
Re: [PATCH] tboot: Disable CET at shutdown


  • To: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2023 15:19:48 -0400
  • Cc: Lukasz Hawrylko <lukasz@xxxxxxxxxxx>, Mateusz Mówka <mateusz.mowka@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Tue, 15 Aug 2023 19:20:08 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 8/15/23 12:11, Jason Andryuk wrote:
tboot_shutdown() calls into tboot to perform the actual system shutdown.
tboot isn't built with endbr annotations, and Xen has CET-IBT enabled on
newer hardware.  shutdown_entry isn't annotated with endbr and Xen
faults:

Panic on CPU 0:
CONTROL-FLOW PROTECTION FAULT: #CP[0003] endbranch

And Xen hangs at this point.

Disabling CET-IBT let Xen and tboot power off, but reboot was
performing a poweroff instead of a warm reboot.  Disabling all of CET,
i.e. shadow stacks as well, lets tboot reboot properly.

Fixes: cdbe2b0a1aec ("x86: Enable CET Indirect Branch Tracking")
Signed-off-by: Jason Andryuk <jandryuk@xxxxxxxxx>
---
Without this fix, Xen subsequently hangs:

Reboot in five seconds...
[VT-D] IOMMU1: QI wait descriptor taking too long
  IQA = 484897000
  IQH = 0
  IQT = 820

with no further output.
---
  xen/arch/x86/tboot.c | 10 ++++++++++
  1 file changed, 10 insertions(+)

diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c
index 90f6e805a9..86c4c22cac 100644
--- a/xen/arch/x86/tboot.c
+++ b/xen/arch/x86/tboot.c
@@ -353,6 +353,16 @@ void tboot_shutdown(uint32_t shutdown_type)
          tboot_gen_xenheap_integrity(g_tboot_shared->s3_key, &xenheap_mac);
      }
+ /*
+     * Disable CET - tboot may not be built with endbr, and it doesn't support
+     * shadow stacks.
+     */
+    if ( read_cr4() & X86_CR4_CET )
+    {
+        wrmsrl(MSR_S_CET, 0);
+        write_cr4(read_cr4() & ~X86_CR4_CET);
+    }
+
      /*
       * During early boot, we can be called by panic before idle_vcpu[0] is
       * setup, but in that case we don't need to change page tables.
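
Review bot: The comment above `if ( read_cr4() & X86_CR4_CET )` says tboot "doesn't support shadow stacks" but omits the observable reason given in the commit message, namely that with only IBT disabled a reboot request ended in a poweroff; that belongs in the code comment, since it is the non-obvious part a later reader would need before narrowing this to IBT only. Two smaller points on the same block: CR4 is read twice, so a local (read once, test, then `write_cr4(cr4 & ~X86_CR4_CET)`) would be tidier, and both CR4.CET and MSR_S_CET are per-CPU state, so this only clears CET on the CPU executing tboot_shutdown(). If that is the only CPU that enters tboot, say so in the comment. It is also worth confirming that no path after this point returns to the caller without entering tboot, because Xen would then keep running with CET off.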

Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>



 

