[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced functions


  • To: "Doebel, Bjoern" <doebel@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
  • Date: Tue, 8 Mar 2022 16:01:13 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cLI8XwUm361KPfZfHzF/rVWZ9+I9y0FLXC4erMvoFRA=; b=KnFPRiD1Y5axl+sqygDaxKwaccEw5sKYkc/9BxV/hF6B5r4oHF/a+y5RSjnf5ZMsAcMgu+p8a1ECArVDO6jZ26zVmlQDZf20h+QTkucTho9x7/Lip3LgINzBh430J1tclJcT2tZy3KE82yFoM5Aa5WFeM080Khv4gkFOCsvouJDAFBalSSdPr9IwscUXSrha5p2OMGK1NC8AVxbyofR2BXuPWznLGJbcGMNVGB3YhsFi9EQPYQRE6apmODejB3QAJmiqKVh1LsQOAflpw8rJ/GLxI6UL/lF7DYP0i9oIUPX2RJ2xYMzz2iz6CLhz2+y202plsap6cU1OUde74xaTnw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VgVgwiNd+ZM7HHvLw7J9s/h3ac7IoBXxtD/l6Kui6lku1/m/HL/ijaLTYp1iz/YaUGSXNDannaKyxxgUfVKQJKHin8asVlW++zfQlL3PNvT2rlTuLhPv7ICVMFbbXE4IgPd9XWtvCRCkWdegCXJFq9w2jECiCDOiOB4iRQ24aj54n+FegIs2DJHxGGxa3ggzj1bY6G6kJmdtNwv66/WbqW1bxZzb1gp3tc4+OpOneC/RlCrQBpHigeayAXAsn+3CR7CoBBc9zyX3vjTJv7x/SvXjfvbYzH6FL+3Vze1ZOGP2cHvvWMq/kb7CpGx8v9SFaBpJuQRfa6VL8cu2pdR6Rg==
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Michael Kurth <mku@xxxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, "Roger Pau Monne" <roger.pau@xxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  • Delivery-date: Tue, 08 Mar 2022 16:01:30 +0000
  • Ironport-data: A9a23:UQjeyKO2Qnqwwq3vrR1ml8FynXyQoLVcMsEvi/4bfWQNrUpw1WdWn 2UZWz3VPKnZZmT8LtFxbYuyoxxU7JLXy9VqSgto+SlhQUwRpJueD7x1DKtR0wB+jCHnZBg6h ynLQoCYdKjYdleF+lH1dOKJQUBUjclkfJKlYAL/En03FFcMpBsJ00o5wbZi2t4w27BVPivW0 T/Mi5yHULOa82Yc3lI8s8pvfzs24ZweEBtB1rAPTagjUG32zhH5P7pGTU2FFFPqQ5E8IwKPb 72rIIdVXI/u10xF5tuNyt4Xe6CRK1LYFVDmZnF+A8BOjvXez8CbP2lS2Pc0MC9qZzu1c99Z5 dsK9pKqUCoQYKzMxLtFfABZEA5yIvgTkFPHCSDXXc27ykTHdz3nwul0DVFwNoodkgp1KTgQr 7pCcmlLN03dwbLtqF64YrAEasALNs7wJ8Ubs35t1y7QCfIOSpHfWaTao9Rf2V/cg+gQQKmEO JZHMlKDajyeexNEEF4lMKkDt+6XhCD+aj9guQmK8P9fD2/7k1UqjemF3MDuUtmSQsVRl02bj mvD9nb+BFcWObS3yj2D6HugwPDOmSDTX5gbH7m1sPVthTW7w28OIBQTXEm8p7+1hyaWV9VSI UEQ0iMrpLo18gqnQ7HVTxC+5XKJoBMYc95RCPEhrhGAzLLO5ASUDXRCSSROAOHKr+dvG2Zsj AXQ2Yq0W3o/69V5VE5x6J+5o3TxNzIMAFZcZC9YElMq+tjgj40s20enoslYLIa5idj8GDfVy j+MrTQji7h7sfPnx5lX7nic3Wvy+8Ghohodo1yOAzn7tl8RiJuNOtTwgWU3+8qsO2pworOpm HEf0/aT4+kVZX1mvHzcGb5ddF1FChvsDdE9vbKNN8R5n9hO0yT6FWy13N2YDB0xWirjUWW1C HI/QSsLuPdu0IKCNMebmb6ZBcUw1rTHHt/4TP3SZdcmSsEvKFHZo3EzPhfAgjuFfK0QfUcXY 8zznSGEVypyNEia5GDuG7d1PUEDnEjSOl8/tbiklk/6gNJylVaeSKsfMUvmUwzKxPjsnekhy P4Gb5Hi40wGCIXWO3CLmaZOfQFiBSVqXvje9p0IHtNv1yI7QQnN/deKmuh/E2Gk9owI/tr1E oaVBhcImACh1CecdW1nqBlLMdvSYHq2llpiVQQENle0wXkzJ4Gp6aYUbZwserc7sudkyJZJo zMtIa1s3twnpuz7xgkg
  • Ironport-hdrordr: A9a23:Nt461Ky7dgNOrhQwGsSsKrPxeegkLtp133Aq2lEZdPULSKOlfp GV8MjziyWYtN9IYgBcpTiBUJPwJE80hqQFnbX5Wo3SEzUO2VHYYL2KiLGN/9SOIVyGygcw79 YCT0E6MqyLMbEYt7e13ODbKadZ/DDvysnB7o2+r0uFDzsaEJ2Ihz0JUjpzeXcGIDWucKBJcq Z0kfA3wAZIF05nDPiTNz0gZazuttfLnJXpbVotHBg88jSDijuu9frTDwWY9g12aUIP/Z4StU z+1yDp7KSqtP+2jjXG0XXI0phQkNz9jvNeGc23jNQPIDmEsHfpWG0hYczAgNkGmpDr1L8Yqq iJn/7mBbU115rlRBD2nfIq4Xin7N9h0Q669bbSuwqdnSWwfkNFNyMGv/MDTvKR0TtRgPhnzK xE03iFu5dgBQ7clC7949TOSidxmlCvoXwkp+4f5kYvILc2eftfq5cS81hSF4pFFCXm6Jo/GO 0rF83E4u1KGGnqJEwxk1MfieBEZE5DVitug3JyzvC9wnxThjR03kEYzMsQkjMJ8488UYBN46 DBPr5znL9DQ8cKZeYlbd1xDPefGyjIW1bBIWiSKVPoGOUOPG/MsYf+5PEw6PuxcJIFwZMukN DKUU9et2Q1Z0XyYPf+lqFj41TIWiGwTD7twsZR69xwvaD9XqPiNWmZRFUng6Kb0oMi6w3gKo GO0b5tco3exDHVaPV0NiXFKuxvFUU=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Suggested_attachment_session_id: f0076554-7567-3c14-3226-d1dbe962566f
  • Thread-index: AQHYMteGyv4uMb9n4kauwbWKAS/6qKy1mRGggAAHVwCAAAGqhg==
  • Thread-topic: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced functions

> From: Doebel, Bjoern <doebel@xxxxxxxxx>
> Sent: Tuesday, March 8, 2022 3:41 PM
> To: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>; 
> xen-devel@xxxxxxxxxxxxxxxxxxxx <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> Cc: Michael Kurth <mku@xxxxxxxxx>; Martin Pohlack <mpohlack@xxxxxxxxx>; Roger 
> Pau Monne <roger.pau@xxxxxxxxxx>; Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; 
> Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> Subject: Re: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced 
> functions 
>  
> 
> On 08.03.22 16:25, Ross Lagerwall wrote:
> > CAUTION: This email originated from outside of the organization. Do not 
> > click links or open attachments unless you can confirm the sender and know 
> > the content is safe.
> > 
> > 
> > 
> >> From: Bjoern Doebel <doebel@xxxxxxxxx>
> >> Sent: Tuesday, March 8, 2022 10:29 AM
> >> To: xen-devel@xxxxxxxxxxxxxxxxxxxx <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> >> Cc: Michael Kurth <mku@xxxxxxxxx>; Martin Pohlack <mpohlack@xxxxxxxxx>; 
> >> Roger Pau Monne <roger.pau@xxxxxxxxxx>; Andrew Cooper 
> >> <Andrew.Cooper3@xxxxxxxxxx>; Bjoern Doebel <doebel@xxxxxxxxx>; Konrad 
> >> Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>; Ross Lagerwall 
> >> <ross.lagerwall@xxxxxxxxxx>
> >> Subject: [PATCH v3 2/2] xen/x86: Livepatch: support patching CET-enhanced 
> >> functions
> >>
> >> Xen enabled CET for supporting architectures. The control flow aspect of
> >> CET expects functions that can be called indirectly (i.e., via function
> >> pointers) to start with an ENDBR64 instruction. Otherwise a control flow
> >> exception is raised.
> >>
> >> This expectation breaks livepatching flows because we patch functions by
> >> overwriting their first 5 bytes with a JMP + <offset>, thus breaking the
> >> ENDBR64. We fix this by checking the start of a patched function for
> >> being ENDBR64. In the positive case we move the livepatch JMP to start
> >> behind the ENDBR64 instruction.
> >>
> >> To avoid having to guess the ENDBR64 offset again on patch reversal
> >> (which might race with other mechanisms adding/removing ENDBR
> >> dynamically), use the livepatch metadata to store the computed offset
> >> along with the saved bytes of the overwritten function.
> >>
> >> Signed-off-by: Bjoern Doebel <doebel@xxxxxxxxx>
> >> CC: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> >> CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> >> ----
> >> Note that on top of livepatching functions, Xen supports an additional
> >> mode where we can "remove" a function by overwriting it with NOPs. This
> >> is only supported for functions up to 31 bytes in size and this patch
> >> reduces this limit to 30 bytes.
> >>
> >> Changes since r1:
> >> * use sizeof_field() to avoid unused variable warning
> >> * make metadata variable const in arch_livepatch_revert
> >> ---
> >>   xen/arch/x86/livepatch.c | 61 ++++++++++++++++++++++++++++++++++------
> >>   1 file changed, 53 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
> >> index 65530c1e57..0fd97f2a00 100644
> >> --- a/xen/arch/x86/livepatch.c
> >> +++ b/xen/arch/x86/livepatch.c
> >> @@ -14,11 +14,29 @@
> >>   #include <xen/vm_event.h>
> >>   #include <xen/virtual_region.h>
> >>
> >> +#include <asm/endbr.h>
> >>   #include <asm/fixmap.h>
> >>   #include <asm/nmi.h>
> >>   #include <asm/livepatch.h>
> >>   #include <asm/setup.h>
> >>
> >> +/*
> >> + * CET hotpatching support: We may have functions starting with an ENDBR64
> >> + * instruction that MUST remain the first instruction of the function, 
> >> hence
> >> + * we need to move any hotpatch trampoline further into the function. For 
> >> that
> >> + * we need to keep track of the patching offset used for any loaded 
> >> hotpatch
> >> + * (to avoid racing against other fixups adding/removing ENDBR64 or 
> >> similar
> >> + * instructions).
> >> + *
> >> + * We do so by making use of the existing opaque metadata area. We use its
> >> + * first 4 bytes to track the offset into the function used for patching 
> >> and
> >> + * the remainder of the data to store overwritten code bytes.
> >> + */
> >> +struct x86_livepatch_meta {
> >> +    uint8_t patch_offset;
> >> +    uint8_t instruction[LIVEPATCH_OPAQUE_SIZE - sizeof(uint8_t)];
> >> +};
> >> +
> > 
> > I think it would make things a bit simpler to use one of the spare _pad bits
> > from struct livepatch_func  ather than hacking it into the opaque area. Is
> > there a reason you chose this approach?
> 
> No specific reason. Are you suggesting updating the public livepatch 
> interface to add a new member and reduce the padding size by 1 byte? I 
> guess that will also require a patch to livepatch-build-tools?
> 
> Bjoern

struct livepatch_func contains info that the build tool needs to
communicate to Xen as well as space for Xen's internal book keeping
while the live patch is applied. This includes the array for storing
instructions, the applied flag, and now additionally the patch offset.
(It's a somewhat odd arrangement but it's what we've got...)

The build tool does not need to know the details about any of Xen's internal
book keeping. So my preference would be to have patch_offset as an additional
member next to applied (reducing padding by 1) and then in livepatch-build-tools
replace:

        unsigned char pad[MAX_REPLACEMENT_SIZE];
        uint8_t applied;
        uint8_t _pad[7];

with simply:

        uint8_t opaque[39];

                
What do you think?

Ross


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.