From patchwork Thu Feb 13 22:00:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Volodymyr Babchuk X-Patchwork-Id: 13974102 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 56DC6C021A6 for ; Thu, 13 Feb 2025 22:00:50 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.888112.1297532 (Exim 4.92) (envelope-from ) id 1tihG9-00054i-TH; Thu, 13 Feb 2025 22:00:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 888112.1297532; Thu, 13 Feb 2025 22:00:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1tihG9-00054Z-Pe; Thu, 13 Feb 2025 22:00:37 +0000 Received: by outflank-mailman (input) for mailman id 888112; Thu, 13 Feb 2025 22:00:36 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1tihG8-0004bW-L4 for xen-devel@lists.xenproject.org; Thu, 13 Feb 2025 22:00:36 +0000 Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on20606.outbound.protection.outlook.com [2a01:111:f403:2614::606]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id f380d785-ea55-11ef-9896-31a8f345e629; Thu, 13 Feb 2025 23:00:35 +0100 (CET) Received: from GV1PR03MB10456.eurprd03.prod.outlook.com (2603:10a6:150:16a::21) by PA4PR03MB7069.eurprd03.prod.outlook.com (2603:10a6:102:e4::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8445.13; Thu, 13 Feb 2025 22:00:29 +0000 Received: from GV1PR03MB10456.eurprd03.prod.outlook.com ([fe80::a41e:5aa8:e298:757e]) by GV1PR03MB10456.eurprd03.prod.outlook.com ([fe80::a41e:5aa8:e298:757e%4]) with mapi id 15.20.8445.013; Thu, 13 Feb 2025 22:00:29 +0000 X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: f380d785-ea55-11ef-9896-31a8f345e629 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=VtoOlouxSce9q7zFuCWmziUZGDwSWgaMmUf9NFhHi+uAvOPpoGNw/CIm72QOzWyUAp37rnBtI9jYDZj/h+wTWRtAQce6lIhHdT8lQxzOwoxPqIUdas83C2tk+mDb9kVZXsqgQ0Z5eTHadepqUgAjQ2/S0S70DGPihXDE16bynSQJEiznJG6vffYw8N8D1WxZ+ymN1bKNYOdShCZMaILNHXf/T+OhELH/8lEgz5rLTqbxzAkVBoUvNzstoxQchHOz6JOFHScVhKLSwwDncRF2aW42A2fxA1ofb/AnN1n9sgyNcwiE/BG8JXO+qhnhkrnXpLHdNA7SACP1tlOrvK7eQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=g1uQdAGwFGGyhk0UmxlV4ntFJuw/pAbi5iT6SVTTNG8=; b=GN1eCVGfQ7C45x35XR/xnHq+k6RzLyjckIU5vaX0lQRddWso2ENuBG9IuNahgPF0+ynrFNyPoNb1QEzFqauTL1Z+nIddrX6pWjciBB8qlXz0hXi8MC4JCmSXXJd4ymYFyra83JKFhqDIi3mcvscfIB6UyQe1Y1i1It4yUWr9t6GKTDQpLAKaZ7S4tw3g41556ZhaFl09rqLSIozZXzBLTyf303IWfSAz4KULRSvU/xXN1hBC/pf5ruVaCTN0qtbfIJ0HvRqox6E1mCOQlkwjL0iiJsKnHN7Qu5NuM5Ma0G1CiCEK0bhT9IT0hXCfINXE+0fgW5e5L/tKRlhdidCP6A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=epam.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=g1uQdAGwFGGyhk0UmxlV4ntFJuw/pAbi5iT6SVTTNG8=; b=it497oKdonehtCCF1IU7J3FEnkO8u1g+ePwPyyV3S60EywULjX9ejMK4AiLJvT+j22MVtyWJPx1+OcJZHshD2HQap1CHxMP71JpMt0Ly7LU29xfwrMppPRoRSfXbPibFJkiJgIqCOQ3LRxxU2MC/ZmGXjgJaZtVjz6/ZDQW+W4fUKqdpamElCgSEayWE70PBUPS2TfyCLdFxHO2AcDerlYdpNUzTPo8vl71vSFc0XqE0dUQKTTeyfAKhdvR6cp3+rZKpdgSTK/LCJQ2iN4Bvl9mPcqYJz2ZXjk8LYmOZJ5/Njb+DrX0Ahc7YZz86Xhx5i6g4iar/ImjwXI81u7IVoQ== From: Volodymyr Babchuk To: "xen-devel@lists.xenproject.org" CC: Volodymyr Babchuk , Andrew Cooper , Anthony PERARD , Michal Orzel , Jan Beulich , Julien Grall , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Stefano Stabellini Subject: [PATCH v5 2/4] xen: common: add ability to enable stack protector Thread-Topic: [PATCH v5 2/4] xen: common: add ability to enable stack protector Thread-Index: AQHbfmKwgsjxBZVOSE6qB7f/GfKgPA== Date: Thu, 13 Feb 2025 22:00:27 +0000 Message-ID: <20250213220021.2897526-3-volodymyr_babchuk@epam.com> References: <20250213220021.2897526-1-volodymyr_babchuk@epam.com> In-Reply-To: <20250213220021.2897526-1-volodymyr_babchuk@epam.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: git-send-email 2.47.1 authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: GV1PR03MB10456:EE_|PA4PR03MB7069:EE_ x-ms-office365-filtering-correlation-id: 2d660be8-1a62-474b-7148-08dd4c79d473 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|376014|366016|38070700018; x-microsoft-antispam-message-info: =?utf-8?q?vOKKTxnb11UouWklbvqJchVOwzGGkiZ?= =?utf-8?q?wNoydx5+ydvCIf4ltuaLtLfKp5217UKKBKwWvX/7hYDJPUBjfqvf25srJA5vbOTpi?= =?utf-8?q?VNGJm17Bk09UEMT7/o90PF5vmeEcTDyRZVRhNtgdCcPRQy4+mFhgs1eTmKgnMPVxy?= =?utf-8?q?KrQmCPZoE+dDhcLxfnAr3QEgUuI9tgL3cjka8TzN9x4/ULsBgTYvBfCom1LmBQZM5?= =?utf-8?q?rri87NaBrWTjQKRh4t1ZM1ZIHtFv+74XBx84+Eyj9PcAP2iYQEMSc+yyW/DOdRuxp?= =?utf-8?q?WcGN+J7Hs9vn2RX5Hlljv+Lu4f9JrO1eNuozj+4MYTfnVNUmb6LjK6S3kYai2Ku9h?= =?utf-8?q?Pm6xb0bmrT28RQYEff6RqObT8PrFxdSTMuZrJ3583qvxvEN9g2nJR3HXCCMQ291KS?= =?utf-8?q?x94CwGsmKDhbKVcAqqPG9OAK7XbOBEc/pPOZu+URfGwzGGcmIe2qgh0ZxIx5ChAXf?= =?utf-8?q?dfJ9ubIlaDpuuNQrcX9hKlWysi5PBsvng97ezvzah2/owGL0qjdJ9P3qe08XhY2R7?= =?utf-8?q?LlnUiPJD4/P35TPn3R8OkxB+YhMjDGDamvkTY6wLDcT5BxGoXlN5VVEUgkfEbdjGF?= =?utf-8?q?FhvVhJfsSSrqGu1lwhViLpA27aC2JC3CyrDMtiP4feetoRxliWLcZ5AuP09qkDdsZ?= =?utf-8?q?GVkfYiM//DZGgLpbOE7LXKylY3Mv4c2GGwXAP5KVgvIwLq4sQDU9D/Er/n/I495vl?= =?utf-8?q?q6UfezXsCvvcZTVreRwGxwfa9MvhQH1L3/eBFXFzHurZy61+Jlz8O+/k2zMVWGrlS?= =?utf-8?q?TQxBeei8kLPpKJdm04kq6DF93qpLZVAp9HHQ5APambQ+ZsoKf+PWjXDAjlxSIhwPH?= =?utf-8?q?ba3E5lEqdyCAE2MIZdPh7lxRD+nHDqFsmq2rwpKv0jFUaS4HIXrY6Ye0R2ZeX22ZQ?= =?utf-8?q?NT36nFgsv8myxBHhks0BI9dRx36N1rD4Y92sBVnZrECnxapVDx4e2ymzZur1N9VCd?= =?utf-8?q?IA4y2YxZrbRqe14YlDSU+GCt8mGUWpRp4wJuOd5CtfM777m4faotGf9h7ML9R3TVI?= =?utf-8?q?THsrEuVCUNFheT4UAiYZwjKc2OkXoB/3r2TSROhIs0meZ1QOC+7KrcIm8ecW/rYxM?= =?utf-8?q?NDfUR3xCL89rlcwJfLCWmYgY7ZMm+qgcUIPx5HGZXe+JJOOIiaJ8MYiSoBRoHh3wx?= =?utf-8?q?prb6OW0uYm8r8CBFDqcMmtTZizjR+hptY6D3Iwyn7plbw+efBKPZqAj9C+kPfFhxV?= =?utf-8?q?HxUZQqh22pshZqRFYW9j/r4fEz4YNmmwOXvRt/bS8k9O3idzgd85Ex+ae0DxXdUge?= =?utf-8?q?h76smKDbTK4I7U0NMw7HldLUyrwXPYO599RVyJZnxN3uaEpT/9D+TypF4Eq7OmepX?= =?utf-8?q?FkKSBDNFzCYbBQWHRKUwrDxAOTbVf3quJEDpoYpto7PWahinJxqrCgpewBIz1Mahl?= =?utf-8?q?/XyPCdMr8P7?= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV1PR03MB10456.eurprd03.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(38070700018);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?q?nJemuhD/KGz3LhOhIq9ojcPp4OZb?= =?utf-8?q?DEP9YEvbjFm0mt54Lq3CrahMB3N8EL0KFg99GvhBuihCbWh3ZZSpOhYW8niQ1dtmb?= =?utf-8?q?LoaCNKMY1JhbIoiGtLRZbnMSXgwcSO0wynbJ6oGUAgEZvy0+9E+0bii5Dqyid1+oA?= =?utf-8?q?V42/9sqnaoK3rviXR9UB5qHCBPrlIO2uGhLebEm24qGIW/zk+bQhH4tBBEoIA4con?= =?utf-8?q?CaXKdTXU4ay5qlAR9Hu1YE8erfrDjMoZ5Ef+rmdLXffLAkCbKR4hsEa+gFJO6sH/D?= =?utf-8?q?1sujhXvmdbWfZZpSe7gKYdXG6aqVRr6pf/0H2jT2EHoK97SkZgnILFKsTOm2wc6mk?= =?utf-8?q?9pc7LXNFEgJcEQXG5VvYYtxnmxhBOtLSXi6MMUoUPoGMAo8qPBcFbNW6YpB2/qCkc?= =?utf-8?q?ku/QoVDPTaIjqkcUEK7xkfsQJlpFGn5HRCbudRM3VZ/lni48+nHYV9ZTPaVzBMyaR?= =?utf-8?q?Q5ombncT/3Hlr9ILYJKX4JdjlmMXmgko7FVZOR2TQOpREdwbLeQrLdJhG/zxW9gbD?= =?utf-8?q?8UxR7KBPi/PqXS1h8lSna40nzeDtprsYTaVMFlnrOO9fw85wVZLwpabekeSiD+2H7?= =?utf-8?q?RDMYngOycnRAc834oD7ZgT57IMVEcooi6UHw/8Z5Ah7aM7Rbv5XuY6YIcgP1lins0?= =?utf-8?q?3iJiQON2TS+dKqFnqRXBCphgAZw+fD/SV1aTZBt537gU0GQpBiYXj37Yv4Mdk0VJP?= =?utf-8?q?YxstQkGYzbJZQ3V9kkpycsRxT3MQfcHt02KtNKe1nwn+fZKUpdVFCMu2VGt9Jc7YR?= =?utf-8?q?pM3mZ8vOlrA/RNYrM5fUHBEjx/sIlUpF5VRUTQsDsZ6tt1isjFNVlHiiKi1BQST8A?= =?utf-8?q?32bWQ51peZjFgkZO3GDYln9p6OS5kJzrgwwKOcMyOCeUGwZN7nSfsnrgi+R/ZBDg3?= =?utf-8?q?jWiUI9+i/NcwoDsYDW2hTNN6t6uATUM+tuK6JhsjbSvlpSx2nc+rcuhmDESATNWCM?= =?utf-8?q?lbs64lk9Z43OthDbEQujDhayBusBWjdBN8UxGncJUIf49j82jGfKmE5GwOtL9tq79?= =?utf-8?q?f5wGyurS31SSv2A05ZsMrEfIbONHy/vz8MPlo+OHHGb4beAJGOEJwWZ/KzirbjLrJ?= =?utf-8?q?z3iPsTwq9wO70kmdfz0HxmxYrF+4xvQGg2Se4xYcXm3cyIwfJT019LXfzroJDTPQH?= =?utf-8?q?ePX4t/zq2VtJhHw9AbjxWqr0Hh0HPUsVVR6m0Mh7gRwtX5MlDkubc68uGsEvaaHFb?= =?utf-8?q?NkKsba0zwpecVKM7xIdZhloBNF4PZqjSKfJhX8cCJo8XZATgAUrnb/0prhVZFysCQ?= =?utf-8?q?tYudtsRGIinQuTAA62wKQVo2NNr8jRflW7pqWUynZWQmRnWkBU9OTZLK5hpCQm3XV?= =?utf-8?q?5vLoouYMYqCMmJbXI9uDFHqajl3rJ4wyJNKrPr3hyf7tFc5WAqGl/lelKBadltz88?= =?utf-8?q?FiMyJ3wBLREjPRFyaF5ZYnFLsBRcPWKs8XWaD1AcYEKCb2eN8KosSRVbXXY51tnZr?= =?utf-8?q?byAPFUKtpiLslEYEekpPaybLLFg/tftMyYl4XxJ+ApQuVHue2K2PFoJWM1bBSysdX?= =?utf-8?q?xzXnxqQvMd5GCSROcLSg/rFhi5sO68kXMg=3D=3D?= Content-ID: <2E84844C2EAB3148B75ADF4EB1E8D68B@eurprd03.prod.outlook.com> MIME-Version: 1.0 X-OriginatorOrg: epam.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: GV1PR03MB10456.eurprd03.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 2d660be8-1a62-474b-7148-08dd4c79d473 X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Feb 2025 22:00:27.0708 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: b41b72d0-4e9f-4c26-8a69-f949f367c91d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: P/EsKjMUnLwJVFv4dmu2Amw9ymz0p/8OUslV90I/TOq01bwMqc+w6Ba51+wKtg0Vh4K+HAzuem9tJaMOL04bRVgV3wzhS0JSOcP8+/L5F9s= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR03MB7069 Both GCC and Clang support -fstack-protector feature, which add stack canaries to functions where stack corruption is possible. This patch makes general preparations to enable this feature on different supported architectures: - Added CONFIG_HAS_STACK_PROTECTOR option so each architecture can enable this feature individually - Added user-selectable CONFIG_STACK_PROTECTOR option - Implemented code that sets up random stack canary and a basic handler for stack protector failures Stack guard value is initialized in two phases: 1. Pre-defined randomly-selected value. 2. Own implementation linear congruent random number generator. It relies on get_cycles() being available very early. If get_cycles() returns zero, it would leave pre-defined value from the previous step. Signed-off-by: Volodymyr Babchuk Reviewed-by: Andrew Cooper --- Changes in v5: - Fixed indentation - Added stack-protector.h --- xen/Makefile | 4 +++ xen/common/Kconfig | 15 +++++++++ xen/common/Makefile | 1 + xen/common/stack-protector.c | 51 +++++++++++++++++++++++++++++++ xen/include/xen/stack-protector.h | 14 +++++++++ 5 files changed, 85 insertions(+) create mode 100644 xen/common/stack-protector.c create mode 100644 xen/include/xen/stack-protector.h diff --git a/xen/Makefile b/xen/Makefile index a0c774ab7d..48bc17c418 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -435,7 +435,11 @@ else CFLAGS_UBSAN := endif +ifeq ($(CONFIG_STACK_PROTECTOR),y) +CFLAGS += -fstack-protector +else CFLAGS += -fno-stack-protector +endif ifeq ($(CONFIG_LTO),y) CFLAGS += -flto diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 6166327f4d..bd53dae43c 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -83,6 +83,9 @@ config HAS_PMAP config HAS_SCHED_GRANULARITY bool +config HAS_STACK_PROTECTOR + bool + config HAS_UBSAN bool @@ -216,6 +219,18 @@ config SPECULATIVE_HARDEN_LOCK endmenu +menu "Other hardening" + +config STACK_PROTECTOR + bool "Stack protector" + depends on HAS_STACK_PROTECTOR + help + Enable the Stack Protector compiler hardening option. This inserts a + canary value in the stack frame of functions, and performs an integrity + check on function exit. + +endmenu + config DIT_DEFAULT bool "Data Independent Timing default" depends on HAS_DIT diff --git a/xen/common/Makefile b/xen/common/Makefile index cba3b32733..8adbf6a3b5 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -46,6 +46,7 @@ obj-y += shutdown.o obj-y += softirq.o obj-y += smp.o obj-y += spinlock.o +obj-$(CONFIG_STACK_PROTECTOR) += stack-protector.o obj-y += stop_machine.o obj-y += symbols.o obj-y += tasklet.o diff --git a/xen/common/stack-protector.c b/xen/common/stack-protector.c new file mode 100644 index 0000000000..286753a1b1 --- /dev/null +++ b/xen/common/stack-protector.c @@ -0,0 +1,51 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#include +#include +#include +#include + +/* + * Initial value is chosen by a fair dice roll. + * It will be updated during boot process. + */ +#if BITS_PER_LONG == 32 +unsigned long __ro_after_init __stack_chk_guard = 0xdd2cc927UL; +#else +unsigned long __ro_after_init __stack_chk_guard = 0x2d853605a4d9a09cUL; +#endif + +/* + * This function should be called from early asm or from a C function + * that escapes stack canary tracking (by calling + * reset_stack_and_jump() for example). + */ +void __init asmlinkage boot_stack_chk_guard_setup(void) +{ + /* + * Linear congruent generator (X_n+1 = X_n * a + c). + * + * Constant is taken from "Tables Of Linear Congruential + * Generators Of Different Sizes And Good Lattice Structure" by + * Pierre L’Ecuyer. + */ +#if BITS_PER_LONG == 32 + const unsigned long a = 2891336453UL; +#else + const unsigned long a = 2862933555777941757UL; +#endif + const unsigned long c = 1; + + unsigned long cycles = get_cycles(); + + /* Use the initial value if we can't generate random one */ + if ( !cycles ) + return; + + __stack_chk_guard = cycles * a + c; +} + +void asmlinkage __stack_chk_fail(void) +{ + dump_execution_state(); + panic("Stack Protector integrity violation identified\n"); +} diff --git a/xen/include/xen/stack-protector.h b/xen/include/xen/stack-protector.h new file mode 100644 index 0000000000..714116498b --- /dev/null +++ b/xen/include/xen/stack-protector.h @@ -0,0 +1,14 @@ +#ifndef __XEN_STACK_PROTECTOR_H__ +#define __XEN_STACK_PROTECTOR_H__ + +#ifdef CONFIG_STACK_PROTECTOR + +void asmlinkage boot_stack_chk_guard_setup(void); + +#else + +static inline void boot_stack_chk_guard_setup(void) {}; + +#endif + +#endif /* __XEN_STACK_PROTECTOR_H__ */