lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4d8f0629-4815-825f-fda2-3033e7956da3@ghiti.fr>
Date:   Sun, 22 Mar 2020 03:10:45 -0400
From:   Alex Ghiti <alex@...ti.fr>
To:     Zong Li <zong.li@...ive.com>, Palmer Dabbelt <palmer@...belt.com>
Cc:     Paul Walmsley <paul.walmsley@...ive.com>,
        Anup Patel <anup@...infault.org>,
        linux-riscv <linux-riscv@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org List" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH RESEND v2] riscv: Introduce CONFIG_RELOCATABLE

Hi Zong,

Sorry for the response delay, please find below my comments.

On 3/12/20 1:57 AM, Zong Li wrote:
> On Sat, Mar 7, 2020 at 1:58 AM Palmer Dabbelt <palmer@...belt.com> wrote:
>>
>> On Mon, 02 Mar 2020 21:44:37 PST (-0800), alex@...ti.fr wrote:
>>> This config allows to compile the kernel as PIE and to relocate it at any
>>> virtual address at runtime: this paves the way to KASLR and to 4-level
>>> page table folding at runtime. Runtime relocation is possible since
>>> relocation metadata are embedded into the kernel.
>>>
>>> Note that relocating at runtime introduces an overhead even if the kernel
>>> is loaded at the same address it was linked at and that the compiler
>>> options are those used in arm64 which uses the same RELA relocation format.
>>>
>>> Signed-off-by: Alexandre Ghiti <alex@...ti.fr>
>>> Reviewed-by: Zong Li <zong.li@...ive.com>
>>> Reviewed-by: Anup Patel <anup@...infault.org>
>>> Tested-by: Zong Li <zong.li@...ive.com>
>>> ---
>>> Changes in v2:
>>> - Make RELOCATABLE depend on MMU as suggested by Anup
>>> - Rename kernel_load_addr into kernel_virt_addr as suggested by Anup
>>> - Use __pa_symbol instead of __pa, as suggested by Zong
>>> - Rebased on top of v5.6-rc3
>>> - Tested with sv48 patchset
>>> - Add Reviewed/Tested-by from Zong and Anup
>>>
>>>   arch/riscv/Kconfig              | 12 +++++
>>>   arch/riscv/Makefile             |  5 +-
>>>   arch/riscv/boot/loader.lds.S    |  2 +-
>>>   arch/riscv/include/asm/page.h   |  5 +-
>>>   arch/riscv/kernel/head.S        |  3 +-
>>>   arch/riscv/kernel/vmlinux.lds.S | 10 ++--
>>>   arch/riscv/mm/Makefile          |  4 ++
>>>   arch/riscv/mm/init.c            | 92 ++++++++++++++++++++++++++++-----
>>>   8 files changed, 111 insertions(+), 22 deletions(-)
>>>
>>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>>> index 73f029eae0cc..f5f3d474504d 100644
>>> --- a/arch/riscv/Kconfig
>>> +++ b/arch/riscv/Kconfig
>>> @@ -163,6 +163,18 @@ config PGTABLE_LEVELS
>>>        default 3 if 64BIT
>>>        default 2
>>>
>>> +config RELOCATABLE
>>> +     bool
>>> +     depends on MMU
>>> +     help
>>> +          This builds a kernel as a Position Independent Executable (PIE),
>>> +          which retains all relocation metadata required to relocate the
>>> +          kernel binary at runtime to a different virtual address than the
>>> +          address it was linked at.
>>> +          Since RISCV uses the RELA relocation format, this requires a
>>> +          relocation pass at runtime even if the kernel is loaded at the
>>> +          same address it was linked at.
>>> +
>>>   source "arch/riscv/Kconfig.socs"
>>>
>>>   menu "Platform type"
>>> diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
>>> index b9009a2fbaf5..5a115cf6a9c1 100644
>>> --- a/arch/riscv/Makefile
>>> +++ b/arch/riscv/Makefile
>>> @@ -9,7 +9,10 @@
>>>   #
>>>
>>>   OBJCOPYFLAGS    := -O binary
>>> -LDFLAGS_vmlinux :=
>>> +ifeq ($(CONFIG_RELOCATABLE),y)
>>> +LDFLAGS_vmlinux := -shared -Bsymbolic -z notext -z norelro
>>> +KBUILD_CFLAGS += -fPIE
>>> +endif
>>>   ifeq ($(CONFIG_DYNAMIC_FTRACE),y)
>>>        LDFLAGS_vmlinux := --no-relax
>>>   endif
>>> diff --git a/arch/riscv/boot/loader.lds.S b/arch/riscv/boot/loader.lds.S
>>> index 47a5003c2e28..a9ed218171aa 100644
>>> --- a/arch/riscv/boot/loader.lds.S
>>> +++ b/arch/riscv/boot/loader.lds.S
>>> @@ -7,7 +7,7 @@ ENTRY(_start)
>>>
>>>   SECTIONS
>>>   {
>>> -     . = PAGE_OFFSET;
>>> +     . = CONFIG_PAGE_OFFSET;
>>>
>>>        .payload : {
>>>                *(.payload)
>>> diff --git a/arch/riscv/include/asm/page.h b/arch/riscv/include/asm/page.h
>>> index 8ca1930caa44..af5810f9aebd 100644
>>> --- a/arch/riscv/include/asm/page.h
>>> +++ b/arch/riscv/include/asm/page.h
>>> @@ -31,9 +31,9 @@
>>>    * When not using MMU this corresponds to the first free page in
>>>    * physical memory (aligned on a page boundary).
>>>    */
>>> -#define PAGE_OFFSET          _AC(CONFIG_PAGE_OFFSET, UL)
>>> +#define PAGE_OFFSET          kernel_virt_addr
>>
>> I assume we want to keep PAGE_OFFSET a constant for the non-relocatable
>> systems.  As it currently stands this is imposing a performance hit even when
>>
> 
> I had almost done the KASLR implementation on top of this patch.
> Actually, PAGE_OFFSET change is unnecessary in KASLR , because we
> would move kernel image to a random physical address as well, so the
> $pc will go to the relevant random virtual address. We need

I don't understand what you mean here, can you explain it a bit more ?

> kernel_virt_addr to record the new destination, but keep PAGE_OFFSET
> to be CONFIG_PAGE_OFFSET is enough.

 From my understanding, PAGE_OFFSET should represent the start of the 
direct mapping, so in case of a relocatable kernel, its value should 
reflect the offset too.

Is there any issue with having PAGE_OFFSET equal to kernel_virt_addr ?

If we use both, we will need to know precisely when we should use 
kernel_virt_addr or PAGE_OFFSET, which I think will be painful and error 
prone.

> 
>>> -#define KERN_VIRT_SIZE (-PAGE_OFFSET)
>>> +#define KERN_VIRT_SIZE               (-_AC(CONFIG_PAGE_OFFSET, UL))
>>
>> This seems like it would cause issues if the kernel is relocated to high enough
>> addresses that "kernel_virt_addr+KERN_VIRT_SIZE" overflows.
>>
> 
> Based on the same reason, keep KERN_VIRT_SIZE to be -PAGE_OFFSET is good.
> 
>>>   #ifndef __ASSEMBLY__
>>>
>>> @@ -97,6 +97,7 @@ extern unsigned long pfn_base;
>>>   #define ARCH_PFN_OFFSET              (PAGE_OFFSET >> PAGE_SHIFT)
>>>   #endif /* CONFIG_MMU */
>>>
>>> +extern unsigned long kernel_virt_addr;
>>>   extern unsigned long max_low_pfn;
>>>   extern unsigned long min_low_pfn;
>>>
>>> diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S
>>> index 271860fc2c3f..d792912c2da3 100644
>>> --- a/arch/riscv/kernel/head.S
>>> +++ b/arch/riscv/kernel/head.S
>>> @@ -131,7 +131,8 @@ clear_bss_done:
>>>   #ifdef CONFIG_MMU
>>>   relocate:
>>>        /* Relocate return address */
>>> -     li a1, PAGE_OFFSET
>>> +     la a1, kernel_virt_addr
>>> +     REG_L a1, 0(a1)
>>>        la a2, _start
>>>        sub a1, a1, a2
>>>        add ra, ra, a1
>>> diff --git a/arch/riscv/kernel/vmlinux.lds.S b/arch/riscv/kernel/vmlinux.lds.S
>>> index 1e0193ded420..5bf69e9b91e6 100644
>>> --- a/arch/riscv/kernel/vmlinux.lds.S
>>> +++ b/arch/riscv/kernel/vmlinux.lds.S
>>> @@ -4,7 +4,7 @@
>>>    * Copyright (C) 2017 SiFive
>>>    */
>>>
>>> -#define LOAD_OFFSET PAGE_OFFSET
>>> +#define LOAD_OFFSET CONFIG_PAGE_OFFSET
>>>   #include <asm/vmlinux.lds.h>
>>>   #include <asm/page.h>
>>>   #include <asm/cache.h>
>>> @@ -71,9 +71,11 @@ SECTIONS
>>>
>>>        EXCEPTION_TABLE(0x10)
>>>
>>> -     .rel.dyn : {
>>> -             *(.rel.dyn*)
>>> -     }
>>> +        .rela.dyn : ALIGN(8) {
>>> +             __rela_dyn_start = .;
>>> +                *(.rela .rela*)
>>> +             __rela_dyn_end = .;
>>> +        }
>>
>> It looks like the indentation is screwed up here: I see a mix of tabs/spaces
>> that doesn't match the rest of the file.
>>
>>>
>>>        _end = .;
>>>
>>> diff --git a/arch/riscv/mm/Makefile b/arch/riscv/mm/Makefile
>>> index 50b7af58c566..27593d362248 100644
>>> --- a/arch/riscv/mm/Makefile
>>> +++ b/arch/riscv/mm/Makefile
>>> @@ -1,6 +1,10 @@
>>>   # SPDX-License-Identifier: GPL-2.0-only
>>>
>>>   CFLAGS_init.o := -mcmodel=medany
>>> +ifdef CONFIG_RELOCATABLE
>>> +CFLAGS_init.o += -fno-pie
>>> +endif
>>> +
>>>   ifdef CONFIG_FTRACE
>>>   CFLAGS_REMOVE_init.o = -pg
>>>   endif
>>> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
>>> index 965a8cf4829c..428aee2669aa 100644
>>> --- a/arch/riscv/mm/init.c
>>> +++ b/arch/riscv/mm/init.c
>>> @@ -12,6 +12,9 @@
>>>   #include <linux/sizes.h>
>>>   #include <linux/of_fdt.h>
>>>   #include <linux/libfdt.h>
>>> +#ifdef CONFIG_RELOCATABLE
>>> +#include <linux/elf.h>
>>> +#endif
>>>
>>>   #include <asm/fixmap.h>
>>>   #include <asm/tlbflush.h>
>>> @@ -28,6 +31,9 @@ EXPORT_SYMBOL(empty_zero_page);
>>>   extern char _start[];
>>>   void *dtb_early_va;
>>>
>>> +unsigned long kernel_virt_addr = _AC(CONFIG_PAGE_OFFSET, UL);
>>> +EXPORT_SYMBOL(kernel_virt_addr);
>>> +
>>>   static void __init zone_sizes_init(void)
>>>   {
>>>        unsigned long max_zone_pfns[MAX_NR_ZONES] = { 0, };
>>> @@ -132,7 +138,8 @@ void __init setup_bootmem(void)
>>>                phys_addr_t end = reg->base + reg->size;
>>>
>>>                if (reg->base <= vmlinux_end && vmlinux_end <= end) {
>>> -                     mem_size = min(reg->size, (phys_addr_t)-PAGE_OFFSET);
>>> +                     mem_size = min(reg->size,
>>> +                                    (phys_addr_t)-kernel_virt_addr);
>>
>> PAGE_OFFSET is kernel_virt_addr, so I don't see any reason to change these --
>> they account for a significant fraction of the diff.
>>
> 
> kernel_virt_addr would be assigned to a random destination by KASLR,
> but here still should be PAGE_OFFSET rather than kernel_virt_addr as
> mentioned above.
> 
>>>                        /*
>>>                         * Remove memblock from the end of usable area to the
>>> @@ -269,7 +276,7 @@ static phys_addr_t __init alloc_pmd(uintptr_t va)
>>>        if (mmu_enabled)
>>>                return memblock_phys_alloc(PAGE_SIZE, PAGE_SIZE);
>>>
>>> -     pmd_num = (va - PAGE_OFFSET) >> PGDIR_SHIFT;
>>> +     pmd_num = (va - kernel_virt_addr) >> PGDIR_SHIFT;
> 
> Here is the same, please use PAGE_OFFSET instead of kernel_virt_addr.
> 
>>>        BUG_ON(pmd_num >= NUM_EARLY_PMDS);
>>>        return (uintptr_t)&early_pmd[pmd_num * PTRS_PER_PMD];
>>>   }
>>> @@ -370,6 +377,54 @@ static uintptr_t __init best_map_size(phys_addr_t base, phys_addr_t size)
>>>   #error "setup_vm() is called from head.S before relocate so it should not use absolute addressing."
>>>   #endif
>>>
>>> +#ifdef CONFIG_RELOCATABLE
>>> +extern unsigned long __rela_dyn_start, __rela_dyn_end;
>>> +
>>> +#ifdef CONFIG_64BIT
>>> +#define Elf_Rela Elf64_Rela
>>> +#define Elf_Addr Elf64_Addr
>>> +#else
>>> +#define Elf_Rela Elf32_Rela
>>> +#define Elf_Addr Elf32_Addr
>>> +#endif
>>> +
>>> +void __init relocate_kernel(uintptr_t load_pa)
>>> +{
>>> +     Elf_Rela *rela = (Elf_Rela *)&__rela_dyn_start;
>>> +     uintptr_t link_addr = _AC(CONFIG_PAGE_OFFSET, UL);
>>> +     /*
>>> +      * This holds the offset between the linked virtual address and the
>>> +      * relocated virtual address.
>>> +      */
>>> +     uintptr_t reloc_offset = kernel_virt_addr - link_addr;
>>> +     /*
>>> +      * This holds the offset between linked virtual address and physical
>>> +      * address whereas va_pa_offset holds the offset between relocated
>>> +      * virtual address and physical address.
>>> +      */
>>> +     uintptr_t va_link_pa_offset = link_addr - load_pa;
>>> +
>>> +     for ( ; rela < (Elf_Rela *)&__rela_dyn_end; rela++) {
>>> +             Elf_Addr addr = (rela->r_offset - va_link_pa_offset);
>>> +             Elf_Addr relocated_addr = rela->r_addend;
>>> +
>>> +             if (rela->r_info != R_RISCV_RELATIVE)
>>> +                     continue;
>>
>> This should at least provide a warning when it encounters an unresolvable
>> relocation.  Is it currently stands this just ignores all other runtime
>> relocations, and while I can buy the argument there shouldn't be any (though
>> I'd expect R_RISCV_{32,64} to show up?) we certainly shouldn't just silently
>> skip them.
>>
>>> +
>>> +             /*
>>> +              * Make sure to not relocate vdso symbols like rt_sigreturn
>>> +              * which are linked from the address 0 in vmlinux since
>>> +              * vdso symbol addresses are actually used as an offset from
>>> +              * mm->context.vdso in VDSO_OFFSET macro.
>>> +              */
>>> +             if (relocated_addr >= link_addr)
>>> +                     relocated_addr += reloc_offset;
>>> +
>>> +             *(Elf_Addr *)addr = relocated_addr;
>>> +     }
>>> +}
>>> +#endif
>>> +
>>>   asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>>   {
>>>        uintptr_t va, end_va;
>>> @@ -377,9 +432,20 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>>        uintptr_t load_sz = (uintptr_t)(&_end) - load_pa;
>>>        uintptr_t map_size = best_map_size(load_pa, MAX_EARLY_MAPPING_SIZE);
>>>
>>> -     va_pa_offset = PAGE_OFFSET - load_pa;
>>> +     va_pa_offset = kernel_virt_addr - load_pa;
>>>        pfn_base = PFN_DOWN(load_pa);
>>>
>>> +#ifdef CONFIG_RELOCATABLE
>>> +     /*
>>> +      * Early page table uses only one PGDIR, which makes it possible
>>> +      * to map 1GB aligned on 1GB: if the relocation offset makes the kernel
>>> +      * cross over a 1G boundary, raise a bug since a part of the kernel
>>> +      * would not get mapped.
>>> +      */
>>> +     BUG_ON(SZ_1G - (kernel_virt_addr & (SZ_1G - 1)) < load_sz);
>>> +     relocate_kernel(load_pa);
>>> +#endif
>>> +
>>>        /*
>>>         * Enforce boot alignment requirements of RV32 and
>>>         * RV64 by only allowing PMD or PGD mappings.
>>> @@ -387,7 +453,7 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>>        BUG_ON(map_size == PAGE_SIZE);
>>>
>>>        /* Sanity check alignment and size */
>>> -     BUG_ON((PAGE_OFFSET % PGDIR_SIZE) != 0);
>>> +     BUILD_BUG_ON((_AC(CONFIG_PAGE_OFFSET, UL) % PGDIR_SIZE) != 0);
>>>        BUG_ON((load_pa % map_size) != 0);
>>>        BUG_ON(load_sz > MAX_EARLY_MAPPING_SIZE);
>>>
>>> @@ -400,13 +466,13 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>>        create_pmd_mapping(fixmap_pmd, FIXADDR_START,
>>>                           (uintptr_t)fixmap_pte, PMD_SIZE, PAGE_TABLE);
>>>        /* Setup trampoline PGD and PMD */
>>> -     create_pgd_mapping(trampoline_pg_dir, PAGE_OFFSET,
>>> +     create_pgd_mapping(trampoline_pg_dir, kernel_virt_addr,
>>>                           (uintptr_t)trampoline_pmd, PGDIR_SIZE, PAGE_TABLE);
>>> -     create_pmd_mapping(trampoline_pmd, PAGE_OFFSET,
>>> +     create_pmd_mapping(trampoline_pmd, kernel_virt_addr,
>>>                           load_pa, PMD_SIZE, PAGE_KERNEL_EXEC);
>>>   #else
>>>        /* Setup trampoline PGD */
>>> -     create_pgd_mapping(trampoline_pg_dir, PAGE_OFFSET,
>>> +     create_pgd_mapping(trampoline_pg_dir, kernel_virt_addr,
>>>                           load_pa, PGDIR_SIZE, PAGE_KERNEL_EXEC);
>>>   #endif
>>>
>>> @@ -415,10 +481,10 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>>         * us to reach paging_init(). We map all memory banks later
>>>         * in setup_vm_final() below.
>>>         */
>>> -     end_va = PAGE_OFFSET + load_sz;
>>> -     for (va = PAGE_OFFSET; va < end_va; va += map_size)
>>> +     end_va = kernel_virt_addr + load_sz;
>>> +     for (va = kernel_virt_addr; va < end_va; va += map_size)
>>>                create_pgd_mapping(early_pg_dir, va,
>>> -                                load_pa + (va - PAGE_OFFSET),
>>> +                                load_pa + (va - kernel_virt_addr),
>>>                                   map_size, PAGE_KERNEL_EXEC);
>>>
>>>        /* Create fixed mapping for early FDT parsing */
>>> @@ -457,9 +523,9 @@ static void __init setup_vm_final(void)
>>>                        break;
>>>                if (memblock_is_nomap(reg))
>>>                        continue;
>>> -             if (start <= __pa(PAGE_OFFSET) &&
>>> -                 __pa(PAGE_OFFSET) < end)
>>> -                     start = __pa(PAGE_OFFSET);
>>> +             if (start <= __pa_symbol(kernel_virt_addr) &&
>>> +                 __pa(kernel_virt_addr) < end)
>>> +                     start = __pa_symbol(kernel_virt_addr);
> 
> Here is the same, please use PAGE_OFFSET instead of kernel_virt_addr.
> 
>>>
>>>                map_size = best_map_size(start, end - start);
>>>                for (pa = start; pa < end; pa += map_size) {

Thanks,

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ