[v5,03/27] x86/boot: Set cr0 to known state in trampoline

Message ID	63368ff665956a64f07aee9bc863b70c86b8b0c8.1678785672.git.baskov@ispras.ru
State	New
Headers	show Return-Path: <linux-efi-owner@vger.kernel.org> From: Evgeniy Baskov <baskov@ispras.ru> To: Ard Biesheuvel <ardb@kernel.org> Cc: Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>, Dave Hansen <dave.hansen@linux.intel.com>, Ingo Molnar <mingo@redhat.com>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Alexey Khoroshilov <khoroshilov@ispras.ru>, Peter Jones <pjones@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>, "Limonciello, Mario" <mario.limonciello@amd.com>, joeyli <jlee@suse.com>, lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v5 03/27] x86/boot: Set cr0 to known state in trampoline Date: Tue, 14 Mar 2023 13:13:30 +0300 Message-Id: <63368ff665956a64f07aee9bc863b70c86b8b0c8.1678785672.git.baskov@ispras.ru> In-Reply-To: <cover.1678785672.git.baskov@ispras.ru> References: <cover.1678785672.git.baskov@ispras.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	x86_64: Improvements at compressed kernel stage \| expand [v5,00/27] x86_64: Improvements at compressed kernel stage [v5,01/27] x86/boot: Align vmlinuz sections on page size [v5,02/27] x86/build: Remove RWX sections and align on 4KB [v5,03/27] x86/boot: Set cr0 to known state in trampoline [v5,04/27] x86/boot: Increase boot page table size [v5,05/27] x86/boot: Support 4KB pages for identity mapping [v5,06/27] x86/boot: Setup memory protection for bzImage code [v5,07/27] x86/build: Check W^X of vmlinux during build [v5,08/27] x86/boot: Map memory explicitly [v5,09/27] x86/boot: Remove mapping from page fault handler [v5,10/27] efi/libstub: Move helper function to related file [v5,11/27] x86/boot: Make console interface more abstract [v5,12/27] x86/boot: Make kernel_add_identity_map() a pointer [v5,13/27] x86/boot: Split trampoline and pt init code [v5,14/27] x86/boot: Add EFI kernel extraction interface [v5,15/27] efi/x86: Support extracting kernel from libstub [v5,16/27] x86/boot: Reduce lower limit of physical KASLR [v5,17/27] x86: decompressor: Remove the 'bugger off' message [v5,18/27] tools/include: Add simplified version of pe.h [v5,19/27] x86/build: Cleanup tools/build.c [v5,20/27] efi: x86: Use private copy of struct setup_header [v5,21/27] x86/build: Add SETUP_HEADER_OFFSET constant [v5,22/27] x86/build: set type_of_loader for EFISTUB [v5,23/27] efi/libstub: Don't set ramdisk_image/ramdisk_size [v5,24/27] x86/build: Make generated PE more spec compliant [v5,25/27] efi/libstub: Use memory attribute protocol [v5,26/27] efi/libstub: make memory protection warnings include newlines. [v5,27/27] efi/x86: don't try to set page attributes on 0-sized regions.

Message ID

63368ff665956a64f07aee9bc863b70c86b8b0c8.1678785672.git.baskov@ispras.ru

State

New

Headers

From: Evgeniy Baskov <baskov@ispras.ru>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        Peter Jones <pjones@redhat.com>,
        Gerd Hoffmann <kraxel@redhat.com>,
        "Limonciello, Mario" <mario.limonciello@amd.com>,
        joeyli <jlee@suse.com>, lvc-project@linuxtesting.org,
        x86@kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v5 03/27] x86/boot: Set cr0 to known state in trampoline
Date: Tue, 14 Mar 2023 13:13:30 +0300
Message-Id: 
 <63368ff665956a64f07aee9bc863b70c86b8b0c8.1678785672.git.baskov@ispras.ru>
In-Reply-To: <cover.1678785672.git.baskov@ispras.ru>
References: <cover.1678785672.git.baskov@ispras.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

x86_64: Improvements at compressed kernel stage | expand

Commit Message

Evgeniy Baskov March 14, 2023, 10:13 a.m. UTC

Ensure WP bit to be set to prevent boot code from writing to
non-writable memory pages.

Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
---
 arch/x86/boot/compressed/head_64.S | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

Borislav Petkov April 5, 2023, 5:54 p.m. UTC | #1

On Tue, Mar 14, 2023 at 01:13:30PM +0300, Evgeniy Baskov wrote:
> Ensure WP bit to be set to prevent boot code from writing to
> non-writable memory pages.
> 
> Tested-by: Mario Limonciello <mario.limonciello@amd.com>
> Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
> ---
>  arch/x86/boot/compressed/head_64.S | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
> index 03c4328a88cb..01fa42d31648 100644
> --- a/arch/x86/boot/compressed/head_64.S
> +++ b/arch/x86/boot/compressed/head_64.S
> @@ -660,9 +660,8 @@ SYM_CODE_START(trampoline_32bit_src)
>  	pushl	$__KERNEL_CS
>  	pushl	%eax
>  
> -	/* Enable paging again. */
> -	movl	%cr0, %eax
> -	btsl	$X86_CR0_PG_BIT, %eax
> +	/* Enable paging and set CR0 to known state (this also sets WP flag) */
> +	movl	$CR0_STATE, %eax

This sets a lot more than WP. Why?

Evgeniy Baskov April 8, 2023, 3:09 p.m. UTC | #2

On 2023-04-05 20:54, Borislav Petkov wrote:
> On Tue, Mar 14, 2023 at 01:13:30PM +0300, Evgeniy Baskov wrote:
>> Ensure WP bit to be set to prevent boot code from writing to
>> non-writable memory pages.
>> 
>> Tested-by: Mario Limonciello <mario.limonciello@amd.com>
>> Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
>> ---
>>  arch/x86/boot/compressed/head_64.S | 5 ++---
>>  1 file changed, 2 insertions(+), 3 deletions(-)
>> 
>> diff --git a/arch/x86/boot/compressed/head_64.S 
>> b/arch/x86/boot/compressed/head_64.S
>> index 03c4328a88cb..01fa42d31648 100644
>> --- a/arch/x86/boot/compressed/head_64.S
>> +++ b/arch/x86/boot/compressed/head_64.S
>> @@ -660,9 +660,8 @@ SYM_CODE_START(trampoline_32bit_src)
>>  	pushl	$__KERNEL_CS
>>  	pushl	%eax
>> 
>> -	/* Enable paging again. */
>> -	movl	%cr0, %eax
>> -	btsl	$X86_CR0_PG_BIT, %eax
>> +	/* Enable paging and set CR0 to known state (this also sets WP flag) 
>> */
>> +	movl	$CR0_STATE, %eax
> 
> This sets a lot more than WP. Why?

Because there are code paths where cr0 state is not initialized
(e.g. the EFISTUB code path) and it's better to know it exactly.
Although we don't actually care about MP, ET, NE and AM flags, but they
should be all supported, so the choice was arbitrary. Also they are 
already
initialized to this value on one code path -- when the kernel started 
its
execution via startup_32.

Thanks.

diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
index 03c4328a88cb..01fa42d31648 100644
--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -660,9 +660,8 @@  SYM_CODE_START(trampoline_32bit_src)
 	pushl	$__KERNEL_CS
 	pushl	%eax
 
-	/* Enable paging again. */
-	movl	%cr0, %eax
-	btsl	$X86_CR0_PG_BIT, %eax
+	/* Enable paging and set CR0 to known state (this also sets WP flag) */
+	movl	$CR0_STATE, %eax
 	movl	%eax, %cr0
 
 	lret

[v5,03/27] x86/boot: Set cr0 to known state in trampoline

Commit Message

Comments

Patch