[PATCH] x86/microcode/intel: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY

[Borislav Petkov]

From: Borislav Petkov <b...@suse.de>

CONFIG_RANDOMIZE_MEMORY randomizes the physical memmap and thus the
address where the initrd is located. Therefore, we need to add the
offset KASLR put us to in order to find the initrd again on the AP path.

In the future, we will get rid of the initrd address caching and query
the address on both the BSP and AP paths but that would need more work.

Thanks to Nicolai Stange for the good bisection and debugging work.

Reported-and-tested-by: Nicolai Stange <nics...@gmail.com>
Signed-off-by: Borislav Petkov <b...@suse.de>
Cc: Kees Cook <kees...@chromium.org>
---
arch/x86/kernel/cpu/microcode/intel.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 6515c802346a..c5a7d74a9fa6 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -793,10 +793,10 @@ void __init load_ucode_intel_bsp(void)
void load_ucode_intel_ap(void)
{
struct ucode_blobs *blobs_p;
+ unsigned long *ptrs, start = 0;
struct mc_saved_data *mcs;
struct ucode_cpu_info uci;
enum ucode_state ret;
- unsigned long *ptrs;

#ifdef CONFIG_X86_32
mcs = (struct mc_saved_data *)__pa_nodebug(&mc_saved_data);
@@ -815,8 +815,20 @@ void load_ucode_intel_ap(void)
if (!mcs->num_saved)
return;

+ if (blobs_p->valid) {
+ start = blobs_p->start;
+
+#ifdef CONFIG_RANDOMIZE_MEMORY
+ /*
+ * Pay attention to CONFIG_RANDOMIZE_MEMORY as it shuffles
+ * physmem mapping too and there we have the initrd.
+ */
+ start += (PAGE_OFFSET - __PAGE_OFFSET_BASE);
+#endif
+ }
+
collect_cpu_info_early(&uci);
- ret = load_microcode(mcs, ptrs, blobs_p->start, &uci);
+ ret = load_microcode(mcs, ptrs, start, &uci);
if (ret != UCODE_OK)
return;

--
2.8.4

[tip-bot for Borislav Petkov]

Commit-ID: efaad554b4ffae1840a2759e09e21325ddbc8b05
Gitweb: http://git.kernel.org/tip/efaad554b4ffae1840a2759e09e21325ddbc8b05
Author: Borislav Petkov <b...@suse.de>
AuthorDate: Tue, 26 Jul 2016 11:51:38 +0200
Committer: Ingo Molnar <mi...@kernel.org>
CommitDate: Tue, 26 Jul 2016 19:32:57 +0200

x86/microcode/intel: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y

CONFIG_RANDOMIZE_MEMORY=y randomizes the physical memmap and thus the

address where the initrd is located. Therefore, we need to add the
offset KASLR put us to in order to find the initrd again on the AP path.

In the future, we will get rid of the initrd address caching and query
the address on both the BSP and AP paths but that would need more work.

Thanks to Nicolai Stange for the good bisection and debugging work.

Reported-and-tested-by: Nicolai Stange <nics...@gmail.com>
Signed-off-by: Borislav Petkov <b...@suse.de>
Cc: Kees Cook <kees...@chromium.org>

Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Link: http://lkml.kernel.org/r/201607260951...@alien8.de
Signed-off-by: Ingo Molnar <mi...@kernel.org>

---
arch/x86/kernel/cpu/microcode/intel.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c

index 6515c80..0f97ae9 100644

--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -793,10 +793,10 @@ void __init load_ucode_intel_bsp(void)
void load_ucode_intel_ap(void)
{
struct ucode_blobs *blobs_p;
+ unsigned long *ptrs, start = 0;
struct mc_saved_data *mcs;
struct ucode_cpu_info uci;
enum ucode_state ret;
- unsigned long *ptrs;

#ifdef CONFIG_X86_32
mcs = (struct mc_saved_data *)__pa_nodebug(&mc_saved_data);
@@ -815,8 +815,20 @@ void load_ucode_intel_ap(void)
if (!mcs->num_saved)
return;

+ if (blobs_p->valid) {
+ start = blobs_p->start;
+
+#ifdef CONFIG_RANDOMIZE_MEMORY
+ /*

+ * Pay attention to CONFIG_RANDOMIZE_MEMORY=y as it shuffles

+ * physmem mapping too and there we have the initrd.
+ */

+ start += PAGE_OFFSET - __PAGE_OFFSET_BASE;

[Kees Cook]

These ifdefs aren't needed if we added a no-op __PAGE_OFFSET_BASE to
the 32-bit page table headers. Then the compiler will DTRT with the
start calculation. When CONFIG_RANDOMIZE_MEMORY is set, start will
have a non-zero value, and when not set it'll be 0.

> + /*
> + * Pay attention to CONFIG_RANDOMIZE_MEMORY=y as it shuffles
> + * physmem mapping too and there we have the initrd.
> + */
> + start += PAGE_OFFSET - __PAGE_OFFSET_BASE;
> +#endif
> + }
> +
> collect_cpu_info_early(&uci);
> - ret = load_microcode(mcs, ptrs, blobs_p->start, &uci);
> + ret = load_microcode(mcs, ptrs, start, &uci);
> if (ret != UCODE_OK)
> return;
>

--
Kees Cook
Chrome OS & Brillo Security

[Borislav Petkov]

On Tue, Jul 26, 2016 at 01:37:07PM -0700, Kees Cook wrote:
> These ifdefs aren't needed if we added a no-op __PAGE_OFFSET_BASE to
> the 32-bit page table headers. Then the compiler will DTRT with the
> start calculation. When CONFIG_RANDOMIZE_MEMORY is set, start will
> have a non-zero value, and when not set it'll be 0.

Something like this? I'm trying to mimick the 64-bit version:

---
diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
index 3a52ee0e726d..3bae4969ac65 100644
--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -13,7 +13,8 @@
* If you want more physical memory than this then see the CONFIG_HIGHMEM4G
* and CONFIG_HIGHMEM64G options in the kernel configuration.
*/
-#define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET_BASE _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET __PAGE_OFFSET_BASE

#define __START_KERNEL_map __PAGE_OFFSET

--
Regards/Gruss,
Boris.

ECO tip #101: Trim your mails when you reply.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--

[Borislav Petkov]

From: Borislav Petkov <b...@suse.de>

CONFIG_RANDOMIZE_MEMORY randomizes the physical memmap and thus the

address where the initrd is located. Therefore, we need to add the
offset KASLR put us to in order to find the initrd again on the AP path.

In the future, we will get rid of the initrd address caching and query
the address on both the BSP and AP paths but that would need more work.

Thanks to Nicolai Stange for the good bisection and debugging work.

Reported-and-tested-by: Nicolai Stange <nics...@gmail.com>
Signed-off-by: Borislav Petkov <b...@suse.de>
Cc: Kees Cook <kees...@chromium.org>

---
arch/x86/kernel/cpu/microcode/intel.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 6515c802346a..2a542b71d910 100644

--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -793,10 +793,10 @@ void __init load_ucode_intel_bsp(void)
void load_ucode_intel_ap(void)
{
struct ucode_blobs *blobs_p;
+ unsigned long *ptrs, start = 0;
struct mc_saved_data *mcs;
struct ucode_cpu_info uci;
enum ucode_state ret;
- unsigned long *ptrs;

#ifdef CONFIG_X86_32
mcs = (struct mc_saved_data *)__pa_nodebug(&mc_saved_data);

@@ -815,8 +815,18 @@ void load_ucode_intel_ap(void)

if (!mcs->num_saved)
return;

+ if (blobs_p->valid) {
+ start = blobs_p->start;
+

+ /*
+ * Pay attention to CONFIG_RANDOMIZE_MEMORY as it shuffles

+ * physmem mapping too and there we have the initrd.
+ */

+ start += (PAGE_OFFSET - __PAGE_OFFSET_BASE);

+ }
+
collect_cpu_info_early(&uci);
- ret = load_microcode(mcs, ptrs, blobs_p->start, &uci);
+ ret = load_microcode(mcs, ptrs, start, &uci);
if (ret != UCODE_OK)
return;

--

2.8.4

[Borislav Petkov]

From: Borislav Petkov <b...@suse.de>

... in order to avoid ifdeffery in code computing the ASLR randomization
offset.

Suggested-by: Kees Cook <kees...@chromium.org>
Signed-off-by: Borislav Petkov <b...@suse.de>
---
arch/x86/include/asm/page_32_types.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
index 3a52ee0e726d..3bae4969ac65 100644
--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -13,7 +13,8 @@
* If you want more physical memory than this then see the CONFIG_HIGHMEM4G
* and CONFIG_HIGHMEM64G options in the kernel configuration.
*/
-#define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET_BASE _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET __PAGE_OFFSET_BASE

#define __START_KERNEL_map __PAGE_OFFSET

--

2.8.4

[Ingo Molnar]

* Borislav Petkov <b...@suse.de> wrote:

> From: Borislav Petkov <b...@suse.de>
>
> ... in order to avoid ifdeffery in code computing the ASLR randomization
> offset.
>
> Suggested-by: Kees Cook <kees...@chromium.org>
> Signed-off-by: Borislav Petkov <b...@suse.de>
> ---
> arch/x86/include/asm/page_32_types.h | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
> index 3a52ee0e726d..3bae4969ac65 100644
> --- a/arch/x86/include/asm/page_32_types.h
> +++ b/arch/x86/include/asm/page_32_types.h
> @@ -13,7 +13,8 @@
> * If you want more physical memory than this then see the CONFIG_HIGHMEM4G
> * and CONFIG_HIGHMEM64G options in the kernel configuration.
> */
> -#define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
> +#define __PAGE_OFFSET_BASE _AC(CONFIG_PAGE_OFFSET, UL)
> +#define __PAGE_OFFSET __PAGE_OFFSET_BASE

Could you please send a delta patch for this? I've already applied the original
fix, with a few minor edits.

Thanks,

Ingo

[Borislav Petkov]

On Wed, Jul 27, 2016 at 11:05:16AM +0200, Ingo Molnar wrote:
> Could you please send a delta patch for this? I've already applied the original
> fix, with a few minor edits.

Ontop of this?

http://git.kernel.org/tip/efaad554b4ffae1840a2759e09e21325ddbc8b05

[Ingo Molnar]

* Borislav Petkov <b...@suse.de> wrote:

> On Wed, Jul 27, 2016 at 11:05:16AM +0200, Ingo Molnar wrote:
> > Could you please send a delta patch for this? I've already applied the original
> > fix, with a few minor edits.
>
> Ontop of this?
>
> http://git.kernel.org/tip/efaad554b4ffae1840a2759e09e21325ddbc8b05

On top of:

tip/x86/microcode df15929f8f5c: Merge branch 'linus' into x86/microcode, to pick up merge window changes

(the merge commit is fresh, I just pushed it out)

... because this way there's actually a CONFIG_RANDOMIZE_MEMORY option available
in that kernel tree.

Thanks,

Ingo

[Borislav Petkov]

On Wed, Jul 27, 2016 at 12:36:55PM +0200, Ingo Molnar wrote:
> On top of:
>
> tip/x86/microcode df15929f8f5c: Merge branch 'linus' into x86/microcode, to pick up merge window changes
>
> (the merge commit is fresh, I just pushed it out)
>
> ... because this way there's actually a CONFIG_RANDOMIZE_MEMORY option available
> in that kernel tree.

Here it is:

---
From: Borislav Petkov <b...@suse.de>
Subject: [PATCH] x86/asm, microcode: Add __PAGE_OFFSET_BASE define on 32-bit

... in order to avoid ifdeffery in code computing the ASLR randomization

offset. Remove that ifdeffery in the microcode loader.

Suggested-by: Kees Cook <kees...@chromium.org>
Signed-off-by: Borislav Petkov <b...@suse.de>
---
arch/x86/include/asm/page_32_types.h | 3 ++-

arch/x86/kernel/cpu/microcode/intel.c | 2 --
2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
index 3a52ee0e726d..3bae4969ac65 100644
--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -13,7 +13,8 @@
* If you want more physical memory than this then see the CONFIG_HIGHMEM4G
* and CONFIG_HIGHMEM64G options in the kernel configuration.
*/
-#define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET_BASE _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET __PAGE_OFFSET_BASE

#define __START_KERNEL_map __PAGE_OFFSET

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 0f97ae93441b..cdc0deab00c9 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -818,13 +818,11 @@ void load_ucode_intel_ap(void)
if (blobs_p->valid) {
start = blobs_p->start;

-#ifdef CONFIG_RANDOMIZE_MEMORY
/*

* Pay attention to CONFIG_RANDOMIZE_MEMORY=y as it shuffles

* physmem mapping too and there we have the initrd.

*/

start += PAGE_OFFSET - __PAGE_OFFSET_BASE;

-#endif
}

collect_cpu_info_early(&uci);
--
2.8.4

[tip-bot for Borislav Petkov]

Commit-ID: 4a1a8e1b8f9f37bdbba416eb0a5ff3f47d31cb28
Gitweb: http://git.kernel.org/tip/4a1a8e1b8f9f37bdbba416eb0a5ff3f47d31cb28
Author: Borislav Petkov <b...@suse.de>
AuthorDate: Wed, 27 Jul 2016 14:09:39 +0200
Committer: Ingo Molnar <mi...@kernel.org>
CommitDate: Wed, 27 Jul 2016 14:59:59 +0200

x86/asm, x86/microcode: Add __PAGE_OFFSET_BASE define on 32-bit

... in order to avoid #ifdeffery in code computing the ASLR randomization
offset. Remove that #ifdeffery in the microcode loader.

Suggested-by: Kees Cook <kees...@chromium.org>
Signed-off-by: Borislav Petkov <b...@suse.de>

Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Nicolai Stange <nics...@gmail.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Garnier <thga...@google.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Link: http://lkml.kernel.org/r/20160727120...@nazgul.tnic
Signed-off-by: Ingo Molnar <mi...@kernel.org>

---
arch/x86/include/asm/page_32_types.h | 3 ++-
arch/x86/kernel/cpu/microcode/intel.c | 2 --
2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h

index 3a52ee0..3bae496 100644

--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -13,7 +13,8 @@
* If you want more physical memory than this then see the CONFIG_HIGHMEM4G
* and CONFIG_HIGHMEM64G options in the kernel configuration.
*/
-#define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET_BASE _AC(CONFIG_PAGE_OFFSET, UL)
+#define __PAGE_OFFSET __PAGE_OFFSET_BASE

#define __START_KERNEL_map __PAGE_OFFSET

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c

index 0f97ae9..cdc0dea 100644