On Tue, Jul 14, 2020 at 02:08:36PM +0200, Joerg Roedel wrote: > From: Joerg Roedel <jroedel@xxxxxxx> > > The code inserted by the stack protector does not work in the early > boot environment because it uses the GS segment, at least with memory > encryption enabled. Make sure the early code is compiled without this > feature enabled. > > Signed-off-by: Joerg Roedel <jroedel@xxxxxxx> > --- > arch/x86/kernel/Makefile | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile > index e77261db2391..1b166b866059 100644 > --- a/arch/x86/kernel/Makefile > +++ b/arch/x86/kernel/Makefile > @@ -39,6 +39,10 @@ ifdef CONFIG_FRAME_POINTER > OBJECT_FILES_NON_STANDARD_ftrace_$(BITS).o := y > endif > > +# make sure head64.c is built without stack protector > +nostackp := $(call cc-option, -fno-stack-protector) > +CFLAGS_head64.o := $(nostackp) Recent refactoring[1] for stack protector suggests this should just unconditionally be: CFLAGS_head64.o += -fno-stack-protector But otherwise, yeah, this should be fine here -- it's all early init stuff. Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> [1] https://lore.kernel.org/lkml/20200626185913.92890-1-masahiroy@xxxxxxxxxx/ > + > # If instrumentation of this dir is enabled, boot hangs during first second. > # Probably could be more selective here, but note that files related to irqs, > # boot, dumpstack/stacktrace, etc are either non-interesting or can lead to > -- > 2.27.0 > -- Kees Cook