• Michael Roth's avatar
    x86/head/64: Re-enable stack protection · 469693d8
    Michael Roth authored
    Due to
    
      103a4908 ("x86/head/64: Disable stack protection for head$(BITS).o")
    
    kernel/head{32,64}.c are compiled with -fno-stack-protector to allow
    a call to set_bringup_idt_handler(), which would otherwise have stack
    protection enabled with CONFIG_STACKPROTECTOR_STRONG.
    
    While sufficient for that case, there may still be issues with calls to
    any external functions that were compiled with stack protection enabled
    that in-turn make stack-protected calls, or if the exception handlers
    set up by set_bringup_idt_handler() make calls to stack-protected
    functions.
    
    Subsequent patches for SEV-SNP CPUID validation support will introduce
    both such cases. Attempting to disable stack protection for everything
    in scope to address that is prohibitive since much of the code, like the
    SEV-ES #VC handler, is shared code that remains in use after boot and
    could benefit from having stack protection enabled. Attempting to inline
    calls is brittle and can quickly balloon out to library/helper code
    where that's not really an option.
    
    Instead, re-enable stack protection for head32.c/head64.c, and make the
    appropriate changes to ensure the segment used for the stack canary is
    initialized in advance of any stack-protected C calls.
    
    For head64.c:
    
    - The BSP will enter from startup_64() and call into C code
      (startup_64_setup_env()) shortly after setting up the stack, which
      may result in calls to stack-protected code. Set up %gs early to allow
      for this safely.
    - APs will enter from secondary_startup_64*(), and %gs will be set up
      soon after. There is one call to C code prior to %gs being setup
      (__startup_secondary_64()), but it is only to fetch 'sme_me_mask'
      global, so just load 'sme_me_mask' directly instead, and remove the
      now-unused __startup_secondary_64() function.
    
    For head32.c:
    
    - BSPs/APs will set %fs to __BOOT_DS prior to any C calls. In recent
      kernels, the compiler is configured to access the stack canary at
      %fs:__stack_chk_guard [1], which overlaps with the initial per-cpu
      '__stack_chk_guard' variable in the initial/"master" .data..percpu
      area. This is sufficient to allow access to the canary for use
      during initial startup, so no changes are needed there.
    
    [1] 3fb0fdb3 ("x86/stackprotector/32: Make the canary into a regular percpu variable")
    
      [ bp: Massage commit message. ]
    
    Suggested-by: Joerg Roedel <jroedel@suse.de> #for 64-bit %gs set up
    Signed-off-by: default avatarMichael Roth <michael.roth@amd.com>
    Signed-off-by: default avatarBrijesh Singh <brijesh.singh@amd.com>
    Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
    Link: https://lore.kernel.org/r/20220307213356.2797205-24-brijesh.singh@amd.com
    469693d8
setup.h 3.82 KB