Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code
From: Borislav Petkov
Date: Mon Jan 15 2024 - 15:47:43 EST
On Thu, Jan 11, 2024 at 10:36:50PM +0000, Kevin Loughlin wrote:
> SEV/SME code can execute prior to page table fixups for kernel
> relocation. However, as with global variables accessed in
> __startup_64(), the compiler is not required to generate RIP-relative
> accesses for SEV/SME global variables, causing certain flavors of SEV
> hosts and guests built with clang to crash during boot.
So, about that. If I understand my gcc toolchain folks correctly:
mcmodel=kernel - everything fits into the high 31 bits of the address
space
-fPIE/PIC - position independent
And supplying both doesn't make a whole lotta sense: if you're building
position-independent, then mcmodel=kernel would be overridden by the
first.
I have no clue why clang enabled it...
So, *actually* the proper fix here should be not to add this "fixed_up"
gunk everywhere but remove mcmodel=kernel from the build and simply do
-fPIE/PIC.
I'd say...
I could also be missing something obvious ofc.
> Fixes: 95d33bfaa3e1 ("x86/sev: Register GHCB memory when SEV-SNP is active")
> Fixes: ee0bfa08a345 ("x86/compressed/64: Add support for SEV-SNP CPUID table in #VC handlers")
> Fixes: 1cd9c22fee3a ("x86/mm/encrypt: Move page table helpers into separate translation unit")
> Fixes: c9f09539e16e ("x86/head/64: Check SEV encryption before switching to kernel page-table")
> Fixes: b577f542f93c ("x86/coco: Add API to handle encryption mask")
> Tested-by: Kevin Loughlin <kevinloughlin@xxxxxxxxxx>
You don't need to add your Tested-by tag - it is kinda assumed that
people submit patches *after* testing them. Although I have a gazillion
examples where that is not the case...
:-\
> Signed-off-by: Kevin Loughlin <kevinloughlin@xxxxxxxxxx>
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette