lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <mhng-ecd68703-9cc0-48a4-be15-f82f2b4fbe22@palmer-ri-x1c9a>
Date:   Thu, 20 Apr 2023 11:44:18 -0700 (PDT)
From:   Palmer Dabbelt <palmer@...belt.com>
To:     alexghiti@...osinc.com
CC:     corbet@....net, Paul Walmsley <paul.walmsley@...ive.com>,
        aou@...s.berkeley.edu, Conor Dooley <conor@...nel.org>,
        Ard Biesheuvel <ardb@...nel.org>, bjorn@...nel.org,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-riscv@...ts.infradead.org, alexghiti@...osinc.com,
        Bjorn Topel <bjorn@...osinc.com>
Subject:     Re: [PATCH v9 1/1] riscv: Allow to downgrade paging mode from the command line

On Thu, 20 Apr 2023 10:36:43 PDT (-0700), Palmer Dabbelt wrote:
> On Tue, 28 Mar 2023 22:09:51 PDT (-0700), alexghiti@...osinc.com wrote:
>> Add 2 early command line parameters that allow to downgrade satp mode
>> (using the same naming as x86):
>> - "no5lvl": use a 4-level page table (down from sv57 to sv48)
>> - "no4lvl": use a 3-level page table (down from sv57/sv48 to sv39)
>>
>> Note that going through the device tree to get the kernel command line
>> works with ACPI too since the efi stub creates a device tree anyway with
>> the command line.
>>
>> In KASAN kernels, we can't use the libfdt that early in the boot process
>> since we are not ready to execute instrumented functions. So instead of
>> using the "generic" libfdt, we compile our own versions of those functions
>> that are not instrumented and that are prefixed so that they do not
>> conflict with the generic ones. We also need the non-instrumented versions
>> of the string functions and the prefixed versions of memcpy/memmove.
>>
>> This is largely inspired by commit aacd149b6238 ("arm64: head: avoid
>> relocating the kernel twice for KASLR") from which I removed compilation
>> flags that were not relevant to RISC-V at the moment (LTO, SCS, pie).
>>
>> Signed-off-by: Alexandre Ghiti <alexghiti@...osinc.com>
>> Tested-by: Björn Töpel <bjorn@...osinc.com>
>> Reviewed-by: Björn Töpel <bjorn@...osinc.com>
>> ---
>>  .../admin-guide/kernel-parameters.txt         |  5 +-
>>  arch/riscv/kernel/Makefile                    |  2 +
>>  arch/riscv/kernel/pi/Makefile                 | 39 ++++++++++++
>>  arch/riscv/kernel/pi/cmdline_early.c          | 62 +++++++++++++++++++
>>  arch/riscv/kernel/vmlinux.lds.S               |  8 +++
>>  arch/riscv/lib/memcpy.S                       |  2 +
>>  arch/riscv/lib/memmove.S                      |  2 +
>>  arch/riscv/lib/strlen.S                       |  1 +
>>  arch/riscv/mm/init.c                          | 36 +++++++++--
>>  9 files changed, 150 insertions(+), 7 deletions(-)
>>  create mode 100644 arch/riscv/kernel/pi/Makefile
>>  create mode 100644 arch/riscv/kernel/pi/cmdline_early.c
>>
>> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
>> index 6221a1d057dd..accc400b43f1 100644
>> --- a/Documentation/admin-guide/kernel-parameters.txt
>> +++ b/Documentation/admin-guide/kernel-parameters.txt
>> @@ -3576,7 +3576,10 @@
>>  			emulation library even if a 387 maths coprocessor
>>  			is present.
>>
>> -	no5lvl		[X86-64] Disable 5-level paging mode. Forces
>> +	no4lvl		[RISCV] Disable 4-level and 5-level paging modes. Forces
>> +			kernel to use 3-level paging instead.
>> +
>> +	no5lvl		[X86-64,RISCV] Disable 5-level paging mode. Forces
>>  			kernel to use 4-level paging instead.
>>
>>  	nofsgsbase	[X86] Disables FSGSBASE instructions.
>> diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
>> index 4cf303a779ab..aa22f87faeae 100644
>> --- a/arch/riscv/kernel/Makefile
>> +++ b/arch/riscv/kernel/Makefile
>> @@ -89,3 +89,5 @@ obj-$(CONFIG_EFI)		+= efi.o
>>  obj-$(CONFIG_COMPAT)		+= compat_syscall_table.o
>>  obj-$(CONFIG_COMPAT)		+= compat_signal.o
>>  obj-$(CONFIG_COMPAT)		+= compat_vdso/
>> +
>> +obj-$(CONFIG_64BIT)		+= pi/
>> diff --git a/arch/riscv/kernel/pi/Makefile b/arch/riscv/kernel/pi/Makefile
>> new file mode 100644
>> index 000000000000..42c58f4ab53b
>> --- /dev/null
>> +++ b/arch/riscv/kernel/pi/Makefile
>> @@ -0,0 +1,39 @@
>> +# SPDX-License-Identifier: GPL-2.0
>> +# This file was copied from arm64/kernel/pi/Makefile.
>> +
>> +KBUILD_CFLAGS	:= $(subst $(CC_FLAGS_FTRACE),,$(KBUILD_CFLAGS)) \
>> +		   -Os -DDISABLE_BRANCH_PROFILING $(DISABLE_STACKLEAK_PLUGIN) \
>> +		   $(call cc-option,-mbranch-protection=none) \
>> +		   -I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \
>> +		   -D__DISABLE_EXPORTS -ffreestanding \
>> +		   -fno-asynchronous-unwind-tables -fno-unwind-tables \
>> +		   $(call cc-option,-fno-addrsig)
>> +
>> +KBUILD_CFLAGS	+= -mcmodel=medany
>> +
>> +CFLAGS_cmdline_early.o += -D__NO_FORTIFY
>> +CFLAGS_lib-fdt_ro.o += -D__NO_FORTIFY
>> +
>> +GCOV_PROFILE	:= n
>> +KASAN_SANITIZE	:= n
>> +KCSAN_SANITIZE	:= n
>> +UBSAN_SANITIZE	:= n
>> +KCOV_INSTRUMENT	:= n
>> +
>> +$(obj)/%.pi.o: OBJCOPYFLAGS := --prefix-symbols=__pi_ \
>> +			       --remove-section=.note.gnu.property \
>> +			       --prefix-alloc-sections=.init
>> +$(obj)/%.pi.o: $(obj)/%.o FORCE
>> +	$(call if_changed,objcopy)
>> +
>> +$(obj)/lib-%.o: $(srctree)/lib/%.c FORCE
>> +	$(call if_changed_rule,cc_o_c)
>> +
>> +$(obj)/string.o: $(srctree)/lib/string.c FORCE
>> +	$(call if_changed_rule,cc_o_c)
>> +
>> +$(obj)/ctype.o: $(srctree)/lib/ctype.c FORCE
>> +	$(call if_changed_rule,cc_o_c)
>> +
>> +obj-y		:= cmdline_early.pi.o string.pi.o ctype.pi.o lib-fdt.pi.o lib-fdt_ro.pi.o
>> +extra-y		:= $(patsubst %.pi.o,%.o,$(obj-y))
>> diff --git a/arch/riscv/kernel/pi/cmdline_early.c b/arch/riscv/kernel/pi/cmdline_early.c
>> new file mode 100644
>> index 000000000000..05652d13c746
>> --- /dev/null
>> +++ b/arch/riscv/kernel/pi/cmdline_early.c
>> @@ -0,0 +1,62 @@
>> +// SPDX-License-Identifier: GPL-2.0-only
>> +#include <linux/types.h>
>> +#include <linux/init.h>
>> +#include <linux/libfdt.h>
>> +#include <linux/string.h>
>> +#include <asm/pgtable.h>
>> +#include <asm/setup.h>
>> +
>> +static char early_cmdline[COMMAND_LINE_SIZE];
>> +
>> +/*
>> + * Declare the functions that are exported (but prefixed) here so that LLVM
>> + * does not complain it lacks the 'static' keyword (which, if added, makes
>> + * LLVM complain because the function is actually unused in this file).
>> + */
>> +u64 set_satp_mode_from_cmdline(uintptr_t dtb_pa);
>> +
>> +static char *get_early_cmdline(uintptr_t dtb_pa)
>> +{
>> +	const char *fdt_cmdline = NULL;
>> +	unsigned int fdt_cmdline_size = 0;
>> +	int chosen_node;
>> +
>> +	if (!IS_ENABLED(CONFIG_CMDLINE_FORCE)) {
>> +		chosen_node = fdt_path_offset((void *)dtb_pa, "/chosen");
>> +		if (chosen_node >= 0) {
>> +			fdt_cmdline = fdt_getprop((void *)dtb_pa, chosen_node,
>> +						  "bootargs", NULL);
>> +			if (fdt_cmdline) {
>> +				fdt_cmdline_size = strlen(fdt_cmdline);
>> +				strscpy(early_cmdline, fdt_cmdline,
>> +					COMMAND_LINE_SIZE);
>> +			}
>> +		}
>> +	}
>> +
>> +	if (IS_ENABLED(CONFIG_CMDLINE_EXTEND) ||
>> +	    IS_ENABLED(CONFIG_CMDLINE_FORCE) ||
>> +	    fdt_cmdline_size == 0 /* CONFIG_CMDLINE_FALLBACK */) {
>> +		strncat(early_cmdline, CONFIG_CMDLINE,
>> +			COMMAND_LINE_SIZE - fdt_cmdline_size);
>> +	}
>> +
>> +	return early_cmdline;
>> +}
>> +
>> +static u64 match_noXlvl(char *cmdline)
>> +{
>> +	if (strstr(cmdline, "no4lvl"))
>> +		return SATP_MODE_48;
>> +	else if (strstr(cmdline, "no5lvl"))
>> +		return SATP_MODE_57;
>> +
>> +	return 0;
>> +}
>> +
>> +u64 set_satp_mode_from_cmdline(uintptr_t dtb_pa)
>> +{
>> +	char *cmdline = get_early_cmdline(dtb_pa);
>> +
>> +	return match_noXlvl(cmdline);
>> +}
>> diff --git a/arch/riscv/kernel/vmlinux.lds.S b/arch/riscv/kernel/vmlinux.lds.S
>> index 615ff5842690..b12a843ad426 100644
>> --- a/arch/riscv/kernel/vmlinux.lds.S
>> +++ b/arch/riscv/kernel/vmlinux.lds.S
>> @@ -83,6 +83,14 @@ SECTIONS
>>  	/* Start of init data section */
>>  	__init_data_begin = .;
>>  	INIT_DATA_SECTION(16)
>> +
>> +	/* Those sections result from the compilation of kernel/pi/string.c */
>> +	.init.pidata : {
>> +		*(.init.srodata.cst8*)
>> +		*(.init__bug_table*)
>> +		*(.init.sdata*)
>> +	}
>> +
>>  	.init.bss : {
>>  		*(.init.bss)	/* from the EFI stub */
>>  	}
>> diff --git a/arch/riscv/lib/memcpy.S b/arch/riscv/lib/memcpy.S
>> index 51ab716253fa..1a40d01a9543 100644
>> --- a/arch/riscv/lib/memcpy.S
>> +++ b/arch/riscv/lib/memcpy.S
>> @@ -106,3 +106,5 @@ WEAK(memcpy)
>>  6:
>>  	ret
>>  END(__memcpy)
>> +SYM_FUNC_ALIAS(__pi_memcpy, __memcpy)
>> +SYM_FUNC_ALIAS(__pi___memcpy, __memcpy)
>> diff --git a/arch/riscv/lib/memmove.S b/arch/riscv/lib/memmove.S
>> index e0609e1f0864..838ff2022fe3 100644
>> --- a/arch/riscv/lib/memmove.S
>> +++ b/arch/riscv/lib/memmove.S
>> @@ -314,3 +314,5 @@ return_from_memmove:
>>
>>  SYM_FUNC_END(memmove)
>>  SYM_FUNC_END(__memmove)
>> +SYM_FUNC_ALIAS(__pi_memmove, __memmove)
>> +SYM_FUNC_ALIAS(__pi___memmove, __memmove)
>> diff --git a/arch/riscv/lib/strlen.S b/arch/riscv/lib/strlen.S
>> index 15bb8f3aa959..9d0055616f7b 100644
>> --- a/arch/riscv/lib/strlen.S
>> +++ b/arch/riscv/lib/strlen.S
>> @@ -131,3 +131,4 @@ strlen_zbb:
>>  .option pop
>>  #endif
>>  SYM_FUNC_END(strlen)
>> +SYM_FUNC_ALIAS(__pi_strlen, strlen)
>> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
>> index bce899b180cd..3ad771571c2d 100644
>> --- a/arch/riscv/mm/init.c
>> +++ b/arch/riscv/mm/init.c
>> @@ -746,6 +746,8 @@ static __init pgprot_t pgprot_from_va(uintptr_t va)
>>  #endif /* CONFIG_STRICT_KERNEL_RWX */
>>
>>  #if defined(CONFIG_64BIT) && !defined(CONFIG_XIP_KERNEL)
>> +u64 __pi_set_satp_mode_from_cmdline(uintptr_t dtb_pa);
>> +
>>  static void __init disable_pgtable_l5(void)
>>  {
>>  	pgtable_l5_enabled = false;
>> @@ -760,17 +762,39 @@ static void __init disable_pgtable_l4(void)
>>  	satp_mode = SATP_MODE_39;
>>  }
>>
>> +static int __init print_no4lvl(char *p)
>> +{
>> +	pr_info("Disabled 4-level and 5-level paging");
>> +	return 0;
>> +}
>> +early_param("no4lvl", print_no4lvl);
>> +
>> +static int __init print_no5lvl(char *p)
>> +{
>> +	pr_info("Disabled 5-level paging");
>> +	return 0;
>> +}
>> +early_param("no5lvl", print_no5lvl);
>> +
>>  /*
>>   * There is a simple way to determine if 4-level is supported by the
>>   * underlying hardware: establish 1:1 mapping in 4-level page table mode
>>   * then read SATP to see if the configuration was taken into account
>>   * meaning sv48 is supported.
>>   */
>> -static __init void set_satp_mode(void)
>> +static __init void set_satp_mode(uintptr_t dtb_pa)
>>  {
>>  	u64 identity_satp, hw_satp;
>>  	uintptr_t set_satp_mode_pmd = ((unsigned long)set_satp_mode) & PMD_MASK;
>> -	bool check_l4 = false;
>> +	u64 satp_mode_cmdline = __pi_set_satp_mode_from_cmdline(dtb_pa);
>> +
>> +	if (satp_mode_cmdline == SATP_MODE_57) {
>> +		disable_pgtable_l5();
>> +	} else if (satp_mode_cmdline == SATP_MODE_48) {
>> +		disable_pgtable_l5();
>> +		disable_pgtable_l4();
>> +		return;
>> +	}
>>
>>  	create_p4d_mapping(early_p4d,
>>  			set_satp_mode_pmd, (uintptr_t)early_pud,
>> @@ -789,7 +813,8 @@ static __init void set_satp_mode(void)
>>  retry:
>>  	create_pgd_mapping(early_pg_dir,
>>  			   set_satp_mode_pmd,
>> -			   check_l4 ? (uintptr_t)early_pud : (uintptr_t)early_p4d,
>> +			   pgtable_l5_enabled ?
>> +				(uintptr_t)early_p4d : (uintptr_t)early_pud,
>>  			   PGDIR_SIZE, PAGE_TABLE);
>>
>>  	identity_satp = PFN_DOWN((uintptr_t)&early_pg_dir) | satp_mode;
>> @@ -800,9 +825,8 @@ static __init void set_satp_mode(void)
>>  	local_flush_tlb_all();
>>
>>  	if (hw_satp != identity_satp) {
>> -		if (!check_l4) {
>> +		if (pgtable_l5_enabled) {
>>  			disable_pgtable_l5();
>> -			check_l4 = true;
>>  			memset(early_pg_dir, 0, PAGE_SIZE);
>>  			goto retry;
>>  		}
>> @@ -1031,7 +1055,7 @@ asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>  #endif
>>
>>  #if defined(CONFIG_64BIT) && !defined(CONFIG_XIP_KERNEL)
>> -	set_satp_mode();
>> +	set_satp_mode(dtb_pa);
>>  #endif
>>
>>  	/*
>
> Alex found that we're missing -fpie, which was causing the LLVM boot
> failures.  I'm just going to squash in
>
> diff --git a/arch/riscv/kernel/pi/Makefile b/arch/riscv/kernel/pi/Makefile
> index 42c58f4ab53b..5d7cb991f2b8 100644
> --- a/arch/riscv/kernel/pi/Makefile
> +++ b/arch/riscv/kernel/pi/Makefile
> @@ -1,7 +1,7 @@
>  # SPDX-License-Identifier: GPL-2.0
>  # This file was copied from arm64/kernel/pi/Makefile.
>
> -KBUILD_CFLAGS	:= $(subst $(CC_FLAGS_FTRACE),,$(KBUILD_CFLAGS)) \
> +KBUILD_CFLAGS	:= $(subst $(CC_FLAGS_FTRACE),,$(KBUILD_CFLAGS)) -fpie \
>  		   -Os -DDISABLE_BRANCH_PROFILING $(DISABLE_STACKLEAK_PLUGIN) \
>  		   $(call cc-option,-mbranch-protection=none) \
>  		   -I$(srctree)/scripts/dtc/libfdt -fno-stack-protector \

Looks like we got a bit ahead of ourselves, this trips up some warnings 
like

riscv64-unknown-linux-gnu-ld: warning: orphan section `.got' from `init/main.o' being placed in section `.got'
riscv64-unknown-linux-gnu-ld: warning: orphan section `.got.plt' from `init/main.o' being placed in section `.got.plt'

I'm going to drop this for now, Alex is looking at a better fix.  Sorry 
for the churn!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ