From nobody Thu Dec 18 08:11:49 2025
Date: Thu, 5 Dec 2024 12:28:06 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
References: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-10-ardb+git@google.com>
Subject: [PATCH v4 1/7] x86/sev: Avoid WARN()s and panic()s in early boot code
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ard Biesheuvel

Using WARN() or panic() while executing from the early 1:1 mapping is unlikely to do anything useful: the string literals are passed using their kernel virtual addresses which are not even mapped yet. But even if they were, calling into the printk() machinery from the early 1:1 mapped code is not going to get very far.

So drop the WARN()s entirely, and replace panic() with a deadloop.

Link: https://lore.kernel.org/all/6904c198-9047-14bb-858e-38b531589379@amd.com/T/#u
Signed-off-by: Ard Biesheuvel
--- arch/x86/coco/sev/core.c | 15 +++++---------- arch/x86/coco/sev/shared.c | 9 +++++---- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index c5b0148b8c0a..499b41953e3c 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c 
@@ -777,15 +777,10 @@ early_set_pages_state(unsigned long vaddr, unsigned l= ong paddr, =20 val =3D sev_es_rd_ghcb_msr(); =20 - if (WARN(GHCB_RESP_CODE(val) !=3D GHCB_MSR_PSC_RESP, - "Wrong PSC response code: 0x%x\n", - (unsigned int)GHCB_RESP_CODE(val))) + if (GHCB_RESP_CODE(val) !=3D GHCB_MSR_PSC_RESP) goto e_term; =20 - if (WARN(GHCB_MSR_PSC_RESP_VAL(val), - "Failed to change page state to '%s' paddr 0x%lx error 0x%llx\n", - op =3D=3D SNP_PAGE_STATE_PRIVATE ? "private" : "shared", - paddr, GHCB_MSR_PSC_RESP_VAL(val))) + if (GHCB_MSR_PSC_RESP_VAL(val)) goto e_term; =20 /* Page validation must be performed after changing to private */ @@ -821,7 +816,7 @@ void __head early_snp_set_memory_private(unsigned long = vaddr, unsigned long padd early_set_pages_state(vaddr, paddr, npages, SNP_PAGE_STATE_PRIVATE); } =20 -void __init early_snp_set_memory_shared(unsigned long vaddr, unsigned long= paddr, +void __head early_snp_set_memory_shared(unsigned long vaddr, unsigned long= paddr, unsigned long npages) { /* @@ -2361,8 +2356,8 @@ static __head void svsm_setup(struct cc_blob_sev_info= *cc_info) call.rax =3D SVSM_CORE_CALL(SVSM_CORE_REMAP_CA); call.rcx =3D pa; ret =3D svsm_perform_call_protocol(&call); - if (ret) - panic("Can't remap the SVSM CA, ret=3D%d, rax_out=3D0x%llx\n", ret, call= .rax_out); + while (ret) + cpu_relax(); /* too early to panic */ =20 RIP_REL_REF(boot_svsm_caa) =3D (struct svsm_ca *)pa; RIP_REL_REF(boot_svsm_caa_pa) =3D pa; diff --git a/arch/x86/coco/sev/shared.c b/arch/x86/coco/sev/shared.c index 71de53194089..afb7ffc355fe 100644 --- a/arch/x86/coco/sev/shared.c +++ b/arch/x86/coco/sev/shared.c 
@@ -1243,7 +1243,7 @@ static void svsm_pval_terminate(struct svsm_pvalidate= _call *pc, int ret, u64 svs __pval_terminate(pfn, action, page_size, ret, svsm_ret); } =20 -static void svsm_pval_4k_page(unsigned long paddr, bool validate) +static void __head svsm_pval_4k_page(unsigned long paddr, bool validate) { struct svsm_pvalidate_call *pc; struct svsm_call call =3D {}; @@ -1275,12 +1275,13 @@ static void svsm_pval_4k_page(unsigned long paddr, = bool validate) =20 ret =3D svsm_perform_call_protocol(&call); if (ret) - svsm_pval_terminate(pc, ret, call.rax_out); + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); =20 native_local_irq_restore(flags); } =20 -static void pvalidate_4k_page(unsigned long vaddr, unsigned long paddr, bo= ol validate) +static void __head pvalidate_4k_page(unsigned long vaddr, unsigned long pa= ddr, + bool validate) { int ret; =20 
@@ -1293,7 +1294,7 @@ static void pvalidate_4k_page(unsigned long vaddr, un= signed long paddr, bool val } else { ret =3D pvalidate(vaddr, RMP_PG_SIZE_4K, validate); if (ret) - __pval_terminate(PHYS_PFN(paddr), validate, RMP_PG_SIZE_4K, ret, 0); + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); } } =20 --=20 2.47.0.338.g60cca15819-goog
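Review bot: In the svsm_setup() hunk of arch/x86/coco/sev/core.c, "while (ret) cpu_relax();" turns a failed SVSM_CORE_REMAP_CA call into a silent hang and discards both ret and call.rax_out, so this failure cannot be told apart from any other early stall. The shared.c hunks of this same patch already call sev_es_terminate(SEV_TERM_SET_LINUX, ...) from __head code; consider issuing a termination request with a reason code here as well, or extend the "too early to panic" comment to say why that is not possible at this point.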
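Review bot: The commit message does not cover the two failure paths changed in arch/x86/coco/sev/shared.c, where svsm_pval_terminate(pc, ret, call.rax_out) and __pval_terminate(PHYS_PFN(paddr), validate, RMP_PG_SIZE_4K, ret, 0) become a bare sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE). That drops the PFN, action, page size and return codes from the termination path, while the log only mentions WARN() and panic(); please state there why these callers change too, and whether svsm_pval_terminate() and __pval_terminate() still have other users after this patch.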
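Review bot: The section annotation changes are undocumented: the early_snp_set_memory_shared() hunk in core.c switches __init to __head, and the shared.c hunks add __head to svsm_pval_4k_page() and pvalidate_4k_page(), yet the commit message says nothing about moving code into .head.text. Either split these annotation changes into their own patch or add a sentence explaining that the functions are reached from the 1:1 mapped startup path.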
Date: Thu, 5 Dec 2024 12:28:07 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
References: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-11-ardb+git@google.com>
Subject: [PATCH v4 2/7] x86/boot/64: Determine VA/PA offset before entering C code
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ard Biesheuvel

Implicit absolute symbol references (e.g., taking the address of a global variable) must be avoided in the C code that runs from the early 1:1 mapping of the kernel, given that this is a practice that violates assumptions on the part of the toolchain. I.e., RIP-relative and absolute references are expected to produce the same values, and so the compiler is free to choose either. However, the code currently assumes that RIP-relative references are never emitted here.

So an explicit virtual-to-physical offset needs to be used instead to derive the kernel virtual addresses of _text and _end, instead of simply taking the addresses and assuming that the compiler will not choose to use a RIP-relative reference in this particular case.

Currently, phys_base is already used to perform such calculations, but it is derived from the kernel virtual address of _text, which is taken using an implicit absolute symbol reference. So instead, derive this VA-to-PA offset in asm code, and pass it to the C startup code.

Signed-off-by: Ard Biesheuvel
--- arch/x86/include/asm/setup.h | 2 +- arch/x86/kernel/head64.c | 8 +++++--- arch/x86/kernel/head_64.S | 12 +++++++++--- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h index 0667b2a88614..85f4fde3515c 100644 --- a/arch/x86/include/asm/setup.h +++ b/arch/x86/include/asm/setup.h @@ -49,7 +49,7 @@ extern unsigned long saved_video_mode; =20 extern void reserve_standard_io_resources(void); extern void i386_reserve_resources(void); -extern unsigned long __startup_64(unsigned long physaddr, struct boot_para= ms *bp); +extern unsigned long __startup_64(unsigned long p2v_offset, struct boot_pa= rams *bp); extern void startup_64_setup_gdt_idt(void); extern void early_setup_idt(void); extern void __init do_early_exception(struct pt_regs *regs, int trapnr); 
diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c index 4b9d4557fc94..a7cd4053eeb3 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c @@ -138,12 +138,14 @@ static unsigned long __head sme_postprocess_startup(s= truct boot_params *bp, pmdv * doesn't have to generate PC-relative relocations when accessing globals= from * that function. Clang actually does not generate them, which leads to * boot-time crashes. To work around this problem, every global pointer mu= st - * be accessed using RIP_REL_REF(). + * be accessed using RIP_REL_REF(). Kernel virtual addresses can be determ= ined + * by subtracting p2v_offset from the RIP-relative address. */ -unsigned long __head __startup_64(unsigned long physaddr, +unsigned long __head __startup_64(unsigned long p2v_offset, struct boot_params *bp) { pmd_t (*early_pgts)[PTRS_PER_PMD] =3D RIP_REL_REF(early_dynamic_pgts); + unsigned long physaddr =3D (unsigned long)&RIP_REL_REF(_text); unsigned long pgtable_flags; unsigned long load_delta; pgdval_t *pgd; @@ -163,7 +165,7 @@ unsigned long __head __startup_64(unsigned long physadd= r, * Compute the delta between the address I am compiled to run at * and the address I am actually running at. */ - load_delta =3D physaddr - (unsigned long)(_text - __START_KERNEL_map); + load_delta =3D __START_KERNEL_map + p2v_offset; RIP_REL_REF(phys_base) =3D load_delta; =20 /* Is the address not 2M aligned? */ diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index 56163e2124cf..31345e0ba006 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S 
@@ -94,13 +94,19 @@ SYM_CODE_START_NOALIGN(startup_64) /* Sanitize CPU configuration */ call verify_cpu =20 + /* + * Derive the kernel's physical-to-virtual offset from the physical and + * virtual addresses of common_startup_64(). + */ + leaq common_startup_64(%rip), %rdi + subq .Lcommon_startup_64(%rip), %rdi + /* * Perform pagetable fixups. Additionally, if SME is active, encrypt * the kernel and retrieve the modifier (SME encryption mask if SME * is active) to be added to the initial pgdir entry that will be * programmed into CR3. */ - leaq _text(%rip), %rdi movq %r15, %rsi call __startup_64 =20 
@@ -128,11 +134,11 @@ SYM_CODE_START_NOALIGN(startup_64) =20 /* Branch to the common startup code at its kernel virtual address */ ANNOTATE_RETPOLINE_SAFE - jmp *0f(%rip) + jmp *.Lcommon_startup_64(%rip) SYM_CODE_END(startup_64) =20 __INITRODATA -0: .quad common_startup_64 +SYM_DATA_LOCAL(.Lcommon_startup_64, .quad common_startup_64) =20 .text SYM_CODE_START(secondary_startup_64) --=20 2.47.0.338.g60cca15819-goog
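Review bot: The sign convention of the new p2v_offset parameter is only implied in the __startup_64() hunks of arch/x86/kernel/head64.c. head_64.S computes it as the RIP-relative address of common_startup_64 minus the kernel virtual address stored in .Lcommon_startup_64, so the value is PA - VA, and "load_delta = __START_KERNEL_map + p2v_offset" depends on exactly that. Please state "p2v_offset = PA - VA" explicitly in the comment above the function and next to the prototype in setup.h, so that a later caller does not have to re-derive it from the assembly.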
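Review bot: Terminology is inconsistent between the head_64.S hunk and the log: the comment added above the leaq/subq pair calls the value the "physical-to-virtual offset", while the commit message calls it a "virtual-to-physical offset" and a "VA-to-PA offset". Pick one term and use it in the comment, the commit message and the parameter name, since the direction is what determines whether callers add or subtract it.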
Date: Thu, 5 Dec 2024 12:28:08 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
References: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-12-ardb+git@google.com>
Subject: [PATCH v4 3/7] x86/boot/64: Avoid intentional absolute symbol references in .head.text
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ard Biesheuvel

The code in .head.text executes from a 1:1 mapping and cannot generally refer to global variables using their kernel virtual addresses. However, there are some occurrences of such references that are valid: the kernel virtual addresses of _text and _end are needed to populate the page tables correctly, and some other section markers are used in a similar way.

To avoid the need for making exceptions to the rule that .head.text must not contain any absolute symbol references, derive these addresses from the RIP-relative 1:1 mapped physical addresses, which can be safely determined using RIP_REL_REF().

Signed-off-by: Ard Biesheuvel
--- arch/x86/kernel/head64.c | 30 ++++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c index a7cd4053eeb3..54f9a8faf212 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c @@ -91,9 +91,11 @@ static inline bool check_la57_support(void) return true; } =20 -static unsigned long __head sme_postprocess_startup(struct boot_params *bp= , pmdval_t *pmd) +static unsigned long __head sme_postprocess_startup(struct boot_params *bp, + pmdval_t *pmd, + unsigned long p2v_offset) { - unsigned long vaddr, vaddr_end; + unsigned long paddr, paddr_end; int i; =20 /* Encrypt the kernel and related (if SME is active) */ @@ -106,10 +108,10 @@ static unsigned long __head sme_postprocess_startup(s= truct boot_params *bp, pmdv * attribute. */ if (sme_get_me_mask()) { - vaddr =3D (unsigned long)__start_bss_decrypted; - vaddr_end =3D (unsigned long)__end_bss_decrypted; + paddr =3D (unsigned long)&RIP_REL_REF(__start_bss_decrypted); + paddr_end =3D (unsigned long)&RIP_REL_REF(__end_bss_decrypted); =20 - for (; vaddr < vaddr_end; vaddr +=3D PMD_SIZE) { + for (; paddr < paddr_end; paddr +=3D PMD_SIZE) { /* * On SNP, transition the page to shared in the RMP table so that * it is consistent with the page table attribute change. 
@@ -118,11 +120,11 @@ static unsigned long __head sme_postprocess_startup(s= truct boot_params *bp, pmdv * mapping (kernel .text). PVALIDATE, by way of * early_snp_set_memory_shared(), requires a valid virtual * address but the kernel is currently running off of the identity - * mapping so use __pa() to get a *currently* valid virtual address. + * mapping so use the PA to get a *currently* valid virtual address. */ - early_snp_set_memory_shared(__pa(vaddr), __pa(vaddr), PTRS_PER_PMD); + early_snp_set_memory_shared(paddr, paddr, PTRS_PER_PMD); =20 - i =3D pmd_index(vaddr); + i =3D pmd_index(paddr - p2v_offset); pmd[i] -=3D sme_get_me_mask(); } } @@ -146,6 +148,7 @@ unsigned long __head __startup_64(unsigned long p2v_off= set, { pmd_t (*early_pgts)[PTRS_PER_PMD] =3D RIP_REL_REF(early_dynamic_pgts); unsigned long physaddr =3D (unsigned long)&RIP_REL_REF(_text); + unsigned long va_text, va_end; unsigned long pgtable_flags; unsigned long load_delta; pgdval_t *pgd; @@ -172,6 +175,9 @@ unsigned long __head __startup_64(unsigned long p2v_off= set, if (load_delta & ~PMD_MASK) for (;;); =20 + va_text =3D physaddr - p2v_offset; + va_end =3D (unsigned long)&RIP_REL_REF(_end) - p2v_offset; + /* Include the SME encryption mask in the fixup value */ load_delta +=3D sme_get_me_mask(); =20 @@ -232,7 +238,7 @@ unsigned long __head __startup_64(unsigned long p2v_off= set, pmd_entry +=3D sme_get_me_mask(); pmd_entry +=3D physaddr; =20 - for (i =3D 0; i < DIV_ROUND_UP(_end - _text, PMD_SIZE); i++) { + for (i =3D 0; i < DIV_ROUND_UP(va_end - va_text, PMD_SIZE); i++) { int idx =3D i + (physaddr >> PMD_SHIFT); =20 pmd[idx % PTRS_PER_PMD] =3D pmd_entry + i * PMD_SIZE; 
@@ -257,11 +263,11 @@ unsigned long __head __startup_64(unsigned long p2v_o= ffset, pmd =3D &RIP_REL_REF(level2_kernel_pgt)->pmd; =20 /* invalidate pages before the kernel image */ - for (i =3D 0; i < pmd_index((unsigned long)_text); i++) + for (i =3D 0; i < pmd_index(va_text); i++) pmd[i] &=3D ~_PAGE_PRESENT; =20 /* fixup pages that are part of the kernel image */ - for (; i <=3D pmd_index((unsigned long)_end); i++) + for (; i <=3D pmd_index(va_end); i++) if (pmd[i] & _PAGE_PRESENT) pmd[i] +=3D load_delta; =20 
@@ -269,7 +275,7 @@ unsigned long __head __startup_64(unsigned long p2v_off= set, for (; i < PTRS_PER_PMD; i++) pmd[i] &=3D ~_PAGE_PRESENT; =20 - return sme_postprocess_startup(bp, pmd); + return sme_postprocess_startup(bp, pmd, p2v_offset); } =20 /* Wipe all early page tables except for the kernel symbol map */ --=20 2.47.0.338.g60cca15819-goog
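Review bot: The conversion from a 1:1 mapped address to a kernel virtual address is open-coded three times in head64.c: "pmd_index(paddr - p2v_offset)" in sme_postprocess_startup(), and the va_text and va_end assignments in __startup_64(). Because pmd_index() masks its argument, a wrong sign would select a different PMD slot rather than fault, so the mistake would not be obvious at boot. A small __head inline helper or macro for the conversion would keep the sign in one place, and the new p2v_offset parameter of sme_postprocess_startup() deserves a line in a comment above that function.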
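Review bot: A minor readability point in the "DIV_ROUND_UP(va_end - va_text, PMD_SIZE)" hunk: only the size of the image is needed there, and since the same p2v_offset is subtracted from both operands, the difference equals that of the two RIP-relative addresses. A short comment saying that va_text and va_end are introduced for the pmd_index() users further down would make it clear the loop bound does not depend on the offset being correct.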
Date: Thu, 5 Dec 2024 12:28:09 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
References: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-13-ardb+git@google.com>
Subject: [PATCH v4 4/7] x86/boot: Disable UBSAN in early boot code
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ard Biesheuvel

The early boot code runs from a 1:1 mapping of memory, and may execute before the kernel virtual mapping is even up. This means absolute symbol references cannot be permitted in this code.

UBSAN injects references to global data structures into the code, and without -fPIC, those references are emitted as absolute references to kernel virtual addresses. Accessing those will fault before the kernel virtual mapping is up, so UBSAN needs to be disabled in early boot code.

Signed-off-by: Ard Biesheuvel --- arch/x86/coco/sev/shared.c | 7 ++++--- arch/x86/include/asm/init.h | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/x86/coco/sev/shared.c b/arch/x86/coco/sev/shared.c index afb7ffc355fe..96023bd978cc 100644 --- a/arch/x86/coco/sev/shared.c +++ b/arch/x86/coco/sev/shared.c @@ -498,7 +498,7 @@ static const struct snp_cpuid_table *snp_cpuid_get_tabl= e(void) * * Return: XSAVE area size on success, 0 otherwise. */ -static u32 snp_cpuid_calc_xsave_size(u64 xfeatures_en, bool compacted) +static u32 __head snp_cpuid_calc_xsave_size(u64 xfeatures_en, bool compact= ed) { const struct snp_cpuid_table *cpuid_table =3D snp_cpuid_get_table(); u64 xfeatures_found =3D 0; @@ -576,8 +576,9 @@ static void snp_cpuid_hv(struct ghcb *ghcb, struct es_e= m_ctxt *ctxt, struct cpui sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_CPUID_HV); } =20 -static int snp_cpuid_postprocess(struct ghcb *ghcb, struct es_em_ctxt *ctx= t, - struct cpuid_leaf *leaf) +static int __head +snp_cpuid_postprocess(struct ghcb *ghcb, struct es_em_ctxt *ctxt, + struct cpuid_leaf *leaf) { struct cpuid_leaf leaf_hv =3D *leaf; =20 diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h index 14d72727d7ee..0e82ebc5d1e1 100644 --- a/arch/x86/include/asm/init.h +++ b/arch/x86/include/asm/init.h 
@@ -2,7 +2,7 @@ #ifndef _ASM_X86_INIT_H #define _ASM_X86_INIT_H =20 -#define __head __section(".head.text") +#define __head __section(".head.text") __no_sanitize_undefined =20 struct x86_mapping_info { void *(*alloc_pgt_page)(void *); /* allocate buf for page table */ --=20 2.47.0.338.g60cca15819-goog
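
Review bot: The two hunks in arch/x86/coco/sev/shared.c add __head to snp_cpuid_calc_xsave_size() and snp_cpuid_postprocess(), which moves both functions into .head.text, but the commit message only talks about disabling UBSAN and never says why these two functions have to move. A sentence stating the reason (for example that they are called from existing __head code, if that is the case) would make the placement reviewable. In arch/x86/include/asm/init.h, __no_sanitize_undefined becomes an implicit side effect of a macro whose name only suggests section placement; a short comment above the #define noting that .head.text runs from the 1:1 mapping and must not carry sanitizer-generated absolute references would keep the attribute from being dropped in a later cleanup.
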
Date: Thu, 5 Dec 2024 12:28:10 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-14-ardb+git@google.com>
Subject: [PATCH v4 5/7] x86/kernel: Move ENTRY_TEXT to the start of the image
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin

Since commit

  7734a0f31e99 ("x86/boot: Robustify calling startup_{32,64}() from the decompressor code")

it is no longer necessary for .head.text to appear at the start of the
image. Since ENTRY_TEXT needs to appear PMD-aligned, it is easier to
just place it at the start of the image, rather than line it up with the
end of the .text section. The amount of padding required should be the
same, but this arrangement also permits .head.text to be split off and
emitted separately, which is needed by a subsequent change.

Signed-off-by: Ard Biesheuvel --- arch/x86/kernel/vmlinux.lds.S | 26 ++++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index fab3ac9a4574..1ce7889cd12b 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -121,19 +121,6 @@ SECTIONS .text : AT(ADDR(.text) - LOAD_OFFSET) { _text =3D .; _stext =3D .; - /* bootstrapping code */ - HEAD_TEXT - TEXT_TEXT - SCHED_TEXT - LOCK_TEXT - KPROBES_TEXT - SOFTIRQENTRY_TEXT -#ifdef CONFIG_MITIGATION_RETPOLINE - *(.text..__x86.indirect_thunk) - *(.text..__x86.return_thunk) -#endif - STATIC_CALL_TEXT - ALIGN_ENTRY_TEXT_BEGIN *(.text..__x86.rethunk_untrain) ENTRY_TEXT 
@@ -147,6 +134,19 @@ SECTIONS *(.text..__x86.rethunk_safe) #endif ALIGN_ENTRY_TEXT_END + + /* bootstrapping code */ + HEAD_TEXT + TEXT_TEXT + SCHED_TEXT + LOCK_TEXT + KPROBES_TEXT + SOFTIRQENTRY_TEXT +#ifdef CONFIG_MITIGATION_RETPOLINE + *(.text..__x86.indirect_thunk) + *(.text..__x86.return_thunk) +#endif + STATIC_CALL_TEXT *(.gnu.warning) =20 } :text =3D 0xcccccccc --=20 2.47.0.338.g60cca15819-goog
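
Review bot: After the first hunk, the `_text` and `_stext` assignments are followed directly by ALIGN_ENTRY_TEXT_BEGIN, so these symbols no longer sit in front of HEAD_TEXT. The commit message covers the decompressor's entry into startup_{32,64}() by citing 7734a0f31e99, but it should also state that nothing else relies on the startup code being located at _text. The statement that the padding "should be the same" would be stronger with a before/after image size comparison in the commit message.
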
Date: Thu, 5 Dec 2024 12:28:11 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-15-ardb+git@google.com>
Subject: [PATCH v4 6/7] x86/boot: Move .head.text into its own output section
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin

In order to be able to double check that vmlinux is emitted without
absolute symbol references in .head.text, it needs to be distinguishable
from the rest of .text in the ELF metadata.

So move .head.text into its own ELF section.

Signed-off-by: Ard Biesheuvel
--- arch/x86/kernel/vmlinux.lds.S | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 1ce7889cd12b..56cdf13611e3 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -135,8 +135,6 @@ SECTIONS #endif ALIGN_ENTRY_TEXT_END =20 - /* bootstrapping code */ - HEAD_TEXT TEXT_TEXT SCHED_TEXT LOCK_TEXT 
@@ -151,6 +149,11 @@ SECTIONS =20 } :text =3D 0xcccccccc =20 + /* bootstrapping code */ + .head.text : AT(ADDR(.head.text) - LOAD_OFFSET) { + HEAD_TEXT + } :text =3D 0xcccccccc + /* End of text section, which should occupy whole number of pages */ _etext =3D .; . =3D ALIGN(PAGE_SIZE); --=20 2.47.0.338.g60cca15819-goog
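
Review bot: In the second hunk the new .head.text output section is emitted between the closing brace of .text and `_etext`, so the existing comment "End of text section, which should occupy whole number of pages" now sits after .head.text rather than after .text, and the _text.._etext range spans two output sections. Please update that comment and say in the commit message that _etext is intentionally left covering .head.text, so readers of the linker script do not assume the range equals the .text section header any more.
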
Date: Thu, 5 Dec 2024 12:28:12 +0100
In-Reply-To: <20241205112804.3416920-9-ardb+git@google.com>
Message-ID: <20241205112804.3416920-16-ardb+git@google.com>
Subject: [PATCH v4 7/7] x86/boot: Reject absolute references in .head.text
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski, Arnd Bergmann, Kees Cook, Brian Gerst, Kevin Loughlin

The .head.text section used to contain asm code that bootstrapped the
page tables and switched to the kernel virtual address space before
executing C code. The asm code carefully avoided dereferencing absolute
symbol references, as those will fault before the page tables are
installed.

Today, the .head.text section contains lots of C code too, and getting
the compiler to reason about absolute addresses taken from, e.g.,
section markers such as _text[] or _end[] but never use such absolute
references to access global variables [*] is intractable.

So instead, forbid the use of absolute references in .head.text
entirely, and rely on explicit arithmetic involving VA-to-PA offsets
generated by the asm startup code to construct virtual addresses where
needed (e.g., to construct the page tables).

Note that the 'relocs' tool is only used on the core kernel image when
building a relocatable image, but this is the default, and so adding the
check there is sufficient to catch new occurrences of code that use
absolute references before the kernel mapping is up.

[*] it is feasible when using PIC codegen but there is strong pushback
    to using this for all of the core kernel, and using it only for
    .head.text is not straightforward.

Signed-off-by: Ard Biesheuvel
--- arch/x86/tools/relocs.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c index 27441e5863b2..e937be979ec8 100644 --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c
@@ -841,10 +841,10 @@ static int is_percpu_sym(ElfW(Sym) *sym, const char *= symname) static int do_reloc64(struct section *sec, Elf_Rel *rel, ElfW(Sym) *sym, const char *symname) { + int headtext =3D !strcmp(sec_name(sec->shdr.sh_info), ".head.text"); unsigned r_type =3D ELF64_R_TYPE(rel->r_info); ElfW(Addr) offset =3D rel->r_offset; int shn_abs =3D (sym->st_shndx =3D=3D SHN_ABS) && !is_reloc(S_REL, symnam= e); - if (sym->st_shndx =3D=3D SHN_UNDEF) return 0; =20 @@ -900,6 +900,12 @@ static int do_reloc64(struct section *sec, Elf_Rel *re= l, ElfW(Sym) *sym, break; } =20 + if (headtext) { + die("Absolute reference to symbol '%s' not permitted in .head.text\n", + symname); + break; + } + /* * Relocation offsets for 64 bit kernels are output * as 32 bits and sign extended back to 64 bits when --=20 2.47.0.338.g60cca15819-goog
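
Review bot: The die() message added in the second hunk names only the symbol, which leaves whoever trips the check searching all of .head.text for the offending reference; `offset` (taken from rel->r_offset) is already in scope in do_reloc64() and could be printed next to the symbol name. The `break;` after die() is dead code if die() does not return. The first hunk also deletes the blank line between the declarations and `if (sym->st_shndx == SHN_UNDEF)`, which looks unintended. Only do_reloc64() is changed, so the commit message should say that the check covers 64-bit builds only.
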
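
The build-time rule described in the 7/7 commit message, as an added example that is not code from the patch or from the relocs tool: a simplified scanner that walks Elf64_Rela-style records and flags absolute relocation types (R_X86_64_32, R_X86_64_32S, R_X86_64_64) applied to .head.text. The structs, `scan_head_text()` and the sample symbols are assumptions made for illustration; the relocation type numbers are the x86-64 psABI values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF / x86-64 psABI constants (same values as in <elf.h>). */
enum { SHN_UNDEF = 0, SHN_ABS = 0xfff1 };
enum { R_X86_64_64 = 1, R_X86_64_PC32 = 2, R_X86_64_PLT32 = 4,
       R_X86_64_32 = 10, R_X86_64_32S = 11 };
#define R_SYM(info)       ((uint32_t)((info) >> 32))
#define R_TYPE(info)      ((uint32_t)((info) & 0xffffffffu))
#define R_INFO(sym, type) (((uint64_t)(sym) << 32) | (uint32_t)(type))

struct rela { uint64_t r_offset, r_info; int64_t r_addend; }; /* Elf64_Rela layout */
struct sym { const char *name; uint16_t st_shndx; };          /* simplified symbol */
struct rela_sec { const char *applies_to; const struct rela *rel; size_t count; };
struct violation { uint64_t offset; uint32_t r_type; const char *symname; };

/* 32, 32S and 64 store a link-time virtual address; PC32 and PLT32 store a
 * displacement that is still correct when running from the 1:1 mapping. */
static int is_absolute_type(uint32_t t)
{
	return t == R_X86_64_32 || t == R_X86_64_32S || t == R_X86_64_64;
}

/* Store up to max_out violations in out[]; return the total number found. */
size_t scan_head_text(const struct rela_sec *secs, size_t nsecs,
		      const struct sym *symtab, size_t nsyms,
		      struct violation *out, size_t max_out)
{
	size_t found = 0;

	for (size_t s = 0; s < nsecs; s++) {
		if (strcmp(secs[s].applies_to, ".head.text") != 0)
			continue;	/* only early boot code is restricted */
		for (size_t i = 0; i < secs[s].count; i++) {
			const struct rela *r = &secs[s].rel[i];
			uint32_t idx = R_SYM(r->r_info), type = R_TYPE(r->r_info);
			const char *name = "<bad symbol index>"; /* malformed input is reported */

			if (idx < nsyms) {
				/* Assumption: undefined and SHN_ABS symbols are not
				 * relocated addresses, so they are skipped. */
				if (symtab[idx].st_shndx == SHN_UNDEF ||
				    symtab[idx].st_shndx == SHN_ABS ||
				    !is_absolute_type(type))
					continue;
				name = symtab[idx].name;
			}
			if (found < max_out)
				out[found] = (struct violation){ r->r_offset, type, name };
			found++;
		}
	}
	return found;
}

/* Constructed sample input: symbol names, offsets and section indices are made up. */
static const struct sym sample_syms[] = {
	{ "", SHN_UNDEF }, { "early_helper", 1 }, { "global_table", 5 },
	{ "abs_constant", SHN_ABS },
};
static const struct rela sample_head[] = {
	{ 0x10, R_INFO(2, R_X86_64_PC32), -4 },  /* RIP-relative: allowed */
	{ 0x24, R_INFO(1, R_X86_64_PLT32), -4 }, /* relative call: allowed */
	{ 0x3c, R_INFO(2, R_X86_64_32S), 0 },    /* absolute: violation */
	{ 0x50, R_INFO(2, R_X86_64_64), 0 },     /* absolute: violation */
	{ 0x60, R_INFO(3, R_X86_64_32S), 0 },    /* SHN_ABS symbol: skipped */
};
static const struct rela sample_text[] = { { 0x100, R_INFO(2, R_X86_64_32S), 0 } };
static const struct rela_sec sample_secs[] = {
	{ ".head.text", sample_head, 5 }, { ".text", sample_text, 1 } };

int main(void)
{
	struct violation v[8];
	size_t n = scan_head_text(sample_secs, 2, sample_syms, 4, v, 8);
	for (size_t i = 0; i < n && i < 8; i++)
		fprintf(stderr, "absolute reference to '%s' at .head.text+0x%llx\n",
			v[i].symname, (unsigned long long)v[i].offset);
	return n != 0;	/* non-zero exit would fail the build step */
}
```

The same absolute relocation at 0x100 in the sample `.text` entry is not reported, which is the distinction patch 6/7 makes possible by giving .head.text its own section.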