Re: [PATCH v2 3/3] x86: prefer shadow stack for producing call traces
On 08/04/2026 1:23 pm, Jan Beulich wrote:
> Shadow stacks contain little more than return addresses, and they in
> particular allow precise call traces also without FRAME_POINTER.

Do you have an example of what such a backtrace now looks like?

> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> While the 'E' for exception frames is probably okay, I'm not overly
> happy with the 'C' (for CET). I would have preferred 'S' (for shadow),
> but we use that character already.
>
> As an alternative to suppressing output for the top level exception
> frame, adding the new code ahead of the 'R' output line (and then also
> ahead of the stack top read) could be considered.
>
> Perhaps having a printk() for the PV entry case is meaningless, for
> - no frame being pushed when entered from CPL=3 (64-bit PV),
> - no entry possible from CPL<3 (32-bit PV disabled when CET is active)?
> In which case the comment probably should just be "Bogus." and the code
> merely be "break;".

Yes, PV32 doesn't exist when CET-SS is active, and PV64 doesn't push a frame. regs->ssp will point to the supervisor token (IDT delivery) or on the boundary with the regular stack (FRED).

> Quite likely a number of other uses of is_active_kernel_text() also want
> amending with in_stub().

There are very few things which can exist on a shadow stack.

1) Tokens (supervisor, restore or prev)
2) Return address
3) Old-SSP
4) Old-CS

Intel recommend not allowing code or stacks to be in the bottom 64k of the address space to prevent type confusion between Old-CS and the other values. Xen matches this expectation, but it might be wise to check for it explicitly.

Notably, we cannot ever get a value matching in_stub() (outside of general memory corruption). On SYSCALL/SYSENTER, SSP is set to 0, and we don't re-establish a proper SSP until the SETSSBSY after leaving the stub. Similarly on SYSRET, the CLRSSBSY sets SSP to 0 too.

An NMI hitting these paths should find regs->ssp pointing at its own shadow stack, with an Old-SSP of 0.

~Andrew
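Andrew's list of what a shadow stack can hold, as an added C example that is neither Xen code nor part of the patch under review: a user-space walk over a constructed shadow stack, from the slot SSP points at up to the supervisor token, sorting each slot into token, return address, Old-SSP or Old-CS, and relying on the below-64k rule to tell Old-CS apart from the rest. The kernel text range, the 'E' marker, and the selector value are constructed assumptions; the frame layout (Old-CS pushed first, then Old-LIP, then Old-SSP, so Old-SSP sits at the lowest address) follows the CET exception-delivery order.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed kernel text range, standing in for is_active_kernel_text(). */
#define TEXT_START 0xffff82d040200000ULL
#define TEXT_END   0xffff82d040400000ULL
enum sstk_kind { SSTK_UNKNOWN, SSTK_RET, SSTK_OLD_CS, SSTK_OLD_SSP, SSTK_SUP_TOKEN };
/* Classify the 8-byte slot at linear address 'slot' holding 'val'; [lo, hi) is the shadow stack. */
static enum sstk_kind classify(uint64_t slot, uint64_t val, uint64_t lo, uint64_t hi)
{
    if ((val & ~1ULL) == slot)               /* supervisor token: own address, bit 0 = busy */
        return SSTK_SUP_TOKEN;
    if (val < 0x10000)                       /* Old-CS: unambiguous only because no code */
        return SSTK_OLD_CS;                  /* or stack is allowed in the bottom 64k */
    if (val >= TEXT_START && val < TEXT_END)
        return SSTK_RET;
    return (val >= lo && val < hi) ? SSTK_OLD_SSP : SSTK_UNKNOWN;  /* Old-SSP points into a shadow stack */
}
/* Walk up from SSP to the supervisor token; returns the return-address count, *frames gets the
 * exception-frame count (Old-SSP, Old-LIP, Old-CS triples, lowest address first). */
size_t sstk_trace(const uint64_t *ssp, const uint64_t *base, size_t n, size_t *frames)
{
    uint64_t lo = (uint64_t)(uintptr_t)base, hi = lo + n * sizeof(*base);
    size_t rets = *frames = 0;
    for (const uint64_t *p = ssp; p < base + n; p++) {
        switch (classify((uint64_t)(uintptr_t)p, *p, lo, hi)) {
        case SSTK_RET:       printf("   [<%016" PRIx64 ">]\n", *p); rets++; break;
        case SSTK_SUP_TOKEN: return rets;    /* top of this shadow stack */
        case SSTK_OLD_SSP:                   /* exception frame: report the interrupted LIP and CS */
            if (p + 2 >= base + n) break;
            printf("   E [<%016" PRIx64 ">] cs=%04" PRIx64 "\n", p[1], p[2]);
            (*frames)++; p += 2; break;      /* skip the LIP and CS slots just consumed */
        default:             printf("   ?? %016" PRIx64 "\n", *p); break;
        }
    }
    return rets;
}
size_t demo_frames;  /* exception frames found by the last demo() call */
/* Constructed shadow stack (index 0 lowest): three calls with one interrupt between them. */
size_t demo(void)
{
    static uint64_t sstk[8];
    sstk[7] = (uint64_t)(uintptr_t)&sstk[7] | 1;  /* busy supervisor token */
    sstk[6] = TEXT_START + 0x1000;                 /* return address A */
    sstk[5] = 0x0008;                              /* Old-CS (constructed selector value) */
    sstk[4] = TEXT_START + 0x2000;                 /* Old-LIP, the interrupted instruction */
    sstk[3] = (uint64_t)(uintptr_t)&sstk[6];       /* Old-SSP, the SSP before delivery */
    sstk[2] = TEXT_START + 0x3000;                 /* return address B */
    sstk[1] = TEXT_START + 0x4000;                 /* return address C */
    return sstk_trace(&sstk[1], sstk, 8, &demo_frames);
}
```

The walk reports C, B, the 'E' frame with its interrupted LIP, then A, and stops at the token rather than reading past the shadow stack top.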