
[xen stable-4.15] x86: Introduce support for CET-IBT



commit 96233cf87b4ead3f6480ed21c3ed2836dcc29418
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Oct 21 18:38:50 2021 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Mar 25 17:10:38 2022 +0000

    x86: Introduce support for CET-IBT
    
    CET Indirect Branch Tracking is a hardware feature designed to provide
    forward-edge control flow integrity, protecting against jump/call oriented
    programming.
    
    IBT requires the placement of endbr{32,64} instructions at the target of 
every
    indirect call/jmp, and every entrypoint.
    
    It is necessary to check for both compiler and assembler support, as the
    notrack prefix can be emitted in certain cases.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit 3667f7f8f7c471e94e58cf35a95f09a0fe5c1290)
    
    Note: For backports to 4.14 thru 4.16, we are deliberately not using
          -mmanual-endbr as done in staging, as an intermediate approach which
          is not too invasive to backport.
    
    x86/cet: Force -fno-jump-tables for CET-IBT
    
    Both GCC and Clang have a (mis)feature where, even with
    -fcf-protection=branch, jump tables are created using a notrack jump rather
    than using endbr's in each case statement.
    
    This is incompatible with the safety properties we want in Xen, and enforced
    by not setting MSR_S_CET.NOTRACK_EN.  The consequence is a fatal #CP[endbr].
    
    -fno-jump-tables is generally active as a side effect of
    CONFIG_INDIRECT_THUNK (retpoline), but as of c/s 95d9ab461436 ("x86/Kconfig:
    introduce option to select retpoline usage"), we explicitly support turning
    retpoline off.
    
    Fixes: 3667f7f8f7c4 ("x86: Introduce support for CET-IBT")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit 9d4a44380d273de22d5753883cbf5581795ff24d)
---
 Config.mk                             |  1 -
 xen/arch/x86/Kconfig                  | 17 +++++++++++++++++
 xen/arch/x86/arch.mk                  |  9 +++++++++
 xen/arch/x86/configs/pvshim_defconfig |  1 +
 xen/include/asm-x86/asm-defns.h       |  6 ++++++
 xen/include/asm-x86/cpufeature.h      |  1 +
 xen/include/asm-x86/cpufeatures.h     |  1 +
 7 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/Config.mk b/Config.mk
index f467b43beb..ae5eaecd62 100644
--- a/Config.mk
+++ b/Config.mk
@@ -205,7 +205,6 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 
 EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
-EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
 
 XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 27cb793165..4fdb39af3e 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -38,6 +38,11 @@ config HAS_AS_CET_SS
        # binutils >= 2.29 or LLVM >= 6
        def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy)
 
+config HAS_CC_CET_IBT
+       # GCC >= 9 and binutils >= 2.29
+       # Retpoline check to work around 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654
+       def_bool $(cc-option,-fcf-protection=branch 
-mindirect-branch=thunk-extern) && $(as-instr,endbr64)
+
 menu "Architecture Features"
 
 source "arch/Kconfig"
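Review bot: The comment on HAS_CC_CET_IBT names GCC bug 93654 but not the failure it guards against, so a later reader cannot tell why the compiler probe carries `-mindirect-branch=thunk-extern` alongside `-fcf-protection=branch`. As far as I recall, affected GCC releases reject that flag pair outright, so a retpoline build would break on a compiler that passes a bare `-fcf-protection=branch` probe; suggest `# Retpoline check: affected GCC rejects -fcf-protection=branch combined with -mindirect-branch=thunk-extern (GCC PR93654)`. Because the probe uses the GCC spelling of the retpoline flag, Clang presumably never satisfies it; if that is intended, say so in the comment.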
@@ -119,6 +124,18 @@ config XEN_SHSTK
          When CET-SS is active, 32bit PV guests cannot be used.  Backwards
          compatiblity can be provided via the PV Shim mechanism.
 
+config XEN_IBT
+       bool "Supervisor Indirect Branch Tracking"
+       depends on HAS_CC_CET_IBT
+       default y
+       help
+         Control-flow Enforcement Technology (CET) is a set of features in
+         hardware designed to combat Return-oriented Programming (ROP, also
+         call/jump COP/JOP) attacks.  Indirect Branch Tracking is one CET
+         feature designed to provide function pointer protection.
+
+         This option arranges for Xen to use CET-IBT for its own protection.
+
 config SHADOW_PAGING
        bool "Shadow Paging"
        default !PV_SHIM_EXCLUSIVE
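Review bot: The help text for XEN_IBT does not tell the person flipping the option what it commits the build to: per the commit message, MSR_S_CET.NOTRACK_EN is deliberately left clear, so with this option on any `notrack` indirect branch becomes a fatal #CP, which is why the compiler must also be forced to `-fno-jump-tables`. A closing sentence such as `Xen does not enable NOTRACK, so every indirect branch target must carry endbr64; the toolchain flags are adjusted accordingly.` would make that constraint visible in the one place users see it. The phrase `(ROP, also call/jump COP/JOP)` also reads awkwardly; `(ROP) and Call/Jump-oriented Programming (COP/JOP)` is clearer.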
diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
index ce0c1a0e7f..033048ab6b 100644
--- a/xen/arch/x86/arch.mk
+++ b/xen/arch/x86/arch.mk
@@ -46,6 +46,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += 
-mindirect-branch=thunk-extern
 CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
 CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
 
+ifdef CONFIG_XEN_IBT
+# Force -fno-jump-tables to work around
+#   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816
+#   https://github.com/llvm/llvm-project/issues/54247
+CFLAGS += -fcf-protection=branch -fno-jump-tables
+else
+$(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
+endif
+
 # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
 # this to be overridden elsewhere.
 $(call cc-option-add,CFLAGS-stack-boundary,CC,-mpreferred-stack-boundary=3)
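Review bot: The else branch forces `-fcf-protection=none` through cc-option-add with no comment saying why, while the comment in the IBT branch only explains `-fno-jump-tables`. The reason, as far as I can tell, is that some distribution toolchains default to `-fcf-protection=full`, which would scatter endbr64 (and, via jump tables, notrack) through a hypervisor that never turns IBT on; suggest `# Non-IBT builds: override any compiler default (e.g. -fcf-protection=full) so no endbr/notrack is emitted`. It would also help to state that `-fcf-protection=branch` is added unconditionally here because HAS_CC_CET_IBT already probed it, so CFLAGS and Kconfig cannot drift apart.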
diff --git a/xen/arch/x86/configs/pvshim_defconfig 
b/xen/arch/x86/configs/pvshim_defconfig
index cdf5776610..23ba51e728 100644
--- a/xen/arch/x86/configs/pvshim_defconfig
+++ b/xen/arch/x86/configs/pvshim_defconfig
@@ -9,6 +9,7 @@ CONFIG_EXPERT=y
 CONFIG_SCHED_NULL=y
 # Disable features not used by the PV shim
 # CONFIG_XEN_SHSTK is not set
+# CONFIG_XEN_IBT is not set
 # CONFIG_GRANT_TABLE is not set
 # CONFIG_HYPFS is not set
 # CONFIG_BIGMEM is not set
diff --git a/xen/include/asm-x86/asm-defns.h b/xen/include/asm-x86/asm-defns.h
index 505f39ad5f..8bd9007731 100644
--- a/xen/include/asm-x86/asm-defns.h
+++ b/xen/include/asm-x86/asm-defns.h
@@ -57,6 +57,12 @@
     INDIRECT_BRANCH jmp \arg
 .endm
 
+#ifdef CONFIG_XEN_IBT
+# define ENDBR64 endbr64
+#else
+# define ENDBR64
+#endif
+
 .macro guest_access_mask_ptr ptr:req, scratch1:req, scratch2:req
 #if defined(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS)
     /*
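Review bot: ENDBR64 is introduced with no comment on its contract, and nothing in this commit uses it, so whoever places it in assembly entrypoints in follow-up patches has to reconstruct the rules from the commit message. Suggest a comment above the `#ifdef CONFIG_XEN_IBT` block: `/* Must be the first instruction of every asm symbol that is an entrypoint or an indirect branch target. Expands to nothing when CET-IBT is not built in. */`. Since `-fcf-protection=branch` only covers compiler-generated code, it is worth saying explicitly that hand-written .S entrypoints depend on this macro for their endbr64.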
diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h
index fe04d98fa1..460d38356c 100644
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -153,6 +153,7 @@
 #define cpu_has_lfence_dispatch boot_cpu_has(X86_FEATURE_LFENCE_DISPATCH)
 #define cpu_has_xen_lbr         boot_cpu_has(X86_FEATURE_XEN_LBR)
 #define cpu_has_xen_shstk       boot_cpu_has(X86_FEATURE_XEN_SHSTK)
+#define cpu_has_xen_ibt         boot_cpu_has(X86_FEATURE_XEN_IBT)
 
 #define cpu_has_msr_tsc_aux     (cpu_has_rdtscp || cpu_has_rdpid)
 
diff --git a/xen/include/asm-x86/cpufeatures.h 
b/xen/include/asm-x86/cpufeatures.h
index 6c8f432aee..fe2f97354f 100644
--- a/xen/include/asm-x86/cpufeatures.h
+++ b/xen/include/asm-x86/cpufeatures.h
@@ -39,6 +39,7 @@ XEN_CPUFEATURE(SC_VERW_PV,        X86_SYNTH(23)) /* VERW used 
by Xen for PV */
 XEN_CPUFEATURE(SC_VERW_HVM,       X86_SYNTH(24)) /* VERW used by Xen for HVM */
 XEN_CPUFEATURE(SC_VERW_IDLE,      X86_SYNTH(25)) /* VERW used by Xen for idle 
*/
 XEN_CPUFEATURE(XEN_SHSTK,         X86_SYNTH(26)) /* Xen uses CET Shadow Stacks 
*/
+XEN_CPUFEATURE(XEN_IBT,           X86_SYNTH(27)) /* Xen uses CET Indirect 
Branch Tracking */
 
 /* Bug words follow the synthetic words. */
 #define X86_NR_BUG 1
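Review bot: XEN_IBT is declared at X86_SYNTH(27) and exposed as cpu_has_xen_ibt in cpufeature.h, but the diffstat shows only Kconfig, makefile and header changes, so nothing in this commit sets the synthetic bit and cpu_has_xen_ibt is always false until the code that actually enables IBT lands. That is fine for a series backport, but the commit message's Note only covers the -mmanual-endbr deviation; a sentence saying the feature bit is set by later patches would save reviewers searching for where Xen enables IBT. A trailing comment on the new line, e.g. `/* Xen uses CET Indirect Branch Tracking (set by later patches) */`, would serve the same purpose in the header.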
--