Xen project Mailing List

Re: [PATCH] x86/cet: Remove writeable mapping of the BSPs shadow stack

From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Thu, 17 Mar 2022 16:19:07 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=A0rxCl6BuqrJGmVUpAJ5lvZd2V6Vom0RNBwPgn/WC3s=; b=npnrySYyew/mCTQw54YYVEJf8B1ODqxbyxxEXwr8PThu7q6jmbmhCngb/gHESAd0Usrfvsl0+1ycwulZ1cbEAuovlc4OZ5Lt7tmBreIKBia4tLMMpoPmQuHh6nuv3ZJAMxN8MVLh55P/Y2ye8T4LU5uT9+BTbmFAyu7Wyhww1EZWSp8E46Je8qi+IEZYRA80CJCKVL5hR9glBWq9Wf2Mjz/1t/sUM01nDGKFURiaev5fJeVdT2pZiVuVti7sLLlCX+UyAhUeR4TTd1qEqepEw/6erhCCBHzNMCrilOTxMqFThHYsfbFAjAlShi0LKlphbAGQrIQJEn8DkJoPH9fSjQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J8/iHo9GsqtAq+dKn+Y2WxKsnCrQlaDT3S4pBPm8kAuFTUYw01s+vkZOksX5DDjjTVcP0WXHkn2WTb39ukGwIsKXsBVn0QZXmCigixOJDxZqegvMlJe1ls4xO9wjik5/SuBjDhvde/b2KFdsodDMAHVHHLwzrpHkAFn8oXy94jY3ldrFq3+y1HjC6S97C39yeqzlF0K5Aib4nlTPn1Y1eUIpjfYP3iVNmoEnNN8Yj/Hv/2S8SsOnH4mTHZs6avCXvdFdn0mv9Az9xxoh86gw6dhm0bZ/5uJX9eDrl70AD3YfPI0tXQTFomToRaWJajgYk/VNCfawc4JuCNMJCVFBeQ==

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 17 Mar 2022 16:19:26 +0000

Ironport-data: A9a23:3dd4xqzmtArB3q9Iq716t+cKxirEfRIJ4+MujC+fZmUNrF6WrkUCx mdMW2yOOv+OYzejco9yPITi8UgA7MCGyYNhTQY4+SAxQypGp/SeCIXCJC8cHc8zwu4v7q5Dx 59DAjUVBJlsFhcwnj/0bv656yMUOZigHtIQMsadUsxKbVIiGX9JZS5LwbZj2NYz2IfhWWthh PupyyHhEA79s9JLGjp8B5Kr8HuDa9yr5Vv0FnRnDRx6lAe2e0s9VfrzFonoR5fMeaFGH/bSe gr25OrRElU1XfsaIojNfr7TKiXmS1NJVOSEoiI+t6OK2nCuqsGuu0qS2TV1hUp/0l20c95NJ Nplu8S8RiIuN5bwnOUHTSN3KyY5bJYf5+qSSZS/mZT7I0zudnLtx7NlDV0sPJ1e8eFyaY1M3 aVGcnZXNEnF3r/ohuLgIgVvrp1LwM3DFYUToHx/ixreCu4rW8vrSKTW/95Imjw3g6iiGN6AO ZtDMms/MHwsZTVQGw4ONK5gh9ymm1jvWBQA92O5j4A4tj27IAtZj+G2bYu9lsaxbcBchEORv G/F12X/HBABNdabxCaF83SjnevGl2XwX4d6PK218LtmjUOewkQXCQYKTh2rrP+hkEm8VtlDb UsO9UIGr6I/6UiqRdnVRACjrTiPuRt0c8VUO/037keK0KW83uqCLjFaFHgbMoVg7ZJoA2xxv rOUoz/3LTI3vLKwTnumyrOVty2IFhASaj45PDBRGGPp/OLfiI00ixvOSPNqH6i0ksD5FFnM/ tyakMQtr+5N1JBWjs1X6XiC2mvx/caREmbZ8y2NBgqYAhVFiJlJjmBCwXzS9r5+IYmQVTFtV 1BUypHFvIji4Xxg/RFhodnh/pn0v55p0xWG2DaD+qXNERz3pxZPmqgKvFlDyL9BaJpsRNMQS Ba7VfltzJFSJmC2SqR8fpi8Dc8npYC5S4i6Cq2LN4AQOscsHONiwM2ITRTMt4wKuBJw+ZzTx L/BKZr8ZZrkIfkPIMWKqxc1juZwm3FWKZL7TpHn1RW3uYdyl1bOIYrpxGCmN7hjhIvd+V292 48Ga6OilkUOOMWjM3K/2dNCcjg3wY0TWMmeRzp/LbXYfGKL2QgJVpfs/F/WU9c8zvoPybuQo C3Vt40x4AOXuEAr4D6iMxhLQLjuQYx+vTQ8OyktNkyvwH8tfcCk66J3Snf9VeVPGDBLpRKsc 8Q4Rg==

Ironport-hdrordr: A9a23:Kajvma75SawlHsKelQPXwWaBI+orL9Y04lQ7vn2ZFiY7TiXIra yTdaoguCMc0AxhJU3Jmbi7Scy9qeu1z+873WBjB8bfYOCAghrnEGgC1/qv/9SEIUPDH4FmpN 5dmsRFeb7N5B1B/LzHCWqDYpcdKbu8gdiVbI7lph8HJ2ALV0gj1XYDNu/yKDwseOAsP+tcKH Po3Lsgm9PWQwVxUi3UPAhmY8Hz4/nw0L72ax8PABAqrCOUiymz1bL8Gx+Emj8DTjJm294ZgC j4uj28wp/mn+Cwyxfa2WOWxY9RgsHdxtxKA9HJotQJKw/rlh2jaO1aKv6/VXEO0aOSAWQR4Z 3xSiQbToNOArTqDyeISC7WqkzdOfAVmibfIBGj8CPeSIfCNU0H4oJ69Pxkm13imhAdVZhHod J2NyjyjesnMTrQ2Cv6/NTGTBdsiw69pmcji/caizhFXZIZc6I5l/1VwKp5KuZIIMvB0vFuLA CuNrCp2N9GNVeBK3zJtGhmx9KhGnw1AxedW0AH/siYySJfknx1x1YRgJV3pAZMyLstD51fo+ jUOKVhk79DCscQcKJmHe8EBc+6EHbETx7AOH+bZV7nCKYEMXTQrIOf2sR+2Mi6PJgTiJcikp XIV11V8WY0ZkL1EMWLmIZG9xjcKV/NKwgFCvsukKSRloeMNoYDaxfzO2zGu/HQ1skiPg==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHYOI1bRL6jiuzp4UWoineooRKJ46zBsAOAgAC1YICAAOkogIAAdcwA

Thread-topic: [PATCH] x86/cet: Remove writeable mapping of the BSPs shadow stack

On 17/03/2022 09:17, Jan Beulich wrote: > On 16.03.2022 20:23, Andrew Cooper wrote: >> On 16/03/2022 08:33, Jan Beulich wrote: >>> On 15.03.2022 17:53, Andrew Cooper wrote: >>>> --- a/xen/arch/x86/xen.lds.S >>>> +++ b/xen/arch/x86/xen.lds.S >>>> @@ -215,8 +215,9 @@ SECTIONS >>>> } PHDR(text) >>>> DECL_SECTION(.init.data) { >>>> #endif >>>> + . = ALIGN(STACK_SIZE); >>>> + *(.init.bss.stack_aligned) >>> No real need for the ALIGN() here - it's the contributions to the >>> section which ought to come with proper alignment. Imo ALIGN() >>> should only ever be there ahead of a symbol definition, as otherwise >>> the symbol might not mark what it is intended to mark due to padding >>> which might be inserted. See also 01fe4da6243b ("x86: force suitable >>> alignment in sources rather than in linker script"). >>> >>> Really we should consider using >>> >>> *(SORT_BY_ALIGNMENT(.init.data .init.data.* .init.bss.*)) >>> >>> While I can see your point against forcing sorting by alignment >>> globally, this very argument doesn't apply here (at least until >>> there appeared a way for the section attribute and -fdata-sections >>> to actually interact, such that .init.* could also become per- >>> function/object). >>> >>> Then again - this block of zeroes doesn't need to occupy space in >>> the binary. >> It already occupies space, because of mkelf32. > Hmm, yes, and not just because of mkelf32: Since we munge everything > in a single PT_LOAD segment in the linker script, all of .init.* > necessarily has space allocated. > >>> It could very well live in a @nobits .init.bss in the >>> final ELF binary. But sadly the section isn't @nobits in the object >>> file, and with that there would need to be a way to make the linker >>> convert it to @nobits (and I'm unaware of such). What would work is >>> naming the section .bss.init.stack_aligned (or e.g. >>> .bss..init.stack_aligned to make it easier to separate it from >>> .bss.* in the linker script) - that'll make gcc mark it @nobits. >> Living in .bss would prevent it from being reclaimed. We've got several >> nasty bugs from shooting holes in the Xen image, and too many special >> cases already. > I didn't suggest to put it in .bss; the suggested name was merely so > that gcc would mark the section @nobits and we could exclude the > section from what makes in into .bss in the final image independent > of .init.* vs .bss.* ordering in the linker script. But anyway - with > the above this aspect is now moot anyway. So can I take this as an ack with the .init typo fixed? ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.