[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RFC PATCH 10/28] x86/xen: Avoid relocatable quantities in Xen ELF notes

To: linux-kernel@xxxxxxxxxxxxxxx
From: Ard Biesheuvel <ardb+git@xxxxxxxxxx>
Date: Wed, 25 Sep 2024 17:01:10 +0200
Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>, x86@xxxxxxxxxx, "H. Peter Anvin" <hpa@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Uros Bizjak <ubizjak@xxxxxxxxx>, Dennis Zhou <dennis@xxxxxxxxxx>, Tejun Heo <tj@xxxxxxxxxx>, Christoph Lameter <cl@xxxxxxxxx>, Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Arnd Bergmann <arnd@xxxxxxxx>, Masahiro Yamada <masahiroy@xxxxxxxxxx>, Kees Cook <kees@xxxxxxxxxx>, Nathan Chancellor <nathan@xxxxxxxxxx>, Keith Packard <keithp@xxxxxxxxxx>, Justin Stitt <justinstitt@xxxxxxxxxx>, Josh Poimboeuf <jpoimboe@xxxxxxxxxx>, Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>, Namhyung Kim <namhyung@xxxxxxxxxx>, Jiri Olsa <jolsa@xxxxxxxxxx>, Ian Rogers <irogers@xxxxxxxxxx>, Adrian Hunter <adrian.hunter@xxxxxxxxx>, Kan Liang <kan.liang@xxxxxxxxxxxxxxx>, linux-doc@xxxxxxxxxxxxxxx, linux-pm@xxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-efi@xxxxxxxxxxxxxxx, linux-arch@xxxxxxxxxxxxxxx, linux-sparse@xxxxxxxxxxxxxxx, linux-kbuild@xxxxxxxxxxxxxxx, linux-perf-users@xxxxxxxxxxxxxxx, rust-for-linux@xxxxxxxxxxxxxxx, llvm@xxxxxxxxxxxxxxx
Delivery-date: Wed, 25 Sep 2024 15:14:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Ard Biesheuvel <ardb@xxxxxxxxxx>

Xen puts virtual and physical addresses into ELF notes that are treated
by the linker as relocatable by default. Doing so is not only pointless,
given that the ELF notes are only intended for consumption by Xen before
the kernel boots. It is also a KASLR leak, given that the kernel's ELF
notes are exposed via the world readable /sys/kernel/notes.

So emit these constants in a way that prevents the linker from marking
them as relocatable. This involves place-relative relocations (which
subtract their own virtual address from the symbol value) and linker
provided absolute symbols that add the address of the place to the
desired value.

Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
---
 arch/x86/kernel/vmlinux.lds.S | 13 +++++++++++++
 arch/x86/platform/pvh/head.S  |  6 +++---
 arch/x86/tools/relocs.c       |  1 +
 arch/x86/xen/xen-head.S       |  6 ++++--
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 00f82db7b3e1..52b8db931d0f 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -111,6 +111,19 @@ PHDRS {
 SECTIONS
 {
        . = __START_KERNEL;
+
+#ifdef CONFIG_XEN_PV
+xen_elfnote_entry_offset =
+       ABSOLUTE(xen_elfnote_entry) + ABSOLUTE(startup_xen);
+xen_elfnote_hypercall_page_offset =
+       ABSOLUTE(xen_elfnote_hypercall_page) + ABSOLUTE(hypercall_page);
+#endif
+
+#ifdef CONFIG_PVH
+xen_elfnote_phys32_entry_offset =
+       ABSOLUTE(xen_elfnote_phys32_entry) + ABSOLUTE(pvh_start_xen - 
LOAD_OFFSET);
+#endif
+
 #ifdef CONFIG_X86_32
        phys_startup_32 = ABSOLUTE(startup_32 - LOAD_OFFSET);
 #else
diff --git a/arch/x86/platform/pvh/head.S b/arch/x86/platform/pvh/head.S
index 11245ecdc08d..adbf57e83e4e 100644
--- a/arch/x86/platform/pvh/head.S
+++ b/arch/x86/platform/pvh/head.S
@@ -50,7 +50,7 @@
 #define PVH_CS_SEL             (PVH_GDT_ENTRY_CS * 8)
 #define PVH_DS_SEL             (PVH_GDT_ENTRY_DS * 8)
 
-SYM_CODE_START_LOCAL(pvh_start_xen)
+SYM_CODE_START(pvh_start_xen)
        UNWIND_HINT_END_OF_STACK
        cld
 
@@ -165,5 +165,5 @@ SYM_DATA_START_LOCAL(early_stack)
        .fill BOOT_STACK_SIZE, 1, 0
 SYM_DATA_END_LABEL(early_stack, SYM_L_LOCAL, early_stack_end)
 
-       ELFNOTE(Xen, XEN_ELFNOTE_PHYS32_ENTRY,
-                    _ASM_PTR (pvh_start_xen - __START_KERNEL_map))
+       ELFNOTE(Xen, XEN_ELFNOTE_PHYS32_ENTRY, .global xen_elfnote_phys32_entry;
+               xen_elfnote_phys32_entry: _ASM_PTR 
xen_elfnote_phys32_entry_offset - .)
diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
index 942c029a5067..22c2d3f07a57 100644
--- a/arch/x86/tools/relocs.c
+++ b/arch/x86/tools/relocs.c
@@ -57,6 +57,7 @@ static const char * const     sym_regex_kernel[S_NSYMTYPES] = 
{
        [S_ABS] =
        "^(xen_irq_disable_direct_reloc$|"
        "xen_save_fl_direct_reloc$|"
+       "xen_elfnote_.+_offset$|"
        "VDSO|"
        "__kcfi_typeid_|"
        "__crc_)",
diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
index faadac7c29e6..4d246a48a85f 100644
--- a/arch/x86/xen/xen-head.S
+++ b/arch/x86/xen/xen-head.S
@@ -88,7 +88,8 @@ SYM_CODE_END(xen_cpu_bringup_again)
        ELFNOTE(Xen, XEN_ELFNOTE_VIRT_BASE,      _ASM_PTR __START_KERNEL_map)
        /* Map the p2m table to a 512GB-aligned user address. */
        ELFNOTE(Xen, XEN_ELFNOTE_INIT_P2M,       .quad (PUD_SIZE * 
PTRS_PER_PUD))
-       ELFNOTE(Xen, XEN_ELFNOTE_ENTRY,          _ASM_PTR startup_xen)
+       ELFNOTE(Xen, XEN_ELFNOTE_ENTRY,          .globl xen_elfnote_entry;
+               xen_elfnote_entry: _ASM_PTR xen_elfnote_entry_offset - .)
        ELFNOTE(Xen, XEN_ELFNOTE_FEATURES,       .ascii "!writable_page_tables")
        ELFNOTE(Xen, XEN_ELFNOTE_PAE_MODE,       .asciz "yes")
        ELFNOTE(Xen, XEN_ELFNOTE_L1_MFN_VALID,
@@ -109,7 +110,8 @@ SYM_CODE_END(xen_cpu_bringup_again)
 #else
 # define FEATURES_DOM0 0
 #endif
-       ELFNOTE(Xen, XEN_ELFNOTE_HYPERCALL_PAGE, _ASM_PTR hypercall_page)
+       ELFNOTE(Xen, XEN_ELFNOTE_HYPERCALL_PAGE, .globl 
xen_elfnote_hypercall_page;
+               xen_elfnote_hypercall_page: _ASM_PTR 
xen_elfnote_hypercall_page_offset - .)
        ELFNOTE(Xen, XEN_ELFNOTE_SUPPORTED_FEATURES,
                .long FEATURES_PV | FEATURES_PVH | FEATURES_DOM0)
        ELFNOTE(Xen, XEN_ELFNOTE_LOADER,         .asciz "generic")
-- 
2.46.0.792.g87dc391469-goog

References:
- [RFC PATCH 00/28] x86: Rely on toolchain for relocatable code
  - From: Ard Biesheuvel

Prev by Date: [RFC PATCH 09/28] x86/tools: Remove special relocation handling for per-CPU variables
Next by Date: [RFC PATCH 12/28] x86/pm-trace: Use RIP-relative accesses for .tracedata
Previous by thread: [RFC PATCH 09/28] x86/tools: Remove special relocation handling for per-CPU variables
Next by thread: [RFC PATCH 12/28] x86/pm-trace: Use RIP-relative accesses for .tracedata
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.