Xen project Mailing List

Re: [PATCH v2 00/70] x86: Support for CET Indirect Branch Tracking

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Thu, 17 Feb 2022 10:56:20 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=gekqWGqOBjPGU1p+uQpZXjt//QFLg7yP/cvraATeqBs=; b=e4miC+LMli3S9BIUbNjGmPBJwMrdcRiwghT6pKViohNSxydwuRVIXiyg0MiUveF5teT2k0rlDuPXb/yzMxJED3orLvIb72CAxZrzVUxn+Azx4e3cIFQ5u6+1STqJ/s8QRiBF56qXwokxXMeoBhf8GLDW0U7kKwNULugKkoB0FyEgdCtCKA7AijC8xEiVLy0HXCkkMAb5ahsLfNbrZm57l5ZOUZFTX+2434Gv+iqWL3PHakhfBeNb9nDRJiaZq0ocjKlxWWjTbleE6f8BCj2xkHT9aYcAVfZPAHTtFA0fplI9r5RuGK/49+i/JapOYoB/1KRIfMSEo4GW3GuGPRZ83w==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MWrGjO52+3uC5JELaXbpamcvAmBqVT3CZxB+ulO0qxaLJ7UH9z2BWroxQZY7OrvXq33ooeWPUUxnVHevQQGKinJf/M/w+r7KRbBL32fPAV+17FoX3dt5MsZp3oXHqSVHsk6AnXAWlpDQ7Y2ueBIlP47oDj/jXwWj3yZey86VSUqVDt8q7Uf5PC4pDPIKe7FzikOwLhl2f8zRdce40X5AlQlPMUCBLThPNYvC6TfxTOsHCIqVndmpkBNXmYszra+S/31258GGs20acYdFlP23pkcFWiIS+2hS7Sc85yIL6gkXM+IYTlofkDRNQ0EApaGe04B86M3AaBnYlgPdjIOODA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Thu, 17 Feb 2022 09:56:32 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16.02.2022 22:59, Andrew Cooper wrote: > On 14/02/2022 14:38, Jan Beulich wrote: >> On 14.02.2022 15:15, Andrew Cooper wrote: >>> On 14/02/2022 13:43, Jan Beulich wrote: >>>> On 14.02.2022 14:10, Andrew Cooper wrote: >>>>> On 14/02/2022 12:50, Andrew Cooper wrote: >>>>>> CET Indirect Branch Tracking is a hardware feature designed to protect >>>>>> against >>>>>> forward-edge control flow hijacking (Call/Jump oriented programming), >>>>>> and is a >>>>>> companion feature to CET Shadow Stacks added in Xen 4.14. >>>>>> >>>>>> Patches 1 thru 5 are prerequisites. Patches 6 thru 60 are fairly >>>>>> mechanical >>>>>> annotations of function pointer targets. Patches 61 thru 70 are the >>>>>> final >>>>>> enablement of CET-IBT. >>>>>> >>>>>> This series functions correctly with GCC 9 and later, although an >>>>>> experimental >>>>>> GCC patch is required to get more helpful typechecking at build time. >>>>>> >>>>>> Tested on a TigerLake NUC. >>>>>> >>>>>> CI pipelines: >>>>>> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/470453652 >>>>>> https://cirrus-ci.com/build/4962308362338304 >>>>>> >>>>>> Major changes from v1: >>>>>> * Boilerplate for mechanical commits >>>>>> * UEFI runtime services unconditionally disable IBT >>>>>> * Comprehensive build time check for embedded endbr's >>>>> There's one thing I considered, and wanted to discuss. >>>>> >>>>> I'm tempted to rename cf_check to cfi for the function annotation, as >>>>> it's shorter without reducing clarity. >>>> What would the 'i' stand for in this acronym? >>> The class of techniques is called Control Flow Integrity. >>> >>>> Irrespective of the answer >>>> I'd like to point out the name collision with the CFI directives at >>>> assembler level. This isn't necessarily an objection (I'm certainly for >>>> shortening), but we want to avoid introducing confusion. >>> I doubt there is confusion to be had here. One is entirely a compiler >>> construct which turns into ENDBR64 instructions in the assembler, and >>> one is a general toolchain construct we explicitly disable. >> Hmm. I'm still at best half convinced. Plus we generally have been >> naming our shorthands after the actual attribute names. By using >> "cfi" such a connection would also be largely lost. Roger, Wei, >> others - do you opinions either way? > > My point is this. Doing nothing is my easiest option. > > But if anyone has length/alternative suggestions, dealing with them now > is going to be infinitely easier than once this series is committed. Understood. My personal preference then is to stick with cf_check. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.