
Re: [PATCH 01/65] x86: Introduce support for CET-IBT


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 26 Nov 2021 15:10:16 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 26 Nov 2021 14:10:44 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.11.2021 13:33, Andrew Cooper wrote:
> @@ -124,6 +129,18 @@ config XEN_SHSTK
>         When CET-SS is active, 32bit PV guests cannot be used.  Backwards
>         compatiblity can be provided via the PV Shim mechanism.
>  
> +config XEN_IBT
> +     bool "Supervisor Indirect Branch Tracking"
> +     depends on HAS_CC_CET_IBT
> +     default y
> +     help
> +       Control-flow Enforcement Technology (CET) is a set of features in
> +       hardware designed to combat Return-oriented Programming (ROP, also
> +       call/jump COP/JOP) attacks.  Indirect Branch Tracking is one CET
> +       feature designed to provide function pointer protection.
> +
> +       This option arranges for Xen to use CET-IBT for its own protection.
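Review bot: the option defaults to y and depends only on compiler support (HAS_CC_CET_IBT), yet the help text says nothing about what happens on hardware without CET-IBT; consider adding a sentence stating whether Xen detects IBT at boot and runs without it otherwise, in the same way the XEN_SHSTK help above records its 32bit PV guest caveat. A minor wording point: "(ROP, also call/jump COP/JOP) attacks" is hard to parse and would read better as "(ROP) and its call/jump-oriented variants (COP/JOP)", and "function pointer protection" could be made concrete as protection for the targets of indirect calls and jumps.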

Shouldn't this depend on BROKEN until it's actually functional?

> --- a/xen/arch/x86/x86_emulate/x86_emulate.h
> +++ b/xen/arch/x86/x86_emulate/x86_emulate.h
> @@ -35,6 +35,11 @@
>  # error Unknown compilation width
>  #endif
>  
> +#ifndef cf_check
> +/* Cope with userspace build not knowing about CET-IBT */
> +#define cf_check
> +#endif
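Review bot: the `#ifndef cf_check` fallback in the shared emulator header is not limited to the userspace build: any hypervisor translation unit that includes this header without the real definition in scope would silently get an empty `cf_check` and compile without the IBT annotation instead of failing, which hides a missing include. Keeping the fallback out of xen/arch/x86/x86_emulate/x86_emulate.h and defining it only in the userspace harness header keeps the hypervisor build strict; the comment should also name the build it caters for (the tools/tests/x86_emulator harness) rather than the generic "userspace build".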

Imo this shouldn't go here, but in tools/tests/x86_emulator/x86-emulate.h,
and then presumably without #ifdef.

Jan
