[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/cet: Remove writeable mapping of the BSPs shadow stack

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Thu, 17 Mar 2022 16:32:30 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SGXdJ1Chgk6Q4jFtlmKlAGEb7fNnZXg7s9I74lR5Li0=; b=VdQGYJn5NKHz1cOEwGZK0k4XXkfcQZNrF9DTYhh5jCsDVtHAD6MqDum7q+msUhFn2Yp9kq9ZsUijz1wcmMknEtMAp5MxFfU9ROBF8kAugD6O3BVG5ODDYpBLp7ZRFP6Ki5laXa1wHmuj+dTN1whehq7nMdru/aHZwc65qbATnOE19p5UQ/pDagmH8ZSJ0TiuMu7RJQ/LwlRXwDxmkYpxYfGE+YU9sU87FJApIwaYyFrRRvFa8EVqFg/ixX7tom0+hDOcPbrwnNqEcVjhqcdVvP5p8F9oupjbTUX3qV+39H3O6Gt9oeFovQABQTKiVuRrIiiFhxHW8IQxq+wknC8ikw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NJK/YTrUEAw9UxBwPK7illeYYwZbj/VavazdNbrxBsPlDs/jEsMm7QMYS5ga7kKpFwB6bhYabDGj5jVkQTx7ptYzsZm9jCXfeUKYJFkUbt8VcqNByFOlYCizB6x/E8gSwW34lXGwTob/SztL9TzQRlOrcfMa4WQlvRG05Cx7ZLoAzO1fJ4zNbsqIQL0iLqVwt816nAsm95FUEspaMFO3wfP2HnXhfIrZDBZYwwaLQJioL+dOV5tc4nZta7MCYvLdLu9L0h+JD/LE4G0Yc/IA4oxfhykGPlZWbA/YJBJJrM1uQ3fPvqkSerPl22YSqn+R+FxqHoaxrKkOvm7IpMoxaw==
  • Authentication-results: esa4.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 17 Mar 2022 16:32:39 +0000
  • Ironport-data: A9a23:GJfa2Kq30r7K85KmrkesoI+XBgVeBmIlZRIvgKrLsJaIsI4StFCzt garIBmFOfiPNGGjethxPYWz9UoBu5WEyYQwGlBpryhhQn5B+ZuZCYyVIHmrMnLJJKUvbq7GA +byyDXkBJppJpMJjk71atANlVEliefQAOCU5NfsYkidfyc9IMsaoU8lyrZRbrJA24DjWVvW4 Iyq+aUzBXf+s9JKGjNMg068gEsHUMTa4Fv0aXRnOJinFHeH/5UkJMp3yZOZdhMUcaENdgKOf M7RzanRw4/s10xF5uVJMFrMWhZirrb6ZWBig5fNMkSoqkAqSicais7XOBeAAKv+Zvrgc91Zk b1wWZKMpQgBD43PiudeQgtjAQZyGbwX2LT4JXmuvpnGp6HGWyOEL/RGCUg3OcsT+/ptAHEI/ vsdQNwPRknd3aTsmuv9E7QywJR4RCXoFNp3VnVI5DfVF/s5B7vERL3H/4Rw1zYsnMFeW/3ZY qL1bBIxPESROUIfYD/7DroUguu3iCS8UQFXl1SyubQr3kHtx1V+he2F3N39JYXRGJQ9clyjj mfP5WHwGBwZHN2Z1zue83ioi/PPnCX0Q4YbHvuz8fsCqE2ewCkfBQMbUXO/oOKlkQiuVtRHM UsW9yEy668o+ySDTNPwQhm5q36spQMHVpxbFOhSwB6J4rrZ5UCeHGdsc9JaQIV47olsH2Vsj wLX2YOybdByjFGLYUO99aWX7iKgAjoyIUsTNA8Pcg8E8ta29enfkSnzZtpkFae0iPj8Fjfx3 y2GoUACulkDsSIY//7lpA6a2lpAsrCMF1dovVuPAgpJ+ysjPOaYi5qUBU83BBqqBKKQVRG/s XcNgKByB8heXMjWxERhrAjgdYxFBspp0hWB2TaD/LF7rlxBHkJPm6gKvFmSw28zbq45lcfBO hO7hO+ozMY70IGWRaF2eZmtLM8h0LLtE9/oPtiNMIYRPsUuLVXZpH4zDaJ144wLuBJw+U3YE c3HGftA8F5AUfg3pNZIb7p1PUAXKtAWmjqIGMGTI+WP2ruCfn+FIYrpw3PVBt3VGJis+V2Pm /4GbpPi40wGDIXWP3mGmaZOfAtiBSVqWvjLRzl/K7frzvxOQzp6VZc8ANoJJuRYokiivryRr y/nBRMAlgaXaL+uAVziV02PoYjHBP5XhXk6ITYtLRCv3X0iapyo96ARa908erxPyQCp5aMco yUtEylYPslydw==
  • Ironport-hdrordr: A9a23:TNxw9qtTOWcdPo1ZsDUCMNFj7skDotV00zEX/kB9WHVpm5Sj5q eTdPRy73DJYUUqKRcdcLG7SdS9qBznhP1ICOUqUItKGTOW3FdAT7sSkbcKoQeQeREWn9Q1vc wLT0E9MqyUMbEQt6jHCXyDc+rIt+PnzEnHv4vjJjxWPHhXgulbnn9EIxfeGBZuXw9NCYAiGJ eb/cQvnUvbRZ04VLXBOkU4
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYOI1bRL6jiuzp4UWoineooRKJ46zBsAOAgAC1YICAAOkogIAAdcwAgAACp4CAAAEXgA==
  • Thread-topic: [PATCH] x86/cet: Remove writeable mapping of the BSPs shadow stack
On 17/03/2022 16:28, Jan Beulich wrote:
> On 17.03.2022 17:19, Andrew Cooper wrote:
>> On 17/03/2022 09:17, Jan Beulich wrote:
>>> On 16.03.2022 20:23, Andrew Cooper wrote:
>>>> On 16/03/2022 08:33, Jan Beulich wrote:
>>>>> On 15.03.2022 17:53, Andrew Cooper wrote:
>>>>>> --- a/xen/arch/x86/xen.lds.S
>>>>>> +++ b/xen/arch/x86/xen.lds.S
>>>>>> @@ -215,8 +215,9 @@ SECTIONS
>>>>>>    } PHDR(text)
>>>>>>    DECL_SECTION(.init.data) {
>>>>>>  #endif
>>>>>> +       . = ALIGN(STACK_SIZE);
>>>>>> +       *(.init.bss.stack_aligned)
>>>>> No real need for the ALIGN() here - it's the contributions to the
>>>>> section which ought to come with proper alignment. Imo ALIGN()
>>>>> should only ever be there ahead of a symbol definition, as otherwise
>>>>> the symbol might not mark what it is intended to mark due to padding
>>>>> which might be inserted. See also 01fe4da6243b ("x86: force suitable
>>>>> alignment in sources rather than in linker script").
>>>>>
>>>>> Really we should consider using
>>>>>
>>>>>     *(SORT_BY_ALIGNMENT(.init.data .init.data.* .init.bss.*))
>>>>>
>>>>> While I can see your point against forcing sorting by alignment
>>>>> globally, this very argument doesn't apply here (at least until
>>>>> there appeared a way for the section attribute and -fdata-sections
>>>>> to actually interact, such that .init.* could also become per-
>>>>> function/object).
>>>>>
>>>>> Then again - this block of zeroes doesn't need to occupy space in
>>>>> the binary.
>>>> It already occupies space, because of mkelf32.
>>> Hmm, yes, and not just because of mkelf32: Since we munge everything
>>> in a single PT_LOAD segment in the linker script, all of .init.*
>>> necessarily has space allocated.
>>>
>>>>>  It could very well live in a @nobits .init.bss in the
>>>>> final ELF binary. But sadly the section isn't @nobits in the object
>>>>> file, and with that there would need to be a way to make the linker
>>>>> convert it to @nobits (and I'm unaware of such). What would work is
>>>>> naming the section .bss.init.stack_aligned (or e.g.
>>>>> .bss..init.stack_aligned to make it easier to separate it from
>>>>> .bss.* in the linker script) - that'll make gcc mark it @nobits.
>>>> Living in .bss would prevent it from being reclaimed.  We've got several
>>>> nasty bugs from shooting holes in the Xen image, and too many special
>>>> cases already.
>>> I didn't suggest to put it in .bss; the suggested name was merely so
>>> that gcc would mark the section @nobits and we could exclude the
>>> section from what makes in into .bss in the final image independent
>>> of .init.* vs .bss.* ordering in the linker script. But anyway - with
>>> the above this aspect is now moot anyway.
>> So can I take this as an ack with the .init typo fixed?
> R-b, yes, as long as the ALIGN(STACK_SIZE) is also dropped and the
> other ALIGN() is retained (the latter you did already indicate you
> would do).

Ah yes.  Thanks.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.