[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 0/7] x86: Further harden function pointers

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Mon, 14 Feb 2022 12:56:25 +0000
Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 14 Feb 2022 12:56:59 +0000
Ironport-data: A9a23:ePkb+qK4Skc9wNJgFE+RRJIlxSXFcZb7ZxGr2PjKsXjdYENS1jUEy jZKWGHUbPnbamf8eNxybI6+/UoPvpHVmtVhHgBlqX01Q3x08seUXt7xwmUcns+xwm8vaGo9s q3yv/GZdJhcokcxIn5BC5C5xZVG/fjgqoHUVaiUakideSc+EH170Ug6x7Zg6mJVqYPR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyB94KYkDbOwNxPFrrx8RYZWc QphIIaRpQs19z91Yj+sfy2SnkciGtY+NiDW4pZatjTLbrGvaUXe345iXMfwZ3u7hB2GvMBw9 tF1jKXvChUlbqyct9keURxhRnQW0a1uoNcrIFC6uM2XiUbHb2Ht07NlC0Re0Y8wo7gtRzsUr LpBdW5LPkvra+GemdpXTsFFgMg5IdatF4QYonx6lhnSDOo8QICFSKLPjTNd9Gls35weQKmPD yYfQT9oVBHhWixLBm4sOowwxs2E2CPTcRQN/Tp5ooJoujOOnWSdyoPFPNXZd9OQTO1Jj02Yo STA5G2/DRYEXPST0SGA826srubXkDnnRZkJE7ml6v9thkbVzWsWYDUTXEG+qOO0iWa/XcxeM E0e/icyrak0+1evR9O7VBq9yFaUsxhZV9dOHukS7ACW1rGS8wufHnIDTDNKdJohrsBebR4A2 0KNntjpLSdyq7DTQnWYnp+LqRuiNC5TKnUNDRLoViNcvYOl+ttqyEuSEJAzS8ZZk+EZBxn/4 CCLkiwGvoxMztwHh6Tr0m3EgTeV882hohEO2i3bWWes7wVcbYGjZpC15VWz0cusPLp1XXHa4 iFaxpH2APQmSMjUyXfTGLll8KSBuq7dWAAwl2KDCHXIG96F33e4Nb5d7zhlTKuCGpZVIGS5C KM/VO442XOyAJdIRfItC25SI55zpUQFKTgCfqqKBueimrArKGe6ENhGPCZ8JVzFnkk2ir0YM pyGa8uqBntyIf05kGbpF7dAjOdynXpWKYbvqXfTlUrP7FZjTCTNFedt3KWmMojVE59oUC2Kq o0CZqNmOj1UUfHkYzm/zGLgBQtiEJTPPriv85Y/XrfaemJOQTh9Y9eMkeJJU9E0xMx9y7aXl kxRr2cFkTITc1Wccl7UAp2iAZuyNatCQYUTY3B9YwbwgyJ7CWtthY9GH6YKkXAc3LQL5ZZJo zMtIq1s29xDFWbK/Sozd574oNAwfRinn1vWbSGkfCI+b9hrQAmQoo3oeQ7m9S8vCCurtJRh/ +38h12DGZdTFR5/CMv2ae60yw/jt3Yqh+8vDVDDJcNeeRuw/dEyeTDxlPI+P+oFNQ7HmmmBz w+TDBpB/bvNroY5/cPnn6eBq4v1QeJyElADRzvQ7KqsNDmc9W2mmNcSXOGNdDHbdWX15KT9O rkFk6CiaKUKxQ8YvZB9HrBnybMFy+Hu/7IKnB55GHjrbkiwDu8yKHexwsQS5LZGwaVUuFXqV xvXqMVaI7iAJOjsDEUVeFg+du2G2PwZxmvS4PAyLBmo7SN75uPaA0BbPh3Kgy1BNrpldogix L556sIR7gW+jDssM8qH0X8IpzjdcCRYXvV1rIweDa/qlhEvmwNLbpHrAyPr5I2CNodXOU4wL z7I3KfPitywHKYZn6bfwZQV4ddguA==
Ironport-hdrordr: A9a23:hsOKxKvj6IGAgV5qXFgxSCD37skDdNV00zEX/kB9WHVpmszxra 6TdZUgpGbJYVkqOE3I9ertBEDEewK4yXcX2/h2AV7BZniEhILAFugLhuGO/9SjIVybygc079 YGT0EUMrzN5DZB4voSmDPIceod/A==
Ironport-sdr: YQW0OeKcfGXIF1O+BL1fXYN9H+ypog1sfQo7O0/ICmRRNIFvAV1JPTJ5XWOSLxMkwyfBHBK38y V1J/zg4P+S3lj+VJqwSIC8V0Rk6N7qPpaN8IArKZnxtAP3lVhtiCF+e5VZGbnJqJHhpj9aG6HY KoxRRqUoJCqqQuUwuuZ1Mmm0xak1QPk+vjnaCKC1qvaFBRW336rZLacdnsFgWW74s56rw+/Ltk shPrD8X3VS6+XmYLsqSedNCgHzy5KUzI/kDezz4kbp6kL8Usx8MpHLlalTNlpoXKWdRJ7igAB9 F5qptJ/XI6TdzllDTUozedP8
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Additional runtime hardning of indirect branches.  Depends on the CET-IBT
series.

Andrew Cooper (7):
  xen/altcall: Use __ro_after_init now that it exists
  x86/altcall: Check and optimise altcall targets
  x86/altcall: Optimise away endbr64 instruction where possible
  xsm: Use __initconst_cf_clobber for xsm_ops
  x86/hvm: Use __initdata_cf_clobber for hvm_funcs
  x86/ucode: Use altcall, and __initconst_cf_clobber
  x86/vpmu: Harden indirect branches

 xen/arch/x86/alternative.c         | 61 ++++++++++++++++++++++++++++++++++++++
 xen/arch/x86/cpu/microcode/amd.c   |  2 +-
 xen/arch/x86/cpu/microcode/core.c  | 38 +++++++++++++-----------
 xen/arch/x86/cpu/microcode/intel.c |  2 +-
 xen/arch/x86/cpu/vpmu_amd.c        |  2 +-
 xen/arch/x86/cpu/vpmu_intel.c      |  2 +-
 xen/arch/x86/hvm/hvm.c             |  2 +-
 xen/arch/x86/hvm/svm/svm.c         |  2 +-
 xen/arch/x86/hvm/vmx/vmx.c         |  2 +-
 xen/arch/x86/xen.lds.S             |  6 ++++
 xen/include/xen/alternative-call.h |  2 +-
 xen/include/xen/init.h             |  3 ++
 xen/xsm/dummy.c                    |  2 +-
 xen/xsm/flask/hooks.c              |  2 +-
 xen/xsm/silo.c                     |  2 +-
 15 files changed, 101 insertions(+), 29 deletions(-)

-- 
2.11.0

Follow-Ups:
- [PATCH v2.2 8/7] x86/IOMMU: Use altcall, and __initconst_cf_clobber
  - From: Andrew Cooper
- [PATCH v2.1 8/7] x86/IOMMU: Use altcall, and __initconst_cf_clobber
  - From: Andrew Cooper
- [PATCH v2 4/7] xsm: Use __initconst_cf_clobber for xsm_ops
  - From: Andrew Cooper
- [PATCH v2 3/7] x86/altcall: Optimise away endbr64 instruction where possible
  - From: Andrew Cooper
- [PATCH v2 5/7] x86/hvm: Use __initdata_cf_clobber for hvm_funcs
  - From: Andrew Cooper
- [PATCH v2 6/7] x86/ucode: Use altcall, and __initconst_cf_clobber
  - From: Andrew Cooper
- [PATCH v2 1/7] xen/altcall: Use __ro_after_init now that it exists
  - From: Andrew Cooper
- [PATCH v2 2/7] x86/altcall: Check and optimise altcall targets
  - From: Andrew Cooper
- [PATCH v2 7/7] x86/vpmu: Harden indirect branches
  - From: Andrew Cooper

Prev by Date: [PATCH v2 2/7] x86/altcall: Check and optimise altcall targets
Next by Date: [PATCH v2 1/7] xen/altcall: Use __ro_after_init now that it exists
Previous by thread: [PATCH v2 00/70] x86: Support for CET Indirect Branch Tracking
Next by thread: [PATCH v2 7/7] x86/vpmu: Harden indirect branches
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.