)
>  
> +	/* Store firmware IDT descriptor */
> +	sidtl	rva(efi32_boot_idt)(%ebp)
> +
>  	/* Disable paging */
>  	movl	%cr0, %eax
>  	btrl	$X86_CR0_PG_BIT, %eax

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Joerg Roedel]

On Thu, Aug 19, 2021 at 03:43:28PM +0200, Fabio Aiuto wrote:
> shall I restore back CONFIG_AMD_MEM_ENCRYPT?

Yes, please restore it.

Thanks,

	Joerg

Re: x86/boot/compressed/64: Lenovo Ideapad Miix300 bug report

[Fabio Aiuto]

Hello Joerg,

On Thu, Aug 19, 2021 at 03:49:28PM +0200, Joerg Roedel wrote:
> On Thu, Aug 19, 2021 at 03:43:28PM +0200, Fabio Aiuto wrote:
> > shall I restore back CONFIG_AMD_MEM_ENCRYPT?
> 
> Yes, please restore it.
> 
> Thanks,
> 
> 	Joerg

Your patch works. I've tested the boot 10 times and
worked fine. Tell me if you want me to test some other
ways.

thank you,

fabio