[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/cet: Force -fno-jump-tables for CET-IBT


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 7 Mar 2022 14:56:54 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pKOtJ5rZ/cCNRnJt8oBduFecx7Vl6nC0sAX2vRaNI9Y=; b=epPYjMzNMIThQuBEPpNizE89esIe8HWD8swvVER63PKl5m2tg/zMf9699y72cdts8a1cHYHvgqM5q8lFKGeaLiNNkqnXy0ypheseyEetAAdIjEATcUcnFUPRuBVq8efCssOMNYDYt8ZQrip4bYg6V4PV5fBQPUvJ1gGeNT8BUiprsiCNgvrXT1NXoZghpoMUq26DmMXaP/VuQu3QHnsKFnP3hXdqrRWjhRVyH1UgJR+iZkX7UE0qik2VVQVhGcYrcEO53VLM3csl6FgqShisCc9A03LIlB07D8uutEDJ0YTOxRGF+radRrvei27q8WmhK4t+yVB69EYOw5iLkihNmg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LYi2iquip4/8ecs2S8ry9kzDOUPCbqVFUujGsb9XEpeuygzI/laxw+e042WVNi0naN0c7E+4xtEuJt7DdGMvtH4etNOSIEXq2UzqsAlLtOcH2pav/2j18mlv6ufvCNgi8Sg2++vx5XI3af7aVixCvytiJ83x+bhCJi8bHYy+1x5bkT69WYTWlvis49FGEXaNcC+nUo5nikLg9P+RIho2n9tOoKePHRDYENa20aqv74+45Tg2uVeYu7zs49Yw73DGhrZkPiDNedruYNpJ7fluaG85YtDgASyYcdOCMTtq6f1xV5bLcvbo3FaUn3R44wMPfgjsvoD8sXzZXnLIzh8BqA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 07 Mar 2022 13:57:00 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.03.2022 14:26, Andrew Cooper wrote:
> Both GCC and Clang have a (mis)feature where, even with
> -fcf-protection=branch, jump tables are created using a notrack jump rather
> than using endbr's in each case statement.
> 
> This is incompatible with the safety properties we want in Xen, and enforced
> by not setting MSR_S_CET.NOTRACK_EN.  The consequence is a fatal #CP[endbr].
> 
> -fno-jump-tables is generally active as a side effect of
> CONFIG_INDIRECT_THUNK (retpoline), but as of c/s 95d9ab461436 ("x86/Kconfig:
> introduce option to select retpoline usage"), we explicitly support turning
> retpoline off.
> 
> Fixes: 3667f7f8f7c4 ("x86: Introduce support for CET-IBT")
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.