| Message ID | 1689885237-32662-1-git-send-email-mikelley@microsoft.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:c923:0:b0:3e4:2afc:c1 with SMTP id j3csp3389878vqt;
Thu, 20 Jul 2023 14:29:33 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlFh/4hgZMFwySmaC7I+yECcEbuXNx9W84F3zjs1c+qEoulh4Y+u3d0Q7IPivlQON35Ww/1T
X-Received: by 2002:a17:906:74de:b0:993:dcca:9607 with SMTP id
z30-20020a17090674de00b00993dcca9607mr20157ejl.2.1689888573398;
Thu, 20 Jul 2023 14:29:33 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1689888573; cv=pass;
d=google.com; s=arc-20160816;
b=ts7gVM+S+UqNiGJGoBrzt+lE1q37KA8sa0ZKLWULGNyuC+4BkRM07Y1dJ036PeGZ0y
RuEhaAj07FlMJB9TkaqyzwiCKNWyARJQKWKPiLFv1e/1J4WGqY1JnAA6R+EzKwumc4GE
GFYunfyGDpTH8DrOI6tzGGUY141SvO9u0o9IohCrpT+PH3LCwG3kJ5uvF9UxtHMn/A2G
UbbZ92k5CVkE/xMo/J6hMDEj8NgZ34Y4iZRHYzduhY0Fffsnjv/fgPJ9V2yrX2lBK0Y9
m5YfLWOjgmSy4sfIWqIa1uzOpx8YR8mx8E37ippGMg2aAuH4ryp3L1Tmjf1RHIrh7C9x
ozKw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from
:dkim-signature;
bh=AsErRc8q7g4PRs57iAEj54hLYOnhzglg+Hh42DSFbZQ=;
fh=4GTM/DtkL/ChcbZ8S0EfU1nMHoS3H+LWV5UhNAyfvXI=;
b=lyDsDs0F9M6cxYEIfGn9pJP3zKFfkARHAv4yOwDj9KT1WQM/5EIm5oEmEGhGrCe9Sl
oScJcWeseClxJz6f9STZdwHrWLHi2QXO7xntQJzD27g+iK7/K/otr/DLwJ4qBXP0uPI0
9JzX4Y1mXj+xyOOdp2xxX73qtd/e3lJR7lyx+yugS5rtKZUDZZwbmOp7bEiqP7g9hYVx
YYfMbESLRHIk7CUczjErUVC+mlHfWw1KTpxWjnzyq3I8Se/QhQXIBpIZp3VJPT8AnCPp
iRN80M0ZXf5dWeOiDIElGxGVAlDpCH0tvJlbOfoF551q8bbyYexDap0nin1WMaVsGuab
UjbA==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@microsoft.com header.s=selector2 header.b=IfeAXTQ2;
arc=pass (i=1 spf=pass spfdomain=microsoft.com dkim=pass
dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
h27-20020a1709063c1b00b00987ffac6129si1198804ejg.930.2023.07.20.14.29.07;
Thu, 20 Jul 2023 14:29:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@microsoft.com header.s=selector2 header.b=IfeAXTQ2;
arc=pass (i=1 spf=pass spfdomain=microsoft.com dkim=pass
dkdomain=microsoft.com dmarc=pass fromdomain=microsoft.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229926AbjGTUeh (ORCPT <rfc822;assdfgzxcv4@gmail.com>
+ 99 others); Thu, 20 Jul 2023 16:34:37 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35094 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229452AbjGTUef (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 20 Jul 2023 16:34:35 -0400
Received: from DM6FTOPR00CU001.outbound.protection.outlook.com
(mail-centralusazon11020021.outbound.protection.outlook.com [52.101.61.21])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 862121731;
Thu, 20 Jul 2023 13:34:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=WzrXYMqNNi+rwUP0uG/yvkom2TBl1aIAQcWqCDmPM2oabPimSnsnyMQNcZ1qvnw1p7rVcSs8BIWn4arr7Azb3MX/Ui58pr9YMMD+qIU7meHwuQkFTKX1QwPx6WhEIcrykmU1/kMc0U6Lv09aNcDS2ZpXLFK6Utt6G71WsLsC73iIKXuli3Z3CLfr9aSagKcLC+hQcH1rYAOtPP6Zv9lO7KO/iDaRkP485hX/uZzPoe9cEH30KjbbvpegNTmgBSlqEcVgsNcu0BYg4Zip+qwph/fJpv5q1Ws9Gh4mIEqFjG4Y65qGh6XFwECQWIIHUsaOsKucisriZ1MMArrST8KpdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=AsErRc8q7g4PRs57iAEj54hLYOnhzglg+Hh42DSFbZQ=;
b=JD5IHxOinx3ESTjKjwNMzZ3j4vmoXplExUQZF6999nfPQDHQahV2G93XQFHGWNEeJkZSazvfC44eZ3l63dW7D39h0fJxite9yPRyROwNFHxE+ZkiwKssy1zn62ZyZWM6QSTU+FkojUbBBnkkSwH9/AVfusQkN1PnsIBx4Q/pcHR0tpexL0ApF6R7yl8qnMe+jB5FtRmq6GljfO8EPGLszh6CgKws3vCs08Z1PmBovTa5z6p8dvDNW2VDZfsTfVyGqxLB5yBdGtPpMcYfom8BbeeOKpqn0NXlTHFp3OfggmghEbsSzK2VfJY0L1lUJcZyJyZc73dulKxC1OGkY5lU4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=microsoft.com; dmarc=pass action=none
header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=AsErRc8q7g4PRs57iAEj54hLYOnhzglg+Hh42DSFbZQ=;
b=IfeAXTQ2Z4LJamWMaDueK7v1dOPS5yTPvVOiYx/VYry8e/5LxEH+J0blygysY3Qa1YjW19MdaYZYDeSoyHnkEOUKbL4fJe4KWrQEKgF8ukVOJEppZREvAoetcnSMZd3Jrl2FUl/4Zt8bJjphW02gAuDfLSH6aSWmys94i5XZzu8=
Authentication-Results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=microsoft.com;
Received: from DM6PR21MB1370.namprd21.prod.outlook.com (2603:10b6:5:16b::28)
by LV2PR21MB3372.namprd21.prod.outlook.com (2603:10b6:408:14e::13) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6631.8; Thu, 20 Jul
2023 20:34:31 +0000
Received: from DM6PR21MB1370.namprd21.prod.outlook.com
([fe80::58ed:9fb:47a9:13df]) by DM6PR21MB1370.namprd21.prod.outlook.com
([fe80::58ed:9fb:47a9:13df%7]) with mapi id 15.20.6631.011; Thu, 20 Jul 2023
20:34:31 +0000
From: Michael Kelley <mikelley@microsoft.com>
To: kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org,
decui@microsoft.com, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com,
peterz@infradead.org, x86@kernel.org, linux-kernel@vger.kernel.org,
linux-hyperv@vger.kernel.org
Cc: mikelley@microsoft.com, stable@vger.kernel.org
Subject: [PATCH 1/1] x86/hyperv: Disable IBT when hypercall page lacks ENDBR
instruction
Date: Thu, 20 Jul 2023 13:33:57 -0700
Message-Id: <1689885237-32662-1-git-send-email-mikelley@microsoft.com>
X-Mailer: git-send-email 1.8.3.1
Content-Type: text/plain
X-ClientProxiedBy: MW4P222CA0009.NAMP222.PROD.OUTLOOK.COM
(2603:10b6:303:114::14) To DM6PR21MB1370.namprd21.prod.outlook.com
(2603:10b6:5:16b::28)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DM6PR21MB1370:EE_|LV2PR21MB3372:EE_
X-MS-Office365-Filtering-Correlation-Id: f0676b1c-2d56-49f0-b2a1-08db8960b86e
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
J82f3JfiRciJEAz6GB7qcUZ5TKCxe565KVitsiyHWgf4zjC0eTwB6qeQwpJGmCMB0e+HKjtt0wosr0mCxqLxTpEBDwiyhOWW/dlwhDt+VSZd+P8GXePNH+gm6iDTNdZ+p9S3Wy6zRjCkPiEp9nhaSQFoxm23t1wMt4xVYpAPKZQryIfhLuz7UUXdcJdh4g6iVNhCG/xvrHYus/YKr2Ku04FD7Wt6Xng77KwLHSfBJay19/3ECvfTHFpgoLeV0d3Du3J66EnHWrPnNHB5NCaMpCXTVVzQezjaPvaiXBtM9KXZ+B9jmHmJI2DwjjCqi4UlItxeTM7aYoE6Pjcf6KephSITwnP38MlJI3U0x3BupTgfbczEHQejXY4k10t5GCHeTlqvef7I+oaT9ZWrjaVUyXxBO/JPMp4/Xvhs0fB0X2jHURpPjmAjBSFtkMUlHQTrUxquDoCEKEQncnG00r7CMf2m73C/MnDd/X2XVGNXYQ0XJ9H3LOInr6V9v2NtiMN1DGELZ4RmCy4HbcuUDRKLjrQs/e8K9QOafWgAN+MYvVmWCap6oIsVKNMwR23A5mmCHEvUQEy7FBAN4zhJtAJlWPD+WDKHYm2/Fsnzik0Pduxf3kUnKaRvsm5ALr+tfvZDz5njP6Q6werKGUL6rLI9ILglxJKkgmDH7jKKCJELDJF7KCQp8W4kktdr5aHr8Qb0
X-Forefront-Antispam-Report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR21MB1370.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(4636009)(366004)(346002)(39860400002)(376002)(136003)(396003)(451199021)(66556008)(4326008)(66946007)(316002)(38350700002)(38100700002)(5660300002)(7416002)(36756003)(8676002)(41300700001)(8936002)(82960400001)(82950400001)(86362001)(921005)(66476007)(6512007)(6506007)(26005)(2906002)(186003)(10290500003)(478600001)(6666004)(6486002)(52116002)(2616005);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
NuG83c40c2HCcrQhiS/EmkYyntXSr+fAFSoM0YUWxUch/if3VA3XTZlrdDzKCDGJUyKzsPJTWisA6u609o7g6I4odk7OGIF1UEKqtfX9kGk2YFPeZ3BaiaGwSOOokv9eqIxHZ+Dj4n6HtVgj3nCepSkRXzbCYNrOFYqiL2gjNzXQ1E6URclBMtxK5EYMORRkIYJZWlJKTciv24CXeHN3FiYyJ/shhs29w+XvzaWnZRfXCifHmwRUhG+5q4H3gS+NzLKMft6HuH8FuO5R5Isk620WvjOeREynOYjinhD9qr+d3cArWWDy67G5BeltgiZ9OZmHfWJJuNaE1DCARN47Zj9PTFQPKq5d/fwuNSRi2JJJBtCBI1WlL6pNiOGbqSQRLIP/k0Pttsx8sP8+Ql7PB1hTUNDm65ZJHTQ3KULB3AbBuqMLmA5ifeBID0cWoEPIGO9ITU1W23Uynj2XmbpIX5fa8pdqrwP4aNE21C8ygmdiVuNAsja2lhLQ/gOViQkm7u2ite7Lt6iMpMmpHDImh6sfTLowvHGKda8jg+SOsqlsJRbuhmhADVh88iwTE2rNiUj5uN0ta1pJa0hbAbR33DrLTpxD4etY/s2zA+4dG6z19iXElj06U6iJ6ehi7Of1bFlObnzemPh6uUNsTiFx047sNO9uC51ZoSHX0RxY+/R2Jt+OcJbN7Ri4ycjy/sc4pVC0p2wFgEj5bgrtAzlkGrAVaV4N7lsX9jefU4iDydqAVagUKVfqJqYEpY8akVXDtKBvmOWNt+52V4JQiKnM4LUOz0ZsJCLznrkb4BucqN7+TM3naFuVHN29ShVJvwgh06LbjoCd09Wq75Jn61R2YfK3q936yombG5KWNhRVkis2RPeTp2RVoRNPKqHR9/96UiNvTn+w5AUuGMiXc+Ro0HcwellV7QFMbZrblDlSBRetKNWgLpdLn9pzPJ16+QdqwQYXbqK9UcGisWi6j8fKMXN7DeY4U8Fz6PD4KpSCMdN8pMoXQpkN4JmveCwAN5ejeqgTr393uIrj9hOTNsW4W5Ja7a7zpdEo3nTojZ9yAK9VRtDk+NCPZvC8wPOSvKNYgUOh+JIYPwK42L9A8wjLdUjHykwUZ2q6Mj0sah4GiOh6hipPEEr2uqTjuUBFv66sCiqYlCc0AHLyOg+rBOuRxx2SBWdp04yX4MNzgRCokYWWB7JtLmKhMHkdid8NcoMF/YZok2jJByAva0fB1k9G7BeGwtyovrrN8DnHJFt1v7PdlhfHrFT1tA0V/tKBUWyd32N8pY3q8hyjjxClEKfgFja3exy1NXjoQE2wiNOxceomkEajLu1NtK+frp9xu86wducP4EP0d1BOuFkmLI2SXILesaftPUkMTfueNOBEp5UtMNEDhPN4iwjKZxg16r5uuWeY+xIscBG2BQeGvkTqN4tOacdnAL+1n8ycwgGvuBf+GXbNuz6YhyUhCuJaWoWbOvya5H1YVzcX7dOO2McC07W0M+df+3sK7Brr7QxEGLgNmZnxR8dYiv+RigqPOumDroN3BCXTOvXiaPRKxRP68qpN7/OJMhDuw7XK193EIuDgNdsXWPwVt7Pf+sPeHp0W
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id:
f0676b1c-2d56-49f0-b2a1-08db8960b86e
X-MS-Exchange-CrossTenant-AuthSource: DM6PR21MB1370.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jul 2023 20:34:30.8260
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName:
A+RHfffXSZyvzSLyusr0lOqGj5OnmoGoAAwtQff//vUhmmV6DClL8vHdJoHJKTlW6nLIGA9pFp6zVbVryq4iYQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV2PR21MB3372
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,
RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE,
T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771976600253907909
X-GMAIL-MSGID: 1771976600253907909
|
| Series |
[1/1] x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction
|
|
Commit Message
Michael Kelley (LINUX)
July 20, 2023, 8:33 p.m. UTC
On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs
with ConfigVersion 9.3 or later support IBT in the guest. However,
current versions of Hyper-V have a bug in that there's not an ENDBR64
instruction at the beginning of the hypercall page. Since hypercalls are
made with an indirect call to the hypercall page, all hypercall attempts
fail with an exception and Linux panics.
A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux
panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start
with ENDBR. The VM will boot and run without IBT.
If future Linux 32-bit kernels were to support IBT, additional hypercall
page hackery would be needed to make IBT work for such kernels in a
Hyper-V VM.
Cc: stable@vger.kernel.org
Signed-off-by: Michael Kelley <mikelley@microsoft.com>
---
arch/x86/hyperv/hv_init.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
Comments
On Thu, Jul 20, 2023 at 01:33:57PM -0700, Michael Kelley wrote: > On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs > with ConfigVersion 9.3 or later support IBT in the guest. However, > current versions of Hyper-V have a bug in that there's not an ENDBR64 > instruction at the beginning of the hypercall page. Whoops :/ > Since hypercalls are > made with an indirect call to the hypercall page, all hypercall attempts > fail with an exception and Linux panics. > > A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux > panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start > with ENDBR. The VM will boot and run without IBT. > > If future Linux 32-bit kernels were to support IBT, additional hypercall > page hackery would be needed to make IBT work for such kernels in a > Hyper-V VM. There are currently no plans to add IBT support to 32bit. > Cc: stable@vger.kernel.org > Signed-off-by: Michael Kelley <mikelley@microsoft.com> > --- > arch/x86/hyperv/hv_init.c | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c > index 6c04b52..5cbee24 100644 > --- a/arch/x86/hyperv/hv_init.c > +++ b/arch/x86/hyperv/hv_init.c > @@ -14,6 +14,7 @@ > #include <asm/apic.h> > #include <asm/desc.h> > #include <asm/sev.h> > +#include <asm/ibt.h> > #include <asm/hypervisor.h> > #include <asm/hyperv-tlfs.h> > #include <asm/mshyperv.h> > @@ -472,6 +473,26 @@ void __init hyperv_init(void) > } > > /* > + * Some versions of Hyper-V that provide IBT in guest VMs have a bug > + * in that there's no ENDBR64 instruction at the entry to the > + * hypercall page. Because hypercalls are invoked via an indirect call > + * to the hypercall page, all hypercall attempts fail when IBT is > + * enabled, and Linux panics. For such buggy versions, disable IBT. > + * > + * Fixed versions of Hyper-V always provide ENDBR64 on the hypercall > + * page, so if future Linux kernel versions enable IBT for 32-bit > + * builds, additional hypercall page hackery will be required here > + * to provide an ENDBR32. > + */ > +#ifdef CONFIG_X86_KERNEL_IBT > + if (cpu_feature_enabled(X86_FEATURE_IBT) && > + *(u32 *)hv_hypercall_pg != gen_endbr()) { > + setup_clear_cpu_cap(X86_FEATURE_IBT); > + pr_info("Hyper-V: Disabling IBT because of Hyper-V bug\n"); > + } > +#endif pr_warn() perhaps? Other than that, this seems fairly straight forward. One thing I wondered about; wouldn't it be possible to re-write the indirect hypercall thingies to a direct call? I mean, once we have the hypercall page mapped, the address is known right?
From: Peter Zijlstra <peterz@infradead.org> Sent: Thursday, July 20, 2023 2:16 PM > > On Thu, Jul 20, 2023 at 01:33:57PM -0700, Michael Kelley wrote: > > On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs > > with ConfigVersion 9.3 or later support IBT in the guest. However, > > current versions of Hyper-V have a bug in that there's not an ENDBR64 > > instruction at the beginning of the hypercall page. > > Whoops :/ > > > Since hypercalls are > > made with an indirect call to the hypercall page, all hypercall attempts > > fail with an exception and Linux panics. > > > > A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux > > panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start > > with ENDBR. The VM will boot and run without IBT. > > > > If future Linux 32-bit kernels were to support IBT, additional hypercall > > page hackery would be needed to make IBT work for such kernels in a > > Hyper-V VM. > > There are currently no plans to add IBT support to 32bit. That's what I thought. > > > Cc: stable@vger.kernel.org > > Signed-off-by: Michael Kelley <mikelley@microsoft.com> > > --- > > arch/x86/hyperv/hv_init.c | 21 +++++++++++++++++++++ > > 1 file changed, 21 insertions(+) > > > > diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c > > index 6c04b52..5cbee24 100644 > > --- a/arch/x86/hyperv/hv_init.c > > +++ b/arch/x86/hyperv/hv_init.c > > @@ -14,6 +14,7 @@ > > #include <asm/apic.h> > > #include <asm/desc.h> > > #include <asm/sev.h> > > +#include <asm/ibt.h> > > #include <asm/hypervisor.h> > > #include <asm/hyperv-tlfs.h> > > #include <asm/mshyperv.h> > > @@ -472,6 +473,26 @@ void __init hyperv_init(void) > > } > > > > /* > > + * Some versions of Hyper-V that provide IBT in guest VMs have a bug > > + * in that there's no ENDBR64 instruction at the entry to the > > + * hypercall page. Because hypercalls are invoked via an indirect call > > + * to the hypercall page, all hypercall attempts fail when IBT is > > + * enabled, and Linux panics. For such buggy versions, disable IBT. > > + * > > + * Fixed versions of Hyper-V always provide ENDBR64 on the hypercall > > + * page, so if future Linux kernel versions enable IBT for 32-bit > > + * builds, additional hypercall page hackery will be required here > > + * to provide an ENDBR32. > > + */ > > +#ifdef CONFIG_X86_KERNEL_IBT > > + if (cpu_feature_enabled(X86_FEATURE_IBT) && > > + *(u32 *)hv_hypercall_pg != gen_endbr()) { > > + setup_clear_cpu_cap(X86_FEATURE_IBT); > > + pr_info("Hyper-V: Disabling IBT because of Hyper-V bug\n"); > > + } > > +#endif > > pr_warn() perhaps? I wanted pr_info() so there's an immediate way to check for this case in the dmesg output if a user complains about IBT not being enabled when he expects it. In some sense, the message is temporary because once the Hyper-V patch is available and users install it, the message will go away. The pipeline for the Hyper-V patch is a bit long, so availability is at least several months away. This Linux workaround will be available much faster. Once it is picked up on stable branches, we will avoid the situations like we saw where someone upgraded Fedora 38 from a 6.2 to a 6.3 kernel, and the 6.3 kernel wouldn't boot because it has kernel IBT enabled. > > Other than that, this seems fairly straight forward. One thing I > wondered about; wouldn't it be possible to re-write the indirect > hypercall thingies to a direct call? I mean, once we have the hypercall > page mapped, the address is known right? Yes, the address is known. It does not change across things like hibernation. But the indirect call instruction is part of an inline assembly sequence, so the call instructions that need re-writing are scattered throughout the code. There's also the SEV-SNP case from the latest version of Tianyu Lan's patch set [1] where vmmcall may be used instead, based on your recent enhancement for nested ALTERNATIVE. Re-writing seems like that's more complexity than warranted for a mostly interim situation until the Hyper-V patch is available and users install it. Michael [1] https://lore.kernel.org/lkml/20230718032304.136888-6-ltykernel@gmail.com/
On Fri, Jul 21, 2023 at 12:41:35AM +0000, Michael Kelley (LINUX) wrote: > > Other than that, this seems fairly straight forward. One thing I > > wondered about; wouldn't it be possible to re-write the indirect > > hypercall thingies to a direct call? I mean, once we have the hypercall > > page mapped, the address is known right? > > Yes, the address is known. It does not change across things like > hibernation. But the indirect call instruction is part of an inline assembly > sequence, so the call instructions that need re-writing are scattered > throughout the code. There's also the SEV-SNP case from the > latest version of Tianyu Lan's patch set [1] where vmmcall may be used > instead, based on your recent enhancement for nested ALTERNATIVE. > Re-writing seems like that's more complexity than warranted for a > mostly interim situation until the Hyper-V patch is available and > users install it. Well, we have a lot of infrastructure for this already. Specifically this is very like the paravirt patching. Also, direct calls are both faster and have less speculation issues, so it might still be worth looking at. The way to do something like this would be: asm volatile (" ANNOTATE_RETPOLINE_SAFE \n\t" "1: call *hv_hypercall_page \n\t" ".pushsection .hv_call_sites \n\t" ".long 1b - . \n\t" ".popsection \n\t"); And then (see alternative.c for many other examples): patch_hypercalls() { s32 *s; for (s = __hv_call_sites_begin; s < __hv_call_sites_end; s++) { void *addr = (void *)s + *s; struct insn insn; ret = insn_decode_kernel(&insn, addr); if (WARN_ON_ONCE(ret < 0)) continue; /* * indirect call: ff 15 disp32 * direct call: 2e e8 disp32 */ if (insn.length == 6 && insn.opcode.bytes[0] == 0xFF && X86_MODRM_REG(insn.modrm.bytes[0]) == 2) { /* verify it was calling hy_hypercall_page */ if (WARN_ON_ONCE(addr + 6 + insn.displacement.value != &hv_hypercall_page)) continue; /* * write a CS padded direct call -- assumes the * hypercall page is in the 2G immediate range * of the kernel text */ addr[0] = 0x2e; /* CS prefix */ addr[1] = CALL_INSN_OPCODE; (s32 *)&Addr[2] = *hv_hypercall_page - (addr + 6); } } } See, easy :-)
From: Peter Zijlstra <peterz@infradead.org> Sent: Friday, July 21, 2023 12:59 AM > > On Fri, Jul 21, 2023 at 12:41:35AM +0000, Michael Kelley (LINUX) wrote: > > > > Other than that, this seems fairly straight forward. One thing I > > > wondered about; wouldn't it be possible to re-write the indirect > > > hypercall thingies to a direct call? I mean, once we have the hypercall > > > page mapped, the address is known right? > > > > Yes, the address is known. It does not change across things like > > hibernation. But the indirect call instruction is part of an inline assembly > > sequence, so the call instructions that need re-writing are scattered > > throughout the code. There's also the SEV-SNP case from the > > latest version of Tianyu Lan's patch set [1] where vmmcall may be used > > instead, based on your recent enhancement for nested ALTERNATIVE. > > Re-writing seems like that's more complexity than warranted for a > > mostly interim situation until the Hyper-V patch is available and > > users install it. > > Well, we have a lot of infrastructure for this already. Specifically > this is very like the paravirt patching. > > Also, direct calls are both faster and have less speculation issues, so > it might still be worth looking at. > > The way to do something like this would be: > > > asm volatile (" ANNOTATE_RETPOLINE_SAFE \n\t" > "1: call *hv_hypercall_page \n\t" > ".pushsection .hv_call_sites \n\t" > ".long 1b - . \n\t" > ".popsection \n\t"); > > > And then (see alternative.c for many other examples): > > > patch_hypercalls() > { > s32 *s; > > for (s = __hv_call_sites_begin; s < __hv_call_sites_end; s++) { > void *addr = (void *)s + *s; > struct insn insn; > > ret = insn_decode_kernel(&insn, addr); > if (WARN_ON_ONCE(ret < 0)) > continue; > > /* > * indirect call: ff 15 disp32 > * direct call: 2e e8 disp32 > */ > if (insn.length == 6 && > insn.opcode.bytes[0] == 0xFF && > X86_MODRM_REG(insn.modrm.bytes[0]) == 2) { > > /* verify it was calling hy_hypercall_page */ > if (WARN_ON_ONCE(addr + 6 + insn.displacement.value != &hv_hypercall_page)) > continue; > > /* > * write a CS padded direct call -- assumes the > * hypercall page is in the 2G immediate range > * of the kernel text Probably not true -- the hypercall page has a vmalloc address. > */ > addr[0] = 0x2e; /* CS prefix */ > addr[1] = CALL_INSN_OPCODE; > (s32 *)&Addr[2] = *hv_hypercall_page - (addr + 6); > } > } > } > > > See, easy :-) OK, worth looking into. This is a corner of the Linux kernel code that I've never looked at before. I appreciate the pointers. Hypercall sites also exist in loadable modules, so would need to hook into module_finalize() as well. Processing a new section type looks straightforward. But altogether, this feels like more change than should go as a bug fix to be backported to stable kernels. It's something to look at for a future kernel release. Michael
From: Michael Kelley (LINUX) <mikelley@microsoft.com> Sent: Thursday, July 20, 2023 5:42 PM > > From: Peter Zijlstra <peterz@infradead.org> Sent: Thursday, July 20, 2023 2:16 PM > > > > > @@ -472,6 +473,26 @@ void __init hyperv_init(void) > > > } > > > > > > /* > > > + * Some versions of Hyper-V that provide IBT in guest VMs have a bug > > > + * in that there's no ENDBR64 instruction at the entry to the > > > + * hypercall page. Because hypercalls are invoked via an indirect call > > > + * to the hypercall page, all hypercall attempts fail when IBT is > > > + * enabled, and Linux panics. For such buggy versions, disable IBT. > > > + * > > > + * Fixed versions of Hyper-V always provide ENDBR64 on the hypercall > > > + * page, so if future Linux kernel versions enable IBT for 32-bit > > > + * builds, additional hypercall page hackery will be required here > > > + * to provide an ENDBR32. > > > + */ > > > +#ifdef CONFIG_X86_KERNEL_IBT > > > + if (cpu_feature_enabled(X86_FEATURE_IBT) && > > > + *(u32 *)hv_hypercall_pg != gen_endbr()) { > > > + setup_clear_cpu_cap(X86_FEATURE_IBT); > > > + pr_info("Hyper-V: Disabling IBT because of Hyper-V bug\n"); > > > + } > > > +#endif > > > > pr_warn() perhaps? > > I wanted pr_info() so there's an immediate way to check for this > case in the dmesg output if a user complains about IBT not being > enabled when he expects it. In some sense, the message is temporary > because once the Hyper-V patch is available and users install it, > the message will go away. The pipeline for the Hyper-V patch is a > bit long, so availability is at least several months away. This Linux > workaround will be available much faster. Once it is picked up on > stable branches, we will avoid the situations like we saw where > someone upgraded Fedora 38 from a 6.2 to a 6.3 kernel, and the 6.3 > kernel wouldn't boot because it has kernel IBT enabled. > I realized in the middle of the night that my reply was nonsense. :-( pr_warn() makes the message visible when pr_info() might not. I'm happy to change to pr_warn(). Michael
... > I realized in the middle of the night that my reply was nonsense. :-( > pr_warn() makes the message visible when pr_info() might not. I'm > happy to change to pr_warn(). PANIC_ON_WARN?? David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
From: David Laight <David.Laight@ACULAB.COM> Sent: Friday, July 21, 2023 7:07 AM > > ... > > I realized in the middle of the night that my reply was nonsense. :-( > > pr_warn() makes the message visible when pr_info() might not. I'm > > happy to change to pr_warn(). > > PANIC_ON_WARN?? > panic_on_warn applies to WARN() and variants. pr_warn() is unrelated; it's just kernel logging level 4 vs. logging level 6 for pr_info(). Michael
On Fri, Jul 21, 2023 at 02:00:35PM +0000, Michael Kelley (LINUX) wrote: > > Well, we have a lot of infrastructure for this already. Specifically > > this is very like the paravirt patching. > > > > Also, direct calls are both faster and have less speculation issues, so > > it might still be worth looking at. > > > > The way to do something like this would be: > > > > > > asm volatile (" ANNOTATE_RETPOLINE_SAFE \n\t" > > "1: call *hv_hypercall_page \n\t" > > ".pushsection .hv_call_sites \n\t" > > ".long 1b - . \n\t" > > ".popsection \n\t"); > > > > > > And then (see alternative.c for many other examples): > > > > > > patch_hypercalls() > > { > > s32 *s; > > > > for (s = __hv_call_sites_begin; s < __hv_call_sites_end; s++) { > > void *addr = (void *)s + *s; > > struct insn insn; > > > > ret = insn_decode_kernel(&insn, addr); > > if (WARN_ON_ONCE(ret < 0)) > > continue; > > > > /* > > * indirect call: ff 15 disp32 > > * direct call: 2e e8 disp32 > > */ > > if (insn.length == 6 && > > insn.opcode.bytes[0] == 0xFF && > > X86_MODRM_REG(insn.modrm.bytes[0]) == 2) { > > > > /* verify it was calling hy_hypercall_page */ > > if (WARN_ON_ONCE(addr + 6 + insn.displacement.value != &hv_hypercall_page)) > > continue; > > > > /* > > * write a CS padded direct call -- assumes the > > * hypercall page is in the 2G immediate range > > * of the kernel text > > Probably not true -- the hypercall page has a vmalloc address. See module_alloc(), that uses vmalloc but constrains the address to stay within the 2G immediate address limit. > > */ > > addr[0] = 0x2e; /* CS prefix */ > > addr[1] = CALL_INSN_OPCODE; > > (s32 *)&Addr[2] = *hv_hypercall_page - (addr + 6); *(s32 *)... > > } > > } > > } > > > > > > See, easy :-) > > OK, worth looking into. This is a corner of the Linux kernel code that > I've never looked at before. I appreciate the pointers. No problem, I've been doing too much of this the past few years :-) > Hypercall sites also exist in loadable modules, so would need to hook > into module_finalize() as well. Processing a new section type looks > straightforward. Yep, > But altogether, this feels like more change than should go as a bug > fix to be backported to stable kernels. It's something to look at for a > future kernel release. Agreed!
diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c index 6c04b52..5cbee24 100644 --- a/arch/x86/hyperv/hv_init.c +++ b/arch/x86/hyperv/hv_init.c @@ -14,6 +14,7 @@ #include <asm/apic.h> #include <asm/desc.h> #include <asm/sev.h> +#include <asm/ibt.h> #include <asm/hypervisor.h> #include <asm/hyperv-tlfs.h> #include <asm/mshyperv.h> @@ -472,6 +473,26 @@ void __init hyperv_init(void) } /* + * Some versions of Hyper-V that provide IBT in guest VMs have a bug + * in that there's no ENDBR64 instruction at the entry to the + * hypercall page. Because hypercalls are invoked via an indirect call + * to the hypercall page, all hypercall attempts fail when IBT is + * enabled, and Linux panics. For such buggy versions, disable IBT. + * + * Fixed versions of Hyper-V always provide ENDBR64 on the hypercall + * page, so if future Linux kernel versions enable IBT for 32-bit + * builds, additional hypercall page hackery will be required here + * to provide an ENDBR32. + */ +#ifdef CONFIG_X86_KERNEL_IBT + if (cpu_feature_enabled(X86_FEATURE_IBT) && + *(u32 *)hv_hypercall_pg != gen_endbr()) { + setup_clear_cpu_cap(X86_FEATURE_IBT); + pr_info("Hyper-V: Disabling IBT because of Hyper-V bug\n"); + } +#endif + + /* * hyperv_init() is called before LAPIC is initialized: see * apic_intr_mode_init() -> x86_platform.apic_post_init() and * apic_bsp_setup() -> setup_local_APIC(). The direct-mode STIMER