
RE: [PATCH v2 for-4.14] x86/livepatch: Make livepatching compatible with CET Shadow Stacks



> -----Original Message-----
> From: Jan Beulich <jbeulich@xxxxxxxx>
> Sent: 26 June 2020 14:15
> To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>; Wei Liu <wl@xxxxxxx>; Roger Pau Monné <roger.pau@xxxxxxxxxx>; Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>; Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>; Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>; Paul Durrant <paul@xxxxxxx>
> Subject: Re: [PATCH v2 for-4.14] x86/livepatch: Make livepatching compatible with CET Shadow Stacks
> 
> On 26.06.2020 14:24, Andrew Cooper wrote:
> > Just like the alternatives infrastructure, the livepatch infrastructure
> > disables CR0.WP to perform patching, which is not permitted with CET active.
> >
> > Modify arch_livepatch_{quiesce,revive}() to disable CET before disabling WP,
> > and reset the dirty bits on all virtual regions before re-enabling CET.
> >
> > One complication is that arch_livepatch_revive() has to fix up the top of the
> > shadow stack.  This depends on the functions not being inlined, even under
> > LTO.  Another limitation is that reset_virtual_region_perms() may shatter the
> > final superpage of .text depending on alignment.
> >
> > This logic, and its downsides, are temporary until the patching infrastructure
> > can be adjusted to not use CR0.WP.
> 
> In particular on this basis ...
> 
> > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> 
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Release-acked-by: Paul Durrant <paul@xxxxxxx>

> 
> Jan




 

