From nobody Mon Sep 15 04:17:02 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1673879914091194.47310157216566; Mon, 16 Jan 2023 06:38:34 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.478644.741944 (Exim 4.92) (envelope-from ) id 1pHQcX-0002Q3-4I; Mon, 16 Jan 2023 14:37:57 +0000 Received: by outflank-mailman (output) from mailman id 478644.741944; Mon, 16 Jan 2023 14:37:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pHQcX-0002Pw-1P; Mon, 16 Jan 2023 14:37:57 +0000 Received: by outflank-mailman (input) for mailman id 478644; Mon, 16 Jan 2023 14:37:54 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pHQcU-0002Pk-77 for xen-devel@lists.xenproject.org; Mon, 16 Jan 2023 14:37:54 +0000 Received: from casper.infradead.org (casper.infradead.org [2001:8b0:10b:1236::1]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 59b18eec-95ab-11ed-b8d0-410ff93cb8f0; Mon, 16 Jan 2023 15:37:51 +0100 (CET) Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1pHQcT-008oZ7-Sz; Mon, 16 Jan 2023 14:37:54 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id E3A5C3007DA; Mon, 16 Jan 2023 15:37:38 +0100 (CET) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 0) id AF96620306BCC; Mon, 16 Jan 2023 15:37:38 +0100 (CET) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 59b18eec-95ab-11ed-b8d0-410ff93cb8f0 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Type:MIME-Version:References: Subject:Cc:To:From:Date:Message-ID:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:In-Reply-To; bh=/Xw5T+5vUqgsMfvHO/2XJeMLoksLNzw5fViFdsAKWFI=; b=Eq3y0scguUgdkMj79Zzk6GCrvF hQAhEQP/E7cAerOW9szVqcnkFmKfzWUaiZxup/I+SMwXzVRopqfn4zPHPbmkQufcFo19M0uELMYv/ kYPxOMfLbqjIwv9QIGVc5oiVosXskQwBXNQfwBy/jDHeBBuxrkRaeFIhaA+Tm2XLDqfwvxvnRyH0O rvOYW2PlqyMs+3qT9hF1XykM1+ON8wTIDA4x8JJJGyRjveBRsW6uZuMNrQ9P/htuomhOyIDx2ZWUH ITNdFmVF/slE93TC/wZdRxX36dsgHyfS5wX7wOPPamJ7fIEFgb5fD7j0P6Cn79iKWZ/XYGoYdt6+A rE5ri56A==; Message-ID: <20230116143645.649204101@infradead.org> User-Agent: quilt/0.66 Date: Mon, 16 Jan 2023 15:25:35 +0100 From: Peter Zijlstra To: x86@kernel.org, Joan Bruguera Cc: linux-kernel@vger.kernel.org, peterz@infradead.org, Juergen Gross , "Rafael J. Wysocki" , xen-devel , Jan Beulich , Roger Pau Monne , Kees Cook , mark.rutland@arm.com, Andrew Cooper , =?UTF-8?q?J=C3=B6rg=20R=C3=B6del?= , "H. Peter Anvin" Subject: [PATCH v2 2/7] x86/boot: Delay sev_verify_cbit() a bit References: <20230116142533.905102512@infradead.org> MIME-Version: 1.0 X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1673879916691100004 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Per the comment it is important to call sev_verify_cbit() before the first RET instruction, this means we can delay calling this until more of the CPU state is set up, specifically delay this until GS is 'sane' such that per-cpu variables work. Fixes: e81dc127ef69 ("x86/callthunks: Add call patching for call depth trac= king") Reported-by: Joan Bruguera Signed-off-by: Peter Zijlstra (Intel) --- arch/x86/kernel/head_64.S | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -185,19 +185,6 @@ SYM_CODE_START(secondary_startup_64) addq phys_base(%rip), %rax =20 /* - * For SEV guests: Verify that the C-bit is correct. A malicious - * hypervisor could lie about the C-bit position to perform a ROP - * attack on the guest by writing to the unencrypted stack and wait for - * the next RET instruction. - * %rsi carries pointer to realmode data and is callee-clobbered. Save - * and restore it. - */ - pushq %rsi - movq %rax, %rdi - call sev_verify_cbit - popq %rsi - - /* * Switch to new page-table * * For the boot CPU this switches to early_top_pgt which still has the @@ -265,6 +252,19 @@ SYM_CODE_START(secondary_startup_64) */ movq initial_stack(%rip), %rsp =20 + /* + * For SEV guests: Verify that the C-bit is correct. A malicious + * hypervisor could lie about the C-bit position to perform a ROP + * attack on the guest by writing to the unencrypted stack and wait for + * the next RET instruction. + * %rsi carries pointer to realmode data and is callee-clobbered. Save + * and restore it. + */ + pushq %rsi + movq %rax, %rdi + call sev_verify_cbit + popq %rsi + /* Setup and Load IDT */ pushq %rsi call early_setup_idt