
Re: [PATCH v5 2/2] xen/x86: Livepatch: support patching CET-enhanced functions


  • To: Bjoern Doebel <doebel@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
  • Date: Wed, 9 Mar 2022 17:12:05 +0000
  • Accept-language: en-US
  • Cc: Michael Kurth <mku@xxxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, "Roger Pau Monne" <roger.pau@xxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  • Delivery-date: Wed, 09 Mar 2022 17:12:20 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v5 2/2] xen/x86: Livepatch: support patching CET-enhanced functions

> From: Bjoern Doebel <doebel@xxxxxxxxx>
> Sent: Wednesday, March 9, 2022 2:53 PM
> To: xen-devel@xxxxxxxxxxxxxxxxxxxx <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> Cc: Michael Kurth <mku@xxxxxxxxx>; Martin Pohlack <mpohlack@xxxxxxxxx>; Roger 
> Pau Monne <roger.pau@xxxxxxxxxx>; Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; 
> Bjoern Doebel <doebel@xxxxxxxxx>; Konrad Rzeszutek Wilk 
> <konrad.wilk@xxxxxxxxxx>; Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> Subject: [PATCH v5 2/2] xen/x86: Livepatch: support patching CET-enhanced 
> functions 
>  
> Xen enabled CET for supporting architectures. The control flow aspect of
> CET expects functions that can be called indirectly (i.e., via function
> pointers) to start with an ENDBR64 instruction. Otherwise a control flow
> exception is raised.
> 
> This expectation breaks livepatching flows because we patch functions by
> overwriting their first 5 bytes with a JMP + <offset>, thus breaking the
> ENDBR64. We fix this by checking the start of a patched function for
> being ENDBR64. In the positive case we move the livepatch JMP to start
> behind the ENDBR64 instruction.
> 
> To avoid having to guess the ENDBR64 offset again on patch reversal
> (which might race with other mechanisms adding/removing ENDBR
> dynamically), use the livepatch metadata to store the computed offset
> along with the saved bytes of the overwritten function.
> 
> Signed-off-by: Bjoern Doebel <doebel@xxxxxxxxx>
> Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

Reviewed-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
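
The ENDBR64 handling described in the commit message above, as an added example that is not part of this mail and not Xen's own code: the JMP is placed behind a leading ENDBR64, and the chosen offset is stored with the saved bytes so that reversal does not inspect the function start again. The names `patch_meta`, `apply_patch`, `revert_patch` and `demo` are hypothetical, the sample bytes are constructed, and the code assumes a writable buffer stands in for code memory (no quiescing or atomic write is modelled).

```c
#include <stdint.h>
#include <string.h>

#define JMP_LEN   5   /* E9 opcode + rel32 */
#define ENDBR_LEN 4   /* F3 0F 1E FA */

/* Hypothetical per-function metadata (not Xen's livepatch structure). */
struct patch_meta {
    uint8_t saved[JMP_LEN]; /* bytes overwritten by the JMP */
    uint8_t offset;         /* 0, or ENDBR_LEN when ENDBR64 was skipped */
};

static const uint8_t endbr64[ENDBR_LEN] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* Redirect old_fn to new_fn while keeping a leading ENDBR64 intact. */
void apply_patch(uint8_t *old_fn, const uint8_t *new_fn, struct patch_meta *m)
{
    uint8_t *site;
    int32_t rel;

    m->offset = memcmp(old_fn, endbr64, ENDBR_LEN) == 0 ? ENDBR_LEN : 0;
    site = old_fn + m->offset;
    memcpy(m->saved, site, JMP_LEN);
    /* rel32 is measured from the end of the JMP instruction. */
    rel = (int32_t)((intptr_t)new_fn - (intptr_t)(site + JMP_LEN));
    site[0] = 0xe9;
    memcpy(site + 1, &rel, sizeof(rel));
}

/* Undo with the stored offset; the function start is not re-inspected. */
void revert_patch(uint8_t *old_fn, const struct patch_meta *m)
{
    memcpy(old_fn + m->offset, m->saved, JMP_LEN);
}

/* Constructed sample: ENDBR64; push %rbp; mov %rsp,%rbp; nop; ret. */
int demo(void)
{
    uint8_t mem[64] = { 0xf3, 0x0f, 0x1e, 0xfa, 0x55, 0x48, 0x89, 0xe5, 0x90, 0xc3 };
    uint8_t orig[64];
    struct patch_meta m;

    memcpy(orig, mem, sizeof(mem));
    apply_patch(mem, mem + 32, &m);
    if (memcmp(mem, endbr64, ENDBR_LEN) != 0 || mem[4] != 0xe9 || m.offset != ENDBR_LEN)
        return 0;
    revert_patch(mem, &m);
    return memcmp(mem, orig, sizeof(mem)) == 0;
}
```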


 

