| Message ID | 20240126163918.2908990-2-ardb+git@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-40354-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:1350:b0:103:8516:c03d with SMTP id f16csp3697dyg;
Fri, 26 Jan 2024 08:47:05 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IGjRrDdB+GfuRYSYEN0FFSY62pEZKRFmPJXEcXAkAEYmwQLprNBORks3lhvYIVobKSKf60S
X-Received: by 2002:a17:90b:19d4:b0:28e:82c0:db91 with SMTP id
nm20-20020a17090b19d400b0028e82c0db91mr185129pjb.43.1706287624834;
Fri, 26 Jan 2024 08:47:04 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706287624; cv=pass;
d=google.com; s=arc-20160816;
b=nnee2CVesDER0qepbXdiRr5BUCR4WNbKyiXzUhxhR69byJbiX+BGLauo7nP46e6Uce
NNxQQa/XAP2DifbtfIlUPWnju84WLhidUQ86TBYoMBiiyLHctOPwmxF84JZ1MuAt5Dw2
wyovpXdbhLmy+JuSJiXNylsySkRfMzZ/dJxBPocHkoulQm77isLcafo+tGyl10bbYtTV
tNoosmpzorNQvgw/soYE6ssgOb/ag779bHyFEVLacD0vWNxQrJGSBTg5MDJLfUJ4r6f+
TIONIkd2VqKV8vc3lszUFjaDfgpvv7Y41TCFCNuXy4UAVBtuU7Ots/AGjxDv4z7ILGW6
+okA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=cc:to:from:subject:message-id:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:date:dkim-signature;
bh=xlBgugPCo2xMSajYDfdTWi2w+CeDhsQ4ciWdtvT0oGo=;
fh=o5qWVygOwNP6v68AC+fevRwE/t3KR/dniE70roBmCe0=;
b=vUtEhKN5za71sJweKiX5a/Jezf7Srt9ILuan29NSkRuwoibrjMFOg7MZZSxv+/YrRT
q8BRJdkzPN68h7Jiqq66dxZH146A+p40yyelC/nHj1v0U2xXtWOyHJqDaMXrj4BiW8Tj
7wGhZjwD4JDZw/sdbRYBOL5cau5yrW1xjKqsosNFCWaDlkWKOHGy6TeOOqIa95OnIhdI
ab+mv1j99EqLll5xHXtjluyqdNNJHZI4TIIiYeNeU9ZdE3obBp+liEWw8MHEkFl58Ny2
kVXo6QnD1i4Jx6TlcMo2BQOXCdurp3IHC3RGFMmdtP7NAg5EiUOs3GaFyodBpsbaebVn
mkiA==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@google.com header.s=20230601 header.b="z/HaRRbu";
arc=pass (i=1 spf=pass spfdomain=flex--ardb.bounces.google.com
dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
spf=pass (google.com: domain of
linux-kernel+bounces-40354-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-40354-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org.
[2604:1380:45e3:2400::1])
by mx.google.com with ESMTPS id
g12-20020a17090ace8c00b0029265c01893si1418049pju.179.2024.01.26.08.47.04
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 26 Jan 2024 08:47:04 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-40354-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20230601 header.b="z/HaRRbu";
arc=pass (i=1 spf=pass spfdomain=flex--ardb.bounces.google.com
dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com);
spf=pass (google.com: domain of
linux-kernel+bounces-40354-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-40354-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id 7069028CA2F
for <ouuuleilei@gmail.com>; Fri, 26 Jan 2024 16:39:59 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 004B21EB49;
Fri, 26 Jan 2024 16:39:35 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
header.b="z/HaRRbu"
Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com
[209.85.128.201])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 460631EA8A
for <linux-kernel@vger.kernel.org>; Fri, 26 Jan 2024 16:39:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=209.85.128.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1706287172; cv=none;
b=txTZxPVgJZLpjDwk4Vb10YMJWda9RvPdLa9PHNuPWsGob/sKB/AEDP+ZYuo4VE9fqecUlAfEyW8TmU1rvoAgTFcDVe8DruO8aZ68cvQskxz7aEdc7mV+gGkRRM5S9BHlwSCoppAbipDWs9d2MtaIappN9xxL/UVBbQoxT3gvY6E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1706287172; c=relaxed/simple;
bh=EFByUhMn6o7EKK+3IwvtG+AnT/BrGHBsR+easKAMjCg=;
h=Date:Mime-Version:Message-ID:Subject:From:To:Cc:Content-Type;
b=amY3XHlxqpqmEWAgF3BTljfHdd3m9B4S2PQ1iiFclz34mvlixEHWEr44rSVMxKyGdmLNvFJr52kAVdtHOGmM4pwBfedsmRWGlzPbNC3WVGcEbI9ZAYdEI7ltSLGPaYksMNtXd+Qn2O68RICIkV/ZseK4+x3TuzR19sIqg6alVVw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=reject dis=none) header.from=google.com;
spf=pass smtp.mailfrom=flex--ardb.bounces.google.com;
dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
header.b=z/HaRRbu; arc=none smtp.client-ip=209.85.128.201
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=flex--ardb.bounces.google.com
Received: by mail-yw1-f201.google.com with SMTP id
00721157ae682-5ffee6e316bso18306087b3.0
for <linux-kernel@vger.kernel.org>;
Fri, 26 Jan 2024 08:39:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20230601; t=1706287169; x=1706891969;
darn=vger.kernel.org;
h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
:date:message-id:reply-to;
bh=xlBgugPCo2xMSajYDfdTWi2w+CeDhsQ4ciWdtvT0oGo=;
b=z/HaRRbuOSuWhhEq8DUTAuoMTtEsbV/qxaYuTUMdv2U4dkLcNoGSUOZBFRQkALmegD
lcX69E1OBzFEjC7Lz7OiUMh10bHNrnWaOE/VkEVg9jKEIB73HUVBqC7MLSPnP24/30bD
YqlolR753MdEr892HsERHYPSXkvcayF8Nwbb8pY+rTxDxtpf3W9SHo0UiSd3nP/nWLzF
wWSMbusqotYBNHEDDue3GB2x/7xAQMNKZl+0cRYm+elCCtS0ItYSO0h2RIZexxaemKQu
/VMiaQBxnCd6a2oUZD/47psKPoX2KBCVLIu+EkGyoKjt6j+nHSNGE46sut/lndv2HCMI
E0GA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1706287169; x=1706891969;
h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=xlBgugPCo2xMSajYDfdTWi2w+CeDhsQ4ciWdtvT0oGo=;
b=tkMExTTZFsH0ueo7kYzIKvVxIRSxvd97j1ljmGBVIzIVJLRQ8FQAi+S1ZopEA+gj2P
VGCQuVtLXrUxE+gNTe9s54fUzPH/+PiLnG+6936BK4ftHYnNfWTVGbRBwXK1HGC7l70s
3yS0KHyr/RYaL5K+LvTiJeUU5e0XRS0lTqYB8btDsvw3FnsnmqrjbQFkd+dbP6o0HQyA
JsqbD6g1Aiq4Z7wx3qBnkF3L4HxuYDt/qcp/gH+9gd3/69CLVFPBFWfUD5Z9rMTuvo/j
8PqPaULc+IOyz2rwCfhsrJRlFFMQCiZV3c29NZ+WMzVY92on8czAWjXzXFIPBiwvD/yS
nepA==
X-Gm-Message-State: AOJu0Ywaoe3LpLJl7QbPG5B3KWPeChi8RbwR8CQxH8WA15T5hs2Rlc0r
Hu/RVk8g8pPFB7aZOArhO7jeHcVpzUxmQyCUap4sPakVFhCDlQO/U7EPx3kTJSgVwfN0dpg2Tpc
AbiBoAjBhUQyAkDArjwi0vOEtGDpmMAJbDsu8XYiRd2JjwJJBQE6PvtCiVx8ibiSmkITXCo9AKl
kr8QuCLMBnHawJiSNvL89+geYKfYCIlQ==
X-Received: from palermo.c.googlers.com
([fda3:e722:ac3:cc00:28:9cb1:c0a8:118a])
(user=ardb job=sendgmr) by 2002:a81:794d:0:b0:5ff:8269:26 with SMTP id
u74-20020a81794d000000b005ff82690026mr9234ywc.10.1706287169275; Fri, 26 Jan
2024 08:39:29 -0800 (PST)
Date: Fri, 26 Jan 2024 17:39:19 +0100
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
X-Developer-Key: i=ardb@kernel.org; a=openpgp;
fpr=F43D03328115A198C90016883D200E9CA6329909
X-Developer-Signature: v=1; a=openpgp-sha256; l=2049; i=ardb@kernel.org;
h=from:subject; bh=WUJPBTvb1mHWIXBiHT1P0Ob/I8UvCbEpFlwskhtt8WU=;
b=owGbwMvMwCFmkMcZplerG8N4Wi2JIXXzA/MGZR6dfy8uCy1aFy6e2FouXMhTerVceoPs51Otb
x+nfIvpKGVhEONgkBVTZBGY/ffdztMTpWqdZ8nCzGFlAhnCwMUpABO594Phn+W+76uuXlgXblcp
1uQ8x7zC+fnDzOTdrWUePpPmbypj2cfIcOTL5oVHD8j5OKRul1tRzbdBVPFrjmoEQ86bXasFC75
vYgYA
X-Mailer: git-send-email 2.43.0.429.g432eaa2c6b-goog
Message-ID: <20240126163918.2908990-2-ardb+git@google.com>
Subject: [PATCH] x86/sme: Fix memory encryption if enabled by default and not
overridden
From: Ard Biesheuvel <ardb+git@google.com>
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Ard Biesheuvel <ardb@kernel.org>,
Borislav Petkov <bp@alien8.de>,
Tom Lendacky <thomas.lendacky@amd.com>,
Nikita Zhandarovich <n.zhandarovich@fintech.ru>,
Kevin Loughlin <kevinloughlin@google.com>
Content-Type: text/plain; charset="UTF-8"
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789172252803254611
X-GMAIL-MSGID: 1789172252803254611
|
| Series |
x86/sme: Fix memory encryption if enabled by default and not overridden
|
|
Commit Message
Ard Biesheuvel
Jan. 26, 2024, 4:39 p.m. UTC
From: Ard Biesheuvel <ardb@kernel.org> Commit cbebd68f59f0 ("x86/mm: Fix use of uninitialized buffer in sme_enable()") 'fixed' an issue in sme_enable() detected by static analysis, and broke the common case in the process. cmdline_find_option() will return < 0 on an error, or when the command line argument does not appear at all. In this particular case, the latter is not an error condition, and so the early exit is wrong. Instead, without mem_encrypt= on the command line, the compile time default should be honoured, which could be to enable memory encryption, and this is currently broken. Fix it by setting sme_me_mask to a preliminary value based on the compile time default, and only omitting the command line argument test when cmdline_find_option() returns an error. Cc: Borislav Petkov (AMD) <bp@alien8.de> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Nikita Zhandarovich <n.zhandarovich@fintech.ru> Cc: Kevin Loughlin <kevinloughlin@google.com> Fixes: cbebd68f59f0 ("x86/mm: Fix use of uninitialized buffer in sme_enable()") Signed-off-by: Ard Biesheuvel <ardb@kernel.org> --- arch/x86/mm/mem_encrypt_identity.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
Comments
On 1/26/24 10:39, Ard Biesheuvel wrote: > From: Ard Biesheuvel <ardb@kernel.org> > > Commit cbebd68f59f0 ("x86/mm: Fix use of uninitialized buffer in > sme_enable()") 'fixed' an issue in sme_enable() detected by static > analysis, and broke the common case in the process. > > cmdline_find_option() will return < 0 on an error, or when the command > line argument does not appear at all. In this particular case, the > latter is not an error condition, and so the early exit is wrong. > > Instead, without mem_encrypt= on the command line, the compile time > default should be honoured, which could be to enable memory encryption, > and this is currently broken. > > Fix it by setting sme_me_mask to a preliminary value based on the > compile time default, and only omitting the command line argument test > when cmdline_find_option() returns an error. > > Cc: Borislav Petkov (AMD) <bp@alien8.de> > Cc: Tom Lendacky <thomas.lendacky@amd.com> > Cc: Nikita Zhandarovich <n.zhandarovich@fintech.ru> > Cc: Kevin Loughlin <kevinloughlin@google.com> > Fixes: cbebd68f59f0 ("x86/mm: Fix use of uninitialized buffer in sme_enable()") > Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Nice catch. Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> > --- > arch/x86/mm/mem_encrypt_identity.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c > index d73aeb16417f..30df4f1725f4 100644 > --- a/arch/x86/mm/mem_encrypt_identity.c > +++ b/arch/x86/mm/mem_encrypt_identity.c > @@ -600,15 +600,14 @@ void __init sme_enable(struct boot_params *bp) > cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | > ((u64)bp->ext_cmd_line_ptr << 32)); > > + sme_me_mask = active_by_default ? me_mask : 0; > if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0) > - return; > + goto out; > > if (!strncmp(buffer, cmdline_on, sizeof(buffer))) > sme_me_mask = me_mask; > else if (!strncmp(buffer, cmdline_off, sizeof(buffer))) > sme_me_mask = 0; > - else > - sme_me_mask = active_by_default ? me_mask : 0; > out: > if (sme_me_mask) { > physical_mask &= ~sme_me_mask;
On Fri, Jan 26, 2024 at 05:39:19PM +0100, Ard Biesheuvel wrote: > From: Ard Biesheuvel <ardb@kernel.org> > > Commit cbebd68f59f0 ("x86/mm: Fix use of uninitialized buffer in > sme_enable()") 'fixed' an issue in sme_enable() detected by static > analysis, and broke the common case in the process. > > cmdline_find_option() will return < 0 on an error, or when the command > line argument does not appear at all. Is it just me or cmdline_find_option() should be fixed to return 0 when there's no cmdline argument and < 0 only when there was a real error parsing? Hohumm, sounds like a TODO for me or someone who wants to audit all callers and fix them up accordingly.
On Sat, 27 Jan 2024 at 11:53, Borislav Petkov <bp@alien8.de> wrote: > > On Fri, Jan 26, 2024 at 05:39:19PM +0100, Ard Biesheuvel wrote: > > From: Ard Biesheuvel <ardb@kernel.org> > > > > Commit cbebd68f59f0 ("x86/mm: Fix use of uninitialized buffer in > > sme_enable()") 'fixed' an issue in sme_enable() detected by static > > analysis, and broke the common case in the process. > > > > cmdline_find_option() will return < 0 on an error, or when the command > > line argument does not appear at all. > > Is it just me or cmdline_find_option() should be fixed to return 0 when > there's no cmdline argument and < 0 only when there was a real error > parsing? > > Hohumm, sounds like a TODO for me or someone who wants to audit all > callers and fix them up accordingly. > I intend to propose removing this occurrence entirely, and move it into the EFI stub/decompressor. Parsing external input in security related code when the entire kernel is still mapped writable is kind of gross, and since I'm cleaning up the early PIC code anyway, might just as well rip this out. Another issue here is that it does not honor CONFIG_CMDLINE_BOOL/CONFIG_CMDLINE_OVERRIDE. I.e., if memory encryption is enabled by default, and the kernel is configured to ignore the command line, the current code will still disable memory encryption when mem_encrypt=off is passed. Probably not a big deal, but unintuitive nonetheless. For the other cases, I agree that this would be a good thing to clean up. Note that someone has been looking into the handling of the command line recently. https://lore.kernel.org/all/20231110013817.2378507-6-danielwa@cisco.com/T/#m817c573e25f6f7da237272178a8f6b116192a6ad but I am not sure what the state of the code is, or whether the approach is the right one. I was meaning to look at that but haven't found the time yet.
diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c index d73aeb16417f..30df4f1725f4 100644 --- a/arch/x86/mm/mem_encrypt_identity.c +++ b/arch/x86/mm/mem_encrypt_identity.c @@ -600,15 +600,14 @@ void __init sme_enable(struct boot_params *bp) cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | ((u64)bp->ext_cmd_line_ptr << 32)); + sme_me_mask = active_by_default ? me_mask : 0; if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0) - return; + goto out; if (!strncmp(buffer, cmdline_on, sizeof(buffer))) sme_me_mask = me_mask; else if (!strncmp(buffer, cmdline_off, sizeof(buffer))) sme_me_mask = 0; - else - sme_me_mask = active_by_default ? me_mask : 0; out: if (sme_me_mask) { physical_mask &= ~sme_me_mask;