
Merge tag 'x86-urgent-2026-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Ingo Molnar:

- Fix an early boot crash in AMD SEV-SNP guests, caused by incorrect
FSGSBASE init ordering (Nikunj A Dadhania)

- Remove X86_CR4_FRED from the CR4 pinned bits mask, to fix a race
window during the bootup of SEV-{ES,SNP} or TDX guests, which can
crash them if they trigger exceptions in that window (Borislav
Petkov)

- Fix early boot failures on SEV-ES/SNP guests, due to incorrect early
GHCB access (Nikunj A Dadhania)

- Add clarifying comment to the CRn pinning logic, to avoid future
confusion & bugs (Peter Zijlstra)

* tag 'x86-urgent-2026-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/cpu: Add comment clarifying CRn pinning
x86/fred: Fix early boot failures on SEV-ES/SNP guests
x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()

+46 -7
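--- a/arch/x86/coco/sev/noinstr.c
+++ b/arch/x86/coco/sev/noinstr.c
@@ -121,6 +121,9 @@
 
 WARN_ON(!irqs_disabled());
 
+if (!sev_cfg.ghcbs_initialized)
+return boot_ghcb;
+
 data = this_cpu_read(runtime_data);
 ghcb = &data->ghcb_page;
 
@@ -166,6 +163,9 @@
 struct ghcb *ghcb;
 
 WARN_ON(!irqs_disabled());
+
+if (!sev_cfg.ghcbs_initialized)
+return;
 
 data = this_cpu_read(runtime_data);
 ghcb = &data->ghcb_page;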
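Review bot: The new `if (!sev_cfg.ghcbs_initialized) return boot_ghcb;` in the first hunk and its counterpart `return;` in the second hunk carry no comment, so a reader of either one in isolation has to already know that the two are paired and that `runtime_data` is not usable before the per-CPU GHCBs exist. I would put above the first check `/* Per-CPU GHCBs not set up yet: hand out the boot GHCB instead of runtime_data. */` and above the second `/* Boot GHCB was handed out, nothing per-CPU to restore here. */`. The first hunk also returns `boot_ghcb` without checking it is non-NULL; if this path can run before setup_ghcb() has assigned it, the caller gets a NULL GHCB, which is worth confirming against the callers. Both enclosing functions start and end outside the hunks.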
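--- a/arch/x86/entry/entry_fred.c
+++ b/arch/x86/entry/entry_fred.c
@@ -177,6 +177,16 @@
 }
 }
 
+#ifdef CONFIG_AMD_MEM_ENCRYPT
+noinstr void exc_vmm_communication(struct pt_regs *regs, unsigned long error_code)
+{
+if (user_mode(regs))
+return user_exc_vmm_communication(regs, error_code);
+else
+return kernel_exc_vmm_communication(regs, error_code);
+}
+#endif
+
 static noinstr void fred_hwexc(struct pt_regs *regs, unsigned long error_code)
 {
 /* Optimize for #PF. That's the only exception which matters performance wise */
@@ -217,6 +207,10 @@
 #ifdef CONFIG_X86_CET
 case X86_TRAP_CP: return exc_control_protection(regs, error_code);
 #endif
+#ifdef CONFIG_AMD_MEM_ENCRYPT
+case X86_TRAP_VC: return exc_vmm_communication(regs, error_code);
+#endif
+
 default: return fred_bad_type(regs, error_code);
 }
 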
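Review bot: The new `exc_vmm_communication()` wrapper in the first hunk has no comment saying why FRED needs its own user/kernel split for #VC instead of the IDT-side entry, which is the first thing a reader of this `noinstr` function will ask; I would add above the `#ifdef` something like `/* FRED does not go through the IDTENTRY-generated #VC entry, so reproduce its user/kernel split here. */`, with the wording confirmed against the IDT definition since that is not visible in this hunk. Stylistically the `else` after `return user_exc_vmm_communication(regs, error_code);` is redundant and the body reads cleaner as a guard followed by the kernel call. The blank line added after the new `#endif` (new line 213) before `default:` is also inconsistent with the `CONFIG_X86_CET` case directly above it, which has none. The switch in the second hunk belongs to a function whose start is outside the hunk.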
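--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -433,7 +433,20 @@
 
 /* These bits should not change their value after CPU init is finished. */
 static const unsigned long cr4_pinned_mask = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP |
-X86_CR4_FSGSBASE | X86_CR4_CET | X86_CR4_FRED;
+X86_CR4_FSGSBASE | X86_CR4_CET;
+
+/*
+* The CR pinning protects against ROP on the 'mov %reg, %CRn' instruction(s).
+* Since you can ROP directly to these instructions (barring shadow stack),
+* any protection must follow immediately and unconditionally after that.
+*
+* Specifically, the CR[04] write functions below will have the value
+* validation controlled by the @cr_pinning static_branch which is
+* __ro_after_init, just like the cr4_pinned_bits value.
+*
+* Once set, an attacker will have to defeat page-tables to get around these
+* restrictions. Which is a much bigger ask than 'simple' ROP.
+*/
 static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning);
 static unsigned long cr4_pinned_bits __ro_after_init;
 
@@ -2063,12 +2050,6 @@
 setup_umip(c);
 setup_lass(c);
 
-/* Enable FSGSBASE instructions if available. */
-if (cpu_has(c, X86_FEATURE_FSGSBASE)) {
-cr4_set_bits(X86_CR4_FSGSBASE);
-elf_hwcap2 |= HWCAP2_FSGSBASE;
-}
-
 /*
 * The vendor-specific functions might have changed features.
 * Now we do "generic changes."
@@ -2422,6 +2415,18 @@
 
 /* GHCB needs to be setup to handle #VC. */
 setup_ghcb();
+
+/*
+* On CPUs with FSGSBASE support, paranoid_entry() uses
+* ALTERNATIVE-patched RDGSBASE/WRGSBASE instructions. Secondary CPUs
+* boot after alternatives are patched globally, so early exceptions
+* execute patched code that depends on FSGSBASE. Enable the feature
+* before any exceptions occur.
+*/
+if (cpu_feature_enabled(X86_FEATURE_FSGSBASE)) {
+cr4_set_bits(X86_CR4_FSGSBASE);
+elf_hwcap2 |= HWCAP2_FSGSBASE;
+}
 
 if (cpu_feature_enabled(X86_FEATURE_FRED)) {
 /* The boot CPU has enabled FRED during early boot */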
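Review bot: Dropping `X86_CR4_FRED` from `cr4_pinned_mask` in the first hunk means a CR4 write that clears CR4.FRED is no longer caught by the pin validation the new comment block describes, yet nothing at the mask records why the bit is left out; the rationale lives only in the merge description. I would add directly above the mask `/* X86_CR4_FRED is deliberately not pinned: SEV-ES/SNP and TDX guests enable FRED late on secondary CPUs (see cpu_init_exception_handling()) and an exception before that point would trip the pin check. */`, with the exact mechanism confirmed since the FRED enable sequence itself is outside the third hunk. Separately, relocating the FSGSBASE enable into cpu_init_exception_handling() makes `elf_hwcap2 |= HWCAP2_FSGSBASE;` run on every CPU (and again if this path re-runs on hotplug) instead of once at the removed site; the OR is idempotent so this is benign, but only the `cr4_set_bits(X86_CR4_FSGSBASE);` needs to be per CPU and the hwcap update could stay on a boot-CPU-only path. The switch from `cpu_has(c, ...)` to `cpu_feature_enabled()` is consistent with alternatives being patched from boot-CPU features. cpu_init_exception_handling()'s body continues outside the hunk.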