Message ID | 20220222152645.8844-1-andrew.cooper3@citrix.com (mailing list archive) |
---|---|
Series | x86: Support for CET Indirect Branch Tracking |
On 22.02.2022 16:26, Andrew Cooper wrote:
> To avoid spamming everyone, I have only re-sent patches with changes in v3.

Could you enumerate which ones these are? Otherwise it's hard to tell
whether everything you did send did arrive in the recipients' mailboxes.

Thanks,
Jan

> CET Indirect Branch Tracking is a hardware feature designed to protect against
> forward-edge control flow hijacking (Call/Jump oriented programming), and is a
> companion feature to CET Shadow Stacks added in Xen 4.14.
>
> Patches 1 thru 5 are prerequisites. Patches 6 thru 59 are fairly mechanical
> annotations of function pointer targets. Patches 60 thru 70 are the final
> enablement of CET-IBT.
>
> This series functions correctly with GCC 9 and later, although an experimental
> GCC patch is required to get more helpful typechecking at build time. A
> container with this fix has been added to CI.
>
> Tested on a TigerLake NUC by me, and by Marek also.
>
> CI pipelines:
>   https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/476819536
>   https://cirrus-ci.com/build/4634902334275584
>
> Andrew Cooper (67):
>   xen/sort: Switch to an extern inline implementation
>   xen/xsm: Move {do,compat}_flask_op() declarations into a header
>   x86/kexec: Annotate embedded data with ELF metadata
>   x86: Introduce support for CET-IBT
>   xen: CFI hardening for x86 hypercalls
>   xen: CFI hardening for custom_param()
>   xen: CFI hardening for __initcall()
>   xen: CFI hardening for notifier callbacks
>   xen: CFI hardening for acpi_table_parse()
>   xen: CFI hardening for continue_hypercall_on_cpu()
>   xen: CFI hardening for init_timer()
>   xen: CFI hardening for call_rcu()
>   xen: CFI hardening for IPIs
>   xen: CFI hardening for open_softirq()
>   xsm/flask/ss: CFI hardening
>   xsm: CFI hardening
>   xen/sched: CFI hardening
>   xen/evtchn: CFI hardening
>   xen/hypfs: CFI hardening
>   xen/tasklet: CFI hardening
>   xen/keyhandler: CFI hardening
>   xen/vpci: CFI hardening
>   xen/decompress: CFI hardening
>   xen/iommu: CFI hardening
>   xen/video: CFI hardening
>   xen/console: CFI hardening
>   xen/misc: CFI hardening
>   x86: CFI hardening for request_irq()
>   x86/hvm: CFI hardening for hvm_funcs
>   x86/hvm: CFI hardening for device emulation
>   x86/emul: CFI hardening
>   x86/ucode: CFI hardening
>   x86/power: CFI hardening
>   x86/apic: CFI hardening
>   x86/nmi: CFI hardening
>   x86/mtrr: CFI hardening
>   x86/idle: CFI hardening
>   x86/quirks: CFI hardening
>   x86/hvmsave: CFI hardening
>   x86/mce: CFI hardening
>   x86/pmu: CFI hardening
>   x86/cpu: CFI hardening
>   x86/guest: CFI hardening
>   x86/logdirty: CFI hardening
>   x86/shadow: CFI hardening
>   x86/hap: CFI hardening
>   x86/p2m: CFI hardening
>   x86/irq: CFI hardening
>   x86/apei: CFI hardening
>   x86/psr: CFI hardening
>   x86/dpci: CFI hardening
>   x86/pt: CFI hardening
>   x86/time: CFI hardening
>   x86/misc: CFI hardening
>   x86/stack: CFI hardening
>   x86/bugframe: CFI hardening
>   x86: Use control flow typechecking where possible
>   x86/setup: Read CR4 earlier in __start_xen()
>   x86/alternatives: Clear CR4.CET when clearing CR0.WP
>   x86/traps: Rework write_stub_trampoline() to not hardcode the jmp
>   x86: Introduce helpers/checks for endbr64 instructions
>   x86/emul: Update emulation stubs to be CET-IBT compatible
>   x86/entry: Make syscall/sysenter entrypoints CET-IBT compatible
>   x86/entry: Make IDT entrypoints CET-IBT compatible
>   x86/setup: Rework MSR_S_CET handling for CET-IBT
>   x86/efi: Disable CET-IBT around Runtime Services calls
>   x86: Enable CET Indirect Branch Tracking
>
> Juergen Gross (2):
>   x86/pv-shim: Don't modify the hypercall table
>   x86: Don't use the hypercall table for calling compat hypercalls
>
> Marek Marczykowski-Górecki (1):
>   x86: Build check for embedded endbr64 instructions
>
>  Config.mk | 1 -
>  README | 1 +
>  automation/build/debian/buster-gcc-ibt.dockerfile | 66 ++++
>  automation/gitlab-ci/build.yaml | 6 +
>  automation/scripts/containerize | 1 +
>  docs/misc/xen-command-line.pandoc | 16 +-
>  tools/firmware/Makefile | 2 +
>  tools/libs/guest/xg_dom_decompress_unsafe.h | 2 +
>  tools/tests/x86_emulator/x86-emulate.h | 2 +
>  xen/arch/arm/bootfdt.c | 9 +-
>  xen/arch/arm/io.c | 9 +-
>  xen/arch/x86/Kconfig | 17 +
>  xen/arch/x86/Makefile | 6 +
>  xen/arch/x86/acpi/boot.c | 24 +-
>  xen/arch/x86/acpi/cpu_idle.c | 43 ++-
>  xen/arch/x86/acpi/cpufreq/cpufreq.c | 24 +-
>  xen/arch/x86/acpi/cpufreq/powernow.c | 21 +-
>  xen/arch/x86/acpi/cpuidle_menu.c | 6 +-
>  xen/arch/x86/acpi/lib.c | 2 +-
>  xen/arch/x86/acpi/power.c | 4 +-
>  xen/arch/x86/acpi/wakeup_prot.S | 38 +-
>  xen/arch/x86/alternative.c | 13 +-
>  xen/arch/x86/apic.c | 12 +-
>  xen/arch/x86/arch.mk | 7 +
>  xen/arch/x86/boot/x86_64.S | 30 +-
>  xen/arch/x86/compat.c | 21 +-
>  xen/arch/x86/configs/pvshim_defconfig | 1 +
>  xen/arch/x86/cpu/amd.c | 8 +-
>  xen/arch/x86/cpu/centaur.c | 2 +-
>  xen/arch/x86/cpu/common.c | 3 +-
>  xen/arch/x86/cpu/cpu.h | 2 +-
>  xen/arch/x86/cpu/hygon.c | 2 +-
>  xen/arch/x86/cpu/intel.c | 6 +-
>  xen/arch/x86/cpu/mcheck/amd_nonfatal.c | 4 +-
>  xen/arch/x86/cpu/mcheck/mce.c | 22 +-
>  xen/arch/x86/cpu/mcheck/mce.h | 2 +-
>  xen/arch/x86/cpu/mcheck/mce_amd.c | 9 +-
>  xen/arch/x86/cpu/mcheck/mce_amd.h | 4 +-
>  xen/arch/x86/cpu/mcheck/mce_intel.c | 49 ++-
>  xen/arch/x86/cpu/mcheck/non-fatal.c | 6 +-
>  xen/arch/x86/cpu/mcheck/vmce.c | 4 +-
>  xen/arch/x86/cpu/microcode/amd.c | 9 +-
>  xen/arch/x86/cpu/microcode/core.c | 15 +-
>  xen/arch/x86/cpu/microcode/intel.c | 10 +-
>  xen/arch/x86/cpu/mtrr/generic.c | 20 +-
>  xen/arch/x86/cpu/mtrr/main.c | 4 +-
>  xen/arch/x86/cpu/mtrr/mtrr.h | 8 +-
>  xen/arch/x86/cpu/mwait-idle.c | 12 +-
>  xen/arch/x86/cpu/shanghai.c | 2 +-
>  xen/arch/x86/cpu/vpmu.c | 13 +-
>  xen/arch/x86/cpu/vpmu_amd.c | 16 +-
>  xen/arch/x86/cpu/vpmu_intel.c | 16 +-
>  xen/arch/x86/cpuid.c | 8 +-
>  xen/arch/x86/crash.c | 7 +-
>  xen/arch/x86/dmi_scan.c | 10 +-
>  xen/arch/x86/dom0_build.c | 8 +-
>  xen/arch/x86/domain.c | 16 +-
>  xen/arch/x86/emul-i8254.c | 14 +-
>  xen/arch/x86/extable.c | 18 +-
>  xen/arch/x86/genapic/bigsmp.c | 4 +-
>  xen/arch/x86/genapic/delivery.c | 12 +-
>  xen/arch/x86/genapic/probe.c | 2 +-
>  xen/arch/x86/genapic/x2apic.c | 18 +-
>  xen/arch/x86/guest/hyperv/hyperv.c | 10 +-
>  xen/arch/x86/guest/xen/xen.c | 15 +-
>  xen/arch/x86/hpet.c | 29 +-
>  xen/arch/x86/hvm/dm.c | 5 +-
>  xen/arch/x86/hvm/dom0_build.c | 16 +-
>  xen/arch/x86/hvm/emulate.c | 93 +++--
>  xen/arch/x86/hvm/hpet.c | 12 +-
>  xen/arch/x86/hvm/hvm.c | 47 +--
>  xen/arch/x86/hvm/hypercall.c | 5 +-
>  xen/arch/x86/hvm/intercept.c | 28 +-
>  xen/arch/x86/hvm/io.c | 38 +-
>  xen/arch/x86/hvm/ioreq.c | 2 +-
>  xen/arch/x86/hvm/irq.c | 16 +-
>  xen/arch/x86/hvm/mtrr.c | 8 +-
>  xen/arch/x86/hvm/nestedhvm.c | 6 +-
>  xen/arch/x86/hvm/pmtimer.c | 10 +-
>  xen/arch/x86/hvm/quirks.c | 4 +-
>  xen/arch/x86/hvm/rtc.c | 18 +-
>  xen/arch/x86/hvm/stdvga.c | 19 +-
>  xen/arch/x86/hvm/svm/nestedsvm.c | 22 +-
>  xen/arch/x86/hvm/svm/svm.c | 404 +++++++++++-----------
>  xen/arch/x86/hvm/svm/vmcb.c | 2 +-
>  xen/arch/x86/hvm/vioapic.c | 12 +-
>  xen/arch/x86/hvm/viridian/time.c | 2 +-
>  xen/arch/x86/hvm/viridian/viridian.c | 17 +-
>  xen/arch/x86/hvm/vlapic.c | 25 +-
>  xen/arch/x86/hvm/vmsi.c | 16 +-
>  xen/arch/x86/hvm/vmx/intr.c | 2 +-
>  xen/arch/x86/hvm/vmx/vmcs.c | 22 +-
>  xen/arch/x86/hvm/vmx/vmx.c | 155 +++++----
>  xen/arch/x86/hvm/vmx/vvmx.c | 16 +-
>  xen/arch/x86/hvm/vpic.c | 8 +-
>  xen/arch/x86/hvm/vpt.c | 2 +-
>  xen/arch/x86/i8259.c | 10 +-
>  xen/arch/x86/include/asm/asm-defns.h | 6 +
>  xen/arch/x86/include/asm/bug.h | 10 +-
>  xen/arch/x86/include/asm/cpufeature.h | 1 +
>  xen/arch/x86/include/asm/cpufeatures.h | 1 +
>  xen/arch/x86/include/asm/cpuidle.h | 4 +-
>  xen/arch/x86/include/asm/current.h | 6 +-
>  xen/arch/x86/include/asm/endbr.h | 55 +++
>  xen/arch/x86/include/asm/flushtlb.h | 2 +-
>  xen/arch/x86/include/asm/genapic.h | 18 +-
>  xen/arch/x86/include/asm/hpet.h | 8 +-
>  xen/arch/x86/include/asm/hvm/emulate.h | 8 +-
>  xen/arch/x86/include/asm/hvm/save.h | 2 +-
>  xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 18 +-
>  xen/arch/x86/include/asm/hvm/svm/svm.h | 1 -
>  xen/arch/x86/include/asm/hvm/vioapic.h | 2 +-
>  xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 8 +-
>  xen/arch/x86/include/asm/hvm/vmx/vmx.h | 4 +-
>  xen/arch/x86/include/asm/hvm/vmx/vvmx.h | 18 +-
>  xen/arch/x86/include/asm/hypercall.h | 81 +++--
>  xen/arch/x86/include/asm/irq.h | 24 +-
>  xen/arch/x86/include/asm/machine_kexec.h | 2 +-
>  xen/arch/x86/include/asm/mm.h | 16 +-
>  xen/arch/x86/include/asm/msi.h | 8 +-
>  xen/arch/x86/include/asm/msr-index.h | 1 +
>  xen/arch/x86/include/asm/mtrr.h | 2 +-
>  xen/arch/x86/include/asm/p2m.h | 4 +-
>  xen/arch/x86/include/asm/paging.h | 2 +-
>  xen/arch/x86/include/asm/processor.h | 4 +-
>  xen/arch/x86/include/asm/pv/domain.h | 4 +-
>  xen/arch/x86/include/asm/pv/shim.h | 11 +-
>  xen/arch/x86/include/asm/shadow.h | 2 +-
>  xen/arch/x86/include/asm/smp.h | 6 +-
>  xen/arch/x86/include/asm/tboot.h | 2 +-
>  xen/arch/x86/include/asm/time.h | 6 +-
>  xen/arch/x86/io_apic.c | 28 +-
>  xen/arch/x86/ioport_emulate.c | 4 +-
>  xen/arch/x86/irq.c | 28 +-
>  xen/arch/x86/livepatch.c | 2 +-
>  xen/arch/x86/machine_kexec.c | 2 +-
>  xen/arch/x86/mm.c | 35 +-
>  xen/arch/x86/mm/hap/guest_walk.c | 4 +-
>  xen/arch/x86/mm/hap/hap.c | 29 +-
>  xen/arch/x86/mm/hap/nested_hap.c | 2 +-
>  xen/arch/x86/mm/hap/private.h | 30 +-
>  xen/arch/x86/mm/mem_sharing.c | 2 +-
>  xen/arch/x86/mm/p2m-ept.c | 34 +-
>  xen/arch/x86/mm/p2m-pt.c | 19 +-
>  xen/arch/x86/mm/paging.c | 3 +-
>  xen/arch/x86/mm/shadow/common.c | 33 +-
>  xen/arch/x86/mm/shadow/hvm.c | 16 +-
>  xen/arch/x86/mm/shadow/multi.c | 80 +++--
>  xen/arch/x86/mm/shadow/multi.h | 20 +-
>  xen/arch/x86/mm/shadow/none.c | 20 +-
>  xen/arch/x86/mm/shadow/private.h | 12 +-
>  xen/arch/x86/mm/shadow/pv.c | 4 +-
>  xen/arch/x86/msi.c | 18 +-
>  xen/arch/x86/nmi.c | 16 +-
>  xen/arch/x86/numa.c | 10 +-
>  xen/arch/x86/oprofile/nmi_int.c | 16 +-
>  xen/arch/x86/oprofile/op_model_athlon.c | 18 +-
>  xen/arch/x86/oprofile/op_model_p4.c | 14 +-
>  xen/arch/x86/oprofile/op_model_ppro.c | 26 +-
>  xen/arch/x86/percpu.c | 6 +-
>  xen/arch/x86/physdev.c | 2 +-
>  xen/arch/x86/platform_hypercall.c | 11 +-
>  xen/arch/x86/psr.c | 41 +--
>  xen/arch/x86/pv/callback.c | 25 +-
>  xen/arch/x86/pv/descriptor-tables.c | 14 +-
>  xen/arch/x86/pv/domain.c | 12 +-
>  xen/arch/x86/pv/emul-gate-op.c | 9 +-
>  xen/arch/x86/pv/emul-priv-op.c | 71 ++--
>  xen/arch/x86/pv/emulate.h | 7 -
>  xen/arch/x86/pv/hypercall.c | 11 +-
>  xen/arch/x86/pv/iret.c | 4 +-
>  xen/arch/x86/pv/misc-hypercalls.c | 10 +-
>  xen/arch/x86/pv/ro-page-fault.c | 31 +-
>  xen/arch/x86/pv/shim.c | 60 ++--
>  xen/arch/x86/pv/traps.c | 2 +-
>  xen/arch/x86/setup.c | 80 ++++-
>  xen/arch/x86/shutdown.c | 10 +-
>  xen/arch/x86/smp.c | 20 +-
>  xen/arch/x86/smpboot.c | 2 +-
>  xen/arch/x86/spec_ctrl.c | 6 +-
>  xen/arch/x86/srat.c | 4 +-
>  xen/arch/x86/sysctl.c | 4 +-
>  xen/arch/x86/tboot.c | 2 +-
>  xen/arch/x86/time.c | 68 ++--
>  xen/arch/x86/traps.c | 8 +-
>  xen/arch/x86/tsx.c | 2 +-
>  xen/arch/x86/x86_64/acpi_mmcfg.c | 2 +-
>  xen/arch/x86/x86_64/compat.c | 1 -
>  xen/arch/x86/x86_64/compat/entry.S | 1 +
>  xen/arch/x86/x86_64/compat/mm.c | 7 +-
>  xen/arch/x86/x86_64/entry.S | 49 ++-
>  xen/arch/x86/x86_64/kexec_reloc.S | 23 +-
>  xen/arch/x86/x86_64/mmconfig-shared.c | 10 +-
>  xen/arch/x86/x86_64/mmconfig.h | 2 +-
>  xen/arch/x86/x86_64/platform_hypercall.c | 2 +-
>  xen/arch/x86/x86_64/traps.c | 42 ++-
>  xen/arch/x86/x86_emulate.c | 34 +-
>  xen/arch/x86/x86_emulate/x86_emulate.c | 10 +-
>  xen/arch/x86/x86_emulate/x86_emulate.h | 33 +-
>  xen/arch/x86/xen.lds.S | 3 +-
>  xen/common/argo.c | 6 +-
>  xen/common/bunzip2.c | 2 +-
>  xen/common/compat/domain.c | 3 +-
>  xen/common/compat/grant_table.c | 5 +-
>  xen/common/compat/kernel.c | 2 +-
>  xen/common/compat/memory.c | 7 +-
>  xen/common/compat/multicall.c | 3 +-
>  xen/common/core_parking.c | 10 +-
>  xen/common/coverage/gcov.c | 8 +-
>  xen/common/cpu.c | 4 +-
>  xen/common/debugtrace.c | 10 +-
>  xen/common/decompress.c | 2 +-
>  xen/common/dm.c | 6 +-
>  xen/common/domain.c | 15 +-
>  xen/common/domctl.c | 2 +-
>  xen/common/efi/boot.c | 6 +-
>  xen/common/efi/runtime.c | 18 +
>  xen/common/event_2l.c | 21 +-
>  xen/common/event_channel.c | 18 +-
>  xen/common/event_fifo.c | 30 +-
>  xen/common/gdbstub.c | 9 +-
>  xen/common/grant_table.c | 29 +-
>  xen/common/hypfs.c | 63 ++--
>  xen/common/irq.c | 6 +-
>  xen/common/kernel.c | 6 +-
>  xen/common/kexec.c | 18 +-
>  xen/common/keyhandler.c | 47 +--
>  xen/common/livepatch.c | 15 +-
>  xen/common/memory.c | 8 +-
>  xen/common/multicall.c | 2 +-
>  xen/common/page_alloc.c | 14 +-
>  xen/common/perfc.c | 4 +-
>  xen/common/radix-tree.c | 8 +-
>  xen/common/random.c | 2 +-
>  xen/common/rangeset.c | 2 +-
>  xen/common/rcupdate.c | 8 +-
>  xen/common/sched/arinc653.c | 20 +-
>  xen/common/sched/compat.c | 2 +-
>  xen/common/sched/core.c | 40 +--
>  xen/common/sched/cpupool.c | 35 +-
>  xen/common/sched/credit.c | 59 ++--
>  xen/common/sched/credit2.c | 55 ++-
>  xen/common/sched/null.c | 60 ++--
>  xen/common/sched/rt.c | 47 +--
>  xen/common/spinlock.c | 12 +-
>  xen/common/stop_machine.c | 6 +-
>  xen/common/sysctl.c | 2 +-
>  xen/common/tasklet.c | 4 +-
>  xen/common/timer.c | 6 +-
>  xen/common/trace.c | 4 +-
>  xen/common/unlzma.c | 2 +-
>  xen/common/vm_event.c | 6 +-
>  xen/common/xenoprof.c | 2 +-
>  xen/common/xmalloc_tlsf.c | 4 +-
>  xen/common/zstd/zstd_common.c | 4 +-
>  xen/common/zstd/zstd_internal.h | 4 +-
>  xen/drivers/acpi/apei/apei-base.c | 32 +-
>  xen/drivers/acpi/apei/apei-internal.h | 20 +-
>  xen/drivers/acpi/apei/erst.c | 57 ++-
>  xen/drivers/acpi/apei/hest.c | 4 +-
>  xen/drivers/acpi/numa.c | 10 +-
>  xen/drivers/acpi/tables.c | 2 +-
>  xen/drivers/char/console.c | 36 +-
>  xen/drivers/char/ehci-dbgp.c | 28 +-
>  xen/drivers/char/ns16550.c | 34 +-
>  xen/drivers/cpufreq/cpufreq.c | 6 +-
>  xen/drivers/cpufreq/cpufreq_misc_governors.c | 22 +-
>  xen/drivers/cpufreq/cpufreq_ondemand.c | 10 +-
>  xen/drivers/passthrough/amd/iommu.h | 45 +--
>  xen/drivers/passthrough/amd/iommu_acpi.c | 15 +-
>  xen/drivers/passthrough/amd/iommu_guest.c | 12 +-
>  xen/drivers/passthrough/amd/iommu_init.c | 49 +--
>  xen/drivers/passthrough/amd/iommu_intr.c | 20 +-
>  xen/drivers/passthrough/amd/iommu_map.c | 22 +-
>  xen/drivers/passthrough/amd/pci_amd_iommu.c | 32 +-
>  xen/drivers/passthrough/iommu.c | 56 ++-
>  xen/drivers/passthrough/pci.c | 18 +-
>  xen/drivers/passthrough/vtd/dmar.c | 7 +-
>  xen/drivers/passthrough/vtd/extern.h | 38 +-
>  xen/drivers/passthrough/vtd/intremap.c | 14 +-
>  xen/drivers/passthrough/vtd/iommu.c | 94 ++---
>  xen/drivers/passthrough/vtd/qinval.c | 28 +-
>  xen/drivers/passthrough/vtd/quirks.c | 2 +-
>  xen/drivers/passthrough/vtd/utils.c | 2 +-
>  xen/drivers/passthrough/vtd/x86/hvm.c | 4 +-
>  xen/drivers/passthrough/x86/hvm.c | 14 +-
>  xen/drivers/video/lfb.c | 4 +-
>  xen/drivers/video/lfb.h | 4 +-
>  xen/drivers/video/vesa.c | 6 +-
>  xen/drivers/video/vga.c | 6 +-
>  xen/drivers/vpci/header.c | 18 +-
>  xen/drivers/vpci/msi.c | 42 +--
>  xen/drivers/vpci/msix.c | 20 +-
>  xen/drivers/vpci/vpci.c | 16 +-
>  xen/include/acpi/cpufreq/cpufreq.h | 1 -
>  xen/include/xen/acpi.h | 2 +-
>  xen/include/xen/compiler.h | 6 +
>  xen/include/xen/domain.h | 2 +-
>  xen/include/xen/hypercall.h | 69 ++--
>  xen/include/xen/hypfs.h | 49 ++-
>  xen/include/xen/irq.h | 6 +-
>  xen/include/xen/lib.h | 2 +-
>  xen/include/xen/perfc.h | 4 +-
>  xen/include/xen/sched.h | 2 +-
>  xen/include/xen/sort.h | 55 ++-
>  xen/include/xen/spinlock.h | 4 +-
>  xen/include/xen/vpci.h | 8 +-
>  xen/include/xsm/dummy.h | 211 +++++------
>  xen/lib/sort.c | 80 +---
>  xen/tools/check-endbr.sh | 85 +++++
>  xen/xsm/flask/avc.c | 2 +-
>  xen/xsm/flask/flask_op.c | 8 +-
>  xen/xsm/flask/hooks.c | 236 +++++++------
>  xen/xsm/flask/private.h | 9 +
>  xen/xsm/flask/ss/avtab.c | 4 +-
>  xen/xsm/flask/ss/conditional.c | 10 +-
>  xen/xsm/flask/ss/conditional.h | 6 +-
>  xen/xsm/flask/ss/policydb.c | 53 +--
>  xen/xsm/flask/ss/services.c | 6 +-
>  xen/xsm/flask/ss/symtab.c | 5 +-
>  xen/xsm/silo.c | 24 +-
>  xen/xsm/xsm_core.c | 6 +-
>  322 files changed, 3316 insertions(+), 2739 deletions(-)
>  create mode 100644 automation/build/debian/buster-gcc-ibt.dockerfile
>  create mode 100644 xen/arch/x86/include/asm/endbr.h
>  create mode 100755 xen/tools/check-endbr.sh
>  create mode 100644 xen/xsm/flask/private.h
>
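The cover letter above names patch 61 (helpers/checks for endbr64 instructions) and Marek's build check for embedded endbr64 instructions only by title. What follows is an added example written for this page; it is not code from the Xen series (Xen's own versions live in xen/arch/x86/include/asm/endbr.h and xen/tools/check-endbr.sh according to the diffstat, and may work differently). It shows why such a check matters once CET-IBT is enabled: the CPU validates an indirect branch purely by decoding the bytes at the target, so the 4-byte encoding f3 0f 1e fa is a legal landing pad wherever it occurs, including inside an immediate operand or a data table, not only at the function entries the compiler intended. The sample bytes and the list of intended entry points are constructed for the example; a real build check would derive the intended targets from the symbol table or relocations rather than from a hand-written list.

```c
/*
 * Added example (not Xen code): scan a byte buffer for the endbr64
 * encoding and report occurrences that are not at an intended
 * indirect-branch target. Under CET-IBT every such occurrence is a
 * usable landing pad for a hijacked indirect call or jump.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENDBR64_LEN 4
/* Architectural encoding of endbr64: f3 0f 1e fa. */
static const uint8_t endbr64_bytes[ENDBR64_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* True if the four bytes at p decode as endbr64. */
int is_endbr64(const uint8_t *p)
{
    return memcmp(p, endbr64_bytes, ENDBR64_LEN) == 0;
}

/*
 * Find every endbr64 pattern in buf[0..len) whose offset is not in the
 * constructed list of intended entry points. Returns the total number of
 * unexpected occurrences and writes up to max of their offsets into out.
 */
size_t find_embedded_endbr64(const uint8_t *buf, size_t len,
                             const size_t *expected, size_t n_expected,
                             size_t *out, size_t max)
{
    size_t found = 0;

    /* Byte-granular scan: the CPU does not care about instruction
     * boundaries when it checks the target of an indirect branch. */
    for (size_t off = 0; off + ENDBR64_LEN <= len; off++) {
        int intended = 0;

        if (!is_endbr64(buf + off))
            continue;
        for (size_t i = 0; i < n_expected; i++)
            if (expected[i] == off) { intended = 1; break; }
        if (intended)
            continue;
        if (found < max)
            out[found] = off;
        found++;
    }
    return found;
}

/* Constructed sample "text section" (hypothetical, for the example). */
static const uint8_t sample_text[] = {
    0xf3, 0x0f, 0x1e, 0xfa,        /*  0: endbr64 (func_a entry, intended)     */
    0xb8, 0xf3, 0x0f, 0x1e, 0xfa,  /*  4: mov $0xfa1e0ff3, %eax; imm32 at 5    */
    0xc3,                          /*  9: ret                                   */
    0xf3, 0x0f, 0x1e, 0xfa,        /* 10: endbr64 (func_b entry, intended)     */
    0x31, 0xc0,                    /* 14: xor %eax, %eax                        */
    0xc3,                          /* 16: ret                                   */
    0x00, 0xf3, 0x0f, 0x1e, 0xfa,  /* 17: data table; pattern embedded at 18   */
};
/* Offsets a real check would take from the symbol table; constructed here. */
static const size_t sample_entries[] = { 0, 10 };

/* Run the check over the sample; returns the number of unexpected landing pads. */
size_t scan_sample(size_t *out, size_t max)
{
    return find_embedded_endbr64(sample_text, sizeof(sample_text),
                                 sample_entries,
                                 sizeof(sample_entries) / sizeof(sample_entries[0]),
                                 out, max);
}

int main(void)
{
    size_t off[8];
    size_t n = scan_sample(off, 8);

    printf("%zu unexpected endbr64 pattern(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  embedded endbr64 at offset %zu\n", off[i]);
    /* Non-zero exit so a build that wires this in as a check fails. */
    return n ? 1 : 0;
}
```

On the constructed sample the scan reports two unexpected landing pads: offset 5, where the 32-bit immediate of the mov happens to spell endbr64, and offset 18 inside the data table. Both would be accepted as indirect-branch targets by an IBT-enabled CPU even though neither is a function entry, which is exactly the class of gadget a build-time check of this kind is meant to flag.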
On 22/02/2022 15:29, Jan Beulich wrote:
> On 22.02.2022 16:26, Andrew Cooper wrote:
>> To avoid spamming everyone, I have only re-sent patches with changes in v3.
> Could you enumerate which ones these are? Otherwise it's hard to tell
> whether everything you did send did arrive in the recipients' mailboxes.

Oops, sorry. 1, 3, 5, 6, 8, 12, 26, 27, 29, 33, 46, 47, 59, 60, 64.

All that I'm expecting to see have appeared on the list.

~Andrew