From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Jan Beulich" <JBeulich@suse.com>,
"Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>
Subject: [PATCH v3 06/70] x86: Introduce support for CET-IBT
Date: Tue, 22 Feb 2022 15:26:34 +0000 [thread overview]
Message-ID: <20220222152645.8844-5-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <20220222152645.8844-1-andrew.cooper3@citrix.com>
CET Indirect Branch Tracking is a hardware feature designed to provide
forward-edge control flow integrity, protecting against jump/call oriented
programming.
IBT requires the placement of ENDBR{32,64} instructions at the target of every
indirect call/jmp, and every entrypoint.
However, the default -fcf-protection=branch places an ENDBR on every function
which far more than necessary, and reduces the quantity of protection
afforded. Therefore, we use manual placement using the cf_check attribute.
It is necessary to check for both compiler and assembler support, as the
notrack prefix can be emitted in certain cases.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Wei Liu <wl@xen.org>
Clang/LLVM support for -mmanual-endbr is in progress:
https://reviews.llvm.org/D118355
v2:
* Correct CONFIG_HAS_CC_CET_IBT to CONFIG_XEN_IBT in some places
* Move cf_check compatibility into tools/tests/x86_emulator/x86-emulate.h
v3:
* Extend commit message
* Disable IBT for pvshim defconfig
---
Config.mk | 1 -
tools/firmware/Makefile | 2 ++
tools/libs/guest/xg_dom_decompress_unsafe.h | 2 ++
tools/tests/x86_emulator/x86-emulate.h | 2 ++
xen/arch/x86/Kconfig | 17 +++++++++++++++++
xen/arch/x86/arch.mk | 6 ++++++
xen/arch/x86/configs/pvshim_defconfig | 1 +
xen/arch/x86/include/asm/asm-defns.h | 6 ++++++
xen/arch/x86/include/asm/cpufeature.h | 1 +
xen/arch/x86/include/asm/cpufeatures.h | 1 +
xen/include/xen/compiler.h | 6 ++++++
11 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/Config.mk b/Config.mk
index 95c053212ec3..f56f7dc33468 100644
--- a/Config.mk
+++ b/Config.mk
@@ -190,7 +190,6 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
-EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
# All the files at that location were downloaded from elsewhere on
diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
index 345037b93b7f..53ed4f161edb 100644
--- a/tools/firmware/Makefile
+++ b/tools/firmware/Makefile
@@ -6,6 +6,8 @@ TARGET := hvmloader/hvmloader
INST_DIR := $(DESTDIR)$(XENFIRMWAREDIR)
DEBG_DIR := $(DESTDIR)$(DEBUG_DIR)$(XENFIRMWAREDIR)
+EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
+
SUBDIRS-y :=
SUBDIRS-$(CONFIG_OVMF) += ovmf-dir
SUBDIRS-$(CONFIG_SEABIOS) += seabios-dir
diff --git a/tools/libs/guest/xg_dom_decompress_unsafe.h b/tools/libs/guest/xg_dom_decompress_unsafe.h
index 4e0bf23aa587..ac6b94288d5e 100644
--- a/tools/libs/guest/xg_dom_decompress_unsafe.h
+++ b/tools/libs/guest/xg_dom_decompress_unsafe.h
@@ -8,6 +8,8 @@ typedef int decompress_fn(unsigned char *inbuf, unsigned int len,
void (*error)(const char *x));
#endif
+#define cf_check /* No Control Flow Integriy checking */
+
int xc_dom_decompress_unsafe(
decompress_fn fn, struct xc_dom_image *dom, void **blob, size_t *size)
__attribute__((visibility("internal")));
diff --git a/tools/tests/x86_emulator/x86-emulate.h b/tools/tests/x86_emulator/x86-emulate.h
index 7f60ef9e89ba..18ae40d01712 100644
--- a/tools/tests/x86_emulator/x86-emulate.h
+++ b/tools/tests/x86_emulator/x86-emulate.h
@@ -54,6 +54,8 @@
#define likely(x) __builtin_expect(!!(x), true)
#define unlikely(x) __builtin_expect(!!(x), false)
+#define cf_check /* No Control Flow Integriy checking */
+
#define container_of(ptr, type, member) ({ \
typeof(((type *)0)->member) *mptr__ = (ptr); \
(type *)((char *)mptr__ - offsetof(type, member)); \
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 41198b0f96ed..8e70f9a44847 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -40,6 +40,11 @@ config HAS_AS_CET_SS
# binutils >= 2.29 or LLVM >= 6
def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy)
+config HAS_CC_CET_IBT
+ # GCC >= 9 and binutils >= 2.29
+ # Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654
+ def_bool $(cc-option,-fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern) && $(as-instr,endbr64)
+
menu "Architecture Features"
source "arch/Kconfig"
@@ -125,6 +130,18 @@ config XEN_SHSTK
When CET-SS is active, 32bit PV guests cannot be used. Backwards
compatiblity can be provided via the PV Shim mechanism.
+config XEN_IBT
+ bool "Supervisor Indirect Branch Tracking"
+ depends on HAS_CC_CET_IBT
+ default y
+ help
+ Control-flow Enforcement Technology (CET) is a set of features in
+ hardware designed to combat Return-oriented Programming (ROP, also
+ call/jump COP/JOP) attacks. Indirect Branch Tracking is one CET
+ feature designed to provide function pointer protection.
+
+ This option arranges for Xen to use CET-IBT for its own protection.
+
config SHADOW_PAGING
bool "Shadow Paging"
default !PV_SHIM_EXCLUSIVE
diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
index edfc043dbbaf..f780c912a9cf 100644
--- a/xen/arch/x86/arch.mk
+++ b/xen/arch/x86/arch.mk
@@ -52,6 +52,12 @@ CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables
CFLAGS-$(CONFIG_CC_IS_CLANG) += -mretpoline-external-thunk
endif
+ifdef CONFIG_XEN_IBT
+CFLAGS += -fcf-protection=branch -mmanual-endbr
+else
+$(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
+endif
+
# If supported by the compiler, reduce stack alignment to 8 bytes. But allow
# this to be overridden elsewhere.
$(call cc-option-add,CFLAGS_stack_boundary,CC,-mpreferred-stack-boundary=3)
diff --git a/xen/arch/x86/configs/pvshim_defconfig b/xen/arch/x86/configs/pvshim_defconfig
index 787376df5a27..d0e92c2ded1f 100644
--- a/xen/arch/x86/configs/pvshim_defconfig
+++ b/xen/arch/x86/configs/pvshim_defconfig
@@ -8,6 +8,7 @@ CONFIG_NR_CPUS=32
CONFIG_EXPERT=y
# Disable features not used by the PV shim
# CONFIG_XEN_SHSTK is not set
+# CONFIG_XEN_IBT is not set
# CONFIG_GRANT_TABLE is not set
# CONFIG_HYPFS is not set
# CONFIG_BIGMEM is not set
diff --git a/xen/arch/x86/include/asm/asm-defns.h b/xen/arch/x86/include/asm/asm-defns.h
index 505f39ad5f76..8bd9007731d5 100644
--- a/xen/arch/x86/include/asm/asm-defns.h
+++ b/xen/arch/x86/include/asm/asm-defns.h
@@ -57,6 +57,12 @@
INDIRECT_BRANCH jmp \arg
.endm
+#ifdef CONFIG_XEN_IBT
+# define ENDBR64 endbr64
+#else
+# define ENDBR64
+#endif
+
.macro guest_access_mask_ptr ptr:req, scratch1:req, scratch2:req
#if defined(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS)
/*
diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h
index a0ab6d7d78ea..f2c6f255ace9 100644
--- a/xen/arch/x86/include/asm/cpufeature.h
+++ b/xen/arch/x86/include/asm/cpufeature.h
@@ -152,6 +152,7 @@
#define cpu_has_nscb boot_cpu_has(X86_FEATURE_NSCB)
#define cpu_has_xen_lbr boot_cpu_has(X86_FEATURE_XEN_LBR)
#define cpu_has_xen_shstk boot_cpu_has(X86_FEATURE_XEN_SHSTK)
+#define cpu_has_xen_ibt boot_cpu_has(X86_FEATURE_XEN_IBT)
#define cpu_has_msr_tsc_aux (cpu_has_rdtscp || cpu_has_rdpid)
diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
index b10154fc44bb..7413febd7ad8 100644
--- a/xen/arch/x86/include/asm/cpufeatures.h
+++ b/xen/arch/x86/include/asm/cpufeatures.h
@@ -39,6 +39,7 @@ XEN_CPUFEATURE(SC_VERW_PV, X86_SYNTH(23)) /* VERW used by Xen for PV */
XEN_CPUFEATURE(SC_VERW_HVM, X86_SYNTH(24)) /* VERW used by Xen for HVM */
XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */
XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */
+XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */
/* Bug words follow the synthetic words. */
#define X86_NR_BUG 1
diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h
index 696c7eb89e4c..933aec09a92d 100644
--- a/xen/include/xen/compiler.h
+++ b/xen/include/xen/compiler.h
@@ -37,6 +37,12 @@
# define nocall
#endif
+#ifdef CONFIG_XEN_IBT
+# define cf_check __attribute__((__cf_check__))
+#else
+# define cf_check
+#endif
+
#if (!defined(__clang__) && (__GNUC__ == 4) && (__GNUC_MINOR__ < 5))
#define unreachable() do {} while (1)
#else
--
2.11.0
next prev parent reply other threads:[~2022-02-22 15:27 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-22 15:26 [PATCH v3 00/70 (not all posted)] x86: Support for CET Indirect Branch Tracking Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 01/70] xen/sort: Switch to an extern inline implementation Andrew Cooper
2022-02-22 15:52 ` Julien Grall
2022-02-22 15:26 ` [PATCH v3 03/70] x86/pv-shim: Don't modify the hypercall table Andrew Cooper
2022-02-22 16:24 ` Jan Beulich
2022-02-22 15:26 ` [PATCH v3 05/70] x86/kexec: Annotate embedded data with ELF metadata Andrew Cooper
2022-02-22 15:26 ` Andrew Cooper [this message]
2022-02-28 12:58 ` [PATCH v3 06/70] x86: Introduce support for CET-IBT Jan Beulich
2022-02-22 15:26 ` [PATCH v3 08/70] xen: CFI hardening for custom_param() Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 12/70] xen: CFI hardening for continue_hypercall_on_cpu() Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 26/70] xen/iommu: CFI hardening Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 27/70] xen/video: " Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 29/70] xen/misc: " Andrew Cooper
2022-02-23 10:25 ` Jan Beulich
2022-02-23 10:34 ` Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 33/70] x86/emul: " Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 46/70] x86/logdirty: " Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 47/70] x86/shadow: " Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 59/70] x86: Use control flow typechecking where possible Andrew Cooper
2022-02-23 14:21 ` Jan Beulich
2022-02-23 14:28 ` Andrew Cooper
2022-02-22 15:26 ` [PATCH v3 60/70] x86: Build check for embedded endbr64 instructions Andrew Cooper
2022-02-23 11:31 ` Jan Beulich
2022-02-23 12:05 ` Andrew Cooper
2022-02-23 14:29 ` Jan Beulich
2022-02-22 15:26 ` [PATCH v3 64/70] x86: Introduce helpers/checks for " Andrew Cooper
2022-02-22 15:29 ` [PATCH v3 00/70 (not all posted)] x86: Support for CET Indirect Branch Tracking Jan Beulich
2022-02-22 15:41 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220222152645.8844-5-andrew.cooper3@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.