Xen project Mailing List

Re: [PATCH v2 69/70] x86/efi: Disable CET-IBT around Runtime Services calls

From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Tue, 15 Feb 2022 23:00:11 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=AacAo/eRvfY4J8goeSIPLwJDsg7Ltb3Rmt/eXKozd4g=; b=S7MmEg68P8Iv48LYfcOaHeWqHE0RTmFDRFRvN7J1CKYF8ivp0cZB2nrYa02g2kH+5ARtmxS38MV72v6W0LhqhwxBksSn/9K04tSMeiub4AGVZKluog90A0M0ntLPXtEwpevf1hoFJsbi1LMD5iHjbgykApnfn12T5pPnZNPhzA2VzFSt/QvYJGF15bATNILbKZ7Gg/RqXjg+G7BfuL7UrDfKUQ8v5BoISIewkEVmyLP/R9N7jahXlYKBaW9AC9d1fjOG5xa1vLfNyoJOIwMqESocKpetZo12i8t2nnNuf3dSArRRVv23551dZ8ayVp+wQW5/nj/X+iTVqrpTHzD6dA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QIEmBUrn8tGEB3IsrtlIeau2WpbC9nM5jqnlrHxbNNXIY8UKaX/2cF5KZraT9FGx2VhgzH14ShWqSc4SkkbHQ1mK2Q+9WLk8PofnMVZW5CvVEH7xtl/aclnnvMo+YhkZCH1fgMocb7FAFp4nDvKePSZOH5HV9qYrZsexlAQC1id8JNitIcMd8uO9MZ8oYCYPAGG83aJOc/+B7JECcVwzZm7g3wq1qXpeQBcP96RKFlTA7WRorkOWZ2lLAnUo911z7HnDB9XWaPvd8URffHPLk5JFB5Wdc+L5AQNt7xEnSpsYvP/keIx5WIITNgDzwLsZ8xm6ENvJpMq6gJpeW7kz9A==

Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 15 Feb 2022 23:00:21 +0000

Ironport-data: A9a23:fRuHj6tZnRkyoMij7CnKgWZNyefnVI1ZMUV32f8akzHdYApBsoF/q tZmKW/TPf7eYmH1LYsnat6+oE4P6sODyoRnQVRr/n01EXkT+JbJXdiXEBz9bniYRiHhoOOLz Cm8hv3odp1coqr0/0/1WlTZQP0VOZigHtIQMsadUsxKbVIiGHdJZS5LwbZj2NYy2IXhWGthh PupyyHhEA79s9JLGjp8B5Kr8HuDa9yr5Vv0FnRnDRx6lAe2e0s9VfrzFonoR5fMeaFGH/bSe gr25OrRElU1XfsaIojNfr7TKiXmS1NJVOSEoiI+t6OK2nCuqsGuu0qS2TV1hUp/0l20c95NJ NplmpuZSigxL6L1h88ZdENyLnxOB/Mb0eqSSZS/mZT7I0zudnLtx7NlDV0sPJ1e8eFyaY1M3 aVGcnZXNEnF3r/ohuLgIgVvrp1LwM3DFYUToHx/ixreCu4rW8vrSKTW/95Imjw3g6iiGN6AO ZdDOWU1NXwsZTVLKHMqBa19wNuGvV6ka2EAkVuWq7Q4tj27IAtZj+G2bYu9lsaxbdVYmAOUq 3zL+0z9AwoGL5qPxDyd6HWui+TT2yThV+o6C7mQ5vNsxlqJyQQ7ChcbSF+6qvmRkVOlVpRUL El8x8Y1hfFsrgrxFIC7BkDm5i7f1vIBZzZOO8I9wQKi0rvb2hmyAk9eZAMcWOZ46eZjEFTGy WS1t9/uADVutpicRnSc6qqYoFuOBMQFEYMRTXRaFFVYurEPtKl210uSFYg7TMZZm/WoQWmY/ tyckMQpa1z/Z+Yv3r7zw13IiinESnPhHl9svVW/so5IA2pEiG+Zi26AtACzARVodt/xory9U J4swZX2AAcmV8zlqcB1aL9RdIxFHt7cWNEmvXZhHoM66xOm8GO5cIZb7VlWfRk1bpdZIGW4M R6K42u9AaO/2lPwMMebhKrrVawXIVXIT4y5Bpg4kPISCnSOSON31H43PhPBt4wcuEMtjbs+K f+mnTWEVh4n5VBc5GPuHY81iOZzrghnnD+7bc2rnnyPjOvFDFbIGOhtDbd7Rr1ghE9yiF6Oq Ig32grj40g3bdASlQGOqtBNdAhTdyBkbX00wuQOHtO+zsNdMDhJI9fawK87epwjmKJQl+zS+ Wq6VFMew1367UAr4y3QApy6QL+wD5t5s1whOikgYQSh13Q5ON7956YDbZonO7Ig8bU7n/JzS vAEfeSGA+hOFWubq2hMM8GlodwwbgmviCKPIzGhPGo1cal/SlGb4dTjZAbuqnUDV3Llqcskr rS8/QrHWp5fFR96BcPbZav3nVO8tHQQgsxoWE7MLoUBcUng6tEyeSfwkuU2M4cHLhCanmmW0 AOfABE5o+jRotBqrImV1P7c94rwSrlwBEtXGWXf/I2aDyiC8zrx25JEXcaJYSvZCDH+9pK9a LgH1Pr7KvAGwgpH6tIuD7ZxwKsizNLzvLsGnB98FXDGYln3WLNtJn6KgZtGuqFXn+ILvAK3X gSE+8VAOKXPM8TgSQZDKA0gZ+WF9PcVhjiNsqhlfBSkvHd6rOidTEFfHxiQkygMfrJ6PbQsz folpMNLuRe0jQAnM4regy1Zn4hWwqfsj0nzWkkmPbLW

Ironport-hdrordr: A9a23:ymB0Hq2hZl00tVzVp/WvAAqjBRZyeYIsimQD101hICG9Lfb2qy n+ppgmPEHP5Qr5AEtQ5OxpOMG7MBbhHQYc2/heAV7QZnibhILOFvAi0WKC+UyuJ8SazIBgPM hbAtFD4bHLfDtHZIPBkXOF+rUbsZm6GcKT9J/jJh5WJGkAAcAB0+46MHfhLqQffngdOXNTLu v52iMznUvHRZ1hVLXdOpBqZZmgm/T70LbdJTIWDR8u7weDyRmy7qThLhSe1hACFxtS3LYL6w H+4k/Ez5Tml8v+5g7X1mfV4ZgTssDm0MF/CMuFjdVQAinwizyveJ9qV9S5zXIISaCUmRMXee v30lAd1vdImjXsl6aO0ELQMjzboXITArnZuAelaDXY0JfErXkBerV8bMpiA2XkAgwbzYxBOe twrhKkX9A8N2KwoA3to9fPTB1kjUyyvD4rlvMSlWVWVc8EZKZWtpF3xjIeLH4sJlOz1GkcKp gkMCgc3ocjTXqKK3TC+mV/yt2lWXo+Wh+AX0gZo8SQlzxbhmpwwUcUzNEW2i5ozuNwd7BUo+ Dfdqh4nrBHScEbKap7GecaWMOyTmjAWwjFPm6eKUnuUKsHJ3XOoZjq56hd3pDmRLUYiJ8p3J jRWlJRsmA/P0roFM2VxZVOtgvARW2sNA6dg/22J6IJzIEUaICbQxFreWpe5PdI+c9vcfEzc8 zDTa5rPw==

Ironport-sdr: heBUP79en1b5kY6vhmZIxGp+UhymKzWQFQFhN+sUq1omiWbRi3jX7XlGX1kp4Rwu8I71Hg4R+K fesqJW25wFFwgpCUjeGRHFtL0MJCPAcXAJYRXO5i4idr3VhqkuPxzCIPsCy/O15pm1abPAaRdS YzuIZeTva9RnMQe9qrVVXdgKHhbt8YMt4uLwZe1O1GKwtB0t36FXm1SZb/Oo3tT68+ZLvN6/dP 38gkg+h5/4GWS7AQyGSbM6BseREedSEkgEW2vc5fR0s+4M3CeKU9SnTqfHLZssu0yRgZcLr6dm frI+rCK1yMmsyyROgZEBoWQd

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHYIaO5yC8LkxEff0u7D+BbmzJONayU1dyAgABmbAA=

Thread-topic: [PATCH v2 69/70] x86/efi: Disable CET-IBT around Runtime Services calls

On 15/02/2022 16:53, Jan Beulich wrote: > On 14.02.2022 13:51, Andrew Cooper wrote: >> UEFI Runtime services, at the time of writing, aren't CET-IBT compatible. >> Work is ongoing to address this. In the meantime, unconditionally disable >> IBT. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Thanks. > >> --- a/xen/common/efi/runtime.c >> +++ b/xen/common/efi/runtime.c >> @@ -21,6 +21,7 @@ struct efi_rs_state { >> * don't strictly need that. >> */ >> unsigned long __aligned(32) cr3; >> + unsigned long msr_s_cet; >> #endif >> }; > The latest with the next addition here we will probably want to ... > >> @@ -113,6 +114,19 @@ struct efi_rs_state efi_rs_enter(void) > ... no longer have this be the function's return type. So about this. why aren't we using __attribute__((force_align_arg_pointer)) ? It exists in at least GCC 4.1 and Clang 6. We're way way overdue bumping the minimum toolchain versions, and Clang 3.5=>6 is still very obsolete minimum version. This way, we're not depending on some very subtle ABI mechanics to try and keep the stack properly aligned. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.