| Message ID | 20220214125127.17985-1-andrew.cooper3@citrix.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | x86: Support for CET Indirect Branch Tracking | expand |
On 14/02/2022 12:50, Andrew Cooper wrote: > CET Indirect Branch Tracking is a hardware feature designed to protect against > forward-edge control flow hijacking (Call/Jump oriented programming), and is a > companion feature to CET Shadow Stacks added in Xen 4.14. > > Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical > annotations of function pointer targets. Patches 61 thru 70 are the final > enablement of CET-IBT. > > This series functions correctly with GCC 9 and later, although an experimental > GCC patch is required to get more helpful typechecking at build time. > > Tested on a TigerLake NUC. > > CI pipelines: > https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 > https://cirrus-ci.com/build/4962308362338304 > > Major changes from v1: > * Boilerplate for mechanical commits > * UEFI runtime services unconditionally disable IBT > * Comprehensive build time check for embedded endbr's There's one thing I considered, and wanted to discuss. I'm tempted to rename cf_check to cfi for the function annotation, as it's shorter without reducing clarity. Changing now (i.e. before I commit) is easy. Once committed, changing is far harder. ~Andrew
On 14.02.2022 14:10, Andrew Cooper wrote: > On 14/02/2022 12:50, Andrew Cooper wrote: >> CET Indirect Branch Tracking is a hardware feature designed to protect against >> forward-edge control flow hijacking (Call/Jump oriented programming), and is a >> companion feature to CET Shadow Stacks added in Xen 4.14. >> >> Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical >> annotations of function pointer targets. Patches 61 thru 70 are the final >> enablement of CET-IBT. >> >> This series functions correctly with GCC 9 and later, although an experimental >> GCC patch is required to get more helpful typechecking at build time. >> >> Tested on a TigerLake NUC. >> >> CI pipelines: >> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 >> https://cirrus-ci.com/build/4962308362338304 >> >> Major changes from v1: >> * Boilerplate for mechanical commits >> * UEFI runtime services unconditionally disable IBT >> * Comprehensive build time check for embedded endbr's > > There's one thing I considered, and wanted to discuss. > > I'm tempted to rename cf_check to cfi for the function annotation, as > it's shorter without reducing clarity. What would the 'i' stand for in this acronym? Irrespective of the answer I'd like to point out the name collision with the CFI directives at assembler level. This isn't necessarily an objection (I'm certainly for shortening), but we want to avoid introducing confusion. Jan
On 14/02/2022 13:43, Jan Beulich wrote: > On 14.02.2022 14:10, Andrew Cooper wrote: >> On 14/02/2022 12:50, Andrew Cooper wrote: >>> CET Indirect Branch Tracking is a hardware feature designed to protect against >>> forward-edge control flow hijacking (Call/Jump oriented programming), and is a >>> companion feature to CET Shadow Stacks added in Xen 4.14. >>> >>> Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical >>> annotations of function pointer targets. Patches 61 thru 70 are the final >>> enablement of CET-IBT. >>> >>> This series functions correctly with GCC 9 and later, although an experimental >>> GCC patch is required to get more helpful typechecking at build time. >>> >>> Tested on a TigerLake NUC. >>> >>> CI pipelines: >>> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 >>> https://cirrus-ci.com/build/4962308362338304 >>> >>> Major changes from v1: >>> * Boilerplate for mechanical commits >>> * UEFI runtime services unconditionally disable IBT >>> * Comprehensive build time check for embedded endbr's >> There's one thing I considered, and wanted to discuss. >> >> I'm tempted to rename cf_check to cfi for the function annotation, as >> it's shorter without reducing clarity. > What would the 'i' stand for in this acronym? The class of techniques is called Control Flow Integrity. > Irrespective of the answer > I'd like to point out the name collision with the CFI directives at > assembler level. This isn't necessarily an objection (I'm certainly for > shortening), but we want to avoid introducing confusion. I doubt there is confusion to be had here. One is entirely a compiler construct which turns into ENDBR64 instructions in the assembler, and one is a general toolchain construct we explicitly disable. ~Andrew
On 14.02.2022 15:15, Andrew Cooper wrote: > On 14/02/2022 13:43, Jan Beulich wrote: >> On 14.02.2022 14:10, Andrew Cooper wrote: >>> On 14/02/2022 12:50, Andrew Cooper wrote: >>>> CET Indirect Branch Tracking is a hardware feature designed to protect against >>>> forward-edge control flow hijacking (Call/Jump oriented programming), and is a >>>> companion feature to CET Shadow Stacks added in Xen 4.14. >>>> >>>> Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical >>>> annotations of function pointer targets. Patches 61 thru 70 are the final >>>> enablement of CET-IBT. >>>> >>>> This series functions correctly with GCC 9 and later, although an experimental >>>> GCC patch is required to get more helpful typechecking at build time. >>>> >>>> Tested on a TigerLake NUC. >>>> >>>> CI pipelines: >>>> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 >>>> https://cirrus-ci.com/build/4962308362338304 >>>> >>>> Major changes from v1: >>>> * Boilerplate for mechanical commits >>>> * UEFI runtime services unconditionally disable IBT >>>> * Comprehensive build time check for embedded endbr's >>> There's one thing I considered, and wanted to discuss. >>> >>> I'm tempted to rename cf_check to cfi for the function annotation, as >>> it's shorter without reducing clarity. >> What would the 'i' stand for in this acronym? > > The class of techniques is called Control Flow Integrity. > >> Irrespective of the answer >> I'd like to point out the name collision with the CFI directives at >> assembler level. This isn't necessarily an objection (I'm certainly for >> shortening), but we want to avoid introducing confusion. > > I doubt there is confusion to be had here. One is entirely a compiler > construct which turns into ENDBR64 instructions in the assembler, and > one is a general toolchain construct we explicitly disable. Hmm. I'm still at best half convinced. Plus we generally have been naming our shorthands after the actual attribute names. By using "cfi" such a connection would also be largely lost. Roger, Wei, others - do you opinions either way? Jan
On 14/02/2022 14:38, Jan Beulich wrote: > On 14.02.2022 15:15, Andrew Cooper wrote: >> On 14/02/2022 13:43, Jan Beulich wrote: >>> On 14.02.2022 14:10, Andrew Cooper wrote: >>>> On 14/02/2022 12:50, Andrew Cooper wrote: >>>>> CET Indirect Branch Tracking is a hardware feature designed to protect against >>>>> forward-edge control flow hijacking (Call/Jump oriented programming), and is a >>>>> companion feature to CET Shadow Stacks added in Xen 4.14. >>>>> >>>>> Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical >>>>> annotations of function pointer targets. Patches 61 thru 70 are the final >>>>> enablement of CET-IBT. >>>>> >>>>> This series functions correctly with GCC 9 and later, although an experimental >>>>> GCC patch is required to get more helpful typechecking at build time. >>>>> >>>>> Tested on a TigerLake NUC. >>>>> >>>>> CI pipelines: >>>>> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 >>>>> https://cirrus-ci.com/build/4962308362338304 >>>>> >>>>> Major changes from v1: >>>>> * Boilerplate for mechanical commits >>>>> * UEFI runtime services unconditionally disable IBT >>>>> * Comprehensive build time check for embedded endbr's >>>> There's one thing I considered, and wanted to discuss. >>>> >>>> I'm tempted to rename cf_check to cfi for the function annotation, as >>>> it's shorter without reducing clarity. >>> What would the 'i' stand for in this acronym? >> The class of techniques is called Control Flow Integrity. >> >>> Irrespective of the answer >>> I'd like to point out the name collision with the CFI directives at >>> assembler level. This isn't necessarily an objection (I'm certainly for >>> shortening), but we want to avoid introducing confusion. >> I doubt there is confusion to be had here. One is entirely a compiler >> construct which turns into ENDBR64 instructions in the assembler, and >> one is a general toolchain construct we explicitly disable. > Hmm. I'm still at best half convinced. Plus we generally have been > naming our shorthands after the actual attribute names. By using > "cfi" such a connection would also be largely lost. Roger, Wei, > others - do you opinions either way? My point is this. Doing nothing is my easiest option. But if anyone has length/alternative suggestions, dealing with them now is going to be infinitely easier than once this series is committed. ~Andrew
On 16.02.2022 22:59, Andrew Cooper wrote: > On 14/02/2022 14:38, Jan Beulich wrote: >> On 14.02.2022 15:15, Andrew Cooper wrote: >>> On 14/02/2022 13:43, Jan Beulich wrote: >>>> On 14.02.2022 14:10, Andrew Cooper wrote: >>>>> On 14/02/2022 12:50, Andrew Cooper wrote: >>>>>> CET Indirect Branch Tracking is a hardware feature designed to protect against >>>>>> forward-edge control flow hijacking (Call/Jump oriented programming), and is a >>>>>> companion feature to CET Shadow Stacks added in Xen 4.14. >>>>>> >>>>>> Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical >>>>>> annotations of function pointer targets. Patches 61 thru 70 are the final >>>>>> enablement of CET-IBT. >>>>>> >>>>>> This series functions correctly with GCC 9 and later, although an experimental >>>>>> GCC patch is required to get more helpful typechecking at build time. >>>>>> >>>>>> Tested on a TigerLake NUC. >>>>>> >>>>>> CI pipelines: >>>>>> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 >>>>>> https://cirrus-ci.com/build/4962308362338304 >>>>>> >>>>>> Major changes from v1: >>>>>> * Boilerplate for mechanical commits >>>>>> * UEFI runtime services unconditionally disable IBT >>>>>> * Comprehensive build time check for embedded endbr's >>>>> There's one thing I considered, and wanted to discuss. >>>>> >>>>> I'm tempted to rename cf_check to cfi for the function annotation, as >>>>> it's shorter without reducing clarity. >>>> What would the 'i' stand for in this acronym? >>> The class of techniques is called Control Flow Integrity. >>> >>>> Irrespective of the answer >>>> I'd like to point out the name collision with the CFI directives at >>>> assembler level. This isn't necessarily an objection (I'm certainly for >>>> shortening), but we want to avoid introducing confusion. >>> I doubt there is confusion to be had here. One is entirely a compiler >>> construct which turns into ENDBR64 instructions in the assembler, and >>> one is a general toolchain construct we explicitly disable. >> Hmm. I'm still at best half convinced. Plus we generally have been >> naming our shorthands after the actual attribute names. By using >> "cfi" such a connection would also be largely lost. Roger, Wei, >> others - do you opinions either way? > > My point is this. Doing nothing is my easiest option. > > But if anyone has length/alternative suggestions, dealing with them now > is going to be infinitely easier than once this series is committed. Understood. My personal preference then is to stick with cf_check. Jan
CET Indirect Branch Tracking is a hardware feature designed to protect against forward-edge control flow hijacking (Call/Jump oriented programming), and is a companion feature to CET Shadow Stacks added in Xen 4.14. Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly mechanical annotations of function pointer targets. Patches 61 thru 70 are the final enablement of CET-IBT. This series functions correctly with GCC 9 and later, although an experimental GCC patch is required to get more helpful typechecking at build time. Tested on a TigerLake NUC. CI pipelines: https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 https://cirrus-ci.com/build/4962308362338304 Major changes from v1: * Boilerplate for mechanical commits * UEFI runtime services unconditionally disable IBT * Comprehensive build time check for embedded endbr's Andrew Cooper (67): xen/domain: Improve pirq handling xen/sort: Switch to an extern inline implementation xen/xsm: Move {do,compat}_flask_op() declarations into a header x86: Introduce support for CET-IBT xen: CFI hardening for x86 hypercalls xen: CFI hardening for custom_param() xen: CFI hardening for __initcall() xen: CFI hardening for notifier callbacks xen: CFI hardening for acpi_table_parse() xen: CFI hardening for continue_hypercall_on_cpu() xen: CFI hardening for init_timer() xen: CFI hardening for call_rcu() xen: CFI hardening for IPIs xen: CFI hardening for open_softirq() xsm/flask/ss: CFI hardening xsm: CFI hardening xen/sched: CFI hardening xen/evtchn: CFI hardening xen/hypfs: CFI hardening xen/tasklet: CFI hardening xen/keyhandler: CFI hardening xen/vpci: CFI hardening xen/decompress: CFI hardening xen/iommu: CFI hardening xen/video: CFI hardening xen/console: CFI hardening xen/misc: CFI hardening x86: CFI hardening for request_irq() x86/hvm: CFI hardening for hvm_funcs x86/hvm: CFI hardening for device emulation x86/emul: CFI hardening x86/ucode: CFI hardening x86/power: CFI hardening x86/apic: CFI hardening x86/nmi: CFI hardening x86/mtrr: CFI hardening x86/idle: CFI hardening x86/quirks: CFI hardening x86/hvmsave: CFI hardening x86/mce: CFI hardening x86/pmu: CFI hardening x86/cpu: CFI hardening x86/guest: CFI hardening x86/logdirty: CFI hardening x86/shadow: CFI hardening x86/hap: CFI hardening x86/p2m: CFI hardening x86/irq: CFI hardening x86/apei: CFI hardening x86/psr: CFI hardening x86/dpci: CFI hardening x86/pt: CFI hardening x86/time: CFI hardening x86/misc: CFI hardening x86/stack: CFI hardening x86/bugframe: CFI hardening x86: Use control flow typechecking where possible x86/setup: Read CR4 earlier in __start_xen() x86/alternatives: Clear CR4.CET when clearing CR0.WP x86/traps: Rework write_stub_trampoline() to not hardcode the jmp x86: Introduce helpers/checks for endbr64 instructions x86/emul: Update emulation stubs to be CET-IBT compatible x86/entry: Make syscall/sysenter entrypoints CET-IBT compatible x86/entry: Make IDT entrypoints CET-IBT compatible x86/setup: Rework MSR_S_CET handling for CET-IBT x86/efi: Disable CET-IBT around Runtime Services calls x86: Enable CET Indirect Branch Tracking Juergen Gross (2): x86/pv-shim: Don't modify the hypercall table x86: Don't use the hypercall table for calling compat hypercalls Marek Marczykowski-Górecki (1): x86: Build check for embedded endbr64 instructions Config.mk | 1 - docs/misc/xen-command-line.pandoc | 16 +- tools/firmware/Makefile | 2 + tools/libs/guest/xg_dom_decompress_unsafe.h | 2 + tools/tests/x86_emulator/x86-emulate.h | 2 + xen/arch/arm/bootfdt.c | 9 +- xen/arch/arm/io.c | 9 +- xen/arch/x86/Kconfig | 17 ++ xen/arch/x86/Makefile | 3 + xen/arch/x86/acpi/boot.c | 24 +- xen/arch/x86/acpi/cpu_idle.c | 43 ++- xen/arch/x86/acpi/cpufreq/cpufreq.c | 24 +- xen/arch/x86/acpi/cpufreq/powernow.c | 21 +- xen/arch/x86/acpi/cpuidle_menu.c | 6 +- xen/arch/x86/acpi/lib.c | 2 +- xen/arch/x86/acpi/power.c | 4 +- xen/arch/x86/acpi/wakeup_prot.S | 38 ++- xen/arch/x86/alternative.c | 13 +- xen/arch/x86/apic.c | 12 +- xen/arch/x86/arch.mk | 7 + xen/arch/x86/boot/x86_64.S | 30 +- xen/arch/x86/compat.c | 21 +- xen/arch/x86/cpu/amd.c | 8 +- xen/arch/x86/cpu/centaur.c | 2 +- xen/arch/x86/cpu/common.c | 3 +- xen/arch/x86/cpu/cpu.h | 2 +- xen/arch/x86/cpu/hygon.c | 2 +- xen/arch/x86/cpu/intel.c | 6 +- xen/arch/x86/cpu/mcheck/amd_nonfatal.c | 4 +- xen/arch/x86/cpu/mcheck/mce.c | 22 +- xen/arch/x86/cpu/mcheck/mce.h | 2 +- xen/arch/x86/cpu/mcheck/mce_amd.c | 9 +- xen/arch/x86/cpu/mcheck/mce_amd.h | 4 +- xen/arch/x86/cpu/mcheck/mce_intel.c | 49 ++-- xen/arch/x86/cpu/mcheck/non-fatal.c | 6 +- xen/arch/x86/cpu/mcheck/vmce.c | 4 +- xen/arch/x86/cpu/microcode/amd.c | 9 +- xen/arch/x86/cpu/microcode/core.c | 15 +- xen/arch/x86/cpu/microcode/intel.c | 10 +- xen/arch/x86/cpu/mtrr/generic.c | 20 +- xen/arch/x86/cpu/mtrr/main.c | 4 +- xen/arch/x86/cpu/mtrr/mtrr.h | 8 +- xen/arch/x86/cpu/mwait-idle.c | 12 +- xen/arch/x86/cpu/shanghai.c | 2 +- xen/arch/x86/cpu/vpmu.c | 13 +- xen/arch/x86/cpu/vpmu_amd.c | 16 +- xen/arch/x86/cpu/vpmu_intel.c | 16 +- xen/arch/x86/cpuid.c | 8 +- xen/arch/x86/crash.c | 7 +- xen/arch/x86/dmi_scan.c | 10 +- xen/arch/x86/dom0_build.c | 8 +- xen/arch/x86/domain.c | 16 +- xen/arch/x86/emul-i8254.c | 14 +- xen/arch/x86/extable.c | 18 +- xen/arch/x86/genapic/bigsmp.c | 4 +- xen/arch/x86/genapic/delivery.c | 12 +- xen/arch/x86/genapic/probe.c | 2 +- xen/arch/x86/genapic/x2apic.c | 18 +- xen/arch/x86/guest/hyperv/hyperv.c | 10 +- xen/arch/x86/guest/xen/xen.c | 15 +- xen/arch/x86/hpet.c | 29 +- xen/arch/x86/hvm/dm.c | 5 +- xen/arch/x86/hvm/dom0_build.c | 16 +- xen/arch/x86/hvm/emulate.c | 93 +++--- xen/arch/x86/hvm/hpet.c | 12 +- xen/arch/x86/hvm/hvm.c | 47 ++-- xen/arch/x86/hvm/hypercall.c | 5 +- xen/arch/x86/hvm/intercept.c | 28 +- xen/arch/x86/hvm/io.c | 38 +-- xen/arch/x86/hvm/ioreq.c | 2 +- xen/arch/x86/hvm/irq.c | 16 +- xen/arch/x86/hvm/mtrr.c | 8 +- xen/arch/x86/hvm/nestedhvm.c | 6 +- xen/arch/x86/hvm/pmtimer.c | 10 +- xen/arch/x86/hvm/quirks.c | 4 +- xen/arch/x86/hvm/rtc.c | 18 +- xen/arch/x86/hvm/stdvga.c | 19 +- xen/arch/x86/hvm/svm/nestedsvm.c | 22 +- xen/arch/x86/hvm/svm/svm.c | 404 ++++++++++++++------------- xen/arch/x86/hvm/svm/vmcb.c | 2 +- xen/arch/x86/hvm/vioapic.c | 12 +- xen/arch/x86/hvm/viridian/time.c | 2 +- xen/arch/x86/hvm/viridian/viridian.c | 17 +- xen/arch/x86/hvm/vlapic.c | 25 +- xen/arch/x86/hvm/vmsi.c | 16 +- xen/arch/x86/hvm/vmx/intr.c | 2 +- xen/arch/x86/hvm/vmx/vmcs.c | 22 +- xen/arch/x86/hvm/vmx/vmx.c | 155 +++++----- xen/arch/x86/hvm/vmx/vvmx.c | 16 +- xen/arch/x86/hvm/vpic.c | 8 +- xen/arch/x86/hvm/vpt.c | 2 +- xen/arch/x86/i8259.c | 10 +- xen/arch/x86/include/asm/asm-defns.h | 6 + xen/arch/x86/include/asm/bug.h | 10 +- xen/arch/x86/include/asm/cpufeature.h | 1 + xen/arch/x86/include/asm/cpufeatures.h | 1 + xen/arch/x86/include/asm/cpuidle.h | 4 +- xen/arch/x86/include/asm/current.h | 6 +- xen/arch/x86/include/asm/endbr.h | 53 ++++ xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/genapic.h | 18 +- xen/arch/x86/include/asm/hpet.h | 8 +- xen/arch/x86/include/asm/hvm/emulate.h | 8 +- xen/arch/x86/include/asm/hvm/save.h | 2 +- xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 18 +- xen/arch/x86/include/asm/hvm/svm/svm.h | 1 - xen/arch/x86/include/asm/hvm/vioapic.h | 2 +- xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 8 +- xen/arch/x86/include/asm/hvm/vmx/vmx.h | 4 +- xen/arch/x86/include/asm/hvm/vmx/vvmx.h | 18 +- xen/arch/x86/include/asm/hypercall.h | 81 +++--- xen/arch/x86/include/asm/irq.h | 24 +- xen/arch/x86/include/asm/mm.h | 16 +- xen/arch/x86/include/asm/msi.h | 8 +- xen/arch/x86/include/asm/msr-index.h | 1 + xen/arch/x86/include/asm/mtrr.h | 2 +- xen/arch/x86/include/asm/p2m.h | 4 +- xen/arch/x86/include/asm/paging.h | 2 +- xen/arch/x86/include/asm/processor.h | 4 +- xen/arch/x86/include/asm/pv/domain.h | 4 +- xen/arch/x86/include/asm/pv/shim.h | 7 +- xen/arch/x86/include/asm/shadow.h | 2 +- xen/arch/x86/include/asm/smp.h | 6 +- xen/arch/x86/include/asm/tboot.h | 2 +- xen/arch/x86/include/asm/time.h | 6 +- xen/arch/x86/io_apic.c | 28 +- xen/arch/x86/ioport_emulate.c | 4 +- xen/arch/x86/irq.c | 28 +- xen/arch/x86/livepatch.c | 2 +- xen/arch/x86/mm.c | 35 +-- xen/arch/x86/mm/hap/guest_walk.c | 4 +- xen/arch/x86/mm/hap/hap.c | 29 +- xen/arch/x86/mm/hap/nested_hap.c | 2 +- xen/arch/x86/mm/hap/private.h | 30 +- xen/arch/x86/mm/mem_sharing.c | 2 +- xen/arch/x86/mm/p2m-ept.c | 34 ++- xen/arch/x86/mm/p2m-pt.c | 19 +- xen/arch/x86/mm/paging.c | 3 +- xen/arch/x86/mm/shadow/common.c | 33 +-- xen/arch/x86/mm/shadow/hvm.c | 16 +- xen/arch/x86/mm/shadow/multi.c | 80 +++--- xen/arch/x86/mm/shadow/multi.h | 20 +- xen/arch/x86/mm/shadow/private.h | 12 +- xen/arch/x86/mm/shadow/pv.c | 4 +- xen/arch/x86/msi.c | 18 +- xen/arch/x86/nmi.c | 16 +- xen/arch/x86/numa.c | 10 +- xen/arch/x86/oprofile/nmi_int.c | 16 +- xen/arch/x86/oprofile/op_model_athlon.c | 18 +- xen/arch/x86/oprofile/op_model_p4.c | 14 +- xen/arch/x86/oprofile/op_model_ppro.c | 26 +- xen/arch/x86/percpu.c | 6 +- xen/arch/x86/physdev.c | 2 +- xen/arch/x86/platform_hypercall.c | 11 +- xen/arch/x86/psr.c | 41 +-- xen/arch/x86/pv/callback.c | 25 +- xen/arch/x86/pv/descriptor-tables.c | 14 +- xen/arch/x86/pv/domain.c | 12 +- xen/arch/x86/pv/emul-gate-op.c | 9 +- xen/arch/x86/pv/emul-priv-op.c | 71 +++-- xen/arch/x86/pv/emulate.h | 7 - xen/arch/x86/pv/hypercall.c | 11 +- xen/arch/x86/pv/iret.c | 4 +- xen/arch/x86/pv/misc-hypercalls.c | 10 +- xen/arch/x86/pv/ro-page-fault.c | 31 +- xen/arch/x86/pv/shim.c | 60 ++-- xen/arch/x86/pv/traps.c | 2 +- xen/arch/x86/setup.c | 80 ++++-- xen/arch/x86/shutdown.c | 10 +- xen/arch/x86/smp.c | 20 +- xen/arch/x86/smpboot.c | 2 +- xen/arch/x86/spec_ctrl.c | 6 +- xen/arch/x86/srat.c | 4 +- xen/arch/x86/sysctl.c | 4 +- xen/arch/x86/tboot.c | 2 +- xen/arch/x86/time.c | 68 ++--- xen/arch/x86/traps.c | 8 +- xen/arch/x86/tsx.c | 2 +- xen/arch/x86/x86_64/acpi_mmcfg.c | 2 +- xen/arch/x86/x86_64/compat.c | 1 - xen/arch/x86/x86_64/compat/entry.S | 1 + xen/arch/x86/x86_64/compat/mm.c | 7 +- xen/arch/x86/x86_64/entry.S | 49 +++- xen/arch/x86/x86_64/mmconfig-shared.c | 10 +- xen/arch/x86/x86_64/mmconfig.h | 2 +- xen/arch/x86/x86_64/platform_hypercall.c | 2 +- xen/arch/x86/x86_64/traps.c | 42 ++- xen/arch/x86/x86_emulate.c | 34 ++- xen/arch/x86/x86_emulate/x86_emulate.c | 10 +- xen/arch/x86/x86_emulate/x86_emulate.h | 33 +-- xen/common/argo.c | 6 +- xen/common/bunzip2.c | 2 +- xen/common/compat/domain.c | 3 +- xen/common/compat/grant_table.c | 5 +- xen/common/compat/kernel.c | 2 +- xen/common/compat/memory.c | 7 +- xen/common/compat/multicall.c | 3 +- xen/common/core_parking.c | 10 +- xen/common/cpu.c | 4 +- xen/common/debugtrace.c | 10 +- xen/common/decompress.c | 2 +- xen/common/dm.c | 6 +- xen/common/domain.c | 73 ++--- xen/common/domctl.c | 2 +- xen/common/efi/boot.c | 6 +- xen/common/efi/runtime.c | 18 ++ xen/common/event_2l.c | 21 +- xen/common/event_channel.c | 18 +- xen/common/event_fifo.c | 30 +- xen/common/gdbstub.c | 9 +- xen/common/grant_table.c | 29 +- xen/common/hypfs.c | 63 ++--- xen/common/irq.c | 6 +- xen/common/kernel.c | 6 +- xen/common/kexec.c | 18 +- xen/common/keyhandler.c | 47 ++-- xen/common/livepatch.c | 15 +- xen/common/memory.c | 8 +- xen/common/multicall.c | 2 +- xen/common/page_alloc.c | 14 +- xen/common/perfc.c | 4 +- xen/common/radix-tree.c | 8 +- xen/common/random.c | 2 +- xen/common/rangeset.c | 2 +- xen/common/rcupdate.c | 8 +- xen/common/sched/arinc653.c | 20 +- xen/common/sched/compat.c | 2 +- xen/common/sched/core.c | 40 +-- xen/common/sched/cpupool.c | 35 +-- xen/common/sched/credit.c | 59 ++-- xen/common/sched/credit2.c | 55 ++-- xen/common/sched/null.c | 60 ++-- xen/common/sched/rt.c | 47 ++-- xen/common/spinlock.c | 12 +- xen/common/stop_machine.c | 6 +- xen/common/sysctl.c | 2 +- xen/common/tasklet.c | 4 +- xen/common/timer.c | 6 +- xen/common/trace.c | 4 +- xen/common/unlzma.c | 2 +- xen/common/vm_event.c | 6 +- xen/common/xenoprof.c | 2 +- xen/common/xmalloc_tlsf.c | 4 +- xen/common/zstd/zstd_common.c | 4 +- xen/common/zstd/zstd_internal.h | 4 +- xen/drivers/acpi/apei/apei-base.c | 32 +-- xen/drivers/acpi/apei/apei-internal.h | 20 +- xen/drivers/acpi/apei/erst.c | 57 ++-- xen/drivers/acpi/apei/hest.c | 4 +- xen/drivers/acpi/numa.c | 10 +- xen/drivers/acpi/tables.c | 2 +- xen/drivers/char/console.c | 36 +-- xen/drivers/char/ehci-dbgp.c | 28 +- xen/drivers/char/ns16550.c | 34 +-- xen/drivers/cpufreq/cpufreq.c | 6 +- xen/drivers/cpufreq/cpufreq_misc_governors.c | 22 +- xen/drivers/cpufreq/cpufreq_ondemand.c | 10 +- xen/drivers/passthrough/amd/iommu.h | 45 +-- xen/drivers/passthrough/amd/iommu_acpi.c | 15 +- xen/drivers/passthrough/amd/iommu_guest.c | 12 +- xen/drivers/passthrough/amd/iommu_init.c | 49 ++-- xen/drivers/passthrough/amd/iommu_intr.c | 20 +- xen/drivers/passthrough/amd/iommu_map.c | 22 +- xen/drivers/passthrough/amd/pci_amd_iommu.c | 32 +-- xen/drivers/passthrough/iommu.c | 56 ++-- xen/drivers/passthrough/pci.c | 18 +- xen/drivers/passthrough/vtd/dmar.c | 7 +- xen/drivers/passthrough/vtd/extern.h | 38 +-- xen/drivers/passthrough/vtd/intremap.c | 14 +- xen/drivers/passthrough/vtd/iommu.c | 96 +++---- xen/drivers/passthrough/vtd/qinval.c | 28 +- xen/drivers/passthrough/vtd/quirks.c | 2 +- xen/drivers/passthrough/vtd/utils.c | 2 +- xen/drivers/passthrough/vtd/x86/hvm.c | 4 +- xen/drivers/passthrough/x86/hvm.c | 14 +- xen/drivers/video/lfb.c | 4 +- xen/drivers/video/lfb.h | 4 +- xen/drivers/video/vesa.c | 6 +- xen/drivers/video/vga.c | 6 +- xen/drivers/vpci/header.c | 18 +- xen/drivers/vpci/msi.c | 42 +-- xen/drivers/vpci/msix.c | 20 +- xen/drivers/vpci/vpci.c | 16 +- xen/include/acpi/cpufreq/cpufreq.h | 1 - xen/include/xen/acpi.h | 2 +- xen/include/xen/compiler.h | 6 + xen/include/xen/domain.h | 1 - xen/include/xen/hypercall.h | 69 ++--- xen/include/xen/hypfs.h | 49 ++-- xen/include/xen/irq.h | 6 +- xen/include/xen/lib.h | 2 +- xen/include/xen/perfc.h | 4 +- xen/include/xen/sched.h | 2 +- xen/include/xen/sort.h | 55 +++- xen/include/xen/spinlock.h | 4 +- xen/include/xen/vpci.h | 8 +- xen/include/xsm/dummy.h | 211 +++++++------- xen/lib/sort.c | 80 +----- xen/tools/check-endbr.sh | 76 +++++ xen/xsm/flask/avc.c | 2 +- xen/xsm/flask/flask_op.c | 8 +- xen/xsm/flask/hooks.c | 236 +++++++++------- xen/xsm/flask/private.h | 9 + xen/xsm/flask/ss/avtab.c | 4 +- xen/xsm/flask/ss/conditional.c | 10 +- xen/xsm/flask/ss/conditional.h | 6 +- xen/xsm/flask/ss/policydb.c | 53 ++-- xen/xsm/flask/ss/services.c | 6 +- xen/xsm/flask/ss/symtab.c | 5 +- xen/xsm/silo.c | 24 +- xen/xsm/xsm_core.c | 6 +- 311 files changed, 3220 insertions(+), 2743 deletions(-) create mode 100644 xen/arch/x86/include/asm/endbr.h create mode 100755 xen/tools/check-endbr.sh create mode 100644 xen/xsm/flask/private.h