From patchwork Thu Aug 10 17:26:04 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Garnier <thgarnie@google.com>
X-Patchwork-Id: 9894369
Return-Path: 
 <kernel-hardening-return-9321-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	C0FEA60236 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Thu, 10 Aug 2017 17:30:43 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A89B528A39
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Thu, 10 Aug 2017 17:30:43 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 9CCA128A92; Thu, 10 Aug 2017 17:30:43 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_MED,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 4035A28B60
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Thu, 10 Aug 2017 17:30:39 +0000 (UTC)
Received: (qmail 1559 invoked by uid 550); 10 Aug 2017 17:27:19 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 32745 invoked from network); 10 Aug 2017 17:27:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=1y+SX6AQvYfTFgwSMQkmeQMRa4shpxAafat+MY0vAVY=;
	b=NEDDhd2TnoBfCHgNX90RJ0cqQVsKpyXDChd8xFEWrI3rSCZze0bsx6ezRXjzk5f50D
	87eoSEAzH4sQgunaTGKuSfkadOG1t1jJJkh7i5NXyyQrCDmgmrw3To9feIdBNUJ2w+OT
	pQDwPrWJOKdZszbxVxUpUj+ieQZY/zhXkDnl9csHViUixjo0cKncZvGAdABlU8zDJt4H
	mmjjGYuY53B25abeNz3DHmNHOBhm0Pt52ZBGL7NDCPhd0zN/2vqfNDyBQo08RRomt2WN
	+H3aVIifCFX3ERAooKy8lS+HPI62CFTxqwLITCzHrPiLk7c4H1zqPJIsnf7Dc0eUbjwK
	jcgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=1y+SX6AQvYfTFgwSMQkmeQMRa4shpxAafat+MY0vAVY=;
	b=lSYyghajbVblujPN+jz7gmR71UTRtIiSEwYpeiEyvV4YWB8AETiMIxEdCJ0/UqivOL
	JwZccd1zYDgMQ4DFPNcN06PfcDeOfVOm8AZayZhS8DutxnhqtloS07SiBrv8CFax88d4
	wT+iBvKtuS5XVFAyL0ildARmS3jn80DrAWEvaWQk1Hgmg3TGcHl6SbeVveb90oyH9KuO
	jF2ELU/4ucB5o7giMIigYJ3nP8cDunVllj7GwYT70Ru3HJcFFRHwQY7GnyRVdjTzi8rK
	LI6tcpjbzvU9ZbJUwD4eRsvkeOeTyFvoFvSJtBmPmQUKiLO5UIZwnsmjjpRvcwPWKDur
	DVog==
X-Gm-Message-State: AHYfb5iyYJyUz2NLsnXweyBnDeX8zxSujfw0SBdr1EZG8EwS0FANtSY3
	jpNGR1xwdZMqGF01
X-Received: by 10.84.231.198 with SMTP id g6mr5722291pln.36.1502386020638;
	Thu, 10 Aug 2017 10:27:00 -0700 (PDT)
From: Thomas Garnier <thgarnie@google.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>, Peter Zijlstra <peterz@infradead.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
	Thomas Garnier <thgarnie@google.com>,
	Matthias Kaehlcke <mka@chromium.org>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Juergen Gross <jgross@suse.com>, Paolo Bonzini <pbonzini@redhat.com>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
	Joerg Roedel <joro@8bytes.org>, Tom Lendacky <thomas.lendacky@amd.com>,
	Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
	Brian Gerst <brgerst@gmail.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	"Rafael J . Wysocki" <rjw@rjwysocki.net>,
	Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
	Tejun Heo <tj@kernel.org>, Christoph Lameter <cl@linux.com>,
	Paul Gortmaker <paul.gortmaker@windriver.com>,
	Chris Metcalf <cmetcalf@mellanox.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
	Nicolas Pitre <nicolas.pitre@linaro.org>,
	Christopher Li <sparse@chrisli.org>,
	"Rafael J . Wysocki" <rafael.j.wysocki@intel.com>,
	Lukas Wunner <lukas@wunner.de>,
	Mika Westerberg <mika.westerberg@linux.intel.com>,
	Dou Liyang <douly.fnst@cn.fujitsu.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Alexei Starovoitov <ast@kernel.org>,
	Masahiro Yamada <yamada.masahiro@socionext.com>,
	Markus Trippelsdorf <markus@trippelsdorf.de>,
	Steven Rostedt <rostedt@goodmis.org>, Kees Cook <keescook@chromium.org>,
	Rik van Riel <riel@redhat.com>, David Howells <dhowells@redhat.com>,
	Waiman Long <longman@redhat.com>, Kyle Huey <me@kylehuey.com>,
	Peter Foley <pefoley2@pefoley.com>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Michal Hocko <mhocko@suse.com>, Matthew Wilcox <mawilcox@microsoft.com>,
	"H . J . Lu" <hjl.tools@gmail.com>, Paul Bolle <pebolle@tiscali.nl>,
	Rob Landley <rob@landley.net>, Baoquan He <bhe@redhat.com>,
	Daniel Micay <danielmicay@gmail.com>
Cc: x86@kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org,
	kvm@vger.kernel.org, linux-pm@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-sparse@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Date: Thu, 10 Aug 2017 10:26:04 -0700
Message-Id: <20170810172615.51965-13-thgarnie@google.com>
X-Mailer: git-send-email 2.14.0.434.g98096fd7a8-goog
In-Reply-To: <20170810172615.51965-1-thgarnie@google.com>
References: <20170810172615.51965-1-thgarnie@google.com>
Subject: [kernel-hardening] [RFC v2 12/23] x86/boot/64: Adapt assembly for
	PIE support
X-Virus-Scanned: ClamAV using ClamSMTP

Change the assembly code to use only relative references of symbols for the
kernel to be PIE compatible.

Early at boot, the kernel is mapped at a temporary address while preparing
the page table. To know the changes needed for the page table with KASLR,
the boot code calculate the difference between the expected address of the
kernel and the one chosen by KASLR. It does not work with PIE because all
symbols in code are relatives. Instead of getting the future relocated
virtual address, you will get the current temporary mapping. The solution
is using global variables that will be relocated as expected.

Position Independent Executable (PIE) support will allow to extended the
KASLR randomization range below the -2G memory limit.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
---
 arch/x86/kernel/head_64.S | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 513cbb012ecc..09579e0714ce 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -85,8 +85,23 @@ startup_64:
 	popq	%rsi
 
 	/* Form the CR3 value being sure to include the CR3 modifier */
-	addq	$(early_top_pgt - __START_KERNEL_map), %rax
+	addq    _early_top_pgt_offset(%rip), %rax
 	jmp 1f
+
+	/*
+	 * Position Independent Code takes only relative references in code
+	 * meaning a global variable address is relative to RIP and not its
+	 * future virtual address. Global variables can be used instead as they
+	 * are still relocated on the expected kernel mapping address.
+	 */
+	.align 8
+_early_top_pgt_offset:
+	.quad early_top_pgt - __START_KERNEL_map
+_init_top_offset:
+	.quad init_top_pgt - __START_KERNEL_map
+_va_jump:
+	.quad 2f
+
 ENTRY(secondary_startup_64)
 	/*
 	 * At this point the CPU runs in 64bit mode CS.L = 1 CS.D = 0,
@@ -114,7 +129,7 @@ ENTRY(secondary_startup_64)
 	popq	%rsi
 
 	/* Form the CR3 value being sure to include the CR3 modifier */
-	addq	$(init_top_pgt - __START_KERNEL_map), %rax
+	addq    _init_top_offset(%rip), %rax
 1:
 
 	/* Enable PAE mode, PGE and LA57 */
@@ -129,9 +144,8 @@ ENTRY(secondary_startup_64)
 	movq	%rax, %cr3
 
 	/* Ensure I am executing from virtual addresses */
-	movq	$1f, %rax
-	jmp	*%rax
-1:
+	jmp	*_va_jump(%rip)
+2:
 
 	/* Check if nx is implemented */
 	movl	$0x80000001, %eax
@@ -227,11 +241,12 @@ ENTRY(secondary_startup_64)
 	 *	REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
 	 *		address given in m16:64.
 	 */
-	pushq	$.Lafter_lret	# put return address on stack for unwinder
+	leaq	.Lafter_lret(%rip), %rax
+	pushq	%rax		# put return address on stack for unwinder
 	xorq	%rbp, %rbp	# clear frame pointer
-	movq	initial_code(%rip), %rax
+	leaq	initial_code(%rip), %rax
 	pushq	$__KERNEL_CS	# set correct cs
-	pushq	%rax		# target address in negative space
+	pushq	(%rax)		# target address in negative space
 	lretq
 .Lafter_lret:
 ENDPROC(secondary_startup_64)