Xen project Mailing List

[PATCH] x86/cet: Force -fno-jump-tables for CET-IBT

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 7 Mar 2022 13:26:51 +0000

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Mon, 07 Mar 2022 13:27:29 +0000

Ironport-data: A9a23:BQT+96yWp9c93w7XsaN6t+dHxirEfRIJ4+MujC+fZmUNrF6WrkVUz zQeW2qBOKzfYjGgLdsiPIm28R8FsceGyoJjGVZkrSAxQypGp/SeCIXCJC8cHc8zwu4v7q5Dx 59DAjUVBJlsFhcwnj/0bv656yMUOZigHtIQMsadUsxKbVIiGX9JZS5LwbZj2NYz2YfhWWthh PupyyHhEA79s9JLGjp8B5Kr8HuDa9yr5Vv0FnRnDRx6lAe2e0s9VfrzFonoR5fMeaFGH/bSe gr25OrRElU1XfsaIojNfr7TKiXmS1NJVOSEoiI+t6OK2nCuqsGuu0qS2TV1hUp/0l20c95NJ NpljMaMR18HfazwpOUxVzcbOHlxIIRn5+qSSZS/mZT7I0zudnLtx7NlDV0sPJ1e8eFyaY1M3 aVGcnZXNEnF3r/ohuLgIgVvrp1LwM3DFYUToHx/ixreCu4rW8vrSKTW/95Imjw3g6iiGN6AO pRBNGYwPXwsZTVWJXwnLb03tdz3j3bZegZXhm6QnfIotj27IAtZj+G2bYu9lsaxbdpRtlaVo CTB5WuRKjMwOcGbyDGF2mmxneKJliT+MKoCGbv9+vN0jVm7wm0IFAZQRVa9ueO+iEO1R5RYM UN8x8Y1hfFsrgrxFIC7BkDm5i7f1vIBZzZOO9Rg1A/V5OnV3zqYKmwqDRUZZ8EPldBjEFTGy WS1t9/uADVutpicRnSc6qqYoFuOBMQFEYMRTXRaFFVYurEPtKl210uSFYg7TMZZm/WoQWmY/ tyckMQpa1z/Z+Yv3r7zw13IiinESnPhHl9svVW/so5IA2pEiG+Zi26AtAKzARVodt/xory9U J8swZT20Qz2JcvR/BFhuc1UdF1T296LMSfHnXlkFIQ7+jKm9haLJN4Mvmwveh82aZZUJVcFh XM/XisLuPdu0IaCN/crM+pd9exwpUQfKTgVfq+NNYcfCnSAXASG4DtvdSatM5PFyyARfVUEE c7DK66EVC9CYYw+lWbeb7pNgNcDm3FlrUuOFM+T8vhS+efHDJJjYexeawXmgyFQxP7snTg5B P4Eb5rak0gECbamCsQVmKZKRW03wbEALcieg6RqmiSreGKKxElJ5yft/I4c

Ironport-hdrordr: A9a23:MM0rHKO6eOw0tMBcTs2jsMiBIKoaSvp037Eqv3oedfUzSL3+qy nOpoV+6faaslYssR0b9exoW5PwJE80l6QFgrX5VI3KNGKN1VdARLsSi7cKqAeAJ8SRzIFgPN 9bAspDNOE=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Both GCC and Clang have a (mis)feature where, even with -fcf-protection=branch, jump tables are created using a notrack jump rather than using endbr's in each case statement. This is incompatible with the safety properties we want in Xen, and enforced by not setting MSR_S_CET.NOTRACK_EN. The consequence is a fatal #CP[endbr]. -fno-jump-tables is generally active as a side effect of CONFIG_INDIRECT_THUNK (retpoline), but as of c/s 95d9ab461436 ("x86/Kconfig: introduce option to select retpoline usage"), we explicitly support turning retpoline off. Fixes: 3667f7f8f7c4 ("x86: Introduce support for CET-IBT") Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Wei Liu <wl@xxxxxxx> --- xen/arch/x86/arch.mk | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk index f6fc852b5767..8e57476d6573 100644 --- a/xen/arch/x86/arch.mk +++ b/xen/arch/x86/arch.mk @@ -51,7 +51,10 @@ CFLAGS-$(CONFIG_CC_IS_CLANG) += -mretpoline-external-thunk endif ifdef CONFIG_XEN_IBT -CFLAGS += -fcf-protection=branch -mmanual-endbr +# Force -fno-jump-tables to work around +# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816 +# https://github.com/llvm/llvm-project/issues/54247 +CFLAGS += -fcf-protection=branch -mmanual-endbr -fno-jump-tables $(call cc-option-add,CFLAGS,CC,-fcf-check-attribute=no) else $(call cc-option-add,CFLAGS,CC,-fcf-protection=none) -- 2.11.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.