[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH for-4.17] xen/arm: Support properly __ro_after_init on Arm
- To: Julien Grall <julien@xxxxxxx>
- From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
- Date: Thu, 18 Aug 2022 14:07:26 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
- Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0T9neOyFXKg5pjw3VJKt5TmkrPIzGHpWSRicmjewUKM=; b=e6w3BD0+I3nuYvj8SiOod9LWh4xJ90tHw9Vru/VhYgfAxeIO9XXYXuNil9pDG3CnvcN458IL4hwBqkO00rP/f7yMjH6esQX9c2ClmkJMNvSk0Mh9YOqMtsrhZYNd7XUipZiyN1qiBA5GPxckHNAKuoQlJ4CJvTBHfozQcwwwqrrUdkc/x6J8/PXiNADhUf1rXdl6IdIynfC/HvtMCr3rOTdsIxpjkn+8jhTiar2ScbvAgTsNklbuEJ8iA1EUBR9O/NASM5iy6MURQmWWjdsF6bYiU2IoF+aIXVVAGM0ax9ISfKAzpM3XJNfmf1AU0O8DDSSnovNpSJy9oXsG+mvIBQ==
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0T9neOyFXKg5pjw3VJKt5TmkrPIzGHpWSRicmjewUKM=; b=k48zWMn9DX1yuDi0sZT1AbAymSQcH7li2pW1GF11+3q1xQLfPPkilWS+IeyQiLhIvroZ2g966lxtJFwh8ho6B4pGSP/v+Ic0+6l1muwJKsgCSxHsj/hJtpAAf8KIXkJMwSsImkyRqidHWUu0EAqU9mp1WPtVYNedGwfF4cQ76o+AkEyLE0rBWB0nnpuTuPHg5xdr0EMVwtSvjZfjucntvzAcL0iEuMl8erGftC6kvRFk44D71EFsQB4gxstPNcmj+OCiFH00HzyB6jPQLpYL4qOyEzXDp5saj89tW92t6QLzk6bZWoyql1Jas71gC1Q6RUk7VYZIA2hT6ptgQ/OjWA==
- Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=BQY45CCP/YKE2VzRHwLbRcF0EqEDcvnYOmrlIN5Mrw4zhFDB1dHoN36aI7WjwyPZ8kQkvqgeNTQej1Kft7/kmDXmyOxWLyeEwW12lO9p6/jDnY0ZnFGXNNyUJziv5Gk2EhHv8luJkOOknyddvhEzsXPt3rWYCCFt/Mi1qb0sB5+gp1TcU1dlYfRfIa57Z/brvIwedmauk2pdo7xGpRkRa+bKFAo/Qdy/DuEWGE6EVr13+rpyHI26kni2FhViJbaa+pApOdc7ylVd8tO8ApskxeN+lqNm3PHw5S5Yv0KESbQ9/bmYys5dJKcyriehwet/DBCJLiWwHw7qrCHUuIOtqA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Thd3BiX9EU2pRK36NWVG22ml6cLO25qfyMW7lSCwv3UZsh+GXD4MjQXv+j6kDzaSq8zTRzH/oFS9kPtb5tk1QsXc6EjNEK7YrUl+119X7wn7Ir0gd/6fNijmvabQwsgKWVj22mI+v8GWlPxX4SisKBgzbKEU2dTvJANS9xvekeqVUq5sqGllaRvLbwEY3eedhr8fNrB5UeB4L33CWjDT5FNP8UtHBtlhpuC7tMk/+IfKLjrfDeQdkUXdoh6pZLlt4kvdBNaQL7LZm633wxJ30LIKieMH4ozcNAbA772FL3v6ZyCMz47BnfhLhmtr5StWqHAsaF1XxJCEEe+MvXCqUw==
- Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
- Cc: Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <jgrall@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Thu, 18 Aug 2022 14:07:40 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Nodisclaimer: true
- Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
- Thread-index: AQHYsaJm36MHcf45GkO6ALJzQ7Il0a2yxdaAgAAKiQCAAeQMAA==
- Thread-topic: [PATCH for-4.17] xen/arm: Support properly __ro_after_init on Arm
Hi,
> On 17 Aug 2022, at 10:14, Julien Grall <julien@xxxxxxx> wrote:
>
> Hi Jan,
>
> On 17/08/2022 09:37, Jan Beulich wrote:
>> On 16.08.2022 20:59, Julien Grall wrote:
>>> --- a/xen/arch/arm/setup.c
>>> +++ b/xen/arch/arm/setup.c
>>> @@ -75,10 +75,24 @@ domid_t __read_mostly max_init_domid;
>>> static __used void init_done(void)
>>> {
>>> + int rc;
>>> +
>>> /* Must be done past setting system_state. */
>>> unregister_init_virtual_region();
>>> free_init_memory();
>>> +
>>> + /*
>>> + * We have finished to boot. Mark the section .data.ro_after_init
>>> + * read-only.
>>> + */
>>> + rc = modify_xen_mappings((unsigned long)&__ro_after_init_start,
>>> + (unsigned long)&__ro_after_init_end,
>>> + PAGE_HYPERVISOR_RO);
>>> + if ( rc )
>>> + panic("Unable to mark the .data.ro_after_init section read-only
>>> (rc = %d)\n",
>>> + rc);
>> Just wondering - is this really worth panic()ing?
>
> The function should never fails and it sounds wrong to me to continue in the
> unlikely case it will fail.
I agree, we should not ignore and error here.
>
>>> --- a/xen/arch/arm/xen.lds.S
>>> +++ b/xen/arch/arm/xen.lds.S
>>> @@ -83,6 +83,13 @@ SECTIONS
>>> _erodata = .; /* End of read-only data */
>>> . = ALIGN(PAGE_SIZE);
>>> + .data.ro_after_init : {
>>> + __ro_after_init_start = .;
>>> + *(.data.ro_after_init)
>>> + . = ALIGN(PAGE_SIZE);
>>> + __ro_after_init_end = .;
>>> + } : text
>> Again just wondering: Wouldn't it be an option to avoid the initial
>> page size alignment (and the resulting padding) here, simply making
>> .data.ro_after_init part of .rodata and do the earlier write-protection
>> only up to (but excluding) the page containing __ro_after_init_start?
>
> So both this question and the previous one will impair the security of Xen on
> Arm (even though the later is only at boot time).
>
> This is not something I will support just because we are going to save <
> PAGE_SIZE. If we are concern of the size wasted, then there are other way to
> mitigate it (i.e. moving more variables to __ro_after_init).
Agree with Julien here.
Cheers
Bertrand
>
> Cheers,
>
> --
> Julien Grall
|