[v5,11/75] x86/boot/compressed/64: Disable red-zone usage

Message ID	20200724160336.5435-12-joro@8bytes.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=BqhU=BD=vger.kernel.org=kvm-owner@kernel.org> From: Joerg Roedel <joro@8bytes.org> To: x86@kernel.org Cc: Joerg Roedel <joro@8bytes.org>, Joerg Roedel <jroedel@suse.de>, hpa@zytor.com, Andy Lutomirski <luto@kernel.org>, Dave Hansen <dave.hansen@linux.intel.com>, Peter Zijlstra <peterz@infradead.org>, Jiri Slaby <jslaby@suse.cz>, Dan Williams <dan.j.williams@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>, Juergen Gross <jgross@suse.com>, Kees Cook <keescook@chromium.org>, David Rientjes <rientjes@google.com>, Cfir Cohen <cfir@google.com>, Erdem Aktas <erdemaktas@google.com>, Masami Hiramatsu <mhiramat@kernel.org>, Mike Stunes <mstunes@vmware.com>, Sean Christopherson <sean.j.christopherson@intel.com>, Martin Radev <martin.b.radev@gmail.com>, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: [PATCH v5 11/75] x86/boot/compressed/64: Disable red-zone usage Date: Fri, 24 Jul 2020 18:02:32 +0200 Message-Id: <20200724160336.5435-12-joro@8bytes.org> In-Reply-To: <20200724160336.5435-1-joro@8bytes.org> References: <20200724160336.5435-1-joro@8bytes.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: kvm-owner@vger.kernel.org Precedence: bulk
Series	x86: SEV-ES Guest Support \| expand [v5,00/75] x86: SEV-ES Guest Support [v5,01/75] KVM: SVM: Add GHCB definitions [v5,02/75] KVM: SVM: Add GHCB Accessor functions [v5,03/75] KVM: SVM: Use __packed shorthand [v5,04/75] x86/cpufeatures: Add SEV-ES CPU feature [v5,05/75] x86/traps: Move pf error codes to <asm/trap_pf.h> [v5,06/75] x86/insn: Make inat-tables.c suitable for pre-decompression code [v5,07/75] x86/umip: Factor out instruction fetch [v5,08/75] x86/umip: Factor out instruction decoding [v5,09/75] x86/insn: Add insn_get_modrm_reg_off() [v5,10/75] x86/insn: Add insn_has_rep_prefix() helper [v5,11/75] x86/boot/compressed/64: Disable red-zone usage [v5,12/75] x86/boot/compressed/64: Add IDT Infrastructure [v5,13/75] x86/boot/compressed/64: Rename kaslr_64.c to ident_map_64.c [v5,14/75] x86/boot/compressed/64: Add page-fault handler [v5,15/75] x86/boot/compressed/64: Always switch to own page-table [v5,16/75] x86/boot/compressed/64: Don't pre-map memory in KASLR code [v5,17/75] x86/boot/compressed/64: Change add_identity_map() to take start and end [v5,18/75] x86/boot/compressed/64: Add stage1 #VC handler [v5,19/75] x86/boot/compressed/64: Call set_sev_encryption_mask earlier [v5,20/75] x86/boot/compressed/64: Check return value of kernel_ident_mapping_init() [v5,21/75] x86/boot/compressed/64: Add set_page_en/decrypted() helpers [v5,22/75] x86/boot/compressed/64: Setup GHCB Based VC Exception handler [v5,23/75] x86/boot/compressed/64: Unmap GHCB page before booting the kernel [v5,24/75] x86/sev-es: Add support for handling IOIO exceptions [v5,25/75] x86/fpu: Move xgetbv()/xsetbv() into separate header [v5,26/75] x86/sev-es: Add CPUID handling to #VC handler [v5,27/75] x86/idt: Move IDT to data segment [v5,28/75] x86/idt: Split idt_data setup out of set_intr_gate() [v5,29/75] x86/head/64: Install startup GDT [v5,30/75] x86/head/64: Setup MSR_GS_BASE before calling into C code [v5,31/75] x86/head/64: Load GDT after switch to virtual addresses [v5,32/75] x86/head/64: Load segment registers earlier [v5,33/75] x86/head/64: Switch to initial stack earlier [v5,34/75] x86/head/64: Make fixup_pointer() static inline [v5,35/75] x86/head/64: Load IDT earlier [v5,36/75] x86/head/64: Move early exception dispatch to C code [v5,37/75] x86/head/64: Set CR4.FSGSBASE early [v5,38/75] x86/sev-es: Add SEV-ES Feature Detection [v5,39/75] x86/sev-es: Print SEV-ES info into kernel log [v5,40/75] x86/sev-es: Compile early handler code into kernel image [v5,41/75] x86/sev-es: Setup early #VC handler [v5,42/75] x86/sev-es: Setup GHCB based boot #VC handler [v5,43/75] x86/sev-es: Setup per-cpu GHCBs for the runtime handler [v5,44/75] x86/sev-es: Allocate and Map IST stack for #VC handler [v5,45/75] x86/sev-es: Adjust #VC IST Stack on entering NMI handler [v5,46/75] x86/dumpstack/64: Add noinstr version of get_stack_info() [v5,47/75] x86/entry/64: Add entry code for #VC handler [v5,48/75] x86/sev-es: Add Runtime #VC Exception Handler [v5,49/75] x86/sev-es: Wire up existing #VC exit-code handlers [v5,50/75] x86/sev-es: Handle instruction fetches from user-space [v5,51/75] x86/sev-es: Handle MMIO events [v5,52/75] x86/sev-es: Handle MMIO String Instructions [v5,53/75] x86/sev-es: Handle MSR events [v5,54/75] x86/sev-es: Handle DR7 read/write events [v5,55/75] x86/sev-es: Handle WBINVD Events [v5,56/75] x86/sev-es: Handle RDTSC(P) Events [v5,57/75] x86/sev-es: Handle RDPMC Events [v5,58/75] x86/sev-es: Handle INVD Events [v5,59/75] x86/sev-es: Handle MONITOR/MONITORX Events [v5,60/75] x86/sev-es: Handle MWAIT/MWAITX Events [v5,61/75] x86/sev-es: Handle VMMCALL Events [v5,62/75] x86/sev-es: Handle #AC Events [v5,63/75] x86/sev-es: Handle #DB Events [v5,64/75] x86/paravirt: Allow hypervisor specific VMMCALL handling under SEV-ES [v5,65/75] x86/kvm: Add KVM specific VMMCALL handling under SEV-ES [v5,66/75] x86/vmware: Add VMware specific handling for VMMCALL under SEV-ES [v5,67/75] x86/realmode: Add SEV-ES specific trampoline entry point [v5,68/75] x86/realmode: Setup AP jump table [v5,69/75] x86/smpboot: Setup TSS for starting AP [v5,70/75] x86/head/64: Don't call verify_cpu() on starting APs [v5,71/75] x86/head/64: Rename start_cpu0 [v5,72/75] x86/sev-es: Support CPU offline/online [v5,73/75] x86/sev-es: Handle NMI State [v5,74/75] x86/efi: Add GHCB mappings when SEV-ES is active [v5,75/75] x86/sev-es: Check required CPU features for SEV-ES

Message ID

20200724160336.5435-12-joro@8bytes.org (mailing list archive)

State

New, archived

Headers

From: Joerg Roedel <joro@8bytes.org>
To: x86@kernel.org
Cc: Joerg Roedel <joro@8bytes.org>, Joerg Roedel <jroedel@suse.de>,
        hpa@zytor.com, Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Jiri Slaby <jslaby@suse.cz>,
        Dan Williams <dan.j.williams@intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Juergen Gross <jgross@suse.com>,
        Kees Cook <keescook@chromium.org>,
        David Rientjes <rientjes@google.com>,
        Cfir Cohen <cfir@google.com>,
        Erdem Aktas <erdemaktas@google.com>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Mike Stunes <mstunes@vmware.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Martin Radev <martin.b.radev@gmail.com>,
        linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
        virtualization@lists.linux-foundation.org
Subject: [PATCH v5 11/75] x86/boot/compressed/64: Disable red-zone usage
Date: Fri, 24 Jul 2020 18:02:32 +0200
Message-Id: <20200724160336.5435-12-joro@8bytes.org>
In-Reply-To: <20200724160336.5435-1-joro@8bytes.org>
References: <20200724160336.5435-1-joro@8bytes.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: kvm-owner@vger.kernel.org
Precedence: bulk

Series

x86: SEV-ES Guest Support | expand

Commit Message

Joerg Roedel July 24, 2020, 4:02 p.m. UTC

From: Joerg Roedel <jroedel@suse.de>

The x86-64 ABI defines a red-zone on the stack:

  The 128-byte area beyond the location pointed to by %rsp is considered
  to be reserved and shall not be modified by signal or interrupt
  handlers. Therefore, functions may use this area for temporary data
  that is not needed across function calls. In particular, leaf
  functions may use this area for their entire stack frame, rather than
  adjusting the stack pointer in the prologue and epilogue. This area is
  known as the red zone.

This is not compatible with exception handling, because the IRET frame
written by the hardware at the stack pointer and the functions to handle
the exception will overwrite the temporary variables of the interrupted
function, causing undefined behavior. So disable red-zones for the
pre-decompression boot code.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
 arch/x86/boot/Makefile            | 2 +-
 arch/x86/boot/compressed/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Kees Cook July 24, 2020, 5:43 p.m. UTC | #1

On Fri, Jul 24, 2020 at 06:02:32PM +0200, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@suse.de>
> 
> The x86-64 ABI defines a red-zone on the stack:
> 
>   The 128-byte area beyond the location pointed to by %rsp is considered
>   to be reserved and shall not be modified by signal or interrupt
>   handlers. Therefore, functions may use this area for temporary data
>   that is not needed across function calls. In particular, leaf
>   functions may use this area for their entire stack frame, rather than
>   adjusting the stack pointer in the prologue and epilogue. This area is
>   known as the red zone.
> 
> This is not compatible with exception handling, because the IRET frame
> written by the hardware at the stack pointer and the functions to handle
> the exception will overwrite the temporary variables of the interrupted
> function, causing undefined behavior. So disable red-zones for the
> pre-decompression boot code.
> 
> Signed-off-by: Joerg Roedel <jroedel@suse.de>

Reviewed-by: Kees Cook <keescook@chromium.org>

Arvind Sankar July 24, 2020, 5:58 p.m. UTC | #2

On Fri, Jul 24, 2020 at 06:02:32PM +0200, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@suse.de>
> 
> The x86-64 ABI defines a red-zone on the stack:
> 
>   The 128-byte area beyond the location pointed to by %rsp is considered
>   to be reserved and shall not be modified by signal or interrupt
>   handlers. Therefore, functions may use this area for temporary data
>   that is not needed across function calls. In particular, leaf
>   functions may use this area for their entire stack frame, rather than
>   adjusting the stack pointer in the prologue and epilogue. This area is
>   known as the red zone.
> 
> This is not compatible with exception handling, because the IRET frame
> written by the hardware at the stack pointer and the functions to handle
> the exception will overwrite the temporary variables of the interrupted
> function, causing undefined behavior. So disable red-zones for the
> pre-decompression boot code.
> 
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> ---
>  arch/x86/boot/Makefile            | 2 +-
>  arch/x86/boot/compressed/Makefile | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
> index fe605205b4ce..4d6a16a47e9f 100644
> --- a/arch/x86/boot/Makefile
> +++ b/arch/x86/boot/Makefile
> @@ -66,7 +66,7 @@ targets += cpustr.h
>  
>  # ---------------------------------------------------------------------------
>  
> -KBUILD_CFLAGS	:= $(REALMODE_CFLAGS) -D_SETUP
> +KBUILD_CFLAGS	:= $(REALMODE_CFLAGS) -D_SETUP -mno-red-zone
>  KBUILD_AFLAGS	:= $(KBUILD_CFLAGS) -D__ASSEMBLY__
>  KBUILD_CFLAGS	+= $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
>  KBUILD_CFLAGS	+= -fno-asynchronous-unwind-tables

This change seems unnecessary? REALMODE_CFLAGS means it uses -m16, so
this isn't 64-bit code. [As an aside, we can drop the check for -m16
support in arch/x86/Makefile now that we've bumbed to 4.9]

> diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
> index 5a828fde7a42..416f52ab39ec 100644
> --- a/arch/x86/boot/compressed/Makefile
> +++ b/arch/x86/boot/compressed/Makefile
> @@ -32,7 +32,7 @@ KBUILD_CFLAGS := -m$(BITS) -O2
>  KBUILD_CFLAGS += -fno-strict-aliasing $(call cc-option, -fPIE, -fPIC)
>  KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
>  cflags-$(CONFIG_X86_32) := -march=i386
> -cflags-$(CONFIG_X86_64) := -mcmodel=small
> +cflags-$(CONFIG_X86_64) := -mcmodel=small -mno-red-zone
>  KBUILD_CFLAGS += $(cflags-y)
>  KBUILD_CFLAGS += -mno-mmx -mno-sse
>  KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
> -- 
> 2.27.0
> 

This one is necessary.

diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
index fe605205b4ce..4d6a16a47e9f 100644
--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -66,7 +66,7 @@  targets += cpustr.h
 
 # ---------------------------------------------------------------------------
 
-KBUILD_CFLAGS	:= $(REALMODE_CFLAGS) -D_SETUP
+KBUILD_CFLAGS	:= $(REALMODE_CFLAGS) -D_SETUP -mno-red-zone
 KBUILD_AFLAGS	:= $(KBUILD_CFLAGS) -D__ASSEMBLY__
 KBUILD_CFLAGS	+= $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
 KBUILD_CFLAGS	+= -fno-asynchronous-unwind-tables
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 5a828fde7a42..416f52ab39ec 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -32,7 +32,7 @@  KBUILD_CFLAGS := -m$(BITS) -O2
 KBUILD_CFLAGS += -fno-strict-aliasing $(call cc-option, -fPIE, -fPIC)
 KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
 cflags-$(CONFIG_X86_32) := -march=i386
-cflags-$(CONFIG_X86_64) := -mcmodel=small
+cflags-$(CONFIG_X86_64) := -mcmodel=small -mno-red-zone
 KBUILD_CFLAGS += $(cflags-y)
 KBUILD_CFLAGS += -mno-mmx -mno-sse
 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)

[v5,11/75] x86/boot/compressed/64: Disable red-zone usage

Commit Message

Comments

Patch