[v3] x86: Robustify pgtable_l5_enabled()

[PATCH v3 4/7] x86/boot: Set 5-level paging CPU cap before entering C code

Posted by Ard Biesheuvel 8 months, 4 weeks ago

From: Ard Biesheuvel <ardb@kernel.org>

In order for pgtable_l5_enabled() to be reliable wherever it is used and
however early, set the associated CPU capability from asm code before
entering the startup C code.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/x86/include/asm/cpufeature.h | 12 +++++++++---
 arch/x86/kernel/cpu/common.c      |  3 ---
 arch/x86/kernel/head_64.S         | 15 +++++++++++++++
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index 893cbca37fe9..1b5de40e7bf7 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -2,10 +2,10 @@
 #ifndef _ASM_X86_CPUFEATURE_H
 #define _ASM_X86_CPUFEATURE_H
 
+#ifdef __KERNEL__
+#ifndef __ASSEMBLER__
 #include <asm/processor.h>
 
-#if defined(__KERNEL__) && !defined(__ASSEMBLER__)
-
 #include <asm/asm.h>
 #include <linux/bitops.h>
 #include <asm/alternative.h>
@@ -137,5 +137,11 @@ static __always_inline bool _static_cpu_has(u16 bit)
 #define CPU_FEATURE_TYPEVAL		boot_cpu_data.x86_vendor, boot_cpu_data.x86, \
 					boot_cpu_data.x86_model
 
-#endif /* defined(__KERNEL__) && !defined(__ASSEMBLER__) */
+#else /* !defined(__ASSEMBLER__) */
+	.macro	setup_force_cpu_cap, cap:req
+	btsl	$\cap % 32, boot_cpu_data+CPUINFO_x86_capability+4*(\cap / 32)(%rip)
+	btsl	$\cap % 32, cpu_caps_set+4*(\cap / 32)(%rip)
+	.endm
+#endif /* !defined(__ASSEMBLER__) */
+#endif /* defined(__KERNEL__) */
 #endif /* _ASM_X86_CPUFEATURE_H */
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index f6f206743d6a..c8954dc2fb26 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1752,9 +1752,6 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
 	setup_clear_cpu_cap(X86_FEATURE_PCID);
 #endif
 
-	if (IS_ENABLED(CONFIG_X86_5LEVEL) && (native_read_cr4() & X86_CR4_LA57))
-		setup_force_cpu_cap(X86_FEATURE_5LEVEL_PAGING);
-
 	detect_nopl();
 }
 
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 069420853304..191d5947a762 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -27,6 +27,7 @@
 #include <asm/fixmap.h>
 #include <asm/smp.h>
 #include <asm/thread_info.h>
+#include <asm/cpufeature.h>
 
 /*
  * We are not able to switch in one step to the final KERNEL ADDRESS SPACE
@@ -58,6 +59,20 @@ SYM_CODE_START_NOALIGN(startup_64)
 	 */
 	mov	%rsi, %r15
 
+#ifdef CONFIG_X86_5LEVEL
+	/*
+	 * Set the X86_FEATURE_5LEVEL_PAGING capability before calling into the
+	 * C code, to give it a consistent view of any global pseudo-constants
+	 * that are derived from pgtable_l5_enabled().
+	 */
+	mov	%cr4, %rax
+	btl	$X86_CR4_LA57_BIT, %eax
+	jnc	0f
+
+	setup_force_cpu_cap X86_FEATURE_5LEVEL_PAGING
+0:
+#endif
+
 	/* Set up the stack for verify_cpu() */
 	leaq	__top_init_kernel_stack(%rip), %rsp
 
-- 
2.49.0.1101.gccaa498523-goog

Re: [PATCH v3 4/7] x86/boot: Set 5-level paging CPU cap before entering C code

Posted by Kirill A. Shutemov 8 months, 4 weeks ago

On Wed, May 14, 2025 at 12:42:47PM +0200, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> In order for pgtable_l5_enabled() to be reliable wherever it is used and
> however early, set the associated CPU capability from asm code before
> entering the startup C code.
> 
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  arch/x86/include/asm/cpufeature.h | 12 +++++++++---
>  arch/x86/kernel/cpu/common.c      |  3 ---
>  arch/x86/kernel/head_64.S         | 15 +++++++++++++++
>  3 files changed, 24 insertions(+), 6 deletions(-)
> 
> diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
> index 893cbca37fe9..1b5de40e7bf7 100644
> --- a/arch/x86/include/asm/cpufeature.h
> +++ b/arch/x86/include/asm/cpufeature.h
> @@ -2,10 +2,10 @@
>  #ifndef _ASM_X86_CPUFEATURE_H
>  #define _ASM_X86_CPUFEATURE_H
>  
> +#ifdef __KERNEL__
> +#ifndef __ASSEMBLER__
>  #include <asm/processor.h>
>  
> -#if defined(__KERNEL__) && !defined(__ASSEMBLER__)
> -
>  #include <asm/asm.h>
>  #include <linux/bitops.h>
>  #include <asm/alternative.h>
> @@ -137,5 +137,11 @@ static __always_inline bool _static_cpu_has(u16 bit)
>  #define CPU_FEATURE_TYPEVAL		boot_cpu_data.x86_vendor, boot_cpu_data.x86, \
>  					boot_cpu_data.x86_model
>  
> -#endif /* defined(__KERNEL__) && !defined(__ASSEMBLER__) */
> +#else /* !defined(__ASSEMBLER__) */
> +	.macro	setup_force_cpu_cap, cap:req
> +	btsl	$\cap % 32, boot_cpu_data+CPUINFO_x86_capability+4*(\cap / 32)(%rip)
> +	btsl	$\cap % 32, cpu_caps_set+4*(\cap / 32)(%rip)
> +	.endm
> +#endif /* !defined(__ASSEMBLER__) */
> +#endif /* defined(__KERNEL__) */
>  #endif /* _ASM_X86_CPUFEATURE_H */
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index f6f206743d6a..c8954dc2fb26 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -1752,9 +1752,6 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
>  	setup_clear_cpu_cap(X86_FEATURE_PCID);
>  #endif
>  
> -	if (IS_ENABLED(CONFIG_X86_5LEVEL) && (native_read_cr4() & X86_CR4_LA57))
> -		setup_force_cpu_cap(X86_FEATURE_5LEVEL_PAGING);
> -
>  	detect_nopl();
>  }
>  
> diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
> index 069420853304..191d5947a762 100644
> --- a/arch/x86/kernel/head_64.S
> +++ b/arch/x86/kernel/head_64.S
> @@ -27,6 +27,7 @@
>  #include <asm/fixmap.h>
>  #include <asm/smp.h>
>  #include <asm/thread_info.h>
> +#include <asm/cpufeature.h>
>  
>  /*
>   * We are not able to switch in one step to the final KERNEL ADDRESS SPACE
> @@ -58,6 +59,20 @@ SYM_CODE_START_NOALIGN(startup_64)
>  	 */
>  	mov	%rsi, %r15
>  
> +#ifdef CONFIG_X86_5LEVEL

Is #ifdef really needed?

> +	/*
> +	 * Set the X86_FEATURE_5LEVEL_PAGING capability before calling into the
> +	 * C code, to give it a consistent view of any global pseudo-constants
> +	 * that are derived from pgtable_l5_enabled().
> +	 */
> +	mov	%cr4, %rax
> +	btl	$X86_CR4_LA57_BIT, %eax
> +	jnc	0f
> +
> +	setup_force_cpu_cap X86_FEATURE_5LEVEL_PAGING
> +0:
> +#endif
> +
>  	/* Set up the stack for verify_cpu() */
>  	leaq	__top_init_kernel_stack(%rip), %rsp
>  
> -- 
> 2.49.0.1101.gccaa498523-goog
> 

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

Re: [PATCH v3 4/7] x86/boot: Set 5-level paging CPU cap before entering C code

Posted by Ard Biesheuvel 8 months, 4 weeks ago

On Thu, 15 May 2025 at 09:00, Kirill A. Shutemov <kirill@shutemov.name> wrote:
>
> On Wed, May 14, 2025 at 12:42:47PM +0200, Ard Biesheuvel wrote:
> > From: Ard Biesheuvel <ardb@kernel.org>
> >
> > In order for pgtable_l5_enabled() to be reliable wherever it is used and
> > however early, set the associated CPU capability from asm code before
> > entering the startup C code.
> >
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > ---
> >  arch/x86/include/asm/cpufeature.h | 12 +++++++++---
> >  arch/x86/kernel/cpu/common.c      |  3 ---
> >  arch/x86/kernel/head_64.S         | 15 +++++++++++++++
> >  3 files changed, 24 insertions(+), 6 deletions(-)
> >
> > diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
> > index 893cbca37fe9..1b5de40e7bf7 100644
> > --- a/arch/x86/include/asm/cpufeature.h
> > +++ b/arch/x86/include/asm/cpufeature.h
> > @@ -2,10 +2,10 @@
> >  #ifndef _ASM_X86_CPUFEATURE_H
> >  #define _ASM_X86_CPUFEATURE_H
> >
> > +#ifdef __KERNEL__
> > +#ifndef __ASSEMBLER__
> >  #include <asm/processor.h>
> >
> > -#if defined(__KERNEL__) && !defined(__ASSEMBLER__)
> > -
> >  #include <asm/asm.h>
> >  #include <linux/bitops.h>
> >  #include <asm/alternative.h>
> > @@ -137,5 +137,11 @@ static __always_inline bool _static_cpu_has(u16 bit)
> >  #define CPU_FEATURE_TYPEVAL          boot_cpu_data.x86_vendor, boot_cpu_data.x86, \
> >                                       boot_cpu_data.x86_model
> >
> > -#endif /* defined(__KERNEL__) && !defined(__ASSEMBLER__) */
> > +#else /* !defined(__ASSEMBLER__) */
> > +     .macro  setup_force_cpu_cap, cap:req
> > +     btsl    $\cap % 32, boot_cpu_data+CPUINFO_x86_capability+4*(\cap / 32)(%rip)
> > +     btsl    $\cap % 32, cpu_caps_set+4*(\cap / 32)(%rip)
> > +     .endm
> > +#endif /* !defined(__ASSEMBLER__) */
> > +#endif /* defined(__KERNEL__) */
> >  #endif /* _ASM_X86_CPUFEATURE_H */
> > diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> > index f6f206743d6a..c8954dc2fb26 100644
> > --- a/arch/x86/kernel/cpu/common.c
> > +++ b/arch/x86/kernel/cpu/common.c
> > @@ -1752,9 +1752,6 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
> >       setup_clear_cpu_cap(X86_FEATURE_PCID);
> >  #endif
> >
> > -     if (IS_ENABLED(CONFIG_X86_5LEVEL) && (native_read_cr4() & X86_CR4_LA57))
> > -             setup_force_cpu_cap(X86_FEATURE_5LEVEL_PAGING);
> > -
> >       detect_nopl();
> >  }
> >
> > diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
> > index 069420853304..191d5947a762 100644
> > --- a/arch/x86/kernel/head_64.S
> > +++ b/arch/x86/kernel/head_64.S
> > @@ -27,6 +27,7 @@
> >  #include <asm/fixmap.h>
> >  #include <asm/smp.h>
> >  #include <asm/thread_info.h>
> > +#include <asm/cpufeature.h>
> >
> >  /*
> >   * We are not able to switch in one step to the final KERNEL ADDRESS SPACE
> > @@ -58,6 +59,20 @@ SYM_CODE_START_NOALIGN(startup_64)
> >        */
> >       mov     %rsi, %r15
> >
> > +#ifdef CONFIG_X86_5LEVEL
>
> Is #ifdef really needed?
>

'Really needed' no but setting this capability is semantically murky
if the kernel is not configured to support it. But you wouldn't get
far in that case, so it doesn't matter much in practice.

Re: [PATCH v3 4/7] x86/boot: Set 5-level paging CPU cap before entering C code

Posted by Kirill A. Shutemov 8 months, 4 weeks ago

On Thu, May 15, 2025 at 10:43:27AM +0100, Ard Biesheuvel wrote:
> On Thu, 15 May 2025 at 09:00, Kirill A. Shutemov <kirill@shutemov.name> wrote:
> >
> > On Wed, May 14, 2025 at 12:42:47PM +0200, Ard Biesheuvel wrote:
> > > From: Ard Biesheuvel <ardb@kernel.org>
> > >
> > > In order for pgtable_l5_enabled() to be reliable wherever it is used and
> > > however early, set the associated CPU capability from asm code before
> > > entering the startup C code.
> > >
> > > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > > ---
> > >  arch/x86/include/asm/cpufeature.h | 12 +++++++++---
> > >  arch/x86/kernel/cpu/common.c      |  3 ---
> > >  arch/x86/kernel/head_64.S         | 15 +++++++++++++++
> > >  3 files changed, 24 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
> > > index 893cbca37fe9..1b5de40e7bf7 100644
> > > --- a/arch/x86/include/asm/cpufeature.h
> > > +++ b/arch/x86/include/asm/cpufeature.h
> > > @@ -2,10 +2,10 @@
> > >  #ifndef _ASM_X86_CPUFEATURE_H
> > >  #define _ASM_X86_CPUFEATURE_H
> > >
> > > +#ifdef __KERNEL__
> > > +#ifndef __ASSEMBLER__
> > >  #include <asm/processor.h>
> > >
> > > -#if defined(__KERNEL__) && !defined(__ASSEMBLER__)
> > > -
> > >  #include <asm/asm.h>
> > >  #include <linux/bitops.h>
> > >  #include <asm/alternative.h>
> > > @@ -137,5 +137,11 @@ static __always_inline bool _static_cpu_has(u16 bit)
> > >  #define CPU_FEATURE_TYPEVAL          boot_cpu_data.x86_vendor, boot_cpu_data.x86, \
> > >                                       boot_cpu_data.x86_model
> > >
> > > -#endif /* defined(__KERNEL__) && !defined(__ASSEMBLER__) */
> > > +#else /* !defined(__ASSEMBLER__) */
> > > +     .macro  setup_force_cpu_cap, cap:req
> > > +     btsl    $\cap % 32, boot_cpu_data+CPUINFO_x86_capability+4*(\cap / 32)(%rip)
> > > +     btsl    $\cap % 32, cpu_caps_set+4*(\cap / 32)(%rip)
> > > +     .endm
> > > +#endif /* !defined(__ASSEMBLER__) */
> > > +#endif /* defined(__KERNEL__) */
> > >  #endif /* _ASM_X86_CPUFEATURE_H */
> > > diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> > > index f6f206743d6a..c8954dc2fb26 100644
> > > --- a/arch/x86/kernel/cpu/common.c
> > > +++ b/arch/x86/kernel/cpu/common.c
> > > @@ -1752,9 +1752,6 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
> > >       setup_clear_cpu_cap(X86_FEATURE_PCID);
> > >  #endif
> > >
> > > -     if (IS_ENABLED(CONFIG_X86_5LEVEL) && (native_read_cr4() & X86_CR4_LA57))
> > > -             setup_force_cpu_cap(X86_FEATURE_5LEVEL_PAGING);
> > > -
> > >       detect_nopl();
> > >  }
> > >
> > > diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
> > > index 069420853304..191d5947a762 100644
> > > --- a/arch/x86/kernel/head_64.S
> > > +++ b/arch/x86/kernel/head_64.S
> > > @@ -27,6 +27,7 @@
> > >  #include <asm/fixmap.h>
> > >  #include <asm/smp.h>
> > >  #include <asm/thread_info.h>
> > > +#include <asm/cpufeature.h>
> > >
> > >  /*
> > >   * We are not able to switch in one step to the final KERNEL ADDRESS SPACE
> > > @@ -58,6 +59,20 @@ SYM_CODE_START_NOALIGN(startup_64)
> > >        */
> > >       mov     %rsi, %r15
> > >
> > > +#ifdef CONFIG_X86_5LEVEL
> >
> > Is #ifdef really needed?
> >
> 
> 'Really needed' no but setting this capability is semantically murky
> if the kernel is not configured to support it. But you wouldn't get
> far in that case, so it doesn't matter much in practice.

If we get here with CR4.LA57=1 and CONFIG_X86_5LEVEL=n, we are screwed.
Something is very broken in stub or decompressor.

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

[PATCH v3 1/7] x86/cpu: Use a new feature flag for 5 level paging
[PATCH v3 2/7] x86/cpu: Allow caps to be set arbitrarily early
[PATCH v3 3/7] x86/asm-offsets: Export struct cpuinfo_x86 layout for asm use
[PATCH v3 4/7] x86/boot: Set 5-level paging CPU cap before entering C code
[PATCH v3 5/7] x86/boot: Drop the early variant of pgtable_l5_enabled()
[PATCH v3 6/7] x86/boot: Drop 5-level paging related variables and early updates
[PATCH v3 7/7] x86/cpu: Make CPU capability overrides __ro_after_init