
Re: [PATCH 01/65] x86: Introduce support for CET-IBT



On 29/11/2021 09:21, Jan Beulich wrote:
> On 26.11.2021 16:21, Andrew Cooper wrote:
>> On 26/11/2021 14:10, Jan Beulich wrote:
>>> On 26.11.2021 13:33, Andrew Cooper wrote:
>>>> @@ -124,6 +129,18 @@ config XEN_SHSTK
>>>>      When CET-SS is active, 32bit PV guests cannot be used.  Backwards
>>>>      compatiblity can be provided via the PV Shim mechanism.
>>>>  
>>>> +config XEN_IBT
>>>> +  bool "Supervisor Indirect Branch Tracking"
>>>> +  depends on HAS_CC_CET_IBT
>>>> +  default y
>>>> +  help
>>>> +    Control-flow Enforcement Technology (CET) is a set of features in
>>>> +    hardware designed to combat Return-oriented Programming (ROP, also
>>>> +    call/jump COP/JOP) attacks.  Indirect Branch Tracking is one CET
>>>> +    feature designed to provide function pointer protection.
>>>> +
>>>> +    This option arranges for Xen to use CET-IBT for its own protection.
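Review bot: the help text in this hunk is hard to parse where it reads `+    hardware designed to combat Return-oriented Programming (ROP, also` / `+    call/jump COP/JOP) attacks.`; suggest spelling the other two variants out in the same form as ROP, e.g. "Return-oriented Programming (ROP) and Call/Jump-oriented Programming (COP/JOP) attacks", so the acronyms are introduced properly. Separately, the unchanged context line `compatiblity can be provided via the PV Shim mechanism.` carries a pre-existing misspelling ("compatibility"); since it is outside this change it belongs in a separate typo-fix patch rather than being silently folded into this one.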
>>> Shouldn't this depend on BROKEN until it's actually functional?
>> It compiles fine right from now, and making it BROKEN would inhibit
>> bisection through the series.
>>
>> Nothing actually matters until patch 65 turns on MSR_S_CET.ENDBR_EN.
> "Nothing" except that until then the promised extra security isn't
> there.

The series is very likely to be committed in one fell swoop, but even
that aside, it really doesn't matter until 4.17-rc1.

As it stands, this is ~65 patches of incremental changes to the binary,
and oughtn't to be 65 nops and a massive switch at the end.

~Andrew
