
Re: [PATCH] x86: Add Kconfig option to require NX bit support


  • To: Jan Beulich <jbeulich@xxxxxxxx>, Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Fri, 2 Jun 2023 10:45:40 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 02 Jun 2023 09:46:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02/06/2023 9:31 am, Jan Beulich wrote:
> On 01.06.2023 19:43, Alejandro Vallejo wrote:
>> This allows replacing many instances of runtime checks with folded
>> constants. The patch asserts support for the NX bit in PTEs at boot time
>> and if so short-circuits cpu_has_nx to 1. This has several knock-on effects
>> that improve codegen:
>>   * _PAGE_NX matches _PAGE_NX_BIT, optimising the macro to a constant.
>>   * Many PAGE_HYPERVISOR_X are also folded into constants
>>   * A few if ( cpu_has_nx ) statements are optimised out
>>
>> We save 2.5KiB off the text section and remove the runtime dependency for
>> applying NX, which hardens our security posture. The config option defaults
>> to OFF for compatibility with previous behaviour.
>>
>> Signed-off-by: Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>
> At a guess this may want a Suggested-by: Andrew?

Well - it was a work item off the backlog, and a one-liner at that.  I
wouldn't have said an explicit tag was warranted simply because I put
the backlog together.

~Andrew



 

