Re: [PATCH 01/65] x86: Introduce support for CET-IBT
- To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- From: Jan Beulich <jbeulich@xxxxxxxx>
- Date: Fri, 26 Nov 2021 15:10:16 +0100
- Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Fri, 26 Nov 2021 14:10:44 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 26.11.2021 13:33, Andrew Cooper wrote:
> @@ -124,6 +129,18 @@ config XEN_SHSTK
> When CET-SS is active, 32bit PV guests cannot be used. Backwards
> compatiblity can be provided via the PV Shim mechanism.
>
> +config XEN_IBT
> + bool "Supervisor Indirect Branch Tracking"
> + depends on HAS_CC_CET_IBT
> + default y
> + help
> + Control-flow Enforcement Technology (CET) is a set of features in
> + hardware designed to combat Return-oriented Programming (ROP, also
> + call/jump COP/JOP) attacks. Indirect Branch Tracking is one CET
> + feature designed to provide function pointer protection.
> +
> + This option arranges for Xen to use CET-IBT for its own protection.
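Review bot: the help text describes CET as aimed at "Return-oriented Programming (ROP, also call/jump COP/JOP)", but the feature this option enables, Indirect Branch Tracking, only constrains the targets of indirect call/jump instructions (the COP/JOP forward edge); return-edge protection against ROP is what the XEN_SHSTK option just above provides. Suggest rewording along the lines of "Indirect Branch Tracking is the CET feature that protects indirect call/jump targets (COP/JOP), complementing the shadow-stack protection against ROP provided by XEN_SHSTK" so readers do not take this option alone as a ROP mitigation.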
Shouldn't this depend on BROKEN until it's actually functional?
> --- a/xen/arch/x86/x86_emulate/x86_emulate.h
> +++ b/xen/arch/x86/x86_emulate/x86_emulate.h
> @@ -35,6 +35,11 @@
> # error Unknown compilation width
> #endif
>
> +#ifndef cf_check
> +/* Cope with userspace build not knowing about CET-IBT */
> +#define cf_check
> +#endif
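Review bot: an unconditional `#ifndef cf_check` / `#define cf_check` fallback in the shared emulator header means any translation unit that reaches this header without the real attribute definition, hypervisor builds included, compiles cleanly with the annotation silently dropped, so a missing include would yield unannotated functions with no diagnostic. Consider keeping the fallback tied to the userspace test build only (for example via that harness's own header rather than a bare `#ifndef`), so that a hypervisor build lacking the definition fails at compile time instead.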
Imo this shouldn't go here, but in tools/tests/x86_emulator/x86-emulate.h,
and then presumably without #ifdef.
Jan