[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH] x86/tboot: Drop mfn_in_guarded_stack()
To support CET Shadow Stacks, guard pages changed from being holes to being read-only. As such, they can be read. Moreover, they should be included in the integrity check. Fixes: 60016604739b ("x86/shstk: Rework the stack layout to support shadow stacks") Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Wei Liu <wl@xxxxxxx> --- xen/arch/x86/tboot.c | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c index fe1abfdf08ff..03098450f788 100644 --- a/xen/arch/x86/tboot.c +++ b/xen/arch/x86/tboot.c @@ -242,29 +242,6 @@ static void tboot_gen_domain_integrity(const uint8_t key[TB_KEY_SIZE], memset(&ctx, 0, sizeof(ctx)); } -/* - * For stack overflow detection in debug build, a guard page is set up. - * This fn is used to detect whether a page is in the guarded pages for - * the above reason. - */ -static int mfn_in_guarded_stack(unsigned long mfn) -{ - void *p; - int i; - - for ( i = 0; i < nr_cpu_ids; i++ ) - { - if ( !stack_base[i] ) - continue; - p = (void *)((unsigned long)stack_base[i] + STACK_SIZE - - PRIMARY_STACK_SIZE - PAGE_SIZE); - if ( mfn == virt_to_mfn(p) ) - return -1; - } - - return 0; -} - static void tboot_gen_xenheap_integrity(const uint8_t key[TB_KEY_SIZE], vmac_t *mac) { @@ -288,15 +265,7 @@ static void tboot_gen_xenheap_integrity(const uint8_t key[TB_KEY_SIZE], continue; /* skip tboot and its page tables */ if ( is_page_in_use(page) && is_special_page(page) ) - { - void *pg; - - if ( mfn_in_guarded_stack(mfn) ) - continue; /* skip guard stack, see memguard_guard_stack() in mm.c */ - - pg = mfn_to_virt(mfn); - vmac_update((uint8_t *)pg, PAGE_SIZE, &ctx); - } + vmac_update(mfn_to_virt(mfn), PAGE_SIZE, &ctx); } *mac = vmac(NULL, 0, nonce, NULL, &ctx); -- 2.11.0
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |