Xen project Mailing List

Re: [PATCH] x86/altcall: silence undue warning

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Tue, 1 Mar 2022 15:54:47 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ijX2WpQj7tEuuyqNL6tA3cFiHwcdr+MngAW3Zh1Lo6s=; b=Ctb1JVmH062s3GGxyFe9/C8jA5EdSF4S3neFzar6AuV3ac1WDcNgZLdrQE1FfDCahBlyqUAsVepa5C/r+zv8CSt+EzPwyOsaujjTNt5x/WhFS0FrUUkwoicOpTzcs7t/q4fow+o2iSA8Adv6Va/g5pBsCqgX1s97E3EKvjq+dN9l3gbyhfQZLXpe6HG23iCH0WImh2+GYiAVTdLYkgKjdF3OSQ48ceWimwgnmjHPBGNGguNeTn1M46M1+CvQU31xxg6tYyWeVgTDHIT/QE+kSYRln9N7qpTTd1AcWmgeSXsZrXu82u9DS/2f+dbZ9XxgjTeyeKh+opxBn1+5T/E5lw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=chHom2qJAfCnO6VF5aT4EeqIgMOvUTCsQSgKmLA8EVw9OEMpNhmw/gGFAAx8JkW0BxrGtVn5KyXNyO74Lk4bFiTI9M73C2aFDa8Sqw0kPLB7i+iUTltvVtUNR8iwmqD6RBSkbqNzSnP8mItRSI2audaMJHvZEhe0JFezdaHlji+uYQyUijIFZaQl5jUdrPxCFT7GpcKw7irOyNZfUl+urkUe4SKIW8EYAK7QzP/bu3V52D2WPRyvT1lCKYaAAuQICwo8frSfassFq/ecw35bz5vlTkP9oYap3ccwzSnKl2gOK0wvC9CkOqv7D+4zJrcVv13sK4+wxaDmzBNvGUP30w==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 01 Mar 2022 14:54:58 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01.03.2022 15:23, Andrew Cooper wrote: > On 01/03/2022 13:34, Jan Beulich wrote: >> On 01.03.2022 13:48, Andrew Cooper wrote: >>> On 01/03/2022 11:36, Jan Beulich wrote: >>>> Suitable compiler options are passed only when the actual feature >>>> (XEN_IBT) is enabled, not when merely the compiler capability was found >>>> to be available. >>>> >>>> Fixes: 12e3410e071e ("x86/altcall: Check and optimise altcall targets") >>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> >>> Hmm yes. This is fallout from separating CONFIG_HAS_CC_CET_IBT and >>> CONFIG_XEN_IBT. >>> >>> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> Thanks. >> >>>> --- >>>> Furthermore, is "Optimised away ..." really appropriate in what >>>> 37ed5da851b8 ("x86/altcall: Optimise away endbr64 instruction where >>>> possible") added? If this really was an optimization (rather than >>>> hardening), shouldn't we purge ENDBR also when !cpu_has_xen_ibt, and >>>> then ideally all of them? Whereas if this is mainly about hardening, >>>> wouldn't the message better say "Purged" or "Clobbered"? >>> I did have an RFC about this. Turning ENDBR into NOP4 matters, on a >>> CET-IBT-active system, to restrict the available options an attacker has >>> when they have already managed to hijack a function pointer (i.e. >>> already got a partial write gadget). >>> >>> From that point of view, it is hardening. >> But then you don't say whether there's any optimization aspect here. >> My question was really about the wording of that log message. > > The optimisation aspect is direct branch target +4, because that is what > saves on decode bandwidth. But that's the other, entirely independent ENDBR-related piece of code in the function. All we do in the loop ahead of emitting the message here is "add_nops(ptr, ENDBR64_LEN)". There's no counting at all of how many times we advance a call target by 4. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.