|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH v3 00/70 (not all posted)] x86: Support for CET Indirect Branch Tracking
To avoid spamming everyone, I have only re-sent patches with changes in v3. CET Indirect Branch Tracking is a hardware feature designed to protect against forward-edge control flow hijacking (Call/Jump oriented programming), and is a companion feature to CET Shadow Stacks added in Xen 4.14. Patches 1 thru 5 are prerequisites. Patches 6 thru 59 are fairly mechanical annotations of function pointer targets. Patches 60 thru 70 are the final enablement of CET-IBT. This series functions correctly with GCC 9 and later, although an experimental GCC patch is required to get more helpful typechecking at build time. A container with this fix has been added to CI. Tested on a TigerLake NUC by me, and by Marek also. CI pipelines: https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/476819536 https://cirrus-ci.com/build/4634902334275584 Andrew Cooper (67): xen/sort: Switch to an extern inline implementation xen/xsm: Move {do,compat}_flask_op() declarations into a header x86/kexec: Annotate embedded data with ELF metadata x86: Introduce support for CET-IBT xen: CFI hardening for x86 hypercalls xen: CFI hardening for custom_param() xen: CFI hardening for __initcall() xen: CFI hardening for notifier callbacks xen: CFI hardening for acpi_table_parse() xen: CFI hardening for continue_hypercall_on_cpu() xen: CFI hardening for init_timer() xen: CFI hardening for call_rcu() xen: CFI hardening for IPIs xen: CFI hardening for open_softirq() xsm/flask/ss: CFI hardening xsm: CFI hardening xen/sched: CFI hardening xen/evtchn: CFI hardening xen/hypfs: CFI hardening xen/tasklet: CFI hardening xen/keyhandler: CFI hardening xen/vpci: CFI hardening xen/decompress: CFI hardening xen/iommu: CFI hardening xen/video: CFI hardening xen/console: CFI hardening xen/misc: CFI hardening x86: CFI hardening for request_irq() x86/hvm: CFI hardening for hvm_funcs x86/hvm: CFI hardening for device emulation x86/emul: CFI hardening x86/ucode: CFI hardening x86/power: CFI hardening x86/apic: CFI hardening x86/nmi: CFI hardening x86/mtrr: CFI hardening x86/idle: CFI hardening x86/quirks: CFI hardening x86/hvmsave: CFI hardening x86/mce: CFI hardening x86/pmu: CFI hardening x86/cpu: CFI hardening x86/guest: CFI hardening x86/logdirty: CFI hardening x86/shadow: CFI hardening x86/hap: CFI hardening x86/p2m: CFI hardening x86/irq: CFI hardening x86/apei: CFI hardening x86/psr: CFI hardening x86/dpci: CFI hardening x86/pt: CFI hardening x86/time: CFI hardening x86/misc: CFI hardening x86/stack: CFI hardening x86/bugframe: CFI hardening x86: Use control flow typechecking where possible x86/setup: Read CR4 earlier in __start_xen() x86/alternatives: Clear CR4.CET when clearing CR0.WP x86/traps: Rework write_stub_trampoline() to not hardcode the jmp x86: Introduce helpers/checks for endbr64 instructions x86/emul: Update emulation stubs to be CET-IBT compatible x86/entry: Make syscall/sysenter entrypoints CET-IBT compatible x86/entry: Make IDT entrypoints CET-IBT compatible x86/setup: Rework MSR_S_CET handling for CET-IBT x86/efi: Disable CET-IBT around Runtime Services calls x86: Enable CET Indirect Branch Tracking Juergen Gross (2): x86/pv-shim: Don't modify the hypercall table x86: Don't use the hypercall table for calling compat hypercalls Marek Marczykowski-Górecki (1): x86: Build check for embedded endbr64 instructions Config.mk | 1 - README | 1 + automation/build/debian/buster-gcc-ibt.dockerfile | 66 ++++ automation/gitlab-ci/build.yaml | 6 + automation/scripts/containerize | 1 + docs/misc/xen-command-line.pandoc | 16 +- tools/firmware/Makefile | 2 + tools/libs/guest/xg_dom_decompress_unsafe.h | 2 + tools/tests/x86_emulator/x86-emulate.h | 2 + xen/arch/arm/bootfdt.c | 9 +- xen/arch/arm/io.c | 9 +- xen/arch/x86/Kconfig | 17 + xen/arch/x86/Makefile | 6 + xen/arch/x86/acpi/boot.c | 24 +- xen/arch/x86/acpi/cpu_idle.c | 43 ++- xen/arch/x86/acpi/cpufreq/cpufreq.c | 24 +- xen/arch/x86/acpi/cpufreq/powernow.c | 21 +- xen/arch/x86/acpi/cpuidle_menu.c | 6 +- xen/arch/x86/acpi/lib.c | 2 +- xen/arch/x86/acpi/power.c | 4 +- xen/arch/x86/acpi/wakeup_prot.S | 38 +- xen/arch/x86/alternative.c | 13 +- xen/arch/x86/apic.c | 12 +- xen/arch/x86/arch.mk | 7 + xen/arch/x86/boot/x86_64.S | 30 +- xen/arch/x86/compat.c | 21 +- xen/arch/x86/configs/pvshim_defconfig | 1 + xen/arch/x86/cpu/amd.c | 8 +- xen/arch/x86/cpu/centaur.c | 2 +- xen/arch/x86/cpu/common.c | 3 +- xen/arch/x86/cpu/cpu.h | 2 +- xen/arch/x86/cpu/hygon.c | 2 +- xen/arch/x86/cpu/intel.c | 6 +- xen/arch/x86/cpu/mcheck/amd_nonfatal.c | 4 +- xen/arch/x86/cpu/mcheck/mce.c | 22 +- xen/arch/x86/cpu/mcheck/mce.h | 2 +- xen/arch/x86/cpu/mcheck/mce_amd.c | 9 +- xen/arch/x86/cpu/mcheck/mce_amd.h | 4 +- xen/arch/x86/cpu/mcheck/mce_intel.c | 49 ++- xen/arch/x86/cpu/mcheck/non-fatal.c | 6 +- xen/arch/x86/cpu/mcheck/vmce.c | 4 +- xen/arch/x86/cpu/microcode/amd.c | 9 +- xen/arch/x86/cpu/microcode/core.c | 15 +- xen/arch/x86/cpu/microcode/intel.c | 10 +- xen/arch/x86/cpu/mtrr/generic.c | 20 +- xen/arch/x86/cpu/mtrr/main.c | 4 +- xen/arch/x86/cpu/mtrr/mtrr.h | 8 +- xen/arch/x86/cpu/mwait-idle.c | 12 +- xen/arch/x86/cpu/shanghai.c | 2 +- xen/arch/x86/cpu/vpmu.c | 13 +- xen/arch/x86/cpu/vpmu_amd.c | 16 +- xen/arch/x86/cpu/vpmu_intel.c | 16 +- xen/arch/x86/cpuid.c | 8 +- xen/arch/x86/crash.c | 7 +- xen/arch/x86/dmi_scan.c | 10 +- xen/arch/x86/dom0_build.c | 8 +- xen/arch/x86/domain.c | 16 +- xen/arch/x86/emul-i8254.c | 14 +- xen/arch/x86/extable.c | 18 +- xen/arch/x86/genapic/bigsmp.c | 4 +- xen/arch/x86/genapic/delivery.c | 12 +- xen/arch/x86/genapic/probe.c | 2 +- xen/arch/x86/genapic/x2apic.c | 18 +- xen/arch/x86/guest/hyperv/hyperv.c | 10 +- xen/arch/x86/guest/xen/xen.c | 15 +- xen/arch/x86/hpet.c | 29 +- xen/arch/x86/hvm/dm.c | 5 +- xen/arch/x86/hvm/dom0_build.c | 16 +- xen/arch/x86/hvm/emulate.c | 93 +++-- xen/arch/x86/hvm/hpet.c | 12 +- xen/arch/x86/hvm/hvm.c | 47 +-- xen/arch/x86/hvm/hypercall.c | 5 +- xen/arch/x86/hvm/intercept.c | 28 +- xen/arch/x86/hvm/io.c | 38 +- xen/arch/x86/hvm/ioreq.c | 2 +- xen/arch/x86/hvm/irq.c | 16 +- xen/arch/x86/hvm/mtrr.c | 8 +- xen/arch/x86/hvm/nestedhvm.c | 6 +- xen/arch/x86/hvm/pmtimer.c | 10 +- xen/arch/x86/hvm/quirks.c | 4 +- xen/arch/x86/hvm/rtc.c | 18 +- xen/arch/x86/hvm/stdvga.c | 19 +- xen/arch/x86/hvm/svm/nestedsvm.c | 22 +- xen/arch/x86/hvm/svm/svm.c | 404 +++++++++++----------- xen/arch/x86/hvm/svm/vmcb.c | 2 +- xen/arch/x86/hvm/vioapic.c | 12 +- xen/arch/x86/hvm/viridian/time.c | 2 +- xen/arch/x86/hvm/viridian/viridian.c | 17 +- xen/arch/x86/hvm/vlapic.c | 25 +- xen/arch/x86/hvm/vmsi.c | 16 +- xen/arch/x86/hvm/vmx/intr.c | 2 +- xen/arch/x86/hvm/vmx/vmcs.c | 22 +- xen/arch/x86/hvm/vmx/vmx.c | 155 +++++---- xen/arch/x86/hvm/vmx/vvmx.c | 16 +- xen/arch/x86/hvm/vpic.c | 8 +- xen/arch/x86/hvm/vpt.c | 2 +- xen/arch/x86/i8259.c | 10 +- xen/arch/x86/include/asm/asm-defns.h | 6 + xen/arch/x86/include/asm/bug.h | 10 +- xen/arch/x86/include/asm/cpufeature.h | 1 + xen/arch/x86/include/asm/cpufeatures.h | 1 + xen/arch/x86/include/asm/cpuidle.h | 4 +- xen/arch/x86/include/asm/current.h | 6 +- xen/arch/x86/include/asm/endbr.h | 55 +++ xen/arch/x86/include/asm/flushtlb.h | 2 +- xen/arch/x86/include/asm/genapic.h | 18 +- xen/arch/x86/include/asm/hpet.h | 8 +- xen/arch/x86/include/asm/hvm/emulate.h | 8 +- xen/arch/x86/include/asm/hvm/save.h | 2 +- xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 18 +- xen/arch/x86/include/asm/hvm/svm/svm.h | 1 - xen/arch/x86/include/asm/hvm/vioapic.h | 2 +- xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 8 +- xen/arch/x86/include/asm/hvm/vmx/vmx.h | 4 +- xen/arch/x86/include/asm/hvm/vmx/vvmx.h | 18 +- xen/arch/x86/include/asm/hypercall.h | 81 +++-- xen/arch/x86/include/asm/irq.h | 24 +- xen/arch/x86/include/asm/machine_kexec.h | 2 +- xen/arch/x86/include/asm/mm.h | 16 +- xen/arch/x86/include/asm/msi.h | 8 +- xen/arch/x86/include/asm/msr-index.h | 1 + xen/arch/x86/include/asm/mtrr.h | 2 +- xen/arch/x86/include/asm/p2m.h | 4 +- xen/arch/x86/include/asm/paging.h | 2 +- xen/arch/x86/include/asm/processor.h | 4 +- xen/arch/x86/include/asm/pv/domain.h | 4 +- xen/arch/x86/include/asm/pv/shim.h | 11 +- xen/arch/x86/include/asm/shadow.h | 2 +- xen/arch/x86/include/asm/smp.h | 6 +- xen/arch/x86/include/asm/tboot.h | 2 +- xen/arch/x86/include/asm/time.h | 6 +- xen/arch/x86/io_apic.c | 28 +- xen/arch/x86/ioport_emulate.c | 4 +- xen/arch/x86/irq.c | 28 +- xen/arch/x86/livepatch.c | 2 +- xen/arch/x86/machine_kexec.c | 2 +- xen/arch/x86/mm.c | 35 +- xen/arch/x86/mm/hap/guest_walk.c | 4 +- xen/arch/x86/mm/hap/hap.c | 29 +- xen/arch/x86/mm/hap/nested_hap.c | 2 +- xen/arch/x86/mm/hap/private.h | 30 +- xen/arch/x86/mm/mem_sharing.c | 2 +- xen/arch/x86/mm/p2m-ept.c | 34 +- xen/arch/x86/mm/p2m-pt.c | 19 +- xen/arch/x86/mm/paging.c | 3 +- xen/arch/x86/mm/shadow/common.c | 33 +- xen/arch/x86/mm/shadow/hvm.c | 16 +- xen/arch/x86/mm/shadow/multi.c | 80 +++-- xen/arch/x86/mm/shadow/multi.h | 20 +- xen/arch/x86/mm/shadow/none.c | 20 +- xen/arch/x86/mm/shadow/private.h | 12 +- xen/arch/x86/mm/shadow/pv.c | 4 +- xen/arch/x86/msi.c | 18 +- xen/arch/x86/nmi.c | 16 +- xen/arch/x86/numa.c | 10 +- xen/arch/x86/oprofile/nmi_int.c | 16 +- xen/arch/x86/oprofile/op_model_athlon.c | 18 +- xen/arch/x86/oprofile/op_model_p4.c | 14 +- xen/arch/x86/oprofile/op_model_ppro.c | 26 +- xen/arch/x86/percpu.c | 6 +- xen/arch/x86/physdev.c | 2 +- xen/arch/x86/platform_hypercall.c | 11 +- xen/arch/x86/psr.c | 41 +-- xen/arch/x86/pv/callback.c | 25 +- xen/arch/x86/pv/descriptor-tables.c | 14 +- xen/arch/x86/pv/domain.c | 12 +- xen/arch/x86/pv/emul-gate-op.c | 9 +- xen/arch/x86/pv/emul-priv-op.c | 71 ++-- xen/arch/x86/pv/emulate.h | 7 - xen/arch/x86/pv/hypercall.c | 11 +- xen/arch/x86/pv/iret.c | 4 +- xen/arch/x86/pv/misc-hypercalls.c | 10 +- xen/arch/x86/pv/ro-page-fault.c | 31 +- xen/arch/x86/pv/shim.c | 60 ++-- xen/arch/x86/pv/traps.c | 2 +- xen/arch/x86/setup.c | 80 ++++- xen/arch/x86/shutdown.c | 10 +- xen/arch/x86/smp.c | 20 +- xen/arch/x86/smpboot.c | 2 +- xen/arch/x86/spec_ctrl.c | 6 +- xen/arch/x86/srat.c | 4 +- xen/arch/x86/sysctl.c | 4 +- xen/arch/x86/tboot.c | 2 +- xen/arch/x86/time.c | 68 ++-- xen/arch/x86/traps.c | 8 +- xen/arch/x86/tsx.c | 2 +- xen/arch/x86/x86_64/acpi_mmcfg.c | 2 +- xen/arch/x86/x86_64/compat.c | 1 - xen/arch/x86/x86_64/compat/entry.S | 1 + xen/arch/x86/x86_64/compat/mm.c | 7 +- xen/arch/x86/x86_64/entry.S | 49 ++- xen/arch/x86/x86_64/kexec_reloc.S | 23 +- xen/arch/x86/x86_64/mmconfig-shared.c | 10 +- xen/arch/x86/x86_64/mmconfig.h | 2 +- xen/arch/x86/x86_64/platform_hypercall.c | 2 +- xen/arch/x86/x86_64/traps.c | 42 ++- xen/arch/x86/x86_emulate.c | 34 +- xen/arch/x86/x86_emulate/x86_emulate.c | 10 +- xen/arch/x86/x86_emulate/x86_emulate.h | 33 +- xen/arch/x86/xen.lds.S | 3 +- xen/common/argo.c | 6 +- xen/common/bunzip2.c | 2 +- xen/common/compat/domain.c | 3 +- xen/common/compat/grant_table.c | 5 +- xen/common/compat/kernel.c | 2 +- xen/common/compat/memory.c | 7 +- xen/common/compat/multicall.c | 3 +- xen/common/core_parking.c | 10 +- xen/common/coverage/gcov.c | 8 +- xen/common/cpu.c | 4 +- xen/common/debugtrace.c | 10 +- xen/common/decompress.c | 2 +- xen/common/dm.c | 6 +- xen/common/domain.c | 15 +- xen/common/domctl.c | 2 +- xen/common/efi/boot.c | 6 +- xen/common/efi/runtime.c | 18 + xen/common/event_2l.c | 21 +- xen/common/event_channel.c | 18 +- xen/common/event_fifo.c | 30 +- xen/common/gdbstub.c | 9 +- xen/common/grant_table.c | 29 +- xen/common/hypfs.c | 63 ++-- xen/common/irq.c | 6 +- xen/common/kernel.c | 6 +- xen/common/kexec.c | 18 +- xen/common/keyhandler.c | 47 +-- xen/common/livepatch.c | 15 +- xen/common/memory.c | 8 +- xen/common/multicall.c | 2 +- xen/common/page_alloc.c | 14 +- xen/common/perfc.c | 4 +- xen/common/radix-tree.c | 8 +- xen/common/random.c | 2 +- xen/common/rangeset.c | 2 +- xen/common/rcupdate.c | 8 +- xen/common/sched/arinc653.c | 20 +- xen/common/sched/compat.c | 2 +- xen/common/sched/core.c | 40 +-- xen/common/sched/cpupool.c | 35 +- xen/common/sched/credit.c | 59 ++-- xen/common/sched/credit2.c | 55 ++- xen/common/sched/null.c | 60 ++-- xen/common/sched/rt.c | 47 +-- xen/common/spinlock.c | 12 +- xen/common/stop_machine.c | 6 +- xen/common/sysctl.c | 2 +- xen/common/tasklet.c | 4 +- xen/common/timer.c | 6 +- xen/common/trace.c | 4 +- xen/common/unlzma.c | 2 +- xen/common/vm_event.c | 6 +- xen/common/xenoprof.c | 2 +- xen/common/xmalloc_tlsf.c | 4 +- xen/common/zstd/zstd_common.c | 4 +- xen/common/zstd/zstd_internal.h | 4 +- xen/drivers/acpi/apei/apei-base.c | 32 +- xen/drivers/acpi/apei/apei-internal.h | 20 +- xen/drivers/acpi/apei/erst.c | 57 ++- xen/drivers/acpi/apei/hest.c | 4 +- xen/drivers/acpi/numa.c | 10 +- xen/drivers/acpi/tables.c | 2 +- xen/drivers/char/console.c | 36 +- xen/drivers/char/ehci-dbgp.c | 28 +- xen/drivers/char/ns16550.c | 34 +- xen/drivers/cpufreq/cpufreq.c | 6 +- xen/drivers/cpufreq/cpufreq_misc_governors.c | 22 +- xen/drivers/cpufreq/cpufreq_ondemand.c | 10 +- xen/drivers/passthrough/amd/iommu.h | 45 +-- xen/drivers/passthrough/amd/iommu_acpi.c | 15 +- xen/drivers/passthrough/amd/iommu_guest.c | 12 +- xen/drivers/passthrough/amd/iommu_init.c | 49 +-- xen/drivers/passthrough/amd/iommu_intr.c | 20 +- xen/drivers/passthrough/amd/iommu_map.c | 22 +- xen/drivers/passthrough/amd/pci_amd_iommu.c | 32 +- xen/drivers/passthrough/iommu.c | 56 ++- xen/drivers/passthrough/pci.c | 18 +- xen/drivers/passthrough/vtd/dmar.c | 7 +- xen/drivers/passthrough/vtd/extern.h | 38 +- xen/drivers/passthrough/vtd/intremap.c | 14 +- xen/drivers/passthrough/vtd/iommu.c | 94 ++--- xen/drivers/passthrough/vtd/qinval.c | 28 +- xen/drivers/passthrough/vtd/quirks.c | 2 +- xen/drivers/passthrough/vtd/utils.c | 2 +- xen/drivers/passthrough/vtd/x86/hvm.c | 4 +- xen/drivers/passthrough/x86/hvm.c | 14 +- xen/drivers/video/lfb.c | 4 +- xen/drivers/video/lfb.h | 4 +- xen/drivers/video/vesa.c | 6 +- xen/drivers/video/vga.c | 6 +- xen/drivers/vpci/header.c | 18 +- xen/drivers/vpci/msi.c | 42 +-- xen/drivers/vpci/msix.c | 20 +- xen/drivers/vpci/vpci.c | 16 +- xen/include/acpi/cpufreq/cpufreq.h | 1 - xen/include/xen/acpi.h | 2 +- xen/include/xen/compiler.h | 6 + xen/include/xen/domain.h | 2 +- xen/include/xen/hypercall.h | 69 ++-- xen/include/xen/hypfs.h | 49 ++- xen/include/xen/irq.h | 6 +- xen/include/xen/lib.h | 2 +- xen/include/xen/perfc.h | 4 +- xen/include/xen/sched.h | 2 +- xen/include/xen/sort.h | 55 ++- xen/include/xen/spinlock.h | 4 +- xen/include/xen/vpci.h | 8 +- xen/include/xsm/dummy.h | 211 +++++------ xen/lib/sort.c | 80 +---- xen/tools/check-endbr.sh | 85 +++++ xen/xsm/flask/avc.c | 2 +- xen/xsm/flask/flask_op.c | 8 +- xen/xsm/flask/hooks.c | 236 +++++++------ xen/xsm/flask/private.h | 9 + xen/xsm/flask/ss/avtab.c | 4 +- xen/xsm/flask/ss/conditional.c | 10 +- xen/xsm/flask/ss/conditional.h | 6 +- xen/xsm/flask/ss/policydb.c | 53 +-- xen/xsm/flask/ss/services.c | 6 +- xen/xsm/flask/ss/symtab.c | 5 +- xen/xsm/silo.c | 24 +- xen/xsm/xsm_core.c | 6 +- 322 files changed, 3316 insertions(+), 2739 deletions(-) create mode 100644 automation/build/debian/buster-gcc-ibt.dockerfile create mode 100644 xen/arch/x86/include/asm/endbr.h create mode 100755 xen/tools/check-endbr.sh create mode 100644 xen/xsm/flask/private.h -- 2.11.0
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |