search for: msr_gs_base

...le("movl %%eax, %%ds\n" "movl %%eax, %%ss\n" "movl %%eax, %%es\n" : : "a"(__KERNEL_DS) : "memory"); + + /* Setup GS_BASE - needed for stack protector */ + gsbase = (unsigned long)fixup_pointer((void *)initial_gs, physbase); + __wrmsr(MSR_GS_BASE, (u32)gsbase, (u32)(gsbase >> 32)); } diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index 2b2e91627221..800053219054 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -78,6 +78,14 @@ SYM_CODE_START_NOALIGN(startup_64) call startup_64_setup_env...

...le("movl %%eax, %%ds\n" "movl %%eax, %%ss\n" "movl %%eax, %%es\n" : : "a"(__KERNEL_DS) : "memory"); + + /* Setup GS_BASE - needed for stack protector */ + gsbase = (unsigned long)fixup_pointer((void *)initial_gs, physbase); + __wrmsr(MSR_GS_BASE, (u32)gsbase, (u32)(gsbase >> 32)); } diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index 2b2e91627221..800053219054 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -78,6 +78,14 @@ SYM_CODE_START_NOALIGN(startup_64) call startup_64_setup_env...

.../* > + * Setup %gs here already to make stack-protector work - it needs to be > + * setup again after the switch to kernel addresses. The address read > + * from initial_gs is a kernel address, so it needs to be adjusted first > + * for the identity mapping. > + */ > + movl $MSR_GS_BASE,%ecx I'm confused: is this missing those three lines: movl initial_gs(%rip),%eax movl initial_gs+4(%rip),%edx wrmsr as it is done in secondary_startup_64 ? Or why would you otherwise put 0xc0000101 in %ecx and not do anything with it... -- Regards/Gruss,...

1: correct LDT checks 2: add address validity check to guest_map_l1e() 3: use {rd,wr}{fs,gs}base when available 4: check for canonical address before doing page walks Signed-off-by: Jan Beulich <jbeulich@suse.com>

...ckp) > + > # If instrumentation of this dir is enabled, boot hangs during first second. > # Probably could be more selective here, but note that files related to irqs, > # boot, dumpstack/stacktrace, etc are either non-interesting or can lead to The proper fix would be to initialize MSR_GS_BASE earlier. -- Brian Gerst

...ckp) > + > # If instrumentation of this dir is enabled, boot hangs during first second. > # Probably could be more selective here, but note that files related to irqs, > # boot, dumpstack/stacktrace, etc are either non-interesting or can lead to The proper fix would be to initialize MSR_GS_BASE earlier. -- Brian Gerst

...+ movl %eax,%fs + movl %eax,%gs + + /* Set up %gs. + * + * The base of %gs always points to fixed_percpu_data. If the + * stack protector canary is enabled, it is located at %gs:40. + * Note that, on SMP, the boot cpu uses init data section until + * the per cpu areas are set up. + */ + movl $MSR_GS_BASE,%ecx + movl initial_gs(%rip),%eax + movl initial_gs+4(%rip),%edx + wrmsr + /* Check if nx is implemented */ movl $0x80000001, %eax cpuid @@ -201,32 +227,6 @@ SYM_CODE_START(secondary_startup_64) pushq $0 popfq - /* set up data segments */ - xorl %eax,%eax - movl %eax,%ds - movl %eax,%ss...

...if ( wrmsr_safe(MSR_FS_BASE, regs->eax, regs->edx) ) goto fail; - v->arch.guest_context.fs_base = - ((u64)regs->edx << 32) | regs->eax; + v->arch.guest_context.fs_base = res; break; case MSR_GS_BASE: if ( is_pv_32on64_vcpu(v) ) goto fail; if ( wrmsr_safe(MSR_GS_BASE, regs->eax, regs->edx) ) goto fail; - v->arch.guest_context.gs_base_kernel = - ((u64)regs->edx << 32) | regs->eax; +...

...2,6 +42,7 @@ #include <asm/system.h> #include <asm/io.h> #include <asm/processor.h> +#include <asm/system.h> #include <asm/i387.h> #include <asm/mmu_context.h> #include <asm/pda.h> @@ -338,10 +339,10 @@ void __show_regs(struct pt_regs * regs) rdmsrl(MSR_GS_BASE, gs); rdmsrl(MSR_KERNEL_GS_BASE, shadowgs); - asm("movq %%cr0, %0": "=r" (cr0)); - asm("movq %%cr2, %0": "=r" (cr2)); - asm("movq %%cr3, %0": "=r" (cr3)); - asm("movq %%cr4, %0": "=r" (cr4)); + cr0 = read_cr0(); +...

...2,6 +42,7 @@ #include <asm/system.h> #include <asm/io.h> #include <asm/processor.h> +#include <asm/system.h> #include <asm/i387.h> #include <asm/mmu_context.h> #include <asm/pda.h> @@ -338,10 +339,10 @@ void __show_regs(struct pt_regs * regs) rdmsrl(MSR_GS_BASE, gs); rdmsrl(MSR_KERNEL_GS_BASE, shadowgs); - asm("movq %%cr0, %0": "=r" (cr0)); - asm("movq %%cr2, %0": "=r" (cr2)); - asm("movq %%cr3, %0": "=r" (cr3)); - asm("movq %%cr4, %0": "=r" (cr4)); + cr0 = read_cr0(); +...

...*vmx_create_vcpu(struct kvm *kvm, unsigned int id) goto free_pml; msr_bitmap = vmx->vmcs01.msr_bitmap; - vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_TSC, MSR_TYPE_R); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_FS_BASE, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_GS_BASE, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_KERNEL_GS_BASE, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_CS, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_ESP, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, M...

...@ static int vmx_create_vcpu(struct kvm_vcpu *vcpu) goto free_pml; msr_bitmap = vmx->vmcs01.msr_bitmap; - vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_TSC, MSR_TYPE_R); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_FS_BASE, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_GS_BASE, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_KERNEL_GS_BASE, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_CS, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_ESP, MSR_TYPE_RW); - vmx_disable_intercept_for_msr(msr_bitmap, M...

On Tue, May 19, 2020 at 09:58:18AM -0400, Brian Gerst wrote: > On Tue, Apr 28, 2020 at 11:28 AM Joerg Roedel <joro at 8bytes.org> wrote: > The proper fix would be to initialize MSR_GS_BASE earlier. That'll mean to initialize it two times during boot, as the first C function with stack-protection is called before the kernel switches to its high addresses (early_idt_setup call-path). But okay, I can do that. On the other side, which value does the stack protector have in the earl...

...hvm/vmx/vmcs.c index 290b42f..4aab971 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -950,6 +950,7 @@ static int construct_vmcs(struct vcpu *v) vmx_disable_intercept_for_msr(v, MSR_FS_BASE, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_GS_BASE, MSR_TYPE_R | MSR_TYPE_W); + vmx_disable_intercept_for_msr(v, MSR_SHADOW_GS_BASE, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W);...

...nion+THREAD_SIZE, %_ASM_SP + _ASM_MOVABS $xen_start_info, %_ASM_AX + _ASM_MOV %_ASM_SI, (%_ASM_AX) + _ASM_MOVABS $init_thread_union+THREAD_SIZE, %_ASM_SP #ifdef CONFIG_X86_64 /* Set up %gs. @@ -46,7 +47,7 @@ ENTRY(startup_xen) * init data section till per cpu areas are set up. */ movl $MSR_GS_BASE,%ecx - movq $INIT_PER_CPU_VAR(irq_stack_union),%rax + movabsq $INIT_PER_CPU_VAR(irq_stack_union),%rax cdq wrmsr #endif diff --git a/arch/x86/xen/xen-pvh.S b/arch/x86/xen/xen-pvh.S index e1a5fbeae08d..43e234c7c2de 100644 --- a/arch/x86/xen/xen-pvh.S +++ b/arch/x86/xen/xen-pvh.S @@ -101,8 +101,8...

...SAVE_GREG(11) + SAVE_GREG(12) + SAVE_GREG(13) + SAVE_GREG(14) + SAVE_GREG(15) + pushfq; + popq SAVED_GREG(flags) + + mov %cr8, GREG(ax) + mov GREG(ax), REF(saved_cr8) + + RDMSR(MSR_FS_BASE, saved_fs_base) + RDMSR(MSR_GS_BASE, saved_gs_base) + RDMSR(MSR_SHADOW_GS_BASE, saved_kernel_gs_base) + +#else /* !defined(__x86_64__) */ + + pushfl; + popl SAVED_GREG(flags) + +#endif + + mov %ds, REF(saved_ds) + mov %es, REF(saved_es) + mov %fs, REF(saved_fs) + mov...

...0xc0000081 /* legacy mode SYSCALL target */ +#define MSR_LSTAR 0xc0000082 /* long mode SYSCALL target */ +#define MSR_CSTAR 0xc0000083 /* compat mode SYSCALL target */ +#define MSR_SYSCALL_MASK 0xc0000084 /* EFLAGS mask for syscall */ +#define MSR_FS_BASE 0xc0000100 /* 64bit FS base */ +#define MSR_GS_BASE 0xc0000101 /* 64bit GS base */ +#define MSR_KERNEL_GS_BASE 0xc0000102 /* SwapGS GS shadow */ + +/* EFER bits: */ +#define _EFER_SCE 0x00000000 /* SYSCALL/SYSRET */ +#define _EFER_LME 0x00000008 /* Long mode enable */ +#define _EFER_LMA 0x0000000a /* Long mode active (read-only) */ +#define _EFE...

...0xc0000081 /* legacy mode SYSCALL target */ +#define MSR_LSTAR 0xc0000082 /* long mode SYSCALL target */ +#define MSR_CSTAR 0xc0000083 /* compat mode SYSCALL target */ +#define MSR_SYSCALL_MASK 0xc0000084 /* EFLAGS mask for syscall */ +#define MSR_FS_BASE 0xc0000100 /* 64bit FS base */ +#define MSR_GS_BASE 0xc0000101 /* 64bit GS base */ +#define MSR_KERNEL_GS_BASE 0xc0000102 /* SwapGS GS shadow */ + +/* EFER bits: */ +#define _EFER_SCE 0x00000000 /* SYSCALL/SYSRET */ +#define _EFER_LME 0x00000008 /* Long mode enable */ +#define _EFER_LMA 0x0000000a /* Long mode active (read-only) */ +#define _EFE...

...el/head64.c b/arch/x86/kernel/head64.c index ce2d8284edb9..b26a7f1bd6fe 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c @@ -545,3 +545,14 @@ void __head startup_64_setup_env(unsigned long physbase) gsbase = (unsigned long)fixup_pointer((void *)initial_gs, physbase); __wrmsr(MSR_GS_BASE, (u32)gsbase, (u32)(gsbase >> 32)); } + +void __head early_load_tss(void) +{ + struct desc_struct *gdt = (struct desc_struct *)early_gdt_descr.address; + tss_desc tss; + + /* Load TSS only if entry in GDT is marked present */ + memcpy(&tss, &gdt[GDT_ENTRY_TSS], sizeof(tss_desc)); + i...

...3.000000000 -0200 +++ linux-2.6.19-paravirt1/arch/x86_64/kernel/setup64.c 2007-01-09 10:24:25.000000000 -0200 @@ -123,7 +123,7 @@ void pda_init(int cpu) asm volatile("movl %0,%%fs ; movl %0,%%gs" :: "r" (0)); /* Memory clobbers used to order PDA accessed */ mb(); - wrmsrl(MSR_GS_BASE, pda); + wrmsrl(MSR_GS_BASE, (u64)pda); mb(); pda->cpunumber = cpu; @@ -160,7 +160,7 @@ void syscall_init(void) * but only a 32bit target. LSTAR sets the 64bit rip. */ wrmsrl(MSR_STAR, ((u64)__USER32_CS)<<48 | ((u64)__KERNEL_CS)<<32); - wrmsrl(MSR_LSTAR, system_...