
Re: [PATCH v2 3/7] x86/altcall: Optimise away endbr64 instruction where possible


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Tue, 1 Mar 2022 14:51:06 +0000
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 01 Mar 2022 14:51:17 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v2 3/7] x86/altcall: Optimise away endbr64 instruction where possible

On 01/03/2022 11:59, Jan Beulich wrote:
> On 14.02.2022 13:56, Andrew Cooper wrote:
>> @@ -330,6 +333,41 @@ static void init_or_livepatch 
>> _apply_alternatives(struct alt_instr *start,
>>          add_nops(buf + a->repl_len, total_len - a->repl_len);
>>          text_poke(orig, buf, total_len);
>>      }
>> +
>> +    /*
>> +     * Clobber endbr64 instructions now that altcall has finished optimising
>> +     * all indirect branches to direct ones.
>> +     */
>> +    if ( force && cpu_has_xen_ibt )
> Btw, this is now also entered when the function is called from
> apply_alternatives() (i.e. when livepatching), but ...
>
>> +    {
>> +        void *const *val;
>> +        unsigned int clobbered = 0;
>> +
>> +        /*
>> +         * This is some minor structure (ab)use.  We walk the entire 
>> contents
>> +         * of .init.{ro,}data.cf_clobber as if it were an array of pointers.
>> +         *
>> +         * If the pointer points into .text, and at an endbr64 instruction,
>> +         * nop out the endbr64.  This causes the pointer to no longer be a
>> +         * legal indirect branch target under CET-IBT.  This is a
>> +         * defence-in-depth measure, to reduce the options available to an
>> +         * adversary who has managed to hijack a function pointer.
>> +         */
>> +        for ( val = __initdata_cf_clobber_start;
>> +              val < __initdata_cf_clobber_end;
> ... this being main binary boundaries, no action would be taken on
> the livepatch binary. Hence (also due to having been here before
> during boot), all that I understand will happen ...
>
>> +              val++ )
>> +        {
>> +            void *ptr = *val;
>> +
>> +            if ( !is_kernel_text(ptr) || !is_endbr64(ptr) )
>> +                continue;
>> +
>> +            add_nops(ptr, 4);
>> +            clobbered++;
>> +        }
>> +
>> +        printk("altcall: Optimised away %u endbr64 instructions\n", 
>> clobbered);
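Review bot: the new loop writes into .text with add_nops(ptr, 4) directly, whereas the alternatives loop immediately above it stages bytes in buf and commits them with text_poke(orig, buf, total_len); if this clobber can run at a point where text is not writable through its normal mapping (the livepatch entry path is one such candidate), the write should go through text_poke() as well, or a comment should state why a direct write is safe here. A smaller point: the literal 4 in add_nops(ptr, 4) is the endbr64 length that is_endbr64() also relies on, so a named constant shared by both would keep them from drifting apart.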
> ... that this message be logged once per patch load (with a number
> of 0). I think the enclosing if() wants to be amended by
> "&& system_state < SYS_STATE_active". If you agree, I can easily
> make a patch.

Hmm.  There are other livepatching fixes going on, but they're starting
with fixing the build system breakage.  (The major livepatching fix is
to adjust how we patch an old function that has an ENDBR64 at the start.)

That said, a livepatch needs to contain a section equivalent to
__initdata_cf_clobber, to be processed during load, dependent on
cpu_has_xen_ibt.

Perhaps the best option is to break the clobber out into a helper that
takes a start/end pair and returns the number clobbered.  That way, it
can be reused by the livepatch logic, and independently of this printk().

~Andrew
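The helper Andrew proposes, a start/end pair in and the number of clobbered endbr64 instructions out, as an added stand-alone C model that is not Xen's code. It keeps the checks from the hunk (skip pointers outside text, skip pointers not at an endbr64) and shows why that makes the helper safe to reuse for a livepatch's own range or to run a second time over the same table. The names fake_text, in_text, table, setup, demo and rerun are constructed stand-ins for this example; in_text plays the role of is_kernel_text() and memcpy of a 4-byte nop plays the role of add_nops(ptr, 4).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings: endbr64 is f3 0f 1e fa; a canonical 4-byte nop is 0f 1f 40 00. */
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
static const uint8_t NOP4[4]    = { 0x0f, 0x1f, 0x40, 0x00 };

/* Constructed stand-in for the hypervisor .text section (not real code). */
static uint8_t fake_text[32];

/* Stand-in for is_kernel_text(): do ptr..ptr+4 lie inside fake_text? */
static int in_text(const void *ptr)
{
    uintptr_t p  = (uintptr_t)ptr;
    uintptr_t lo = (uintptr_t)fake_text;
    uintptr_t hi = lo + sizeof(fake_text);

    return p >= lo && p + 4 <= hi;
}

static int is_endbr64(const void *ptr)
{
    return memcmp(ptr, ENDBR64, 4) == 0;
}

/*
 * The helper from the discussion: walk [start, end) as an array of
 * pointers and nop out every endbr64 they point at.  Entries that do
 * not point into text, or not at an endbr64 (including ones already
 * clobbered by an earlier pass), are skipped, so the helper can be
 * called per range (main binary, each livepatch) and more than once.
 */
static unsigned int clobber_endbr64(void *const *start, void *const *end)
{
    unsigned int clobbered = 0;
    void *const *val;

    for ( val = start; val < end; val++ )
    {
        void *ptr = *val;

        if ( !in_text(ptr) || !is_endbr64(ptr) )
            continue;

        memcpy(ptr, NOP4, 4);   /* the add_nops(ptr, 4) of the patch */
        clobbered++;
    }

    return clobbered;
}

/* Constructed equivalent of .init.data.cf_clobber: four function pointers. */
static void *table[4];
static int not_text;            /* an object that is not in "text" at all */

static void setup(void)
{
    memset(fake_text, 0xcc, sizeof(fake_text));   /* int3 filler */
    memcpy(fake_text + 0, ENDBR64, 4);            /* function A entry */
    memcpy(fake_text + 16, ENDBR64, 4);           /* function B entry */
    /* fake_text + 8 is deliberately not an endbr64 */

    table[0] = fake_text + 0;    /* only direct-called now: clobber */
    table[1] = fake_text + 16;   /* clobber */
    table[2] = fake_text + 8;    /* in text, but no endbr64: skip */
    table[3] = &not_text;        /* outside text: skip */
}

/* First pass over the table; returns 2 for the scenario above. */
static unsigned int demo(void)
{
    setup();
    return clobber_endbr64(table, table + 4);
}

/* Second pass without re-setup: nothing left to clobber, returns 0. */
static unsigned int rerun(void)
{
    return clobber_endbr64(table, table + 4);
}

int main(void)
{
    printf("altcall: Optimised away %u endbr64 instructions\n", demo());
    printf("second pass: %u\n", rerun());
    return 0;
}
```

The two-call shape is the point: a caller that owns the range (boot for the main binary, the livepatch loader for its own section) decides where the count is logged, and a repeat pass over already-processed memory reports 0 rather than touching anything.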
