[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.14] x86: Introduce support for CET-IBT
commit d220178b3cad69a4d9a6bd0ec80bca75ff701586 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Thu Oct 21 18:38:50 2021 +0100 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Fri Mar 25 17:11:55 2022 +0000 x86: Introduce support for CET-IBT CET Indirect Branch Tracking is a hardware feature designed to provide forward-edge control flow integrity, protecting against jump/call oriented programming. IBT requires the placement of endbr{32,64} instructions at the target of every indirect call/jmp, and every entrypoint. It is necessary to check for both compiler and assembler support, as the notrack prefix can be emitted in certain cases. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Acked-by: Jan Beulich <jbeulich@xxxxxxxx> (cherry picked from commit 3667f7f8f7c471e94e58cf35a95f09a0fe5c1290) Note: For backports to 4.14 thru 4.16, we are deliberately not using -mmanual-endbr as done in staging, as an intermediate approach which is not too invasive to backport. x86/cet: Force -fno-jump-tables for CET-IBT Both GCC and Clang have a (mis)feature where, even with -fcf-protection=branch, jump tables are created using a notrack jump rather than using endbr's in each case statement. This is incompatible with the safety properties we want in Xen, and enforced by not setting MSR_S_CET.NOTRACK_EN. The consequence is a fatal #CP[endbr]. -fno-jump-tables is generally active as a side effect of CONFIG_INDIRECT_THUNK (retpoline), but as of c/s 95d9ab461436 ("x86/Kconfig: introduce option to select retpoline usage"), we explicitly support turning retpoline off. Fixes: 3667f7f8f7c4 ("x86: Introduce support for CET-IBT") Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> (cherry picked from commit 9d4a44380d273de22d5753883cbf5581795ff24d) --- Config.mk | 1 - xen/arch/x86/Kconfig | 17 +++++++++++++++++ xen/arch/x86/arch.mk | 9 +++++++++ xen/arch/x86/configs/pvshim_defconfig | 1 + xen/include/asm-x86/cpufeature.h | 1 + xen/include/asm-x86/cpufeatures.h | 1 + xen/include/asm-x86/indirect_thunk_asm.h | 6 ++++++ 7 files changed, 35 insertions(+), 1 deletion(-) diff --git a/Config.mk b/Config.mk index 1356e6e151..69ea750856 100644 --- a/Config.mk +++ b/Config.mk @@ -205,7 +205,6 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i)) EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables -EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles # All the files at that location were downloaded from elsewhere on diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 8af5d6be80..950deaa032 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -38,6 +38,11 @@ config HAS_AS_CET_SS # binutils >= 2.29 or LLVM >= 6 def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy) +config HAS_CC_CET_IBT + # GCC >= 9 and binutils >= 2.29 + # Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654 + def_bool $(cc-option,-fcf-protection=branch -mindirect-branch=thunk-extern) && $(as-instr,endbr64) + menu "Architecture Features" source "arch/Kconfig" @@ -118,6 +123,18 @@ config XEN_SHSTK When CET-SS is active, 32bit PV guests cannot be used. Backwards compatiblity can be provided via the PV Shim mechanism. +config XEN_IBT + bool "Supervisor Indirect Branch Tracking" + depends on HAS_CC_CET_IBT + default y + help + Control-flow Enforcement Technology (CET) is a set of features in + hardware designed to combat Return-oriented Programming (ROP, also + call/jump COP/JOP) attacks. Indirect Branch Tracking is one CET + feature designed to provide function pointer protection. + + This option arranges for Xen to use CET-IBT for its own protection. + config SHADOW_PAGING bool "Shadow Paging" default y diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk index 04e967436b..7a7ff7dd7d 100644 --- a/xen/arch/x86/arch.mk +++ b/xen/arch/x86/arch.mk @@ -45,6 +45,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables +ifdef CONFIG_XEN_IBT +# Force -fno-jump-tables to work around +# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816 +# https://github.com/llvm/llvm-project/issues/54247 +CFLAGS += -fcf-protection=branch -fno-jump-tables +else +$(call cc-option-add,CFLAGS,CC,-fcf-protection=none) +endif + # If supported by the compiler, reduce stack alignment to 8 bytes. But allow # this to be overridden elsewhere. $(call cc-option-add,CFLAGS-stack-boundary,CC,-mpreferred-stack-boundary=3) diff --git a/xen/arch/x86/configs/pvshim_defconfig b/xen/arch/x86/configs/pvshim_defconfig index 3af48d6c06..6da7ecb595 100644 --- a/xen/arch/x86/configs/pvshim_defconfig +++ b/xen/arch/x86/configs/pvshim_defconfig @@ -10,6 +10,7 @@ CONFIG_SCHED_NULL=y # Disable features not used by the PV shim # CONFIG_HVM is not set # CONFIG_XEN_SHSTK is not set +# CONFIG_XEN_IBT is not set # CONFIG_HYPFS is not set # CONFIG_SHADOW_PAGING is not set # CONFIG_BIGMEM is not set diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 004cbdcb10..e93e72bbbd 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -149,6 +149,7 @@ #define cpu_has_lfence_dispatch boot_cpu_has(X86_FEATURE_LFENCE_DISPATCH) #define cpu_has_xen_lbr boot_cpu_has(X86_FEATURE_XEN_LBR) #define cpu_has_xen_shstk boot_cpu_has(X86_FEATURE_XEN_SHSTK) +#define cpu_has_xen_ibt boot_cpu_has(X86_FEATURE_XEN_IBT) #define cpu_has_msr_tsc_aux (cpu_has_rdtscp || cpu_has_rdpid) diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index 6c8f432aee..fe2f97354f 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -39,6 +39,7 @@ XEN_CPUFEATURE(SC_VERW_PV, X86_SYNTH(23)) /* VERW used by Xen for PV */ XEN_CPUFEATURE(SC_VERW_HVM, X86_SYNTH(24)) /* VERW used by Xen for HVM */ XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ +XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ /* Bug words follow the synthetic words. */ #define X86_NR_BUG 1 diff --git a/xen/include/asm-x86/indirect_thunk_asm.h b/xen/include/asm-x86/indirect_thunk_asm.h index 71e6de5bf7..26874bb0d8 100644 --- a/xen/include/asm-x86/indirect_thunk_asm.h +++ b/xen/include/asm-x86/indirect_thunk_asm.h @@ -50,4 +50,10 @@ asm ( "\t.include \"asm/indirect_thunk_asm.h\"" ); INDIRECT_BRANCH jmp \arg .endm +#ifdef CONFIG_XEN_IBT +# define ENDBR64 endbr64 +#else +# define ENDBR64 +#endif + #endif -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.14
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |