Corentin xcpng 9/xenserver rebased patchqueue

arch/x86/boot/Makefile

@@ -63,7 +63,7 @@ $(obj)/bzImage: asflags-y  := $(SVGA_MODE)
 quiet_cmd_image = BUILD   $@
 silent_redirect_image = >/dev/null
 cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \
-			       $(obj)/zoffset.h $@ $($(quiet)redirect_image)
+			       $(obj)/zoffset.h $@ $($(quiet)redirect_image) $(srctree)/arch/x86/boot/sbat.csv
 
 $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE
 	$(call if_changed,image)
@@ -88,7 +88,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmlinux FORCE
 AFLAGS_header.o += -I$(objtree)/$(obj)
 $(obj)/header.o: $(obj)/zoffset.h
 
-LDFLAGS_setup.elf	:= -m elf_i386 -z noexecstack -T
+LDFLAGS_setup.elf	:= --defsym CONFIG_EFI_STUB=$(if $(CONFIG_EFI_STUB),1,0) -m elf_i386 -z noexecstack -T
 $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE
 	$(call if_changed,ld)
 

arch/x86/boot/header.S

@@ -177,8 +177,22 @@ pecompat_fstart:
 	.byte	0x0				# Sentinel
 	.popsection
 #else
-	.set	pecompat_fstart, setup_size
+	.set	pecompat_fstart, sbat_fstart
 #endif
+
+	.ascii	".sbat\0\0\0"
+	.long	sbat_fsize	                    # VirtualSize
+	.long	sbat_fstart	                    # VirtualAddress
+	.long	sbat_fsize	                    # SizeOfRawData
+	.long	sbat_fstart	                    # PointerToRawData
+	.long	0	                              # PointerToRelocations
+	.long	0	                              # PointerToLineNumbers
+	.word	0	                              # NumberOfRelocations
+	.word	0	                              # NumberOfLineNumbers
+	.long	IMAGE_SCN_CNT_INITIALIZED_DATA	| \
+		IMAGE_SCN_MEM_READ                  | \
+		IMAGE_SCN_ALIGN_16BYTES             # Characteristics
+
 	.ascii	".text"
 	.byte	0
 	.byte	0

arch/x86/boot/sbat.csv

@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+linux.xs,1,Cloud Software Group,linux,1,mailto:security@xenserver.com

arch/x86/boot/setup.ld

@@ -25,7 +25,11 @@ SECTIONS
 	.text32		: { *(.text32) }
 
 	.pecompat	: { *(.pecompat) }
-	PROVIDE(pecompat_fsize = setup_size - pecompat_fstart);
+	PROVIDE(pecompat_fsize = sbat_fstart - pecompat_fstart);
+
+	.sbat	: { *(.sbat) }
+	PROVIDE(sbat_fsize = 0x1000);
+	PROVIDE(sbat_fstart = CONFIG_EFI_STUB == 1 ? setup_size - sbat_fsize : setup_size);
 
 	. = ALIGN(16);
 	.rodata		: { *(.rodata*) }
@@ -43,7 +47,8 @@ SECTIONS
 		setup_sig = .;
 		LONG(0x5a5aaa55)
 
-		setup_size = ALIGN(ABSOLUTE(.), 4096);
+		setup_size = ALIGN(ABSOLUTE(.) + (CONFIG_EFI_STUB == 1 ? sbat_fsize : 0), 4096);
+
 		setup_sects = ABSOLUTE(setup_size / 512);
 	}
 

arch/x86/boot/tools/build.c

@@ -47,6 +47,8 @@ typedef unsigned int   u32;
 /* This must be large enough to hold the entire setup */
 u8 buf[SETUP_SECT_MAX*512];
 
+#define SBAT_FSIZE 0x1000
+
 static unsigned long _edata;
 
 /*----------------------------------------------------------------------*/
@@ -130,7 +132,11 @@ static void die(const char * str, ...)
 
 static void usage(void)
 {
+#ifdef CONFIG_EFI_STUB
+	die("Usage: build setup system zoffset.h image sbat");
+#else
 	die("Usage: build setup system zoffset.h image");
+#endif
 }
 
 /*
@@ -178,8 +184,15 @@ int main(int argc, char ** argv)
 	int fd;
 	void *kernel;
 	u32 crc = 0xffffffffUL;
+	int expect_argc;
+
+#ifdef CONFIG_EFI_STUB
+	expect_argc = 6;
+#else
+	expect_argc = 5;
+#endif
 
-	if (argc != 5)
+	if (argc < expect_argc)
 		usage();
 	parse_zoffset(argv[3]);
 
@@ -200,6 +213,11 @@ int main(int argc, char ** argv)
 		die("Boot block hasn't got boot flag (0xAA55)");
 	fclose(file);
 
+#if CONFIG_EFI_STUB
+	/* Reserve space for .sbat section */
+	c += SBAT_FSIZE;
+#endif
+
 	/* Pad unused space with zeros */
 	setup_sectors = (c + 4095) / 4096;
 	setup_sectors *= 8;
@@ -208,6 +226,26 @@ int main(int argc, char ** argv)
 	i = setup_sectors*512;
 	memset(buf+c, 0, i-c);
 
+#if CONFIG_EFI_STUB
+	{
+		const char *sbat_filename = argv[5];
+		const unsigned int sbat_section_offset = i - SBAT_FSIZE;
+
+		FILE *file = fopen(sbat_filename, "rb");
+		if (!file)
+			die("Unable to open '%s': %m", sbat_filename);
+
+		fread(buf + sbat_section_offset, 1, SBAT_FSIZE-1, file);
+		if (ferror(file))
+			die("read-error on '%s'", sbat_filename);
+
+		if (!feof(file))
+			die("SBAT file too large '%s'", sbat_filename);
+
+		fclose(file);
+	}
+#endif
+
 	/* Open and stat the kernel file */
 	fd = open(argv[2], O_RDONLY);
 	if (fd < 0)

arch/x86/include/asm/cpufeature.h

@@ -99,7 +99,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 22, feature_bit) ||    \
 	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 23, feature_bit) ||    \
 	   REQUIRED_MASK_CHECK					  ||	\
-	   BUILD_BUG_ON_ZERO(NCAPINTS != 24))
+	   BUILD_BUG_ON_ZERO(NCAPINTS != 30))
 
 #define DISABLED_MASK_BIT_SET(feature_bit)				\
 	 ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  0, feature_bit) ||	\
@@ -127,7 +127,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 22, feature_bit) ||    \
 	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 23, feature_bit) ||    \
 	   DISABLED_MASK_CHECK					  ||	\
-	   BUILD_BUG_ON_ZERO(NCAPINTS != 24))
+	   BUILD_BUG_ON_ZERO(NCAPINTS != 30))
 
 #define cpu_has(c, bit)							\
 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\

arch/x86/include/asm/cpufeatures.h

@@ -13,8 +13,8 @@
 /*
  * Defines x86 CPU feature bits
  */
-#define NCAPINTS			24	   /* N 32-bit words worth of info */
-#define NBUGINTS			3	   /* N 32-bit bug flags */
+#define NCAPINTS			30	   /* N 32-bit words worth of info */
+#define NBUGINTS			4	   /* N 32-bit bug flags */
 
 /*
  * Note: If the comment begins with a quoted string, that string is used

arch/x86/include/asm/disabled-features.h

@@ -158,6 +158,6 @@
 #define DISABLED_MASK21	0
 #define DISABLED_MASK22	0
 #define DISABLED_MASK23	0
-#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 24)
+#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 30)
 
 #endif /* _ASM_X86_DISABLED_FEATURES_H */

arch/x86/include/asm/required-features.h

@@ -102,6 +102,6 @@
 #define REQUIRED_MASK21	0
 #define REQUIRED_MASK22	0
 #define REQUIRED_MASK23	0
-#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 24)
+#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 30)
 
 #endif /* _ASM_X86_REQUIRED_FEATURES_H */

arch/x86/include/asm/xen/hypercall.h

@@ -493,6 +493,13 @@ HYPERVISOR_hvm_op(int op, void *arg)
        return _hypercall2(unsigned long, hvm_op, op, arg);
 }
 
+static inline int __must_check
+HYPERVISOR_kexec_op(
+        unsigned long op, void *args)
+{
+	return _hypercall2(int, kexec_op, op, args);
+}
+
 static inline int
 HYPERVISOR_xenpmu_op(unsigned int op, void *arg)
 {

arch/x86/include/asm/xen/swiotlb-xen.h

@@ -2,7 +2,8 @@
 #ifndef _ASM_X86_SWIOTLB_XEN_H
 #define _ASM_X86_SWIOTLB_XEN_H
 
-int xen_swiotlb_fixup(void *buf, unsigned long nslabs);
+int xen_swiotlb_fixup(void *buf, unsigned long nslabs,
+		      unsigned long *contig_pages);
 int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
 				unsigned int address_bits,
 				dma_addr_t *dma_handle);

arch/x86/kernel/asm-offsets.c

@@ -10,6 +10,7 @@
 #include <crypto/aria.h>
 #include <linux/sched.h>
 #include <linux/stddef.h>
+#include <linux/list.h>
 #include <linux/hardirq.h>
 #include <linux/suspend.h>
 #include <linux/kbuild.h>
@@ -139,5 +140,22 @@ static void __used common(void)
 	OFFSET(SL_rlp_wakeup_addr, txt_sinit_mle_data, rlp_wakeup_addr);
 	OFFSET(SL_rlp_gdt_base, smx_rlp_mle_join, rlp_gdt_base);
 	OFFSET(SL_rlp_entry_point, smx_rlp_mle_join, rlp_entry_point);
+#endif
+	BLANK();
+	OFFSET(MODULE_LIST_HEAD_next, list_head, next);
+	OFFSET(MODULE_state, module, state);
+	OFFSET(MODULE_next, module, list);
+	OFFSET(MODULE_name, module, name);
+	DEFINE(MODULE_name_len, MODULE_NAME_LEN);
+#ifdef CONFIG_KALLSYMS
+	OFFSET(MODULE_notes_attrs, module, notes_attrs);
+	OFFSET(MODULE_notes_count, module_notes_attrs, notes);
+	OFFSET(MODULE_binattrs, module_notes_attrs, attrs);
+	DEFINE(SIZEOF_binattr, sizeof(struct bin_attribute));
+	OFFSET(MODULE_noteattr, bin_attribute, attr);
+	OFFSET(MODULE_notesize, bin_attribute, size);
+	OFFSET(MODULE_notedata, bin_attribute, private);
+	OFFSET(MODULE_notename, attribute, name);
+	DEFINE(MODULE_notename_len, PAGE_SIZE);
 #endif
 }

arch/x86/kernel/cpu/bugs.c

@@ -253,8 +253,7 @@ static void x86_amd_ssb_disable(void)
 #define pr_fmt(fmt)	"MDS: " fmt
 
 /* Default mitigation for MDS-affected CPUs */
-static enum mds_mitigations mds_mitigation __ro_after_init =
-	IS_ENABLED(CONFIG_MITIGATION_MDS) ? MDS_MITIGATION_FULL : MDS_MITIGATION_OFF;
+static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_OFF;
 static bool mds_nosmt __ro_after_init = false;
 
 static const char * const mds_strings[] = {
@@ -314,8 +313,7 @@ enum taa_mitigations {
 };
 
 /* Default mitigation for TAA-affected CPUs */
-static enum taa_mitigations taa_mitigation __ro_after_init =
-	IS_ENABLED(CONFIG_MITIGATION_TAA) ? TAA_MITIGATION_VERW : TAA_MITIGATION_OFF;
+static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_OFF;
 static bool taa_nosmt __ro_after_init;
 
 static const char * const taa_strings[] = {
@@ -413,8 +411,7 @@ enum mmio_mitigations {
 };
 
 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
-static enum mmio_mitigations mmio_mitigation __ro_after_init =
-	IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_VERW : MMIO_MITIGATION_OFF;
+static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_OFF;
 static bool mmio_nosmt __ro_after_init = false;
 
 static const char * const mmio_strings[] = {

arch/x86/kernel/setup.c

@@ -714,6 +714,17 @@ static void __init x86_report_nx(void)
 	}
 }
 
+static bool lockdown_disabled;
+
+static int __init lockdown_disable_param(char *str)
+{
+	lockdown_disabled = true;
+
+	return 0;
+}
+
+early_param("lockdown_disable", lockdown_disable_param);
+
 /*
  * Determine if we were loaded by an EFI loader.  If so, then we have also been
  * passed the efi memmap, systab, etc., so we should use these data structures
@@ -906,6 +917,13 @@ void __init setup_arch(char **cmdline_p)
 		efi_init();
 
 	efi_set_secure_boot(boot_params.secure_boot);
+	if (boot_params.secure_boot == efi_secureboot_mode_enabled)
+		security_lock_kernel_down("EFI Secure Boot mode",
+					  LOCKDOWN_INTEGRITY_MAX);
+	else if (!lockdown_disabled)
+		security_lock_kernel_down("vendor policy",
+					  LOCKDOWN_INTEGRITY_MAX);
+
 	reserve_ibft_region();
 	x86_init.resources.dmi_setup();
 

arch/x86/xen/efi.c

@@ -7,6 +7,7 @@
 #include <linux/efi.h>
 #include <linux/init.h>
 #include <linux/string.h>
+#include <linux/security.h>
 
 #include <xen/xen.h>
 #include <xen/xen-ops.h>

arch/x86/xen/enlighten_pv.c

@@ -94,7 +94,7 @@ void *xen_initial_gdt;
 static int xen_cpu_up_prepare_pv(unsigned int cpu);
 static int xen_cpu_dead_pv(unsigned int cpu);
 
-#ifndef CONFIG_PREEMPTION
+#ifndef CONFIG_PREEMPT
 /*
  * Some hypercalls issued by the toolstack can take many 10s of
  * seconds. Allow tasks running hypercalls via the privcmd driver to
@@ -746,7 +746,7 @@ __visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs)
 
 	inhcall = get_and_clear_inhcall();
 	if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) {
-		irqentry_exit_cond_resched();
+		raw_irqentry_exit_cond_resched();
 		instrumentation_end();
 		restore_inhcall(inhcall);
 	} else {

arch/x86/xen/xen-head.S

@@ -21,6 +21,7 @@
 #include <xen/interface/xen.h>
 #include <xen/interface/xen-mca.h>
 #include <asm/xen/interface.h>
+#include <xen/filter-hypercall.h>
 
 #ifdef CONFIG_XEN_PV
 	__INIT
@@ -181,5 +182,6 @@ SYM_FUNC_END(xen_hypercall_intel)
 		.long FEATURES_PV | FEATURES_PVH | FEATURES_DOM0)
 	ELFNOTE(Xen, XEN_ELFNOTE_LOADER,         .asciz "generic")
 	ELFNOTE(Xen, XEN_ELFNOTE_SUSPEND_CANCEL, .long 1)
+	ELFNOTE(XS, XS_ELFNOTE_PRIVCMD_FILTERING, .long PRIVCMD_FILTERING_ABI_VERSION)
 
 #endif /*CONFIG_XEN */

block/elevator.h

@@ -4,6 +4,7 @@
 
 #include <linux/percpu.h>
 #include <linux/hashtable.h>
+#include <linux/uek_kabi.h>
 #include "blk-mq.h"
 
 struct io_cq;
@@ -48,6 +49,11 @@ struct elevator_mq_ops {
 	struct request *(*next_request)(struct request_queue *, struct request *);
 	void (*init_icq)(struct io_cq *);
 	void (*exit_icq)(struct io_cq *);
+
+	UEK_KABI_RESERVE(1)
+	UEK_KABI_RESERVE(2)
+	UEK_KABI_RESERVE(3)
+	UEK_KABI_RESERVE(4)
 };
 
 #define ELV_NAME_MAX	(16)
@@ -83,6 +89,11 @@ struct elevator_type
 	/* managed by elevator core */
 	char icq_cache_name[ELV_NAME_MAX + 6];	/* elvname + "_io_cq" */
 	struct list_head list;
+
+	UEK_KABI_RESERVE(1)
+	UEK_KABI_RESERVE(2)
+	UEK_KABI_RESERVE(3)
+	UEK_KABI_RESERVE(4)
 };
 
 static inline bool elevator_tryget(struct elevator_type *e)

drivers/acpi/osl.c

@@ -174,7 +174,7 @@ void __printf(1, 0) acpi_os_vprintf(const char *fmt, va_list args)
 #endif
 }
 
-#ifdef CONFIG_KEXEC
+#ifdef CONFIG_KEXEC_CORE
 static unsigned long acpi_rsdp;
 static int __init setup_acpi_rsdp(char *arg)
 {
@@ -187,7 +187,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
 {
 	acpi_physical_address pa;
 
-#ifdef CONFIG_KEXEC
+#ifdef CONFIG_KEXEC_CORE
 	/*
 	 * We may have been provided with an RSDP on the command line,
 	 * but if a malicious user has done so they may be pointing us