search for: unwind_hint_empty

...: > From: Joerg Roedel <jroedel at suse.de> > > The APs are not ready to handle exceptions when verify_cpu() is called > in secondary_startup_64. Eek, no. MSR_IA32_MISC_ENABLE_XD_DISABLE needs to be cleared very early during CPU startup; this can't just be skipped. Also, is UNWIND_HINT_EMPTY needed for the new target? -Kees > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > --- > arch/x86/include/asm/realmode.h | 1 + > arch/x86/kernel/head_64.S | 1 + > arch/x86/realmode/init.c | 6 ++++++ > 3 files changed, 8 insertions(+) > > di...

...: > From: Joerg Roedel <jroedel at suse.de> > > The APs are not ready to handle exceptions when verify_cpu() is called > in secondary_startup_64. Eek, no. MSR_IA32_MISC_ENABLE_XD_DISABLE needs to be cleared very early during CPU startup; this can't just be skipped. Also, is UNWIND_HINT_EMPTY needed for the new target? -Kees > > Signed-off-by: Joerg Roedel <jroedel at suse.de> > --- > arch/x86/include/asm/realmode.h | 1 + > arch/x86/kernel/head_64.S | 1 + > arch/x86/realmode/init.c | 6 ++++++ > 3 files changed, 8 insertions(+) > > di...

...rip) > + lgdt boot_gdt_descr(%rip) > + > + /* GDT loaded - switch to __KERNEL_CS so IRET works reliably */ > + pushq $__KERNEL_CS > + leaq .Lon_kernel_cs(%rip), %rax > + pushq %rax > + lretq > + > +.Lon_kernel_cs: > + UNWIND_HINT_EMPTY I would suggest fixing at least SS as well.

...cr(%rip) + + /* New GDT is live - reload data segment registers */ + movl $__KERNEL_DS, %eax + movl %eax, %ds + movl %eax, %ss + movl %eax, %es + + /* Now switch to __KERNEL_CS so IRET works reliably */ + pushq $__KERNEL_CS + leaq .Lon_kernel_cs(%rip), %rax + pushq %rax + lretq + +.Lon_kernel_cs: + UNWIND_HINT_EMPTY + /* Sanitize CPU configuration */ call verify_cpu @@ -143,6 +163,11 @@ SYM_CODE_START(secondary_startup_64) 1: UNWIND_HINT_EMPTY + /* Setup boot GDT descriptor and load boot GDT */ + leaq boot_gdt(%rip), %rax + movq %rax, boot_gdt_descr+2(%rip) + lgdt boot_gdt_descr(%rip) + /* Check i...

On Tue, Apr 28, 2020 at 05:16:41PM +0200, Joerg Roedel wrote: > @@ -480,6 +500,22 @@ SYM_DATA_LOCAL(early_gdt_descr_base, .quad INIT_PER_CPU_VAR(gdt_page)) > SYM_DATA(phys_base, .quad 0x0) > EXPORT_SYMBOL(phys_base) > > +/* Boot GDT used when kernel addresses are not mapped yet */ > +SYM_DATA_LOCAL(boot_gdt_descr, .word boot_gdt_end - boot_gdt) >

On Tue, Apr 28, 2020 at 05:16:41PM +0200, Joerg Roedel wrote: > @@ -480,6 +500,22 @@ SYM_DATA_LOCAL(early_gdt_descr_base, .quad INIT_PER_CPU_VAR(gdt_page)) > SYM_DATA(phys_base, .quad 0x0) > EXPORT_SYMBOL(phys_base) > > +/* Boot GDT used when kernel addresses are not mapped yet */ > +SYM_DATA_LOCAL(boot_gdt_descr, .word boot_gdt_end - boot_gdt) >

...etup boot GDT descriptor and load boot GDT */ + leaq boot_gdt(%rip), %rax + movq %rax, boot_gdt_base(%rip) + lgdt boot_gdt_descr(%rip) + + /* GDT loaded - switch to __KERNEL_CS so IRET works reliably */ + pushq $__KERNEL_CS + leaq .Lon_kernel_cs(%rip), %rax + pushq %rax + lretq + +.Lon_kernel_cs: + UNWIND_HINT_EMPTY + /* Sanitize CPU configuration */ call verify_cpu @@ -480,6 +494,18 @@ SYM_DATA_LOCAL(early_gdt_descr_base, .quad INIT_PER_CPU_VAR(gdt_page)) SYM_DATA(phys_base, .quad 0x0) EXPORT_SYMBOL(phys_base) +/* Boot GDT used when kernel addresses are not mapped yet */ +SYM_DATA_LOCAL(boot_gdt_des...

...cr(%rip) + + /* New GDT is live - reload data segment registers */ + movl $__KERNEL_DS, %eax + movl %eax, %ds + movl %eax, %ss + movl %eax, %es + + /* Now switch to __KERNEL_CS so IRET works reliably */ + pushq $__KERNEL_CS + leaq .Lon_kernel_cs(%rip), %rax + pushq %rax + lretq + +.Lon_kernel_cs: + UNWIND_HINT_EMPTY + /* Sanitize CPU configuration */ call verify_cpu @@ -480,6 +500,22 @@ SYM_DATA_LOCAL(early_gdt_descr_base, .quad INIT_PER_CPU_VAR(gdt_page)) SYM_DATA(phys_base, .quad 0x0) EXPORT_SYMBOL(phys_base) +/* Boot GDT used when kernel addresses are not mapped yet */ +SYM_DATA_LOCAL(boot_gdt_des...

...so this MSR is not even accessed during boot on those VMs. The alternative is to set up exception handling prior to calling verify_cpu, including segments, stack and IDT. Given that verify_cpu() does not add much value to SEV-ES guests, I'd like to avoid adding this complexity. > Also, is UNWIND_HINT_EMPTY needed for the new target? Yes, I think it is, will add it in the next version. Regards, Joerg

...++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index 800053219054..f958d4e4ee08 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -166,6 +166,14 @@ SYM_CODE_START(secondary_startup_64) 1: UNWIND_HINT_EMPTY + /* + * We must switch to a new descriptor in kernel space for the GDT + * because soon the kernel won't have access anymore to the userspace + * addresses where we're currently running on. We have to do that here + * because in 32bit we couldn't load a 64bit linear address. + *...

...ould cause + * #VC exceptions which can not be handled at this stage of secondary + * CPU bringup. + * + * All non SEV-ES systems, especially Intel systems, need to execute + * verify_cpu() above to make sure NX is enabled. + */ +SYM_INNER_LABEL(secondary_startup_64_no_verify, SYM_L_GLOBAL) + UNWIND_HINT_EMPTY + /* * Retrieve the modifier (SME encryption mask if SME is active) to be * added to the initial pgdir entry that will be programmed into CR3. diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c index 61a52b925d15..df701f87ddef 100644 --- a/arch/x86/realmode/init.c +++ b/arch/x...

...called from play_dead(). Everything has been set + * CPU entry point. It's called from play_dead(). Everything has been set * up already except stack. We just set up stack here. Then call * start_secondary() via .Ljump_to_C_code. */ -SYM_CODE_START(start_cpu0) +SYM_CODE_START(start_cpu) UNWIND_HINT_EMPTY movq initial_stack(%rip), %rsp jmp .Ljump_to_C_code -SYM_CODE_END(start_cpu0) +SYM_CODE_END(start_cpu) #endif /* Both SMP bootup and ACPI suspend change these variables */ diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c index fb55d28332e2..c6311c55b84c 100644 --- a/arch/...

...called from play_dead(). Everything has been set + * CPU entry point. It's called from play_dead(). Everything has been set * up already except stack. We just set up stack here. Then call * start_secondary() via .Ljump_to_C_code. */ -SYM_CODE_START(start_cpu0) +SYM_CODE_START(start_cpu) UNWIND_HINT_EMPTY movq initial_stack(%rip), %rsp jmp .Ljump_to_C_code -SYM_CODE_END(start_cpu0) +SYM_CODE_END(start_cpu) #endif /* Both SMP bootup and ACPI suspend change these variables */ diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c index fb55d28332e2..c6311c55b84c 100644 --- a/arch/...

...quirements here ... what things in verify_cpu() can cause exceptions? AFAICT, cpuid is safely handled (i.e. it is detected and only run in a way to avoid exceptions and the MSR reads/writes are similarly bound by CPU family/id range checks). I must be missing something. :) > > > Also, is UNWIND_HINT_EMPTY needed for the new target? > > Yes, I think it is, will add it in the next version. > > Regards, > > Joerg -- Kees Cook

...quirements here ... what things in verify_cpu() can cause exceptions? AFAICT, cpuid is safely handled (i.e. it is detected and only run in a way to avoid exceptions and the MSR reads/writes are similarly bound by CPU family/id range checks). I must be missing something. :) > > > Also, is UNWIND_HINT_EMPTY needed for the new target? > > Yes, I think it is, will add it in the next version. > > Regards, > > Joerg -- Kees Cook

...ev-es.h> /* * Manage page tables very early on. diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index 4622940134a5..12bf6f11fd83 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -95,6 +95,13 @@ SYM_CODE_START_NOALIGN(startup_64) .Lon_kernel_cs: UNWIND_HINT_EMPTY + /* Setup IDT - Needed for SEV-ES */ + pushq %rsi + /* early_idt_setup - physbase as first parameter */ + leaq _text(%rip), %rdi + call early_idt_setup + popq %rsi + /* Sanitize CPU configuration */ call verify_cpu @@ -363,6 +370,33 @@ SYM_CODE_START_LOCAL(early_idt_handler_common) jmp r...

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.

From: Joerg Roedel <jroedel at suse.de> Hi, here is a rebased version of the latest SEV-ES patches. They are now based on latest tip/master instead of upstream Linux and include the necessary changes. Changes to v4 are in particular: - Moved early IDT setup code to idt.c, because the idt_descr and the idt_table are now static - This required to make stack protector work early (or

From: Joerg Roedel <jroedel at suse.de> Hi, here is the fourth version of the SEV-ES Guest Support patches. I addressed the review comments sent to me for the previous version and rebased the code v5.8-rc5. The biggest change in this version is the IST handling code for the #VC handler. I adapted the entry code for the #VC handler to the big pile of entry code changes merged into