Date: Mon, 22 Jan 2024 10:08:52 +0100
From: Ard Biesheuvel <ardb+git@...gle.com>
To: linux-kernel@...r.kernel.org
Cc: Ard Biesheuvel <ardb@...nel.org>, Kevin Loughlin <kevinloughlin@...gle.com>, 
	Tom Lendacky <thomas.lendacky@....com>, Dionna Glaze <dionnaglaze@...gle.com>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, Andy Lutomirski <luto@...nel.org>, 
	Arnd Bergmann <arnd@...db.de>, Martin KaFai Lau <martin.lau@...ux.dev>, 
	Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, 
	Justin Stitt <justinstitt@...gle.com>, linux-arch@...r.kernel.org, bpf@...r.kernel.org, 
	llvm@...ts.linux.dev
Subject: [RFC PATCH 0/5] x86: Build the core kernel using PIC codegen

From: Ard Biesheuvel <ardb@...nel.org>

Originally, only arch/x86/kernel/head64.c had some code that required
special care because it executes very early from the 1:1 mapping of the
kernel rather than the ordinary kernel virtual mapping.

This is no longer the case, and there is a lot of SEV related code that
is reachable from the primary startup path, with no guarantees that the
toolchain will produce code that runs correctly. This is especially
problematic when it comes to things like string literals, which are
emitted by the compiler as data objects, and subsequently referenced via
an absolute address that is not mapped yet this early in the boot [0].

Kevin has been looking into failures resulting from the fact that Clang
behaves slightly differently from GCC in this regard, by selectively
applying PIC codegen to the objects in question. However, while this
fixes the observed issues, it does not offer any guarantees, given that
the set of reachable code from startup_64() does not appear to be
bounded when running on SEV hardware.

Instead of applying this change piecemeal to objects that happen to have
caused issues in the past, this series converts the core kernel to PIC
codegen entirely.

Note that this does not entirely solve the problem of the unbounded set
of reachable code from the early SEV entrypoint: there might be code
that attempts to access global objects via their kernel virtual address
(which is not mapped yet). But at least all implicit accesses will be
made via the same translation that the code is running from.
 
This does result in a slight increase in code size (see below) but it
also reduces the size of the KASLR relocation table (applied by the
decompressor) by roughly half.


Before

$ size -x vmlinux
   text	   data	    bss	    dec	    hex	filename
0x1b78ec1	0xdde145	0x381000	47022086	2cd8006	vmlinux

After

$ size -x vmlinux
   text	   data	    bss	    dec	    hex	filename
0x1b8371b	0xde0d1d	0x370000	47006776	2cd4438	vmlinux


[0] arch/x86/mm/mem_encrypt_identity.c has some nice examples of this,
    where RIP-relative references are emitted using inline asm.

[1] https://lkml.kernel.org/r/20240111223650.3502633-1-kevinloughlin%40google.com

Cc: Kevin Loughlin <kevinloughlin@...gle.com>
Cc: Tom Lendacky <thomas.lendacky@....com>
Cc: Dionna Glaze <dionnaglaze@...gle.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>
Cc: Martin KaFai Lau <martin.lau@...ux.dev>
Cc: Nathan Chancellor <nathan@...nel.org>
Cc: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: Justin Stitt <justinstitt@...gle.com>
Cc: linux-kernel@...r.kernel.org
Cc: linux-arch@...r.kernel.org
Cc: bpf@...r.kernel.org
Cc: llvm@...ts.linux.dev

Ard Biesheuvel (5):
  kallsyms: Avoid weak references for kallsyms symbols
  vmlinux: Avoid weak reference to notes section
  btf: Avoid weak external references
  x86/head64: Replace pointer fixups with PIE codegen
  x86: Build the core kernel with position independent codegen

 arch/x86/Makefile                 |  18 ++-
 arch/x86/boot/compressed/Makefile |   2 +-
 arch/x86/entry/vdso/Makefile      |   2 +-
 arch/x86/include/asm/init.h       |   2 -
 arch/x86/include/asm/setup.h      |   2 +-
 arch/x86/kernel/head64.c          | 117 +++++++-------------
 arch/x86/realmode/rm/Makefile     |   1 +
 include/asm-generic/vmlinux.lds.h |  23 ++++
 kernel/bpf/btf.c                  |   4 +-
 kernel/kallsyms.c                 |   6 -
 kernel/kallsyms_internal.h        |  30 ++---
 kernel/ksysfs.c                   |   4 +-
 lib/buildid.c                     |   4 +-
 13 files changed, 104 insertions(+), 111 deletions(-)

-- 
2.43.0.429.g432eaa2c6b-goog
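Added example, not part of the patch series or the kernel tree: a small script that sorts x86-64 relocation entries (in the column layout `readelf -r` prints) into PC-relative references, which resolve against whatever mapping the code is actually executing from, and absolute ones, which encode the link-time kernel virtual address that early startup code on the 1:1 mapping cannot yet dereference and that the decompressor has to patch for KASLR. The sample entries and symbol names are constructed; GOT-indirect references are listed separately because the displacement is PC-relative but the GOT slot holds an absolute address.

```python
"""Sort x86-64 relocation entries (readelf -r layout) by whether they still
resolve when code runs from the 1:1 mapping instead of the kernel virtual
mapping. Added example; not code from the patch series or the kernel tree."""

# PC-relative displacements resolve against the address the code is actually
# executing from, so they work from either mapping.
PC_RELATIVE = {"R_X86_64_PC32", "R_X86_64_PC64", "R_X86_64_PLT32"}
# These encode the link-time virtual address of the target: the decompressor
# must patch them for KASLR, and early startup code cannot dereference the
# result because that virtual address is not mapped yet.
ABSOLUTE = {"R_X86_64_64", "R_X86_64_32", "R_X86_64_32S"}
# The displacement to the GOT slot is PC-relative, but the slot itself holds
# an absolute address, so these are reported separately for manual review.
VIA_GOT = {"R_X86_64_GOTPCREL", "R_X86_64_GOTPCRELX", "R_X86_64_REX_GOTPCRELX"}


def parse_reloc(line):
    """Return (offset, type, target) for one relocation entry, or None for
    header/blank lines. Columns: Offset Info Type Sym.Value Sym.Name+Addend."""
    parts = line.split(None, 4)
    if len(parts) < 5 or not parts[2].startswith("R_X86_64_"):
        return None
    return int(parts[0], 16), parts[2], parts[4].strip()


def classify(readelf_output):
    """Group entries into 'pc_relative', 'absolute', 'via_got' and 'other'."""
    groups = {"pc_relative": [], "absolute": [], "via_got": [], "other": []}
    for line in readelf_output.splitlines():
        entry = parse_reloc(line)
        if entry is None:
            continue
        rtype = entry[1]
        if rtype in PC_RELATIVE:
            groups["pc_relative"].append(entry)
        elif rtype in ABSOLUTE:
            groups["absolute"].append(entry)
        elif rtype in VIA_GOT:
            groups["via_got"].append(entry)
        else:
            groups["other"].append(entry)
    return groups


# Constructed sample: one string literal referenced PC-relatively and once by
# absolute address, a call, and a GOT-indirect load. Symbol names are made up.
SAMPLE = """\
Relocation section '.rela.text' at offset 0x2a8 contains 4 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000000000b  000300000002 R_X86_64_PC32     0000000000000000 .rodata.str1.1 - 4
0000000000000014  00030000000b R_X86_64_32S      0000000000000000 .rodata.str1.1 + 0
000000000000001c  000800000004 R_X86_64_PLT32    0000000000000000 early_helper - 4
0000000000000026  000a0000002a R_X86_64_REX_GOTPCRELX 0000000000000000 early_flag - 4
"""

if __name__ == "__main__":
    for name, entries in classify(SAMPLE).items():
        for offset, rtype, target in entries:
            print(f"{name:12} {offset:#06x} {rtype:24} {target}")
```

Run against `readelf -r` output of an object reachable from startup_64() to see which entries would be affected by the PIC conversion; the absolute group is the one the cover letter's relocation-table shrinkage comes from.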
