[xen master] x86/shstk: Introduce Supervisor Shadow Stack support
commit d3fb3ed32fc8ee4cb453058e54e7c317a9b93922
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Fri Feb 21 17:56:57 2020 +0000
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri May 29 23:09:46 2020 +0100
x86/shstk: Introduce Supervisor Shadow Stack support
Introduce CONFIG_HAS_AS_CET_SS to determine whether CET Shadow Stack
instructions are supported in the assembler, and CONFIG_XEN_SHSTK as the
main
build option.
Introduce cet={no-,}shstk for a user to select whether or not to use shadow
stacks at runtime, and X86_FEATURE_XEN_SHSTK to determine Xen's overall
enablement of shadow stacks.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
docs/misc/xen-command-line.pandoc | 17 +++++++++++++++++
xen/arch/x86/Kconfig | 18 ++++++++++++++++++
xen/arch/x86/setup.c | 30 ++++++++++++++++++++++++++++++
xen/include/asm-x86/cpufeature.h | 1 +
xen/include/asm-x86/cpufeatures.h | 1 +
xen/scripts/Kconfig.include | 4 ++++
6 files changed, 71 insertions(+)
diff --git a/docs/misc/xen-command-line.pandoc
b/docs/misc/xen-command-line.pandoc
index 1787f2c8fb..ec1c12cbe0 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -270,6 +270,23 @@ and not running softirqs. Reduce this if softirqs are not
being run frequently
enough. Setting this to a high value may cause boot failure, particularly if
the NMI watchdog is also enabled.
+### cet
+ = List of [ shstk=<bool> ]
+
+ Applicability: x86
+
+Controls for the use of Control-flow Enforcement Technology. CET is group a
+of hardware features designed to combat Return-oriented Programming (ROP, also
+call/jmp COP/JOP) attacks.
+
+* The `shstk=` boolean controls whether Xen uses Shadow Stacks for its own
+ protection.
+
+ The option is available when `CONFIG_XEN_SHSTK` is compiled in, and
+ defaults to `true` on hardware supporting CET-SS. Specifying
+ `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support
+ is available in hardware.
+
### clocksource (x86)
> `= pit | hpet | acpi | tsc`
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index b565f6831d..4a2ec87ff5 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -34,6 +34,10 @@ config ARCH_DEFCONFIG
config INDIRECT_THUNK
def_bool $(cc-option,-mindirect-branch-register)
+config HAS_AS_CET_SS
+ # binutils >= 2.29 or LLVM >= 6
+ def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy)
+
menu "Architecture Features"
source "arch/Kconfig"
@@ -97,6 +101,20 @@ config HVM
If unsure, say Y.
+config XEN_SHSTK
+ bool "Supervisor Shadow Stacks"
+ depends on HAS_AS_CET_SS && EXPERT
+ default y
+ ---help---
+ Control-flow Enforcement Technology (CET) is a set of features in
+ hardware designed to combat Return-oriented Programming (ROP, also
+ call/jump COP/JOP) attacks. Shadow Stacks are one CET feature
+ designed to provide return address protection.
+
+ This option arranges for Xen to use CET-SS for its own protection.
+ When CET-SS is active, 32bit PV guests cannot be used. Backwards
+ compatiblity can be provided vai the PV Shim mechanism.
+
config SHADOW_PAGING
bool "Shadow Paging"
default y
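Review bot: The XEN_SHSTK help text has two typos in its last sentence, `compatiblity` and `vai`; it should read `compatibility can be provided via the PV Shim mechanism.` Since the option is `default y` (behind EXPERT) and silently removes 32bit PV guest support, the help would also usefully mention the runtime `cet=no-shstk` command-line override that the docs hunk in this commit describes, so an operator who hits the 32bit PV restriction knows it can be disabled without a rebuild.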
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 2dec7a3fc6..584589baff 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -95,6 +95,36 @@ unsigned long __initdata highmem_start;
size_param("highmem-start", highmem_start);
#endif
+static bool __initdata opt_xen_shstk = true;
+
+static int __init parse_cet(const char *s)
+{
+ const char *ss;
+ int val, rc = 0;
+
+ do {
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ if ( (val = parse_boolean("shstk", s, ss)) >= 0 )
+ {
+#ifdef CONFIG_XEN_SHSTK
+ opt_xen_shstk = val;
+#else
+ no_config_param("XEN_SHSTK", "cet", s, ss);
+#endif
+ }
+ else
+ rc = -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
+
+ return rc;
+}
+custom_param("cet", parse_cet);
+
cpumask_t __read_mostly cpu_present_map;
unsigned long __read_mostly xen_phys_start;
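Review bot: `opt_xen_shstk` at the top of the hunk is defined unconditionally, but the only reference to it in this hunk sits inside `#ifdef CONFIG_XEN_SHSTK`, so a build with that option off leaves a file-scope static that nothing uses; GCC's -Wall normally reports that as "defined but not used", which would fail a -Werror build unless something outside this hunk references it. The simplest fix is to guard the definition the same way: `#ifdef CONFIG_XEN_SHSTK` / `static bool __initdata opt_xen_shstk = true;` / `#endif`. A short comment on the variable would also help, e.g. `/* Runtime request (cet=shstk) to use CET-SS for Xen's own protection; honoured only where hardware supports it. */`, since nothing in this hunk consumes the value and the actual enablement decision (presumably where X86_FEATURE_XEN_SHSTK gets set) lives elsewhere.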
diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h
index 025f29e83e..f790d5c1f8 100644
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -140,6 +140,7 @@
#define cpu_has_aperfmperf boot_cpu_has(X86_FEATURE_APERFMPERF)
#define cpu_has_lfence_dispatch boot_cpu_has(X86_FEATURE_LFENCE_DISPATCH)
#define cpu_has_xen_lbr boot_cpu_has(X86_FEATURE_XEN_LBR)
+#define cpu_has_xen_shstk boot_cpu_has(X86_FEATURE_XEN_SHSTK)
#define cpu_has_msr_tsc_aux (cpu_has_rdtscp || cpu_has_rdpid)
diff --git a/xen/include/asm-x86/cpufeatures.h
b/xen/include/asm-x86/cpufeatures.h
index b9d3cac975..d7e42d9bb6 100644
--- a/xen/include/asm-x86/cpufeatures.h
+++ b/xen/include/asm-x86/cpufeatures.h
@@ -38,6 +38,7 @@ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses
MSR_DEBUGCTL.LBR */
XEN_CPUFEATURE(SC_VERW_PV, X86_SYNTH(23)) /* VERW used by Xen for PV */
XEN_CPUFEATURE(SC_VERW_HVM, X86_SYNTH(24)) /* VERW used by Xen for HVM */
XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle
*/
+XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks
*/
/* Bug words follow the synthetic words. */
#define X86_NR_BUG 1
diff --git a/xen/scripts/Kconfig.include b/xen/scripts/Kconfig.include
index 8221095ca3..e1f13e1720 100644
--- a/xen/scripts/Kconfig.include
+++ b/xen/scripts/Kconfig.include
@@ -31,6 +31,10 @@ cc-option = $(success,$(CC) -Werror $(CLANG_FLAGS) $(1) -E
-x c /dev/null -o /de
# Return y if the linker supports <flag>, n otherwise
ld-option = $(success,$(LD) -v $(1))
+# $(as-instr,<instr>)
+# Return y if the assembler supports <instr>, n otherwise
+as-instr = $(success,printf "%b\n" "$(1)" | $(CC) $(CLANG_FLAGS) -c -x
assembler -o /dev/null -)
+
# check if $(CC) and $(LD) exist
$(error-if,$(failure,command -v $(CC)),compiler '$(CC)' not found)
$(error-if,$(failure,command -v $(LD)),linker '$(LD)' not found)
--
generated by git-patchbot for /home/xen/git/xen.git#master