Xen project Mailing List

Re: [PATCH v2 3/7] x86/altcall: Optimise away endbr64 instruction where possible

From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Mon, 14 Feb 2022 13:31:02 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Z+cB0sqWlgdnGR5o8AFGcjMgr10K4PMs89dkpQ3ajkQ=; b=hqG1yb2+V9BwrrmJ37vGn5Qy5DkISGUS7wnavArg376IKqY+f8Ct2CAbbpWm3ui9lOxADk3hlrm+LHKLV/9Za5RVnIKAw6aERiLKyDVpfwTCMG4gliTO3pOklnPUa1ajMsjKb2SW0/UUhyhEz8O1duGg6kFwnJjjiAxkC7/r+L14f4X/eKWPZtTK/GqPJMPJiYcb6wwqEYfwlzxpG5nDyAUCaDxVF28OtRThidmaLkhuCS0ccuxh0aFQhIWge2mVchqgcFtVgpYR51so9KtDDX1NaMoPO9Ic+w4QcK6W2lbPiDXOEL2gQMYb5Pg2FOUdlWaY4VEkaJpmTQGubgEFkQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TQv6jwnEJ+sNr7lIfHqyqyIwCuR5pgqxWkTeYNolqiXKDGETv6sYOPRhawYlU4s7gGEeBx3mf/vN8K/lEz2jyXffM2jAEkqBQf0uEezQE0urst83LWd9bX5l4xug+YP9N4wsVEcnUH3uTOi+0kJdOzFq1VcDdLmp8ZO87n3JOPL2CvOu93Zs/ifKe7+QSvcG/NdUvy9dfd2MojW69NLg8u/qcXTj86OBe6mpLYa9L9anAyc9/5arVmO1jUmWm1slkg72AnnUYeluFrK8CgrZWKPh/cx5q+0mGcxgdj4y41+V2K52fufGYBbKRazsFurNZOikp80I8Kt+BDPQIlbu4w==

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 14 Feb 2022 13:31:37 +0000

Ironport-data: A9a23:m0OtxK/afDobQ1pCdAQEDrUDV3mTJUtcMsCJ2f8bNWPcYEJGY0x3x jdLWGGHaa6MYzb0eNBzOYiy8UpQsZbWyNRiHVNvqy08E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si9AttENlFEkvU2ybuOU5NXsZ2YhFWeIdA970Ug5w7Rg3tYy6TSEK1jlV e3a8pW31GCNg1aYAkpMg05UgEoy1BhakGpwUm0WPZinjneH/5UmJMt3yZWKB2n5WuFp8tuSH I4v+l0bElTxpH/BAvv9+lryn9ZjrrT6ZWBigVIOM0Sub4QrSoXfHc/XOdJFAXq7hQllkPhcx 4lkp5qwTD0JAZHotcY9agQJTgNHaPguFL/veRBTsOSWxkzCNXDt3+9vHAc9OohwFuRfWD8Us 6ZCcXZUM07F17neLLGTE4GAguwKKsXxMZxZkXZn1TzDVt4tQIzZQrWM7thdtNs1rp4SQKuAO ZtGAdZpRBOeehAIE1wVMZsjzcew2XXyWWUClE3A8MLb5ECMlVcsgdABKuH9atGMAMlYgEucj mbH5HjiRAEXMsSFzjiI+W7qgfXA9QvkXKoCGbv+8eRl6HWRzGEODBwdVXOgvOK0zEW5Xrpix 1c8o3R06/JorQryE4e7D0bQTGO4UgA0dtUMOv886AS36pXoxyu7JlEZH2NjUYlz3CMpfgAC2 liMltLvIDVgtryJVH6QnoupQSOO1Ts9djFbO3JdJecRy5y6+dxo0EqTJjp2OPPt1rXI9SfML ydmRcTUr5EaloY12qqy5jgraBr898GSHmbZCug6N19JDz+Vhqb4PeRECnCBtJ6sybp1qXHb4 hA5dzC2trxmMH10vHXlrB8xNL+o/e2ZFzbXnERiGZIsnxz0pSL/ItAAvWwmfRwzWirhRdMOS BWN0T69GbcJZCf6BUOJS97Z5zsWIVjISo2+C6G8gitmaZltbg6XlByClmbLt10BZHMEyPllU b/CKJ7EJS9DVcxPkWrnL89AgORD7n1vmgvuqWXTkk3PPUy2PyXOF9/o8TKmM4gE0U9ziFuJo ogPb5PQk32ykoTWO0HqzGLaFnhTRVATDpHqsc1HMOmFJwttAmY6DPHNh7gmfuRYc259yrigE qiVVhAKxVzhq2fALAnWOHlvZKm2BcR0rG4hPDxqNlGtgiBxbYGq5aYZVp02Ybh4q7Azka8qF 6EIK5eaH/BCajXb4DBBP5Pzm5NvKUawjgWUMiv7PDVmJ8x8RxbE88PPdxf08HVcFTK+sMYz+ uXy1g7STZcZaR5lCcLaNKCmw1+r5CBPk+NuRUrYZNJUfRy0ooRtLiXwiN4xIt0NdkqflmfLi V7ODE5B9+fXooIz/N3Yvoy+rt+kQ7lkA05XP2jH9rLqZyPUyXWunN1bW+GScDGDCG6toPe+Z f9Yxu3XOeEcmAoYqJJ1FrtmwP5s59broLMGnA1oEG+SMgauA7JkZHKHwdNOputGwboA4Vm6X UeG+997P7SVOZy6TA5NdVR9NunTh+sJnjTy7OguJBSo7SB6y7OLTEFOMkTekydaNrZ0bNsoz OpJVBT6MOBjZs7G6uq7sx0=

Ironport-hdrordr: A9a23:hL3YSa2XWPgRoHp2eYJFkAqjBRZyeYIsimQD101hICG9Lfb2qy n+ppgmPEHP5Qr5AEtQ5OxpOMG7MBbhHQYc2/heAV7QZnibhILOFvAi0WKC+UyuJ8SazIBgPM hbAtFD4bHLfDtHZIPBkXOF+rUbsZm6GcKT9J/jJh5WJGkAAcAB0+46MHfhLqQffngdOXNTLu v52iMznUvHRZ1hVLXdOpBqZZmgm/T70LbdJTIWDR8u7weDyRmy7qThLhSe1hACFxtS3LYL6w H+4k/Ez5Tml8v+5g7X1mfV4ZgTssDm0MF/CMuFjdVQAinwizyveJ9qV9S5zXIISaCUmRMXee v30lAd1vdImjXsl6aO0ELQMjzboXITArnZuAelaDXY0JfErXkBerV8bMpiA2XkAgwbzYxBOe twrhKkX9A8N2KwoA3to9fPTB1kjUyyvD4rlvMSlWVWVc8EZKZWtpF3xjIeLH4sJlOz1GkcKp gkMCgc3ocjTXqKK3TC+mV/yt2lWXo+Wh+AX0gZo8SQlzxbhmpwwUcUzNEW2i5ozuNwd7BUo+ Dfdqh4nrBHScEbKap7GecaWMOyTmjAWwjFPm6eKUnuUKsHJ3XOoZjq56hd3pDmRLUYiJ8p3J jRWlJRsmA/P0roFM2VxZVOtgvARW2sNA6dg/22J6IJzIEUaICbQxFreWpe5PdI+c9vcfEzc8 zDTa5rPw==

Ironport-sdr: TE7x6ORfD0MEURW9mKjik0/+tKEU336540cdf0OjtjVsqZckuLMp0vPlq8ABUcrdfRW7jWr8uz PjQaGIyx+8eZ+QsTrVLUT8VI6grnSWiyuawBl9tIZo8O/V13GdoaCIRS+A3dx6ogZeFE+Lo51b rHqeYJTq6RpHQmAKnE/HNUBEp9egvH/qTJxg3BZ5/dAUDTH+CqP8bnar7xIsChSWpIsgsuR0r5 lFB6YQsOsL42/7HfJSdAJxIOfrScuNeJKQ58/4twZTJfceejAX+Ii8RsnmVMFjjxN28/PxQfAM 6sXn48W+mwPpMhDD0k95UiAR

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHYIaJdlBm1laP+30eCBtzXO5xQTKyTA/+AgAAG84A=

Thread-topic: [PATCH v2 3/7] x86/altcall: Optimise away endbr64 instruction where possible

On 14/02/2022 13:06, Jan Beulich wrote: > On 14.02.2022 13:56, Andrew Cooper wrote: >> With altcall, we convert indirect branches into direct ones. With that >> complete, none of the potential targets need an endbr64 instruction. >> >> Furthermore, removing the endbr64 instructions is a security defence-in-depth >> improvement, because it limits the options available to an attacker who has >> managed to hijack a function pointer. >> >> Introduce new .init.{ro,}data.cf_clobber sections. Have >> _apply_alternatives() >> walk over this, looking for any pointers into .text, and clobber an endbr64 >> instruction if found. This is some minor structure (ab)use but it works >> alarmingly well. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Thanks, > with two remarks, which ideally would be addressed by respective > small adjustments: > >> @@ -330,6 +333,41 @@ static void init_or_livepatch >> _apply_alternatives(struct alt_instr *start, >> add_nops(buf + a->repl_len, total_len - a->repl_len); >> text_poke(orig, buf, total_len); >> } >> + >> + /* >> + * Clobber endbr64 instructions now that altcall has finished optimising >> + * all indirect branches to direct ones. >> + */ >> + if ( force && cpu_has_xen_ibt ) >> + { >> + void *const *val; >> + unsigned int clobbered = 0; >> + >> + /* >> + * This is some minor structure (ab)use. We walk the entire >> contents >> + * of .init.{ro,}data.cf_clobber as if it were an array of pointers. >> + * >> + * If the pointer points into .text, and at an endbr64 instruction, >> + * nop out the endbr64. This causes the pointer to no longer be a >> + * legal indirect branch target under CET-IBT. This is a >> + * defence-in-depth measure, to reduce the options available to an >> + * adversary who has managed to hijack a function pointer. >> + */ >> + for ( val = __initdata_cf_clobber_start; >> + val < __initdata_cf_clobber_end; >> + val++ ) >> + { >> + void *ptr = *val; >> + >> + if ( !is_kernel_text(ptr) || !is_endbr64(ptr) ) >> + continue; >> + >> + add_nops(ptr, 4); > This literal 4 would be nice to have a #define next to where the ENDBR64 > encoding has its central place. We don't have an encoding of ENDBR64 in a central place. The best you can probably have is #define ENDBR64_LEN 4 in endbr.h ? > >> --- a/xen/arch/x86/xen.lds.S >> +++ b/xen/arch/x86/xen.lds.S >> @@ -221,6 +221,12 @@ SECTIONS >> *(.initcall1.init) >> __initcall_end = .; >> >> + . = ALIGN(POINTER_ALIGN); >> + __initdata_cf_clobber_start = .; >> + *(.init.data.cf_clobber) >> + *(.init.rodata.cf_clobber) >> + __initdata_cf_clobber_end = .; >> + >> *(.init.data) >> *(.init.data.rel) >> *(.init.data.rel.*) > With r/o data ahead and r/w data following, may I suggest to flip the > order of the two section specifiers you add? I don't follow. This is all initdata which is merged together into a single section. The only reason const data is split out in the first place is to appease the toolchains, not because it makes a difference. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.