From patchwork Fri Nov 22 21:07:29 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
X-Patchwork-Id: 13883614
Return-Path: <xen-devel-bounces@lists.xenproject.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 3D908E69193
	for <xen-devel@archiver.kernel.org>; Fri, 22 Nov 2024 21:08:08 +0000 (UTC)
Received: from list by lists.xenproject.org with
 outflank-mailman.842002.1257463 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1tEasR-0007BX-OC; Fri, 22 Nov 2024 21:07:43 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 842002.1257463;
 Fri, 22 Nov 2024 21:07:43 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1tEasR-0007BQ-Kw; Fri, 22 Nov 2024 21:07:43 +0000
Received: by outflank-mailman (input) for mailman id 842002;
 Fri, 22 Nov 2024 21:07:42 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=Tm/o=SR=epam.com=Volodymyr_Babchuk@srs-se1.protection.inumbo.net>)
 id 1tEasQ-0006xA-Cp
 for xen-devel@lists.xenproject.org; Fri, 22 Nov 2024 21:07:42 +0000
Received: from EUR05-DB8-obe.outbound.protection.outlook.com
 (mail-db8eur05on20624.outbound.protection.outlook.com
 [2a01:111:f403:2614::624])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id cded252b-a915-11ef-a0cc-8be0dac302b0;
 Fri, 22 Nov 2024 22:07:38 +0100 (CET)
Received: from GV1PR03MB10456.eurprd03.prod.outlook.com
 (2603:10a6:150:16a::21) by PAWPR03MB9738.eurprd03.prod.outlook.com
 (2603:10a6:102:2ed::15) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8158.20; Fri, 22 Nov
 2024 21:07:33 +0000
Received: from GV1PR03MB10456.eurprd03.prod.outlook.com
 ([fe80::a41e:5aa8:e298:757e]) by GV1PR03MB10456.eurprd03.prod.outlook.com
 ([fe80::a41e:5aa8:e298:757e%7]) with mapi id 15.20.8182.016; Fri, 22 Nov 2024
 21:07:33 +0000
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
X-Inumbo-ID: cded252b-a915-11ef-a0cc-8be0dac302b0
X-Custom-Connection: 
 eyJyZW1vdGVpcCI6IjJhMDE6MTExOmY0MDM6MjYxNDo6NjI0IiwiaGVsbyI6IkVVUjA1LURCOC1vYmUub3V0Ym91bmQucHJvdGVjdGlvbi5vdXRsb29rLmNvbSJ9
X-Custom-Transaction: 
 eyJpZCI6ImNkZWQyNTJiLWE5MTUtMTFlZi1hMGNjLThiZTBkYWMzMDJiMCIsInRzIjoxNzMyMzA5NjU4LjcxODkwMiwic2VuZGVyIjoidm9sb2R5bXlyX2JhYmNodWtAZXBhbS5jb20iLCJyZWNpcGllbnQiOiJ4ZW4tZGV2ZWxAbGlzdHMueGVucHJvamVjdC5vcmcifQ==
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=KOhZIL40V/Nn3Nr8jf7dyQjk78wYeb7xRrCxGc/tHb3ui5uRjtOmc1Mno5oZBuCQugk1pomgajMBOZJHTkFExDDjNXZNiTLBq4yPFC5eNg/gR/aH6MnVBbbs0hc8yVOmNRd0bQobbBJfdE786Gb5HUBdPNtaTg5AfnQlOdxAu0upPLbpAauHZbTlVHHp9Y5SOrLeb441Jfkx4yQ8R0yHaLiuEpYqbsNx501ju9fkbpI9Z1cOIaT9D1212Fy4AmRPwLtVbVdN6Tj6QwfQ632bc7a7+P5pHOX4JDHSFdICpvjFk6gjxvQB5xs22DNp7ZHIf2GfTQ+amCHCaFul42ZjzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=FNlNjXvfJVm1fbN8Mlag5X39oGFDKabRNL8lFdyjINQ=;
 b=ETfWokfsftBTMWlAP2/XzVckgU0HSJ+jX7Lm02TZhCrgq6flzj+s/R0qUfRiyJADrMk9Em8VAgzbDbxrvJ27hFXn2oSdqnhwlxTrR3cTkFrOdYsEQ0Q6zmk9oyvhzBD2pG0WRLroeXyIehvhrcMswsuMSZftbvX2tB45V9E89YqoPDEAW0uIGaPbUFVq5qYRfVZvCGyOn5L74TZTZOVfAUVlomLTat4Fvl0sU7rvUf0ki3EEoeowTlItbRzo4TuiADcBAM+UMQHz/xZRWACBpooEUAzIi8uadYd+x2nRf1y6zsJVdZVwmPKATL7h3904H6GMUcYYNkd4tim0csu7uw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com;
 dkim=pass header.d=epam.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=epam.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=FNlNjXvfJVm1fbN8Mlag5X39oGFDKabRNL8lFdyjINQ=;
 b=DMMeYNkOxbZ63EYB8U867/Ri28w2iqf4yLgi9C6wnY+3OGD6qda4OZh5YHmOOM8XjkZ6Dn5hFN5ZYh42WGCzGrxQwJNCsB56TWKkXnDVDLiQSruAR37IAMlHlI7i7wlIfa+FMzPCY/1vtBqE8Ry7PhYv9QzXDLg+bo0IRdxzXOyWGlikqnZQ+ep1AL8cXbRueeKZEoLey16nG6Pi05BnEEpDxlonkUyxAB2DH4PhGhZZXidj4ryXEoFLH9fp9MQmTkpZ3c/S3uP0XndDuSvQZaLbdRws8IspzR6tT00uzhpwpoj/OkT3gV3/n2eNTvXE/CVzL5DtYRGdKRrcCYFAng==
From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>,
 Andrew Cooper <andrew.cooper3@citrix.com>, Jan Beulich <jbeulich@suse.com>,
 Julien Grall <julien@xen.org>, Stefano Stabellini <sstabellini@kernel.org>,
 Anthony PERARD <anthony.perard@vates.tech>,
 Samuel Thibault <samuel.thibault@ens-lyon.org>, =?iso-8859-1?q?Roger_Pau_Mo?=
	=?iso-8859-1?q?nn=E9?= <roger.pau@citrix.com>
Subject: [PATCH 1/3] xen: common: add ability to enable stack protector
Thread-Topic: [PATCH 1/3] xen: common: add ability to enable stack protector
Thread-Index: AQHbPSKKCRg4722UIUuMGLA9PEEyZg==
Date: Fri, 22 Nov 2024 21:07:29 +0000
Message-ID: <20241122210719.2572072-2-volodymyr_babchuk@epam.com>
References: <20241122210719.2572072-1-volodymyr_babchuk@epam.com>
In-Reply-To: <20241122210719.2572072-1-volodymyr_babchuk@epam.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-mailer: git-send-email 2.47.0
authentication-results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=epam.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GV1PR03MB10456:EE_|PAWPR03MB9738:EE_
x-ms-office365-filtering-correlation-id: b0bbdf27-da14-4f83-6faa-08dd0b39af00
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|376014|366016|38070700018;
x-microsoft-antispam-message-info: =?iso-8859-1?q?DKQUg+TzQpo7IG5DnsdqPQbmPA?=
	=?iso-8859-1?q?+uelJ8+lUk/CUrhsgqFveQlfih7HiyumJ7a7+WAvqr/PlW83ZNsCRwpeluSw?=
	=?iso-8859-1?q?R7tcyW53Wi4ZU/+pe/6olSpTnbTZsOFxUqSsj8889gcYw9auQPozOjTQUriM?=
	=?iso-8859-1?q?KwIPfp/im/gn51yXHt2F89dR2t7JX3KtJDTWzP9t59lRRGuzlUdyZj6fxfLv?=
	=?iso-8859-1?q?7uhoG8LSVCzZ5J+2gYSqMQDBhop1sfsIxrPWJHNjb/TObyfYW03jly3Llm9Z?=
	=?iso-8859-1?q?+PXecGdp1PrfsLT6e1n1DEblOT89yeyT6AcBBTNFNzop28ukPf6p28XbF7JN?=
	=?iso-8859-1?q?PdP6VImyvI59Edmuxxo5Fj4SrChCQWZXzEYMc46tT6EkePVNxOaj55UMCdg7?=
	=?iso-8859-1?q?XoMNrD5JX2vDKGzkym0ux8hZORVDjNPdKbGMwTaYGwUWxIEpLkLBpMoV2W7a?=
	=?iso-8859-1?q?j6wAZS42Q3bcm4uT9Wyh7FLvDor26veWeQiUlCgYgNAuDsdzMbbdgeOi6jh8?=
	=?iso-8859-1?q?cBJawE0/074oqRhnbJzSWrX/vt5jY3TfiG8aqj7JN7nRHmWVqzHELJmXS2Pu?=
	=?iso-8859-1?q?E97hzT2Kbgq/QvKGsqEtoTwHye/P3bJ2i2OpZQHND0JbQ+PPtG1BvI9TufRL?=
	=?iso-8859-1?q?1tcD4VaJ6J93HeMocA26fLaCZaGlm7AnxTmJdZNIej+T/MNRkbgw9TPS2pwL?=
	=?iso-8859-1?q?T9lUD6QGEztigrb6sqPU1CCJCZALF29ErlsMwifE/CzuKt7f4vrV9eyM3mft?=
	=?iso-8859-1?q?cMYs7t5N8/h1NR2RiECxNvtd9eFh21W0FYJDg7+y/qEBhpgbq+uKB3IBFMxj?=
	=?iso-8859-1?q?XkQjUoPO/nZPVBbnwSSNNvIZXjCK84hk6bNuYYGPszqp8veJ+Uxbnqb5h8Ca?=
	=?iso-8859-1?q?WyajRLIEyWp3xCKAU91i9sQnDepWrM93cRB20DL6SnVfCsKKgmQulqBj9wuX?=
	=?iso-8859-1?q?ydJWtc91+/l3Q+5vb4LFerhhcCFhPKdYwtrpXf4s5Lhccm495j6l1dEDMbQP?=
	=?iso-8859-1?q?zAVIK2utkvZbAIhXi3Mbkq7SqJ5KGyvtEtxu50gn4ihddkPbSwNq2HUdNtfy?=
	=?iso-8859-1?q?9CioL9pnlK7cbEk8q+ddoKi7ufVS4GgDb33vnJGFF2TyAjvPEXPsle5wSVTc?=
	=?iso-8859-1?q?pVCOW/ZUmcfE7RgTCyKOHZOXEngRsUhlZ7MQ6recSU45Z+18hcBSbRNnsDw2?=
	=?iso-8859-1?q?cikGZ7etOMNnd04Js6Vh6GjDOQZrGuo1P5euH7To8UFAktIqeYkAccnjZW1Z?=
	=?iso-8859-1?q?nmAUO8pwgBpol+x2xncgWqEo7vPqmYpSXwWytx4LjA05OBTVBafC0ja4FpO6?=
	=?iso-8859-1?q?74WMFeg/BlWy15RiX2A9SM9DnRW09nLdZKM+p3UZrBMethQvtJciEK+ZgQ?=
x-forefront-antispam-report: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV1PR03MB10456.eurprd03.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?q?vj0VqqDdUDo4X3IZXk197zO?=
	=?iso-8859-1?q?xV7GKHVIwcibUexws1BOQRvJPwBsOV0vprLnNXTlwdri6k53ngQFmUazmb7m?=
	=?iso-8859-1?q?JuB2v37vOlxBuuVBqDSjfFPZZTwuSyFahRXQNaipwLzEqOJPtPskjPr/HDpK?=
	=?iso-8859-1?q?8oGx47wL1d8pt2uRakChgtxyoj87gqT1iGchD0E5uZbAcbbAPPRK5REbNwcM?=
	=?iso-8859-1?q?DoMbdrFGNoJIYtoQi2EoaR8HbbWNtf2b28qOgS3nKqN8CIWUu4BhT3paHQDu?=
	=?iso-8859-1?q?FZl895H4aQTe6vmIcfwiO0q+KGUHq1nUyPvqNXU2YIT8gbbifYHZKkVRmdzw?=
	=?iso-8859-1?q?XMbj/KZuPkHl+oYY5C/xc502AmWiyNTV9T0STyjrE2juKQoSH81hS2+mIynV?=
	=?iso-8859-1?q?nF5eyurtjB0+g4kMg1bhOcaT3ARsBVmvCowKXX4uUPVrkQlnqhjNcfqBQweh?=
	=?iso-8859-1?q?HRtiZzHQxbkf7v6YkE2jouCd1BQ2d/ZbYt+2Bveq2SErWKd6GUyP8kTUkq+Z?=
	=?iso-8859-1?q?BCdWcEIBBljWKG51TLOsedU0MNb16MMARtKnwQgckTeRox3O3zwi7yVj36Xq?=
	=?iso-8859-1?q?jTyoLHSXuXwAWNEu13QDGR4OInac4UsHVzvgrnyOXmHomzpHN9m4zfxF6cQX?=
	=?iso-8859-1?q?5/FEz7YJQ7Br8JEzLXeg5a2JPNUN6NEqCSJmaBzuryyImWUlRRlXyDtidBZv?=
	=?iso-8859-1?q?67lip7ZH6aHRuHErnMApARIUTKdE9ANPSuinszRyp/K3ldXz/plAk4OcQxaF?=
	=?iso-8859-1?q?3qX63TuXVYJIIPkvdnpmUeM57O5010zTGfxBo6kWvJWsBAHSD31hI09V554E?=
	=?iso-8859-1?q?DOflpIi2LqcIvQPsrioF1k+7AqjH1jGAgnADecli2PD17YOgfOXYt3qtY42P?=
	=?iso-8859-1?q?4V8BzzVAEf8IsIoxHa7gsSCelD8r7MXkamBNPaRUT3kQGwkvnnHvgc+tCCQU?=
	=?iso-8859-1?q?U6E+StGRfF4U9Y0CgtGyvI45cGGJWuqeEN3dREtg5QyVKycV8Tk4Gba1FJnE?=
	=?iso-8859-1?q?nwqebHDtmxUFjQcaYKJuLjs3hiDiFVvquyvolT7TM+R+tClMzKKD0DjbwsE3?=
	=?iso-8859-1?q?hJePpFdumyx/nlEE8PLdGRSBlfPzmW0oM2SBBqVIz8tYrVfqsp10wT2wtnaI?=
	=?iso-8859-1?q?r0wkRMAR/U9SLduOpgkkGOvR3KQTEDjmQdDzIVvJFKt54CbGm5rg9ZyALMPD?=
	=?iso-8859-1?q?GoYxB6oPP9t6ClGu4FfioZNSkVootbK2DWPC5aKmckD+ou89uORWb6T6MKlc?=
	=?iso-8859-1?q?u66KuDUu0GATwKdPRV+xpp+xlBOJyJQJ9GiYOc5KwcrCe2C3xmystIGXNcM6?=
	=?iso-8859-1?q?5/m+jU2CyE/Q5VnadKbjAYF376fTg1MNVY+Q6e4cO2lGq7G4DJvVrYxRKJzO?=
	=?iso-8859-1?q?/DxixC1Ylr0ZjYBLNSHdBPwUro5z0rzqON/X3ZfZRqOJegC9lz0yFI/kSN/y?=
	=?iso-8859-1?q?mGLeLI7b5nVotHJYR7DFhHx8lLD0ccZg/2IdqhC31/kjPIMXfmQaS4JTWmcb?=
	=?iso-8859-1?q?bmJOANFPIJlufO012/76N2Q9Sp61HZdTr6SL08ED44sS9zXdrUo4Wutmg5Qs?=
	=?iso-8859-1?q?ZuSETztNOmiLx3aKknOeWKc4Au4rEpdmujSP6+b7/G+Tmoz122NqaoR08no9?=
	=?iso-8859-1?q?S74WgRiPO6hHSmqdCcCuPY9kGtL2/AO4Pik0AdA=3D=3D?=
MIME-Version: 1.0
X-OriginatorOrg: epam.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GV1PR03MB10456.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 b0bbdf27-da14-4f83-6faa-08dd0b39af00
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Nov 2024 21:07:29.6659
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b41b72d0-4e9f-4c26-8a69-f949f367c91d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 
 igXOCkrOe4Tzz2Nto8WxFLZSW9QJuA3B5aSPjw/Qi2duMO3zOp1ofuQrO+6V+PR3YgNhZof61iQQ6cBY8KKuS1CkOt4BYBzJW4yng1xaWhg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR03MB9738

Both GCC and Clang support -fstack-protector feature, which add stack
canaries to functions where stack corruption is possible. This patch
makes general preparations to enable this feature on different
supported architectures:

 - "-fno-stack-protector" is removed from global config
 - Added CONFIG_HAS_STACK_PROTECTOR option so each architecture
   can enable this feature individually
 - Added user-selectable CONFIG_STACK_PROTECTOR option
 - Implemented code that sets up random stack canary and a basic
   handler for stack protector failures

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
---
 Config.mk                            |  2 +-
 stubdom/Makefile                     |  2 ++
 tools/firmware/Rules.mk              |  2 ++
 tools/tests/x86_emulator/testcase.mk |  2 ++
 xen/Makefile                         |  6 ++++++
 xen/common/Kconfig                   | 13 ++++++++++++
 xen/common/Makefile                  |  1 +
 xen/common/stack_protector.c         | 16 +++++++++++++++
 xen/include/xen/stack_protector.h    | 30 ++++++++++++++++++++++++++++
 9 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 xen/common/stack_protector.c
 create mode 100644 xen/include/xen/stack_protector.h

diff --git a/Config.mk b/Config.mk
index f1eab9a20a..c9fef4659f 100644
--- a/Config.mk
+++ b/Config.mk
@@ -190,7 +190,7 @@ endif
 APPEND_LDFLAGS += $(foreach i, $(APPEND_LIB), -L$(i))
 APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 
-EMBEDDED_EXTRA_CFLAGS := -fno-pie -fno-stack-protector -fno-stack-protector-all
+EMBEDDED_EXTRA_CFLAGS := -fno-pie
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
 XEN_EXTFILES_URL ?= https://xenbits.xen.org/xen-extfiles
diff --git a/stubdom/Makefile b/stubdom/Makefile
index 2a81af28a1..41424f6aca 100644
--- a/stubdom/Makefile
+++ b/stubdom/Makefile
@@ -54,6 +54,8 @@ TARGET_CFLAGS += $(CFLAGS)
 TARGET_CPPFLAGS += $(CPPFLAGS)
 $(call cc-options-add,TARGET_CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
 
+$(call cc-option-add,TARGET_CFLAGS,CC,-fno-stack-protector)
+
 # Do not use host headers and libs
 GCC_INSTALL = $(shell LANG=C gcc -print-search-dirs | sed -n -e 's/install: \(.*\)/\1/p')
 TARGET_CPPFLAGS += -U __linux__ -U __FreeBSD__ -U __sun__
diff --git a/tools/firmware/Rules.mk b/tools/firmware/Rules.mk
index d3482c9ec4..b3f29556b7 100644
--- a/tools/firmware/Rules.mk
+++ b/tools/firmware/Rules.mk
@@ -15,6 +15,8 @@ $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
 
 $(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
 
+$(call cc-option-add,CFLAGS,CC,-fno-stack-protector)
+
 # Do not add the .note.gnu.property section to any of the firmware objects: it
 # breaks the rombios binary and is not useful for firmware anyway.
 $(call cc-option-add,CFLAGS,CC,-Wa$$(comma)-mx86-used-note=no)
diff --git a/tools/tests/x86_emulator/testcase.mk b/tools/tests/x86_emulator/testcase.mk
index fc95e24589..49a7a8dee9 100644
--- a/tools/tests/x86_emulator/testcase.mk
+++ b/tools/tests/x86_emulator/testcase.mk
@@ -4,6 +4,8 @@ include $(XEN_ROOT)/tools/Rules.mk
 
 $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
 
+$(call cc-option-add,CFLAGS,CC,-fno-stack-protector)
+
 CFLAGS += -fno-builtin -g0 $($(TESTCASE)-cflags)
 
 LDFLAGS_DIRECT += $(shell { $(LD) -v --warn-rwx-segments; } >/dev/null 2>&1 && echo --no-warn-rwx-segments)
diff --git a/xen/Makefile b/xen/Makefile
index 2e1a925c84..0de0101fd0 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -432,6 +432,12 @@ else
 CFLAGS_UBSAN :=
 endif
 
+ifeq ($(CONFIG_STACK_PROTECTOR),y)
+CFLAGS += -fstack-protector
+else
+CFLAGS += -fno-stack-protector
+endif
+
 ifeq ($(CONFIG_LTO),y)
 CFLAGS += -flto
 LDFLAGS-$(CONFIG_CC_IS_CLANG) += -plugin LLVMgold.so
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 90268d9249..0ffd825510 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -86,6 +86,9 @@ config HAS_UBSAN
 config HAS_VMAP
 	bool
 
+config HAS_STACK_PROTECTOR
+	bool
+
 config MEM_ACCESS_ALWAYS_ON
 	bool
 
@@ -516,4 +519,14 @@ config TRACEBUFFER
 	  to be collected at run time for debugging or performance analysis.
 	  Memory and execution overhead when not active is minimal.
 
+config STACK_PROTECTOR
+	bool "Stack protection"
+	depends on HAS_STACK_PROTECTOR
+	help
+	  Use compiler's option -fstack-protector (supported both by GCC
+	  and clang) to generate code that checks for corrupted stack
+	  and halts the system in case of any problems.
+
+	  Please note that this option will impair performance.
+
 endmenu
diff --git a/xen/common/Makefile b/xen/common/Makefile
index b279b09bfb..a9f2d05476 100644
--- a/xen/common/Makefile
+++ b/xen/common/Makefile
@@ -45,6 +45,7 @@ obj-y += shutdown.o
 obj-y += softirq.o
 obj-y += smp.o
 obj-y += spinlock.o
+obj-$(CONFIG_STACK_PROTECTOR) += stack_protector.o
 obj-y += stop_machine.o
 obj-y += symbols.o
 obj-y += tasklet.o
diff --git a/xen/common/stack_protector.c b/xen/common/stack_protector.c
new file mode 100644
index 0000000000..de7c20f682
--- /dev/null
+++ b/xen/common/stack_protector.c
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <xen/lib.h>
+#include <xen/random.h>
+
+#ifndef CONFIG_X86
+/*
+ * GCC uses TLS to store stack canary value on x86.
+ * All other platforms use this global variable.
+ */
+unsigned long __stack_chk_guard;
+#endif
+
+void __stack_chk_fail(void)
+{
+	panic("Detected stack corruption\n");
+}
diff --git a/xen/include/xen/stack_protector.h b/xen/include/xen/stack_protector.h
new file mode 100644
index 0000000000..97f1eb5ac0
--- /dev/null
+++ b/xen/include/xen/stack_protector.h
@@ -0,0 +1,30 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+#ifndef XEN__STACK_PROTECTOR_H
+#define XEN__STACK_PROTECTOR_H
+
+#ifdef CONFIG_STACKPROTECTOR
+
+#ifndef CONFIG_X86
+extern unsigned long __stack_chk_guard;
+#endif
+
+/*
+ * This function should be always inlined. Also it should be called
+ * from a function that never returns.
+ */
+static inline void boot_stack_chk_guard_setup(void)
+{
+	__stack_chk_guard = get_random();
+	if (BITS_PER_LONG == 64)
+		__stack_chk_guard |= ((unsigned long)get_random()) << 32;
+}
+
+#else
+
+static inline void boot_stack_chk_guard_setup(void) {}
+
+#endif /* CONFIG_STACKPROTECTOR  */
+
+#endif /* XEN__STACK_PROTECTOR_H */
+