Brian Gerst
2020-May-19 13:58 UTC
[PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
On Tue, Apr 28, 2020 at 11:28 AM Joerg Roedel <joro at 8bytes.org> wrote:> > From: Joerg Roedel <jroedel at suse.de> > > The code inserted by the stack protector does not work in the early > boot environment because it uses the GS segment, at least with memory > encryption enabled. Make sure the early code is compiled without this > feature enabled. > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > --- > arch/x86/kernel/Makefile | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile > index ba89cabe5fcf..1192de38fa56 100644 > --- a/arch/x86/kernel/Makefile > +++ b/arch/x86/kernel/Makefile > @@ -35,6 +35,10 @@ ifdef CONFIG_FRAME_POINTER > OBJECT_FILES_NON_STANDARD_ftrace_$(BITS).o := y > endif > > +# make sure head64.c is built without stack protector > +nostackp := $(call cc-option, -fno-stack-protector) > +CFLAGS_head64.o := $(nostackp) > + > # If instrumentation of this dir is enabled, boot hangs during first second. > # Probably could be more selective here, but note that files related to irqs, > # boot, dumpstack/stacktrace, etc are either non-interesting or can lead toThe proper fix would be to initialize MSR_GS_BASE earlier. -- Brian Gerst
Joerg Roedel
2020-Jun-03 15:18 UTC
[PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
On Tue, May 19, 2020 at 09:58:18AM -0400, Brian Gerst wrote:> On Tue, Apr 28, 2020 at 11:28 AM Joerg Roedel <joro at 8bytes.org> wrote:> The proper fix would be to initialize MSR_GS_BASE earlier.That'll mean to initialize it two times during boot, as the first C function with stack-protection is called before the kernel switches to its high addresses (early_idt_setup call-path). But okay, I can do that. On the other side, which value does the stack protector have in the early boot code? Joerg
Brian Gerst
2020-Jun-03 17:14 UTC
[PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
On Wed, Jun 3, 2020 at 11:18 AM Joerg Roedel <joro at 8bytes.org> wrote:> > On Tue, May 19, 2020 at 09:58:18AM -0400, Brian Gerst wrote: > > On Tue, Apr 28, 2020 at 11:28 AM Joerg Roedel <joro at 8bytes.org> wrote: > > > The proper fix would be to initialize MSR_GS_BASE earlier. > > That'll mean to initialize it two times during boot, as the first C > function with stack-protection is called before the kernel switches to > its high addresses (early_idt_setup call-path). But okay, I can do that.Good point. Since this is boot code which isn't subject to stack smashing attacks, disabling stack protector is probably the simpler option. -- Brian Gerst
Seemingly Similar Threads
- [PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
- [PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
- [PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
- [PATCH v3 35/75] x86/head/64: Build k/head64.c with -fno-stack-protector
- [PATCH v4 34/75] x86/head/64: Build k/head64.c with -fno-stack-protector