Commit 7b38dec3 authored by Ard Biesheuvel's avatar Ard Biesheuvel Committed by Borislav Petkov (AMD)
Browse files

x86/boot: Create a confined code area for startup code 



In order to be able to have tight control over which code may execute
from the early 1:1 mapping of memory, but still link vmlinux as a single
executable, prefix all symbol references in startup code with __pi_, and
invoke it from outside using the __pi_ prefix.

Use objtool to check that no absolute symbol references are present in
the startup code, as these cannot be used from code running from the 1:1
mapping.

Note that this also requires disabling the latent-entropy GCC plugin, as
the global symbol references that it injects would require explicit
exports, and given that the startup code rarely executes more than once,
it is not a useful source of entropy anyway.

Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250828102202.1849035-43-ardb+git@google.com
parent 749627c3

arch/x86/boot/startup/Makefile

+14 −0
Original line number Diff line number Diff line
@@ -4,6 +4,7 @@ KBUILD_AFLAGS += -D__DISABLE_EXPORTS 
KBUILD_CFLAGS		+= -D__DISABLE_EXPORTS -mcmodel=small -fPIC \

			   -Os -DDISABLE_BRANCH_PROFILING \

			   $(DISABLE_STACKLEAK_PLUGIN) \

			   $(DISABLE_LATENT_ENTROPY_PLUGIN) \

			   -fno-stack-protector -D__NO_FORTIFY \

			   -fno-jump-tables \

			   -include $(srctree)/include/linux/hidden.h
@@ -36,3 +37,16 @@ $(patsubst %.o,$(obj)/%.o,$(lib-y)): OBJECT_FILES_NON_STANDARD := y 
#

$(pi-objs): objtool-enabled	= 1

$(pi-objs): objtool-args	= $(if $(delay-objtool),,$(objtool-args-y)) --noabs



#

# Confine the startup code by prefixing all symbols with __pi_ (for position

# independent). This ensures that startup code can only call other startup

# code, or code that has explicitly been made accessible to it via a symbol

# alias.

#

$(obj)/%.pi.o: OBJCOPYFLAGS := --prefix-symbols=__pi_

$(obj)/%.pi.o: $(obj)/%.o FORCE

	$(call if_changed,objcopy)



targets	+= $(obj-y)

obj-y	:= $(patsubst %.o,%.pi.o,$(obj-y))

arch/x86/boot/startup/sev-shared.c

+0 −1
Original line number Diff line number Diff line
@@ -12,7 +12,6 @@ 
#include <asm/setup_data.h>



#ifndef __BOOT_COMPRESSED

#define error(v)			pr_err(v)

#define has_cpuflag(f)			boot_cpu_has(f)

#else

#undef WARN

arch/x86/boot/startup/sme.c

+0 −1
Original line number Diff line number Diff line
@@ -568,7 +568,6 @@ void __head sme_enable(struct boot_params *bp) 


#ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION

/* Local version for startup code, which never operates on user page tables */

__weak

pgd_t __pti_set_user_pgtbl(pgd_t *pgdp, pgd_t pgd)

{

	return pgd;

arch/x86/coco/sev/core.c

+1 −1
Original line number Diff line number Diff line
@@ -272,7 +272,7 @@ static int svsm_perform_call_protocol(struct svsm_call *call) 


	do {

		ret = ghcb ? svsm_perform_ghcb_protocol(ghcb, call)

			   : svsm_perform_msr_protocol(call);

			   : __pi_svsm_perform_msr_protocol(call);

	} while (ret == -EAGAIN);



	if (sev_cfg.ghcbs_initialized)

arch/x86/include/asm/setup.h

+1 −0
Original line number Diff line number Diff line
@@ -53,6 +53,7 @@ extern void i386_reserve_resources(void); 
extern unsigned long __startup_64(unsigned long p2v_offset, struct boot_params *bp);

extern void startup_64_setup_gdt_idt(void);

extern void startup_64_load_idt(void *vc_handler);

extern void __pi_startup_64_load_idt(void *vc_handler);

extern void early_setup_idt(void);

extern void __init do_early_exception(struct pt_regs *regs, int trapnr);