Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code

From: Andi Kleen
Date: Wed Jan 17 2024 - 06:39:32 EST

Next message: Karim Manaouil: "Debug: mm: meminfo reports 222GiB of AnonPages but sum of RSS in ps is barely 400MiB"
Previous message: Badhri Jagan Sridharan: "[PATCH v1] Revert "usb: typec: tcpm: fix cc role at port reset""
In reply to: Ard Biesheuvel: "Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code"
Next in thread: Ard Biesheuvel: "Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 17, 2024 at 11:59:14AM +0100, Ard Biesheuvel wrote:
> On Mon, 15 Jan 2024 at 21:47, Borislav Petkov <bp@xxxxxxxxx> wrote:
> >
> > On Thu, Jan 11, 2024 at 10:36:50PM +0000, Kevin Loughlin wrote:
> > > SEV/SME code can execute prior to page table fixups for kernel
> > > relocation. However, as with global variables accessed in
> > > __startup_64(), the compiler is not required to generate RIP-relative
> > > accesses for SEV/SME global variables, causing certain flavors of SEV
> > > hosts and guests built with clang to crash during boot.
> >
> > So, about that. If I understand my gcc toolchain folks correctly:
> >
> > mcmodel=kernel - everything fits into the high 31 bit of the address
> > space
> >
> > -fPIE/PIC - position independent
> >
> > And supplied both don't make a whole lotta of sense: if you're building
> > position-independent, then mcmodel=kernel would be overridden by the
> > first.
> >
> > I have no clue why clang enabled it...
> >
> > So, *actually* the proper fix here should be not to add this "fixed_up"
> > gunk everywhere but remove mcmodel=kernel from the build and simply do
> > -fPIE/PIC.

For the SEV file this might not work because it also has functions
that get called later at runtime, and may need to reference real
globals. I doubt the linker could resolve that.

For linking the whole kernel, I haven't seen the latest numbers, but
traditionally -fPIE/PIC cost some performance because globals get loaded
through the GOT instead of directly as immediates. That's why the original
x86-64 port went with -mcmodel=kernel.

Of course for the startup code it doesn't matter, but it might make
a difference for hot path code.

> >
>
> Fully agree. All this fiddling with RIP relative references from C
> code is going to be a maintenance burden going forward.

IIC it's only a few functions in this case, so it shouldn't be that bad.
The early x86 startup code has a few other areas with odd restrictions,
so it's not unprecedented.

-Andi

Next message: Karim Manaouil: "Debug: mm: meminfo reports 222GiB of AnonPages but sum of RSS in ps is barely 400MiB"
Previous message: Badhri Jagan Sridharan: "[PATCH v1] Revert "usb: typec: tcpm: fix cc role at port reset""
In reply to: Ard Biesheuvel: "Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code"
Next in thread: Ard Biesheuvel: "Re: [RFC PATCH v2] x86/sev: enforce RIP-relative accesses in early SEV/SME code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]