| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Feb 2022 15:20:13 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Andrew Cooper <Andrew.Cooper3@...rix.com>
Cc: "x86@...nel.org" <x86@...nel.org>,
"joao@...rdrivepizza.com" <joao@...rdrivepizza.com>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"jpoimboe@...hat.com" <jpoimboe@...hat.com>,
Juergen Gross <jgross@...e.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"ndesaulniers@...gle.com" <ndesaulniers@...gle.com>,
"keescook@...omium.org" <keescook@...omium.org>,
"samitolvanen@...gle.com" <samitolvanen@...gle.com>,
"mark.rutland@....com" <mark.rutland@....com>,
"alyssa.milburn@...el.com" <alyssa.milburn@...el.com>,
Andy Lutomirski <luto@...nel.org>
Subject: Re: [PATCH 19/29] x86/ibt,xen: Annotate away warnings
On Fri, Feb 18, 2022 at 11:07:15PM +0000, Andrew Cooper wrote:
> or so, but my point is that the early Xen code, if it can identify this
> patch point separate to the list of everything, can easily arrange for
> it to be modified before HYPERCALL_set_trap_table (Xen PV's LIDT), and
> then return_to_kernel is in its fully configured state (paravirt or
> otherwise) before interrupts/exceptions can be taken.
I ended up with the below... still bit of a hack, and I wonder if the
asm version you did isn't saner..
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -619,8 +619,8 @@ SYM_INNER_LABEL(swapgs_restore_regs_and_
/* Restore RDI. */
popq %rdi
- SWAPGS
- INTERRUPT_RETURN
+ swapgs
+ jmp .Lnative_iret
SYM_INNER_LABEL(restore_regs_and_return_to_kernel, SYM_L_GLOBAL)
@@ -637,11 +637,16 @@ SYM_INNER_LABEL(restore_regs_and_return_
* ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization
* when returning from IPI handler.
*/
- INTERRUPT_RETURN
+#ifdef CONFIG_XEN_PV
+SYM_INNER_LABEL(early_xen_iret_patch, SYM_L_GLOBAL)
+ ANNOTATE_NOENDBR
+ .byte 0xe9
+ .long .Lnative_iret - (. + 4)
+#endif
-SYM_INNER_LABEL_ALIGN(native_iret, SYM_L_GLOBAL)
+.Lnative_iret:
UNWIND_HINT_IRET_REGS
- ENDBR // paravirt_iret
+ ANNOTATE_NOENDBR
/*
* Are we returning to a stack segment from the LDT? Note: in
* 64-bit mode SS:RSP on the exception stack is always valid.
--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -141,13 +141,8 @@ static __always_inline void arch_local_i
#ifdef CONFIG_X86_64
#ifdef CONFIG_XEN_PV
#define SWAPGS ALTERNATIVE "swapgs", "", X86_FEATURE_XENPV
-#define INTERRUPT_RETURN \
- ANNOTATE_RETPOLINE_SAFE; \
- ALTERNATIVE_TERNARY("jmp *paravirt_iret(%rip);", \
- X86_FEATURE_XENPV, "jmp xen_iret;", "jmp native_iret;")
#else
#define SWAPGS swapgs
-#define INTERRUPT_RETURN jmp native_iret
#endif
#endif
#endif /* !__ASSEMBLY__ */
--- a/arch/x86/include/asm/paravirt_types.h
+++ b/arch/x86/include/asm/paravirt_types.h
@@ -272,7 +272,6 @@ struct paravirt_patch_template {
extern struct pv_info pv_info;
extern struct paravirt_patch_template pv_ops;
-extern void (*paravirt_iret)(void);
#define PARAVIRT_PATCH(x) \
(offsetof(struct paravirt_patch_template, x) / sizeof(void *))
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -350,7 +350,6 @@ SYM_CODE_START_NOALIGN(vc_boot_ghcb)
/* Remove Error Code */
addq $8, %rsp
- /* Pure iret required here - don't use INTERRUPT_RETURN */
iretq
SYM_CODE_END(vc_boot_ghcb)
#endif
@@ -435,6 +434,8 @@ SYM_CODE_END(early_idt_handler_common)
* early_idt_handler_array can't be used because it returns via the
* paravirtualized INTERRUPT_RETURN and pv-ops don't work that early.
*
+ * XXX it does, fix this.
+ *
* This handler will end up in the .init.text section and not be
* available to boot secondary CPUs.
*/
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -151,8 +151,6 @@ void paravirt_set_sched_clock(u64 (*func
}
/* These are in entry.S */
-extern void native_iret(void);
-
static struct resource reserve_ioports = {
.start = 0,
.end = IO_SPACE_LIMIT,
@@ -416,8 +414,6 @@ struct paravirt_patch_template pv_ops =
#ifdef CONFIG_PARAVIRT_XXL
NOKPROBE_SYMBOL(native_load_idt);
-
-void (*paravirt_iret)(void) = native_iret;
#endif
EXPORT_SYMBOL(pv_ops);
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -1178,9 +1178,13 @@ static void __init xen_domu_set_legacy_f
x86_platform.legacy.rtc = 0;
}
+extern void early_xen_iret_patch(void);
+
/* First C function to be called on Xen boot */
asmlinkage __visible void __init xen_start_kernel(void)
{
+ void *early_xen_iret = &early_xen_iret_patch;
+ void *xen_iret_dest = &xen_iret;
struct physdev_set_iopl set_iopl;
unsigned long initrd_start = 0;
int rc;
@@ -1188,6 +1192,13 @@ asmlinkage __visible void __init xen_sta
if (!xen_start_info)
return;
+ OPTIMIZER_HIDE_VAR(early_xen_iret);
+ OPTIMIZER_HIDE_VAR(xen_iret_dest);
+
+ memcpy(early_xen_iret,
+ text_gen_insn(JMP32_INSN_OPCODE, early_xen_iret, xen_iret_dest),
+ JMP32_INSN_SIZE);
+
xen_domain_type = XEN_PV_DOMAIN;
xen_start_flags = xen_start_info->flags;
@@ -1196,7 +1207,6 @@ asmlinkage __visible void __init xen_sta
/* Install Xen paravirt ops */
pv_info = xen_info;
pv_ops.cpu = xen_cpu_ops.cpu;
- paravirt_iret = xen_iret;
xen_init_irq_ops();
/*
--- a/arch/x86/xen/xen-asm.S
+++ b/arch/x86/xen/xen-asm.S
@@ -193,7 +193,7 @@ hypercall_iret = hypercall_page + __HYPE
*/
SYM_CODE_START(xen_iret)
UNWIND_HINT_EMPTY
- ENDBR
+ ANNOTATE_NOENDBR
pushq $0
jmp hypercall_iret
SYM_CODE_END(xen_iret)
Powered by blists - more mailing lists