[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced functions
- To: Bjoern Doebel <doebel@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
- Date: Tue, 8 Mar 2022 15:25:50 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oPAv92jPuHB14ndvhEZ3S+svqIwXKnZgm+8ruqbnaOY=; b=X/h1Gg+NusAObW1coHPy8T/K0B18LAvp0l4837Qs3i8OBdAmJUN4cc6vtzjhOkPtPvQW+eyrrr6h8liyDLndNsdjzj+L8+lZ7axLH6DZLTEdAWcxP6RpAOrosgRgN836Mq6w31Ug0LchNprCXDzRCfN8coEDxJ/Y90mK4ZLKtQ4aSDlp2QelAZwbWZNQZzJ38oYj5iDdNrQ+UgBaxHol5w7bOrRFvSpg0gp/UQQCud9q68oQygrAVkxBy9bL9tAiuMxinbmMMsekIrNf8410xIJ02lUCuHL1M7J+421+ZF5zY3WH+ZfjUesHO4XkEC3F2VkG7/yxiuRuNIuEiym2UQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LP1iD3IeeCmcPd/qUdY/mXgIrrEOYJCStbVfbbjIvv4Jm5IiHdJEZzEjOSuU9XGuDmWyXAyzc6kR/cRPBRxmpDPNpy3EvJ7QuezuwTPhiCloklXBjAHrCxdsjLcCdUJerC+M/KAddJokzxFtj6UaGp8n800j7q36y88neam28hpRAJCjZ2c4zCPEbxlaaBkwEEJINLLi/Cv4ch2qWD/hpWVJWCRrde7m+gul/pVw4fcL/HBftqh7a3q7ZsUThAOzOGazlHAJF81XKLErQw5sp03uOTj0/OHm5qHaxzV8wBode+huL1VbRr1tiV6O+/wv8mAPDA6xwArUMNS/YqaV8g==
- Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: Michael Kurth <mku@xxxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, "Roger Pau Monne" <roger.pau@xxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
- Delivery-date: Tue, 08 Mar 2022 15:26:19 +0000
- Ironport-data: A9a23:FO+cXq9jV0uCQRr9FC+sDrUDQ36TJUtcMsCJ2f8bNWPcYEJGY0x3z zMfX22DO/vcNzfwc9siat7i/U0OusKDzNdhS1Zvr3o8E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si+Fa+Sn9T8mvU2xbuKU5NTsY0idfic5DnZ54f5fs7Rh2NQw2oDpW1nlV e7a+KUzBnf0g1aYDUpMg06zgEsHUCPa4W5wUvQWPJinjXeG/5UnJMt3yZKZdhMUdrJ8DO+iL 9sv+Znilo/vE7XBPfv++lrzWhVirrc/pmFigFIOM0SpqkAqSiDfTs/XnRfTAKtao2zhojx/9 DlCnbKSDiYWAr3govQASUQHOBAlGqJs/bCSdBBTseTLp6HHW37lwvEoB0AqJ4wIvO1wBAmi9 9RBdmpLNErawbvrnvTrEYGAhex6RCXvFJkYoWomyTjWAOw5SJTHa67L+cVZzHE7gcUm8fP2O ZpBN2UwM0iojxtnKl4IBs8Hgd6Tryfwb2Bdl0+/rLglyj2GpOB2+Oe0a4eEEjCQfu1QhkGYo mvN/EzwBxgIM9rZxTft2nGrgPXGkWXkWYYRPLqi//VujRuYwWl7IBgVSHOypPCrjUj4V983A 0AT9yAjqYA78UW5Sd+7UxDQiG6JuFsQVsRdF8U+6RqR0ezE7gCBHG8GQzVdLts8u6cLqScCj wHT2YmzXHo27ePTGSn1GqqoQS2aFwpSDFA+dQM+XRYfvobIkdoUgTjKQYM2eEKqteHdFTb1y jGMiSExgbQPkMIGv5mGEUD7byGE/caQEFNsjunDdif8t14iOtb5D2C9wQWDtZ59wJClok5tV ZTus+yX96gwAJ6Ej0Rhq81dTejyt55p3NAx6GOD/qXNFRzwoxZPnqgKuVmSwXuF1O5eIVcFh 2eJ5WtsCGd7ZifCUEOOS9vZ5z4W5abhD8/5cfvfc8BDZJN8HCfeon0wOxHAgju0wBV3+U3aB Xt9WZz3ZZr9If47pAdaus9HieN7rszA7Tm7qW/HI+SPjuPFOS/9pUYtO1qSdOEphJ5oUy2Om +uzw/Cikk0FOMWnO3G/2ddKcTgicChqbbir+pc/XrPSfWJb9JQJVqa5LUUJINc+wcy4V47go xmAZ6Ov4Aan1S2dd1TQMSwLhXGGdc8XkE/X9BcEZD6A83MifZyu/OEYcZ42dqMg7+tt0bh/S PxtRilKKq8npujvk9jFUaTAkQ==
- Ironport-hdrordr: A9a23:0foDyakciddr3BmKn+S+dV9kt2XpDfN5iWdD5ihNYBxZY6Wkfp +V88jzhCWZtN9OYhwdcIi7SdS9qXO1z+8R3WBjB8bfYOCAghrmEGgC1/qv/9SEIUPDH4FmpN 5dmsRFeb7N5B1B/LzHCWqDYpgdKbu8gdiVbI7lph8HJ2ALV0gj1XYDNu/yKDwveOAsP+tcKH Po3Lsgm9PWQwVxUi3UPAhmY8Hz4/nw0L72ax8PABAqrCOUiymz1bL8Gx+Emj8DTjJm294ZgC n4uj28wp/mn+Cwyxfa2WOWxY9RgsHdxtxKA9HJotQJKw/rlh2jaO1aKv2/VXEO0aKSAWQR4Z zxSiQbToBOArTqDyaISC7WqkvdOfAVmjnfIBGj8CLeSIfCNU0H4oJ69Pxkm13imhEdVZhHod J29niEuZRaFw7NkRL0+sXBXRBvmk2ol2Avi/QSiXtoUYZ2Us4hkaUPuExSC5sOByT89cQuF/ RvFtjV4LJMfUqddG2xhBgl/DWAZAV7Iv69eDlLhiVV6UkjoFlpi08DgMAPlHYJ85wwD5FC+u TfK6xt0LVDVNUfY65xDPoIBZLfMB2BfTvcdGaJZVj3HqAOPHzA75bx/bUu/emvPJgF1oE7lp jNWE5R8WQyZ0XtA8uT24AjyGGGfEytGTD2js1O7ZlwvbPxALLtLC2YUVgr19Ctpv0Oa/erLc pb+KgmdMMLAVGea7qhhTeOKKW6AUNuJfEohg==
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Suggested_attachment_session_id: 9c74656d-553e-1bcc-9b84-b4b87c226532
- Thread-index: AQHYMteGyv4uMb9n4kauwbWKAS/6qKy1mRGg
- Thread-topic: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced functions
> From: Bjoern Doebel <doebel@xxxxxxxxx>
> Sent: Tuesday, March 8, 2022 10:29 AM
> To: xen-devel@xxxxxxxxxxxxxxxxxxxx <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> Cc: Michael Kurth <mku@xxxxxxxxx>; Martin Pohlack <mpohlack@xxxxxxxxx>; Roger
> Pau Monne <roger.pau@xxxxxxxxxx>; Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>;
> Bjoern Doebel <doebel@xxxxxxxxx>; Konrad Rzeszutek Wilk
> <konrad.wilk@xxxxxxxxxx>; Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> Subject: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced
> functions
>
> Xen enabled CET for supporting architectures. The control flow aspect of
> CET expects functions that can be called indirectly (i.e., via function
> pointers) to start with an ENDBR64 instruction. Otherwise a control flow
> exception is raised.
>
> This expectation breaks livepatching flows because we patch functions by
> overwriting their first 5 bytes with a JMP + <offset>, thus breaking the
> ENDBR64. We fix this by checking the start of a patched function for
> being ENDBR64. In the positive case we move the livepatch JMP to start
> behind the ENDBR64 instruction.
>
> To avoid having to guess the ENDBR64 offset again on patch reversal
> (which might race with other mechanisms adding/removing ENDBR
> dynamically), use the livepatch metadata to store the computed offset
> along with the saved bytes of the overwritten function.
>
> Signed-off-by: Bjoern Doebel <doebel@xxxxxxxxx>
> CC: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> ----
> Note that on top of livepatching functions, Xen supports an additional
> mode where we can "remove" a function by overwriting it with NOPs. This
> is only supported for functions up to 31 bytes in size and this patch
> reduces this limit to 30 bytes.
>
> Changes since r1:
> * use sizeof_field() to avoid unused variable warning
> * make metadata variable const in arch_livepatch_revert
> ---
> xen/arch/x86/livepatch.c | 61 ++++++++++++++++++++++++++++++++++------
> 1 file changed, 53 insertions(+), 8 deletions(-)
>
> diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
> index 65530c1e57..0fd97f2a00 100644
> --- a/xen/arch/x86/livepatch.c
> +++ b/xen/arch/x86/livepatch.c
> @@ -14,11 +14,29 @@
> #include <xen/vm_event.h>
> #include <xen/virtual_region.h>
>
> +#include <asm/endbr.h>
> #include <asm/fixmap.h>
> #include <asm/nmi.h>
> #include <asm/livepatch.h>
> #include <asm/setup.h>
>
> +/*
> + * CET hotpatching support: We may have functions starting with an ENDBR64
> + * instruction that MUST remain the first instruction of the function, hence
> + * we need to move any hotpatch trampoline further into the function. For
> that
> + * we need to keep track of the patching offset used for any loaded hotpatch
> + * (to avoid racing against other fixups adding/removing ENDBR64 or similar
> + * instructions).
> + *
> + * We do so by making use of the existing opaque metadata area. We use its
> + * first 4 bytes to track the offset into the function used for patching and
> + * the remainder of the data to store overwritten code bytes.
> + */
> +struct x86_livepatch_meta {
> + uint8_t patch_offset;
> + uint8_t instruction[LIVEPATCH_OPAQUE_SIZE - sizeof(uint8_t)];
> +};
> +
I think it would make things a bit simpler to use one of the spare _pad bits
from struct livepatch_func ather than hacking it into the opaque area. Is
there a reason you chose this approach?
|
