From patchwork Tue Jun 11 20:11:37 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1946542
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Focal][PATCH 1/3] x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
Date: Tue, 11 Jun 2024 16:11:37 -0400
Message-Id: <20240611201145.183510-2-yuxuan.luo@canonical.com>
In-Reply-To: <20240611201145.183510-1-yuxuan.luo@canonical.com>
References: <20240611201145.183510-1-yuxuan.luo@canonical.com>

From: Kuppuswamy Sathyanarayanan

Both Intel TDX and AMD SEV implement memory encryption features. But the bulk of the code in mem_encrypt.c is AMD-specific. Rename the file to mem_encrypt_amd.c. A subsequent patch will extract the parts that can be shared by both TDX and AMD SEV/SME into a generic file.

No functional changes.

Signed-off-by: Kuppuswamy Sathyanarayanan
Signed-off-by: Kirill A. Shutemov
Signed-off-by: Borislav Petkov
Reviewed-by: Tony Luck
Reviewed-by: Tom Lendacky
Tested-by: Tom Lendacky
Link: https://lore.kernel.org/r/20211206135505.75045-3-kirill.shutemov@linux.intel.com
(cherry picked from commit dbca5e1a04f8b30aea4e2c91e5045ee6e7c3ef43)
CVE-2024-25744
Signed-off-by: Yuxuan Luo
---
 arch/x86/mm/Makefile                             | 8 ++++----
 arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} | 0
 2 files changed, 4 insertions(+), 4 deletions(-)
 rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (100%)

diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index 84373dc9b341e..0eb2ee47a4af9 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile
@@ -1,14 +1,14 @@ # SPDX-License-Identifier: GPL-2.0 # Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c KCOV_INSTRUMENT_tlb.o := n -KCOV_INSTRUMENT_mem_encrypt.o := n +KCOV_INSTRUMENT_mem_encrypt_amd.o := n KCOV_INSTRUMENT_mem_encrypt_identity.o := n -KASAN_SANITIZE_mem_encrypt.o := n +KASAN_SANITIZE_mem_encrypt_amd.o := n KASAN_SANITIZE_mem_encrypt_identity.o := n ifdef CONFIG_FUNCTION_TRACER -CFLAGS_REMOVE_mem_encrypt.o = -pg +CFLAGS_REMOVE_mem_encrypt_amd.o = -pg CFLAGS_REMOVE_mem_encrypt_identity.o = -pg endif @@ -50,6 +50,6 @@ obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o obj-$(CONFIG_PAGE_TABLE_ISOLATION) += pti.o -obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o +obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_amd.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_identity.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o 
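Review bot: the Makefile hunks are internally consistent (KCOV_INSTRUMENT, KASAN_SANITIZE, CFLAGS_REMOVE and the obj- entry all move to mem_encrypt_amd.o, and the `mem_encrypt*.c` comment still covers the new name), so the hunk itself needs no change; the point to settle is whether Focal should carry a file rename at all. It is here only so that patch 3/3 applies against the upstream file name, and renaming arch/x86/mm/mem_encrypt.c in a stable tree means every later backport that touches that file has to be re-targeted; applying the ia32_disable() hunk to mem_encrypt.c with a line in the backport bracket would avoid the churn with no functional difference.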
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt_amd.c similarity index 100% rename from arch/x86/mm/mem_encrypt.c rename to arch/x86/mm/mem_encrypt_amd.c
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Focal][PATCH 2/3] x86: Introduce ia32_enabled()
Date: Tue, 11 Jun 2024 16:11:38 -0400
Message-Id: <20240611201145.183510-3-yuxuan.luo@canonical.com>
In-Reply-To: <20240611201145.183510-1-yuxuan.luo@canonical.com>
References: <20240611201145.183510-1-yuxuan.luo@canonical.com>

From: Nikolay Borisov

IA32 support on 64bit kernels depends on whether CONFIG_IA32_EMULATION is selected or not. As it is a compile time option it doesn't provide the flexibility to have distributions set their own policy for IA32 support and give the user the flexibility to override it.

As a first step introduce ia32_enabled() which abstracts whether IA32 compat is turned on or off. Upcoming patches will implement the ability to set IA32 compat state at boot time.

Signed-off-by: Nikolay Borisov
Signed-off-by: Thomas Gleixner
Link: https://lore.kernel.org/r/20230623111409.3047467-2-nik.borisov@suse.com
(backported from commit 1da5c9bc119d3a749b519596b93f9b2667e93c4a)
[yuxuan.luo: ignored context conflicts and backported the changes.]
CVE-2024-25744
Signed-off-by: Yuxuan Luo
---
 arch/x86/entry/common.c     |  5 +++++
 arch/x86/include/asm/ia32.h | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 721109c0cf994..1aa1c302f392f 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c
@@ -303,6 +303,11 @@ __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs) #endif #if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION) + +#ifdef CONFIG_IA32_EMULATION +bool __ia32_enabled __ro_after_init = true; +#endif + /* * Does a 32-bit syscall. Called with IRQs on in CONTEXT_KERNEL. Does * all entry and exit work and returns with IRQs off. This function is diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 2c5f7861d373c..3486ad645be4b 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h 
@@ -68,6 +68,20 @@ extern void ia32_pick_mmap_layout(struct mm_struct *mm); #endif -#endif /* !CONFIG_IA32_SUPPORT */ +extern bool __ia32_enabled; + +static inline bool ia32_enabled(void) +{ + return __ia32_enabled; +} + +#else /* !CONFIG_IA32_SUPPORT */ + +static inline bool ia32_enabled(void) +{ + return IS_ENABLED(CONFIG_X86_32); +} + +#endif #endif /* _ASM_X86_IA32_H */
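Review bot: ia32_enabled() gains a definition here but nothing in the three Focal patches calls it; 3/3 only adds ia32_disable() and clears the flag from sme_early_init(). Unless the Focal tree already carries the upstream follow-ups that make the INT 0x80 entry and the 32-bit ELF loader consult ia32_enabled(), this series flips a variable that no code reads and the compat syscall path stays reachable on SEV guests, so please confirm those consumers are present (or add them to the series) before this is accepted as the CVE-2024-25744 fix. Minor: the new `#else /* !CONFIG_IA32_SUPPORT */` carries over a symbol that does not exist in Kconfig; the Jammy copy of the same hunk in 4/6 reads `#else /* !CONFIG_IA32_EMULATION */`, and Focal should match.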
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Focal][PATCH 3/3] x86/coco: Disable 32-bit emulation by default on TDX and SEV
Date: Tue, 11 Jun 2024 16:11:39 -0400
Message-Id: <20240611201145.183510-4-yuxuan.luo@canonical.com>
In-Reply-To: <20240611201145.183510-1-yuxuan.luo@canonical.com>
References: <20240611201145.183510-1-yuxuan.luo@canonical.com>

From: "Kirill A. Shutemov"

The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The kernel expects to receive a software interrupt as a result of the INT 0x80 instruction. However, an external interrupt on the same vector triggers the same handler.

The kernel interprets an external interrupt on vector 0x80 as a 32-bit system call that came from userspace.

A VMM can inject external interrupts on any arbitrary vector at any time. This remains true even for TDX and SEV guests where the VMM is untrusted.

Put together, this allows an untrusted VMM to trigger int80 syscall handling at any given point. The content of the guest register file at that moment defines what syscall is triggered and its arguments. It opens the guest OS to manipulation from the VMM side.

Disable 32-bit emulation by default for TDX and SEV. User can override it with the ia32_emulation=y command line option.

[ dhansen: reword the changelog ]

Reported-by: Supraja Sridhara
Reported-by: Benedict Schlüter
Reported-by: Mark Kuhne
Reported-by: Andrin Bertschi
Reported-by: Shweta Shinde
Signed-off-by: Kirill A. Shutemov
Signed-off-by: Dave Hansen Reviewed-by: Thomas Gleixner Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+: 1da5c9b x86: Introduce ia32_enabled() Cc: # v6.0+ (backported from commit b82a8dbd3d2f4563156f7150c6f2ecab6e960b30) [yuxuan.luo: - tdx.c - TDX is yet to be supported on Focal, ignore it. - ia32.h - ignored context conflicts and applied the change. - mem_encrypt_amd.c - appended the changes to the correct function, sme_early_init, not the one git am chose. - sev_status is introduced, use sev_active() as alternative since they are equivalent: - aa5a461171f9 (“x86/sev: Add an x86 version of cc_platform_has()”) - 4d96f9109109 (“x86/sev: Replace occurrences of sev_active() with cc_platform_has()”) ] CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/ia32.h | 7 +++++++ arch/x86/mm/mem_encrypt_amd.c | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 3486ad645be4b..1d69acb119f3e 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h @@ -75,6 +75,11 @@ static inline bool ia32_enabled(void) return __ia32_enabled; } +static inline void ia32_disable(void) +{ + __ia32_enabled = false; +} + #else /* !CONFIG_IA32_SUPPORT */ static inline bool ia32_enabled(void) @@ -82,6 +87,8 @@ static inline bool ia32_enabled(void) return IS_ENABLED(CONFIG_X86_32); } +static inline void ia32_disable(void) {} + #endif #endif /* _ASM_X86_IA32_H */ diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c index 7b558939b89c1..93f799d7465b8 100644 --- a/arch/x86/mm/mem_encrypt_amd.c +++ b/arch/x86/mm/mem_encrypt_amd.c @@ -29,6 +29,7 @@ #include #include #include +#include #include "mm_internal.h" 
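Review bot: ia32_disable() writes __ia32_enabled, which 2/3 defines as __ro_after_init, so it is only legal from __init code; the single caller in this series (sme_early_init(), which is __init) satisfies that, but the inline itself says nothing about it. A one-line comment such as `/* __ia32_enabled is __ro_after_init: callers must be __init */` above the helper would keep a future late caller from faulting on read-only data. The empty stub in the other branch is the right shape, since ia32_enabled() there is a compile-time constant.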
@@ -194,6 +195,16 @@ void __init sme_early_init(void) if (sev_active()) swiotlb_force = SWIOTLB_FORCE; + + /* + * The VMM is capable of injecting interrupt 0x80 and triggering the + * compatibility syscall path. + * + * By default, the 32-bit emulation is disabled in order to ensure + * the safety of the VM. + */ + if (sev_active()) + ia32_disable(); } static void __init __set_clr_pte_enc(pte_t *kpte, int level, bool enc)
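Review bot: the new `if (sev_active())` lands directly under the existing `if (sev_active()) swiotlb_force = SWIOTLB_FORCE;`, so the function now tests the same predicate twice in a row; fold the two into one block (`if (sev_active()) { swiotlb_force = SWIOTLB_FORCE; ia32_disable(); }`) and keep the comment inside it. On substance, the changelog's last paragraph says the user can override the default with ia32_emulation=y, but no patch in this Focal series adds that parameter (2/3 only introduces the accessor and 1/3 is a rename), so on a Focal SEV guest with these patches a 32-bit workload has no way to turn emulation back on; either backport the parameter as well or state in the backport bracket that the override does not exist on Focal.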
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Jammy][PATCH 4/6] x86/coco: Disable 32-bit emulation by default on TDX and SEV
Date: Tue, 11 Jun 2024 16:11:43 -0400
Message-Id: <20240611201145.183510-8-yuxuan.luo@canonical.com>
In-Reply-To: <20240611201145.183510-1-yuxuan.luo@canonical.com>
References: <20240611201145.183510-1-yuxuan.luo@canonical.com>

From: "Kirill A. Shutemov"

The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The kernel expects to receive a software interrupt as a result of the INT 0x80 instruction. However, an external interrupt on the same vector triggers the same handler.

The kernel interprets an external interrupt on vector 0x80 as a 32-bit system call that came from userspace.

A VMM can inject external interrupts on any arbitrary vector at any time. This remains true even for TDX and SEV guests where the VMM is untrusted.

Put together, this allows an untrusted VMM to trigger int80 syscall handling at any given point. The content of the guest register file at that moment defines what syscall is triggered and its arguments. It opens the guest OS to manipulation from the VMM side.

Disable 32-bit emulation by default for TDX and SEV. User can override it with the ia32_emulation=y command line option.

[ dhansen: reword the changelog ]

Reported-by: Supraja Sridhara
Reported-by: Benedict Schlüter
Reported-by: Mark Kuhne
Reported-by: Andrin Bertschi
Reported-by: Shweta Shinde
Signed-off-by: Kirill A. Shutemov
Signed-off-by: Dave Hansen Reviewed-by: Thomas Gleixner Reviewed-by: Borislav Petkov (AMD) Cc: # v6.0+: 1da5c9b x86: Introduce ia32_enabled() Cc: # v6.0+ (backported from commit b82a8dbd3d2f4563156f7150c6f2ecab6e960b30) [yuxuan.luo: - mem_encrypt_amd.c: - two trivial conflicts are hard to solve, ignore them and apply the fix. - tdx.c: - Drop the change since TDX is not supported in the tree. ] CVE-2024-25744 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/ia32.h | 7 +++++++ arch/x86/mm/mem_encrypt_amd.c | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h index 5a2ae24b1204f..9805629479d96 100644 --- a/arch/x86/include/asm/ia32.h +++ b/arch/x86/include/asm/ia32.h @@ -75,6 +75,11 @@ static inline bool ia32_enabled(void) return __ia32_enabled; } +static inline void ia32_disable(void) +{ + __ia32_enabled = false; +} + #else /* !CONFIG_IA32_EMULATION */ static inline bool ia32_enabled(void) @@ -82,6 +87,8 @@ static inline bool ia32_enabled(void) return IS_ENABLED(CONFIG_X86_32); } +static inline void ia32_disable(void) {} + #endif #endif /* _ASM_X86_IA32_H */ diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c index e29b1418d00c7..20a96183ae7ec 100644 --- a/arch/x86/mm/mem_encrypt_amd.c +++ b/arch/x86/mm/mem_encrypt_amd.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "mm_internal.h" 
@@ -196,6 +197,16 @@ void __init sme_early_init(void) if (sev_active()) swiotlb_force = SWIOTLB_FORCE; + + /* + * The VMM is capable of injecting interrupt 0x80 and triggering the + * compatibility syscall path. + * + * By default, the 32-bit emulation is disabled in order to ensure + * the safety of the VM. + */ + if (sev_status & MSR_AMD64_SEV_ENABLED) + ia32_disable(); } void __init sev_setup_arch(void)
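Review bot: the new `if (sev_status & MSR_AMD64_SEV_ENABLED)` sits two lines below the existing `if (sev_active())` in the same function, so the SEV test is now spelled two different ways back to back; use `sev_active()` here as the Focal version of this patch does, or fold both statements into one block. The backport bracket says two conflicts in mem_encrypt_amd.c were ignored; please spell out what upstream changed at those two sites so a reviewer can check that nothing besides context was dropped.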
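The changelog above (shared with the Focal 3/3 patch) explains why an SEV or TDX guest must not leave the INT 0x80 compat entry reachable. The probe below is an added example, not code from this patch series, from Canonical's kernel team or from the upstream kernel: run inside the guest, it issues the i386-ABI getpid through `int $0x80` from a 64-bit process using the legacy convention (eax = syscall number, ebx/ecx/edx/esi/edi/ebp = arguments, result in eax) and reports whether the compat entry answered, was absent (the #GP surfaces as SIGSEGV), or was filtered by a seccomp policy. Assumed, and not stated on the page: x86-64 Linux, the fixed i386 syscall number 20 for getpid, that a missing vector 0x80 is reported to user space as SIGSEGV (SIGILL and SIGSYS are caught for completeness), and the helper names probe_int80, probe_int80_state and probe_int80_matches_native, which are the example's own.

```c
/*
 * Added example: user-space probe for the INT 0x80 compat syscall entry
 * that this series turns off on SEV (and, upstream, TDX) guests.  Not part
 * of the Ubuntu patch series or of the upstream kernel.
 *
 * Outcomes:
 *   INT80_AVAILABLE  the compat path answered with our pid
 *   INT80_BLOCKED    no handler behind vector 0x80: #GP -> SIGSEGV
 *                    (what an SEV guest running these patches should show)
 *   INT80_FILTERED   the trap was handled but the call returned -errno
 *                    (e.g. a seccomp profile that denies the i386 ABI)
 * Assumptions: x86-64 Linux, i386 syscall number 20 for getpid, and that an
 * uninstalled vector 0x80 surfaces as SIGSEGV (or SIGILL/SIGSYS).
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum int80_state {
    INT80_AVAILABLE  = 0,
    INT80_BLOCKED    = 1,
    INT80_FILTERED   = 2,
    INT80_NOT_X86_64 = 3   /* probe is meaningless on this architecture */
};

#if defined(__x86_64__) && defined(__linux__)
#define I386_NR_GETPID 20L

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;

static void probe_handler(int sig)
{
    probe_signal = sig;
    siglongjmp(probe_env, 1);
}
#endif

/*
 * Probe once.  *value receives the pid on INT80_AVAILABLE, the negative
 * errno on INT80_FILTERED, and the signal number on INT80_BLOCKED.
 */
enum int80_state probe_int80(long *value)
{
    *value = 0;
#if defined(__x86_64__) && defined(__linux__)
    struct sigaction sa, old_segv, old_ill, old_sys;
    enum int80_state state;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);  /* vector not installed: #GP from user mode */
    sigaction(SIGILL,  &sa, &old_ill);
    sigaction(SIGSYS,  &sa, &old_sys);   /* seccomp KILL/TRAP on a non-native ABI */

    if (sigsetjmp(probe_env, 1) == 0) {
        long ret = I386_NR_GETPID;
        /*
         * The pre-IDTENTRY asm entry handed r8-r11 back to a 64-bit caller
         * as zero, so declare them clobbered; the C int80_emulation() entry
         * preserves them, but the probe must be correct on both.
         */
        __asm__ volatile("int $0x80"
                         : "+a"(ret)
                         :
                         : "memory", "rcx", "r8", "r9", "r10", "r11");
        *value = ret;
        state = ret >= 0 ? INT80_AVAILABLE : INT80_FILTERED;
    } else {
        *value = probe_signal;
        state = INT80_BLOCKED;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    sigaction(SIGSYS,  &old_sys,  NULL);
    return state;
#else
    return INT80_NOT_X86_64;
#endif
}

/* Result code without the out-parameter, for callers that only want the state. */
int probe_int80_state(void)
{
    long v;
    return (int)probe_int80(&v);
}

/* When the compat path answers, its pid must equal the native getpid(). */
int probe_int80_matches_native(void)
{
    long v;
    if (probe_int80(&v) != INT80_AVAILABLE)
        return 1;   /* nothing to compare when blocked or filtered */
    return v == (long)getpid();
}

int main(void)
{
    static const char *const names[] = { "available", "blocked", "filtered", "not-x86-64" };
    long v;
    enum int80_state st = probe_int80(&v);

    printf("int 0x80 compat entry: %s (value %ld)\n", names[st], v);
    return 0;
}
```

Run it in the guest before and after booting the patched kernel: on an SEV guest with this series the answer should flip from "available" to "blocked", while a non-CoCo Jammy or Focal kernel built with CONFIG_IA32_EMULATION should keep reporting "available" (a "blocked" there means 32-bit binaries will fail to start). The probe only checks reachability from user space; it cannot inject the external interrupt the changelog describes, which is the VMM's side of the problem.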
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Jammy][PATCH 5/6] x86/entry: Convert INT 0x80 emulation to IDTENTRY
Date: Tue, 11 Jun 2024 16:11:44 -0400
Message-Id: <20240611201145.183510-9-yuxuan.luo@canonical.com>
In-Reply-To: <20240611201145.183510-1-yuxuan.luo@canonical.com>
References: <20240611201145.183510-1-yuxuan.luo@canonical.com>

From: Thomas Gleixner

There is no real reason to have a separate ASM entry point implementation for the legacy INT 0x80 syscall emulation on 64-bit.

IDTENTRY provides all the functionality needed with the only difference that it does not:

  - save the syscall number (AX) into pt_regs::orig_ax
  - set pt_regs::ax to -ENOSYS

Both can be done safely in the C code of an IDTENTRY before invoking any of the syscall related functions which depend on this convention.

Aside of ASM code reduction this prepares for detecting and handling a local APIC injected vector 0x80.

[ kirill.shutemov: More verbose comments ]

Suggested-by: Linus Torvalds
Signed-off-by: Thomas Gleixner
Signed-off-by: Kirill A. Shutemov
Signed-off-by: Dave Hansen
Reviewed-by: Borislav Petkov (AMD)
Cc: # v6.0+
(backported from commit be5341eb0d43b1e754799498bd2e8756cc167a41)
[yuxuan.luo:
  - entry_64_compat.S: ignore the conflict and remove the macro.
  - proto.h: ignore the conflict and remove the declarations.
]
CVE-2024-25744
Signed-off-by: Yuxuan Luo --- arch/x86/entry/common.c | 58 ++++++++++++++++- arch/x86/entry/entry_64_compat.S | 106 ------------------------------- arch/x86/include/asm/idtentry.h | 4 ++ arch/x86/include/asm/proto.h | 4 -- arch/x86/kernel/idt.c | 2 +- arch/x86/xen/enlighten_pv.c | 2 +- arch/x86/xen/xen-asm.S | 2 +- 7 files changed, 64 insertions(+), 114 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 3ea32cbca6513..5adc7a17f37c9 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c 
@@ -119,7 +119,62 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) } } -/* Handles int $0x80 */ +#ifdef CONFIG_IA32_EMULATION +/** + * int80_emulation - 32-bit legacy syscall entry + * + * This entry point can be used by 32-bit and 64-bit programs to perform + * 32-bit system calls. Instances of INT $0x80 can be found inline in + * various programs and libraries. It is also used by the vDSO's + * __kernel_vsyscall fallback for hardware that doesn't support a faster + * entry method. Restarted 32-bit system calls also fall back to INT + * $0x80 regardless of what instruction was originally used to do the + * system call. + * + * This is considered a slow path. It is not used by most libc + * implementations on modern hardware except during process startup. + * + * The arguments for the INT $0x80 based syscall are on stack in the + * pt_regs structure: + * eax: system call number + * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 + */ +DEFINE_IDTENTRY_RAW(int80_emulation) +{ + int nr; + + /* Establish kernel context. */ + enter_from_user_mode(regs); + + instrumentation_begin(); + add_random_kstack_offset(); + + /* + * The low level idtentry code pushed -1 into regs::orig_ax + * and regs::ax contains the syscall number. + * + * User tracing code (ptrace or signal handlers) might assume + * that the regs::orig_ax contains a 32-bit number on invoking + * a 32-bit syscall. + * + * Establish the syscall convention by saving the 32bit truncated + * syscall number in regs::orig_ax and by invalidating regs::ax. 
+ */ + regs->orig_ax = regs->ax & GENMASK(31, 0); + regs->ax = -ENOSYS; + + nr = syscall_32_enter(regs); + + local_irq_enable(); + nr = syscall_enter_from_user_mode_work(regs, nr); + do_syscall_32_irqs_on(regs, nr); + + instrumentation_end(); + syscall_exit_to_user_mode(regs); +} +#else /* CONFIG_IA32_EMULATION */ + +/* Handles int $0x80 on a 32bit kernel */ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) { int nr = syscall_32_enter(regs); @@ -138,6 +193,7 @@ __visible noinstr void do_int80_syscall_32(struct pt_regs *regs) instrumentation_end(); syscall_exit_to_user_mode(regs); } +#endif /* !CONFIG_IA32_EMULATION */ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs) { diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index d03f0cfbcb1e8..1b0ebbfd0d7f2 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S 
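Review bot: the backport note only says the entry_64_compat.S conflict was resolved by removing the macro, but the asm this C entry replaces (the removed entry_INT80_compat further down) performed ASM_CLAC, SWAPGS, SWITCH_TO_KERNEL_CR3, the per-register "nospec" clearing, IBRS_ENTER, UNTRAIN_RET and CLEAR_BRANCH_HISTORY itself; DEFINE_IDTENTRY_RAW(int80_emulation) does none of that and relies on the generic idtentry asm of this Jammy tree to run all of it before the C body, so the commit message should state that this was verified for the 5.15 entry code (CLEAR_BRANCH_HISTORY in particular) rather than leaving the resolution as "ignore the conflict". Smaller point in the same hunk: the new kernel-doc says the entry "can be used by 32-bit and 64-bit programs" but never says it is the CONFIG_IA32_EMULATION (64-bit kernel) entry only, while the `#else` branch below is commented "Handles int $0x80 on a 32bit kernel"; one sentence in the kernel-doc saying which kernel this path belongs to would keep the two from being confused.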
@@ -324,109 +324,3 @@ sysret32_from_system_call: CLEAR_CPU_BUFFERS sysretl SYM_CODE_END(entry_SYSCALL_compat) - -/* - * 32-bit legacy system call entry. - * - * 32-bit x86 Linux system calls traditionally used the INT $0x80 - * instruction. INT $0x80 lands here. - * - * This entry point can be used by 32-bit and 64-bit programs to perform - * 32-bit system calls. Instances of INT $0x80 can be found inline in - * various programs and libraries. It is also used by the vDSO's - * __kernel_vsyscall fallback for hardware that doesn't support a faster - * entry method. Restarted 32-bit system calls also fall back to INT - * $0x80 regardless of what instruction was originally used to do the - * system call. - * - * This is considered a slow path. It is not used by most libc - * implementations on modern hardware except during process startup. - * - * Arguments: - * eax system call number - * ebx arg1 - * ecx arg2 - * edx arg3 - * esi arg4 - * edi arg5 - * ebp arg6 - */ -SYM_CODE_START(entry_INT80_compat) - UNWIND_HINT_ENTRY - /* - * Interrupts are off on entry. - */ - ASM_CLAC /* Do this early to minimize exposure */ - SWAPGS - - /* - * User tracing code (ptrace or signal handlers) might assume that - * the saved RAX contains a 32-bit number when we're invoking a 32-bit - * syscall. Just in case the high bits are nonzero, zero-extend - * the syscall number. (This could almost certainly be deleted - * with no ill effects.) - */ - movl %eax, %eax - - /* switch to thread stack expects orig_ax and rdi to be pushed */ - pushq %rax /* pt_regs->orig_ax */ - pushq %rdi /* pt_regs->di */ - - /* Need to switch before accessing the thread stack. */ - SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi - - /* In the Xen PV case we already run on the thread stack. 
*/ - ALTERNATIVE "", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV - - movq %rsp, %rdi - movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp - - pushq 6*8(%rdi) /* regs->ss */ - pushq 5*8(%rdi) /* regs->rsp */ - pushq 4*8(%rdi) /* regs->eflags */ - pushq 3*8(%rdi) /* regs->cs */ - pushq 2*8(%rdi) /* regs->ip */ - pushq 1*8(%rdi) /* regs->orig_ax */ - pushq (%rdi) /* pt_regs->di */ -.Lint80_keep_stack: - - pushq %rsi /* pt_regs->si */ - xorl %esi, %esi /* nospec si */ - pushq %rdx /* pt_regs->dx */ - xorl %edx, %edx /* nospec dx */ - pushq %rcx /* pt_regs->cx */ - xorl %ecx, %ecx /* nospec cx */ - pushq $-ENOSYS /* pt_regs->ax */ - pushq %r8 /* pt_regs->r8 */ - xorl %r8d, %r8d /* nospec r8 */ - pushq %r9 /* pt_regs->r9 */ - xorl %r9d, %r9d /* nospec r9 */ - pushq %r10 /* pt_regs->r10*/ - xorl %r10d, %r10d /* nospec r10 */ - pushq %r11 /* pt_regs->r11 */ - xorl %r11d, %r11d /* nospec r11 */ - pushq %rbx /* pt_regs->rbx */ - xorl %ebx, %ebx /* nospec rbx */ - pushq %rbp /* pt_regs->rbp */ - xorl %ebp, %ebp /* nospec rbp */ - pushq %r12 /* pt_regs->r12 */ - xorl %r12d, %r12d /* nospec r12 */ - pushq %r13 /* pt_regs->r13 */ - xorl %r13d, %r13d /* nospec r13 */ - pushq %r14 /* pt_regs->r14 */ - xorl %r14d, %r14d /* nospec r14 */ - pushq %r15 /* pt_regs->r15 */ - xorl %r15d, %r15d /* nospec r15 */ - - UNWIND_HINT_REGS - - cld - - IBRS_ENTER - UNTRAIN_RET - CLEAR_BRANCH_HISTORY - - movq %rsp, %rdi - call do_int80_syscall_32 - jmp swapgs_restore_regs_and_return_to_usermode -SYM_CODE_END(entry_INT80_compat) diff --git a/arch/x86/include/asm/idtentry.h b/arch/x86/include/asm/idtentry.h index 1345088e99025..2ab668956741d 100644 --- a/arch/x86/include/asm/idtentry.h +++ b/arch/x86/include/asm/idtentry.h 
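Review bot: the removed entry special-cased Xen PV with `ALTERNATIVE "", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV` and did its own SWITCH_TO_KERNEL_CR3 and thread-stack switch; after this patch an INT $0x80 on a Xen PV guest goes through the generic `xen_pv_trap asm_int80_emulation` trampoline and the enlighten_pv.c TRAP_ENTRY instead. That matches upstream, but the backport should say it was exercised on a Xen PV domU with a 32-bit binary (or an inline `int $0x80` from a 64-bit one), since the ordinary 64-bit syscall path does not touch this code at all.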
@@ -567,6 +567,10 @@ DECLARE_IDTENTRY_RAW(X86_TRAP_UD, exc_invalid_op); DECLARE_IDTENTRY_RAW(X86_TRAP_BP, exc_int3); DECLARE_IDTENTRY_RAW_ERRORCODE(X86_TRAP_PF, exc_page_fault); +#if defined(CONFIG_IA32_EMULATION) +DECLARE_IDTENTRY_RAW(IA32_SYSCALL_VECTOR, int80_emulation); +#endif + #ifdef CONFIG_X86_MCE #ifdef CONFIG_X86_64 DECLARE_IDTENTRY_MCE(X86_TRAP_MC, exc_machine_check); diff --git a/arch/x86/include/asm/proto.h b/arch/x86/include/asm/proto.h index feed36d44d044..c4d331fe65ffd 100644 --- a/arch/x86/include/asm/proto.h +++ b/arch/x86/include/asm/proto.h @@ -28,10 +28,6 @@ void entry_SYSENTER_compat(void); void __end_entry_SYSENTER_compat(void); void entry_SYSCALL_compat(void); void entry_SYSCALL_compat_safe_stack(void); -void entry_INT80_compat(void); -#ifdef CONFIG_XEN_PV -void xen_entry_INT80_compat(void); -#endif #endif void x86_configure_nx(void); diff --git a/arch/x86/kernel/idt.c b/arch/x86/kernel/idt.c index df0fa695bb09c..b9e806ac1de77 100644 --- a/arch/x86/kernel/idt.c +++ b/arch/x86/kernel/idt.c @@ -109,7 +109,7 @@ static const __initconst struct idt_data def_idts[] = { SYSG(X86_TRAP_OF, asm_exc_overflow), #if defined(CONFIG_IA32_EMULATION) - SYSG(IA32_SYSCALL_VECTOR, entry_INT80_compat), + SYSG(IA32_SYSCALL_VECTOR, asm_int80_emulation), #elif defined(CONFIG_X86_32) SYSG(IA32_SYSCALL_VECTOR, entry_INT80_32), #endif diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c index 998db0257e2ad..47aabc173b108 100644 --- a/arch/x86/xen/enlighten_pv.c +++ b/arch/x86/xen/enlighten_pv.c @@ -609,7 +609,7 @@ static struct trap_array_entry trap_array[] = { TRAP_ENTRY(exc_int3, false ), TRAP_ENTRY(exc_overflow, false ), #ifdef CONFIG_IA32_EMULATION - { entry_INT80_compat, xen_entry_INT80_compat, false }, + TRAP_ENTRY(int80_emulation, false ), #endif TRAP_ENTRY(exc_page_fault, false ), TRAP_ENTRY(exc_divide_error, false ), diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S index 1b757a1ee1bb6..56f2407564c2a 100644 
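Review bot: proto.h drops the `entry_INT80_compat` and `xen_entry_INT80_compat` prototypes and xen-asm.S stops emitting the latter, so any remaining reference to either symbol in the Jammy tree would now fail at link time; because the backport note resolves the proto.h conflict with "ignore the conflict and remove the declarations", please state that both names were grepped for across arch/x86 (entry/, xen/, kernel/) with no other users left. Minor style: idtentry.h uses `#if defined(CONFIG_IA32_EMULATION)` for the new declaration while common.c uses `#ifdef CONFIG_IA32_EMULATION` for the definition; idt.c needs the `#if defined` form because of its `#elif` chain, but the header does not.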
--- a/arch/x86/xen/xen-asm.S
+++ b/arch/x86/xen/xen-asm.S
@@ -151,7 +151,7 @@ xen_pv_trap asm_xenpv_exc_machine_check #endif /* CONFIG_X86_MCE */ xen_pv_trap asm_exc_simd_coprocessor_error #ifdef CONFIG_IA32_EMULATION -xen_pv_trap entry_INT80_compat +xen_pv_trap asm_int80_emulation #endif xen_pv_trap asm_exc_xen_unknown_trap xen_pv_trap asm_exc_xen_hypervisor_callback From patchwork Tue Jun 11 20:11:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1946549 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VzKb257PBz20Tk for ; Wed, 12 Jun 2024 06:12:14 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1sH7qh-0004hZ-Dm; Tue, 11 Jun 2024 20:12:07 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1sH7qd-0004at-VO for kernel-team@lists.ubuntu.com; Tue, 11 Jun 2024 20:12:03 +0000 Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id BD5093F63C for ; Tue, 11 Jun 2024 20:12:03 +0000 (UTC) 
Received: by mail-qt1-f198.google.com with SMTP id d75a77b69052e-4405af5cf90so15309091cf.1 for ; Tue, 11 Jun 2024 13:12:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718136722; x=1718741522; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EcBO7ZS7O/0U2CWD0eytewGghZzO2bx2R7QB4uw8sHg=; b=ijl5vTecQXiJ8Y2OWVAKI6IWXyM9ltWFNTTEjKXAO3i7t8shITiiUSMxGTF8uNV2Xj C0SgGevFC6vVptZ97M91gykDrSGk+wVku2XEqimk9GyGm92Qac84HscZ32dpswyXpEq4 Tojm+xzdTGZcCojq4zK753xeNeXQWCGUAtJ9c7n0MWyWZnY/uFamLgcWhOO5TfCMUnAB DgW2D6Q73kfZE8X43cernmjvbIy6phOnfZngRmrXT71h77XHYg8P9vx3pNdbHPAw1lr3 8hfwGLW6a42zCNAMFfzRBeT148nmx9w0iUvLQheshnjEmL1HETyECy4XUecA2hWjL8fm e4Wg== X-Gm-Message-State: AOJu0Yx1BuSoxwW6I1cVhZE8/MvbdVa6iTcTv3+D8aYVJ8AEgtvBGdGZ /9vhUs5ztSgE6jJT7779PVc9ZPxjiqveLYgiuOj3ERMOJwn6QFriSqhinjv4mAokDI0MQX10jFq Q4ynbtQt2Ws91qWGHYU6RPClGrR48xLwubVn6p8IDY1RaVlwHP05dnJ+d8WOXuI+y/DEFNqO/2V hejT/R1iJbcw== X-Received: by 2002:a05:620a:4628:b0:795:5ad1:a218 with SMTP id af79cd13be357-7955ad1a2aamr901743185a.17.1718136721774; Tue, 11 Jun 2024 13:12:01 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFo0d3w/e1aYFoghfliQA/Fm+FBMyQvpmv+yf5ZbkK9vgNsDUMG3MZZkNyXw+bh+jp7OPeMSw== X-Received: by 2002:a05:620a:4628:b0:795:5ad1:a218 with SMTP id af79cd13be357-7955ad1a2aamr901741185a.17.1718136721393; Tue, 11 Jun 2024 13:12:01 -0700 (PDT) Received: from localhost.localdomain ([2001:67c:1562:8007::aac:4795]) by smtp.gmail.com with ESMTPSA id af79cd13be357-795331c493asm545340885a.104.2024.06.11.13.12.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 13:12:00 -0700 (PDT) 
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Jammy][PATCH 6/6] x86/entry: Do not allow external 0x80 interrupts
Date: Tue, 11 Jun 2024 16:11:45 -0400
Message-Id: <20240611201145.183510-10-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240611201145.183510-1-yuxuan.luo@canonical.com>
References: <20240611201145.183510-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Thomas Gleixner

The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The
kernel expects to receive a software interrupt as a result of the INT
0x80 instruction. However, an external interrupt on the same vector
also triggers the same codepath.

An external interrupt on vector 0x80 will currently be interpreted as a
32-bit system call, assuming that it came from a user context.

Panic on external interrupts on the vector.

To distinguish software interrupts from external ones, the kernel checks
the APIC ISR bit relevant to the 0x80 vector. For software interrupts,
this bit will be 0.

Signed-off-by: Thomas Gleixner
Signed-off-by: Kirill A. Shutemov
Signed-off-by: Dave Hansen
Reviewed-by: Borislav Petkov (AMD)
Cc: # v6.0+
(cherry picked from commit 55617fb991df535f953589586468612351575704)
CVE-2024-25744
Signed-off-by: Yuxuan Luo
---
 arch/x86/entry/common.c | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index 5adc7a17f37c9..d1594b4acf485 100644
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -25,6 +25,7 @@ #include #endif +#include #include #include #include
@@ -120,6 +121,25 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) } #ifdef CONFIG_IA32_EMULATION +static __always_inline bool int80_is_external(void) +{ + const unsigned int offs = (0x80 / 32) * 0x10; + const u32 bit = BIT(0x80 % 32); + + /* The local APIC on XENPV guests is fake */ + if (cpu_feature_enabled(X86_FEATURE_XENPV)) + return false; + + /* + * If vector 0x80 is set in the APIC ISR then this is an external + * interrupt. Either from broken hardware or injected by a VMM. + * + * Note: In guest mode this is only valid for secure guests where + * the secure module fully controls the vAPIC exposed to the guest. + */ + return apic_read(APIC_ISR + offs) & bit; +} + /** * int80_emulation - 32-bit legacy syscall entry * @@ -143,12 +163,27 @@ DEFINE_IDTENTRY_RAW(int80_emulation) { int nr; - /* Establish kernel context. */ + /* Kernel does not use INT $0x80! */ + if (unlikely(!user_mode(regs))) { + irqentry_enter(regs); + instrumentation_begin(); + panic("Unexpected external interrupt 0x80\n"); + } + + /* + * Establish kernel context for instrumentation, including for + * int80_is_external() below which calls into the APIC driver. + * Identical for soft and external interrupts. + */ enter_from_user_mode(regs); instrumentation_begin(); add_random_kstack_offset(); + /* Validate that this is a soft interrupt to the extent possible */ + if (unlikely(int80_is_external())) + panic("Unexpected external interrupt 0x80\n"); + /* * The low level idtentry code pushed -1 into regs::orig_ax * and regs::ax contains the syscall number.
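Review bot: both panic sites in DEFINE_IDTENTRY_RAW(int80_emulation) use the identical string "Unexpected external interrupt 0x80\n", so a crash report cannot tell the `!user_mode(regs)` case (vector 0x80 raised while the kernel was running) from the user-mode case where int80_is_external() found the APIC ISR bit set; giving the first one its own text, e.g. "Unexpected interrupt 0x80 from kernel mode", makes the reports actionable. Also, as the comment in int80_is_external() says, the ISR test is only trustworthy where the guest's vAPIC is under a secure module's control and is skipped entirely on XENPV, so the commit message's "Panic on external interrupts on the vector" is best-effort under an ordinary VMM; and since this check now runs on every INT $0x80 from user space, please confirm apic_read() is safe on this 5.15 tree when the local APIC is disabled (nolapic) rather than only when it is present.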
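The ISR check the commit message describes, as an added example that is not part of this patch or of the kernel: a constructed in-memory stand-in for the local APIC register page (struct fake_apic, the fake_apic_* helpers and APIC_REG_STRIDE are this example's own names, not kernel APIs) showing why vector 0x80 is read at APIC_ISR + 0x40, bit 0, and how a vector the APIC is actually servicing looks different from a software INT, which never sets an ISR bit. It generalises the patch's (0x80 / 32) * 0x10 arithmetic to any vector 0..255 and models EOI, which clears the highest in-service vector.

```c
/*
 * Added example, not kernel code.  The local APIC In-Service Register is
 * 256 bits spread over eight 32-bit registers that sit 0x10 bytes apart
 * starting at offset 0x100: vector v lives in register v / 32, bit v % 32.
 * A software INT never touches the ISR; an interrupt the APIC accepted
 * has its bit set from acceptance until the handler writes EOI.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APIC_ISR            0x100u   /* offset of ISR0 in the APIC page */
#define APIC_REG_STRIDE     0x10u    /* registers are 16 bytes apart   */
#define IA32_SYSCALL_VECTOR 0x80u

/* Constructed stand-in for the 4 KiB APIC MMIO page (example only). */
struct fake_apic {
    uint8_t page[4096];
};

static uint32_t fake_apic_read(const struct fake_apic *a, unsigned int reg)
{
    uint32_t v;
    memcpy(&v, a->page + reg, sizeof(v));
    return v;
}

static void fake_apic_write(struct fake_apic *a, unsigned int reg, uint32_t v)
{
    memcpy(a->page + reg, &v, sizeof(v));
}

/* Same arithmetic as the patch's int80_is_external(), for any vector. */
static unsigned int isr_reg_offset(unsigned int vector)
{
    return APIC_ISR + (vector / 32) * APIC_REG_STRIDE;
}

static uint32_t isr_bit(unsigned int vector)
{
    return 1u << (vector % 32);
}

/* True when the APIC reports the vector as in service, i.e. external. */
static bool vector_is_in_service(const struct fake_apic *a, unsigned int vector)
{
    return (fake_apic_read(a, isr_reg_offset(vector)) & isr_bit(vector)) != 0;
}

/* The APIC accepting an external (or VMM-injected) interrupt on a vector. */
static void fake_apic_accept_external(struct fake_apic *a, unsigned int vector)
{
    unsigned int reg = isr_reg_offset(vector);
    fake_apic_write(a, reg, fake_apic_read(a, reg) | isr_bit(vector));
}

/* EOI clears the highest-priority (numerically highest) in-service vector. */
static void fake_apic_eoi(struct fake_apic *a)
{
    for (int reg = 7; reg >= 0; reg--) {
        unsigned int off = APIC_ISR + (unsigned int)reg * APIC_REG_STRIDE;
        uint32_t v = fake_apic_read(a, off);
        if (!v)
            continue;
        int bit = 31;
        while (!(v & (1u << bit)))
            bit--;
        fake_apic_write(a, off, v & ~(1u << bit));
        return;
    }
}

/*
 * Walks the scenario from the commit message: a software INT $0x80 shows
 * no ISR bit, an injected 0x80 does, neighbouring vectors are untouched,
 * and after EOI the bit is gone again.  Returns true if all of that holds.
 */
static bool check_soft_vs_external(void)
{
    struct fake_apic a;
    memset(&a, 0, sizeof(a));
    if (vector_is_in_service(&a, IA32_SYSCALL_VECTOR))
        return false;                       /* software INT: must be clear */
    fake_apic_accept_external(&a, IA32_SYSCALL_VECTOR);
    if (!vector_is_in_service(&a, IA32_SYSCALL_VECTOR))
        return false;                       /* external: must be set */
    if (vector_is_in_service(&a, IA32_SYSCALL_VECTOR + 1))
        return false;                       /* bit arithmetic must not leak */
    fake_apic_eoi(&a);
    return !vector_is_in_service(&a, IA32_SYSCALL_VECTOR);
}

int main(void)
{
    printf("vector 0x80 -> ISR offset 0x%x bit 0x%x\n",
           isr_reg_offset(IA32_SYSCALL_VECTOR), isr_bit(IA32_SYSCALL_VECTOR));
    printf("soft vs external scenario: %s\n",
           check_soft_vs_external() ? "ok" : "FAIL");
    return 0;
}
```

The register/bit split is the part worth internalising: the patch's constants `offs = (0x80 / 32) * 0x10` and `bit = BIT(0x80 % 32)` come out as offset 0x40 from APIC_ISR and bit 0, which is what the model reproduces for vector 0x80 and for any other vector.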