| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 May 2017 10:46:22 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Borislav Petkov <bp@...en8.de>,
Josh Poimboeuf <jpoimboe@...hat.com>
CC: <linux-arch@...r.kernel.org>, <linux-efi@...r.kernel.org>,
<kvm@...r.kernel.org>, <linux-doc@...r.kernel.org>,
<x86@...nel.org>, <kexec@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>, <kasan-dev@...glegroups.com>,
<linux-mm@...ck.org>, <iommu@...ts.linux-foundation.org>,
Rik van Riel <riel@...hat.com>,
Radim Krčmář <rkrcmar@...hat.com>,
Toshimitsu Kani <toshi.kani@....com>,
Arnd Bergmann <arnd@...db.de>,
Jonathan Corbet <corbet@....net>,
Matt Fleming <matt@...eblueprint.co.uk>,
"Michael S. Tsirkin" <mst@...hat.com>,
Joerg Roedel <joro@...tes.org>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Larry Woodman <lwoodman@...hat.com>,
Brijesh Singh <brijesh.singh@....com>,
Ingo Molnar <mingo@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Dave Young <dyoung@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: [PATCH v5 32/32] x86/mm: Add support to make use of Secure Memory
Encryption
On 5/19/2017 6:30 AM, Borislav Petkov wrote:
> On Fri, Apr 21, 2017 at 01:56:13PM -0500, Tom Lendacky wrote:
>> On 4/18/2017 4:22 PM, Tom Lendacky wrote:
>>> Add support to check if SME has been enabled and if memory encryption
>>> should be activated (checking of command line option based on the
>>> configuration of the default state). If memory encryption is to be
>>> activated, then the encryption mask is set and the kernel is encrypted
>>> "in place."
>>>
>>> Signed-off-by: Tom Lendacky <thomas.lendacky@....com>
>>> ---
>>> arch/x86/kernel/head_64.S | 1 +
>>> arch/x86/mm/mem_encrypt.c | 83 +++++++++++++++++++++++++++++++++++++++++++--
>>> 2 files changed, 80 insertions(+), 4 deletions(-)
>>>
>>
>> ...
>>
>>>
>>> -unsigned long __init sme_enable(void)
>>> +unsigned long __init sme_enable(struct boot_params *bp)
>>> {
>>> + const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off;
>>> + unsigned int eax, ebx, ecx, edx;
>>> + unsigned long me_mask;
>>> + bool active_by_default;
>>> + char buffer[16];
>>
>> So it turns out that when KASLR is enabled (CONFIG_RAMDOMIZE_BASE=y)
>> the stack-protector support causes issues with this function because
>
> What issues?
The stack protection support makes use of the gs segment register and
at this point not everything is setup properly to allow it to work,
so it segfaults.
Thanks,
Tom
>
>> it is called so early. I can get past it by adding:
>>
>> CFLAGS_mem_encrypt.o := $(nostackp)
>>
>> in the arch/x86/mm/Makefile, but that obviously eliminates the support
>> for the whole file. Would it be better to split out the sme_enable()
>> and other boot routines into a separate file or just apply the
>> $(nostackp) to the whole file?
>
> Josh might have a better idea here... CCed.
>
Powered by blists - more mailing lists