* [PATCH] x86/build: Unilaterally disable -fcf-protection
@ 2020-05-12 19:11 Andrew Cooper
2020-05-13 2:35 ` Jason Andryuk
2020-05-13 9:15 ` Jan Beulich
0 siblings, 2 replies; 9+ messages in thread
From: Andrew Cooper @ 2020-05-12 19:11 UTC (permalink / raw)
To: Xen-devel
Cc: Wei Liu, Jason Andryuk, Andrew Cooper, Stefan Bader, Jan Beulich,
Roger Pau Monné
See comment for details. Works around a GCC-9 bug which breaks the build on
Ubuntu.
Reported-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Jason Andryuk <jandryuk@gmail.com>
CC: Stefan Bader <stefan.bader@canonical.com>
Sorry for messing you around with how to fix this. I'd neglected to consider
the CONFIG_LIVEPATCH interaction. With that extra observation, there is no
point having the extra complexity given that the result with CET-IBT and
Retpoline still isn't usable.
---
xen/arch/x86/arch.mk | 9 +++++++++
xen/arch/x86/boot/build32.mk | 1 +
2 files changed, 10 insertions(+)
diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
index 2a51553edb..93e30e4bea 100644
--- a/xen/arch/x86/arch.mk
+++ b/xen/arch/x86/arch.mk
@@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
+# Xen doesn't support CET-IBT yet. At a minimum, logic is required to
+# enable it for supervisor use, but the Livepatch functionality needs
+# to learn not to overwrite ENDBR64 instructions.
+#
+# Furthermore, Ubuntu enables -fcf-protection by default, along with a
+# buggy version of GCC-9 which objects to it in combination with
+# -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
+$(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
+
# If supported by the compiler, reduce stack alignment to 8 bytes. But allow
# this to be overridden elsewhere.
$(call cc-option-add,CFLAGS-stack-boundary,CC,-mpreferred-stack-boundary=3)
diff --git a/xen/arch/x86/boot/build32.mk b/xen/arch/x86/boot/build32.mk
index 48c7407c00..5a00755512 100644
--- a/xen/arch/x86/boot/build32.mk
+++ b/xen/arch/x86/boot/build32.mk
@@ -3,6 +3,7 @@ CFLAGS =
include $(XEN_ROOT)/Config.mk
$(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
+$(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
CFLAGS += -Werror -fno-asynchronous-unwind-tables -fno-builtin -g0 -msoft-float
CFLAGS += -I$(XEN_ROOT)/xen/include
--
2.11.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-12 19:11 [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
@ 2020-05-13 2:35 ` Jason Andryuk
2020-05-13 11:01 ` Andrew Cooper
2020-05-13 9:15 ` Jan Beulich
1 sibling, 1 reply; 9+ messages in thread
From: Jason Andryuk @ 2020-05-13 2:35 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefan Bader, Xen-devel, Wei Liu, Jan Beulich, Roger Pau Monné
On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
> See comment for details. Works around a GCC-9 bug which breaks the build on
> Ubuntu.
>
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
> diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
> index 2a51553edb..93e30e4bea 100644
> --- a/xen/arch/x86/arch.mk
> +++ b/xen/arch/x86/arch.mk
> @@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
> CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
> CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
>
> +# Xen doesn't support CET-IBT yet. At a minimum, logic is required to
> +# enable it for supervisor use, but the Livepatch functionality needs
> +# to learn not to overwrite ENDBR64 instructions.
Is the problem that existing functions start with ENDBR64, but the
livepatch overwrites with a "real" instruction?
Regards,
Jason
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-13 2:35 ` Jason Andryuk
@ 2020-05-13 11:01 ` Andrew Cooper
2020-05-13 12:15 ` Jason Andryuk
0 siblings, 1 reply; 9+ messages in thread
From: Andrew Cooper @ 2020-05-13 11:01 UTC (permalink / raw)
To: Jason Andryuk
Cc: Stefan Bader, Xen-devel, Wei Liu, Jan Beulich, Roger Pau Monné
On 13/05/2020 03:35, Jason Andryuk wrote:
> [CAUTION - EXTERNAL EMAIL] DO NOT reply, click links, or open attachments unless you have verified the sender and know the content is safe.
>
> On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>> See comment for details. Works around a GCC-9 bug which breaks the build on
>> Ubuntu.
>>
>> Reported-by: Jason Andryuk <jandryuk@gmail.com>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Tested-by: Jason Andryuk <jandryuk@gmail.com>
> Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
>
>> diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
>> index 2a51553edb..93e30e4bea 100644
>> --- a/xen/arch/x86/arch.mk
>> +++ b/xen/arch/x86/arch.mk
>> @@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
>> CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
>> CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
>>
>> +# Xen doesn't support CET-IBT yet. At a minimum, logic is required to
>> +# enable it for supervisor use, but the Livepatch functionality needs
>> +# to learn not to overwrite ENDBR64 instructions.
> Is the problem that existing functions start with ENDBR64, but the
> livepatch overwrites with a "real" instruction?
We livepatch by creating a new complete copy of the function, and
putting `jmp new` at the head of the old one.
This means we don't need to patch every callsite and track every
function pointer to the old function, and we can fully revert by
replacing the 5 bytes which became `jmp new`.
With CET-IBT in the mix, livepatch will have to learn to spot an ENDBR64
instruction and leave it intact, patching instead the next 5 bytes, so
an old function pointer still lands on the ENDBR64 instruction.
~Andrew
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-13 11:01 ` Andrew Cooper
@ 2020-05-13 12:15 ` Jason Andryuk
0 siblings, 0 replies; 9+ messages in thread
From: Jason Andryuk @ 2020-05-13 12:15 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefan Bader, Xen-devel, Wei Liu, Jan Beulich, Roger Pau Monné
On Wed, May 13, 2020 at 7:01 AM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
> On 13/05/2020 03:35, Jason Andryuk wrote:
> > [CAUTION - EXTERNAL EMAIL] DO NOT reply, click links, or open attachments unless you have verified the sender and know the content is safe.
> >
> > On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> >> +# Xen doesn't support CET-IBT yet. At a minimum, logic is required to
> >> +# enable it for supervisor use, but the Livepatch functionality needs
> >> +# to learn not to overwrite ENDBR64 instructions.
> > Is the problem that existing functions start with ENDBR64, but the
> > livepatch overwrites with a "real" instruction?
>
> We livepatch by creating a new complete copy of the function, and
> putting `jmp new` at the head of the old one.
>
> This means we don't need to patch every callsite and track every
> function pointer to the old function, and we can fully revert by
> replacing the 5 bytes which became `jmp new`.
>
> With CET-IBT in the mix, livepatch will have to learn to spot an ENDBR64
> instruction and leave it intact, patching instead the next 5 bytes, so
> an old function pointer still lands on the ENDBR64 instruction.
Ah, okay. Thanks for the explanation.
-Jason
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-12 19:11 [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
2020-05-13 2:35 ` Jason Andryuk
@ 2020-05-13 9:15 ` Jan Beulich
1 sibling, 0 replies; 9+ messages in thread
From: Jan Beulich @ 2020-05-13 9:15 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jason Andryuk, Stefan Bader, Wei Liu, Roger Pau Monné
On 12.05.2020 21:11, Andrew Cooper wrote:
> See comment for details. Works around a GCC-9 bug which breaks the build on
> Ubuntu.
>
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] build: Fix build with Ubuntu
@ 2020-05-13 13:55 Andrew Cooper
2020-05-13 13:55 ` [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
0 siblings, 1 reply; 9+ messages in thread
From: Andrew Cooper @ 2020-05-13 13:55 UTC (permalink / raw)
To: Xen-devel
Cc: Stefano Stabellini, Julien Grall, Wei Liu, Jason Andryuk,
George Dunlap, Andrew Cooper, Stefan Bader, Jan Beulich,
Ian Jackson, Roger Pau Monné
This supercedes "x86/build: Unilaterally disable -fcf-protection"
Andrew Cooper (2):
x86/build: move -fno-asynchronous-unwind-tables into EMBEDDED_EXTRA_CFLAGS
x86/build: Unilaterally disable -fcf-protection
Config.mk | 3 ++-
tools/tests/x86_emulator/testcase.mk | 2 +-
xen/arch/x86/arch.mk | 2 +-
xen/arch/x86/boot/build32.mk | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)
--
2.11.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-13 13:55 [PATCH] build: Fix build with Ubuntu Andrew Cooper
@ 2020-05-13 13:55 ` Andrew Cooper
2020-05-13 14:13 ` Jan Beulich
2020-05-13 14:54 ` Jason Andryuk
0 siblings, 2 replies; 9+ messages in thread
From: Andrew Cooper @ 2020-05-13 13:55 UTC (permalink / raw)
To: Xen-devel
Cc: Wei Liu, Jason Andryuk, Andrew Cooper, Stefan Bader, Jan Beulich,
Roger Pau Monné
Xen doesn't support CET-IBT yet. At a minimum, logic is required to enable it
for supervisor use, but the livepatch functionality needs to learn not to
overwrite ENDBR64 instructions.
Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
version of GCC-9 which objects to it in combination with
-mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
beginning of the object. These paths explode when .note.gnu.properties gets
put ahead of .text and we end up executing the notes data.
Disable -fcf-protection for all embedded objects.
Reported-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Jason Andryuk <jandryuk@gmail.com>
CC: Stefan Bader <stefan.bader@canonical.com>
v2:
* Fix Rombios 32 stubs as well.
---
Config.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/Config.mk b/Config.mk
index b0f16680f3..7d556aed30 100644
--- a/Config.mk
+++ b/Config.mk
@@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
+EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
# All the files at that location were downloaded from elsewhere on
--
2.11.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-13 13:55 ` [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
@ 2020-05-13 14:13 ` Jan Beulich
2020-05-13 14:40 ` Andrew Cooper
2020-05-13 14:54 ` Jason Andryuk
1 sibling, 1 reply; 9+ messages in thread
From: Jan Beulich @ 2020-05-13 14:13 UTC (permalink / raw)
To: Andrew Cooper
Cc: Xen-devel, Jason Andryuk, Stefan Bader, Wei Liu, Roger Pau Monné
On 13.05.2020 15:55, Andrew Cooper wrote:
> Xen doesn't support CET-IBT yet. At a minimum, logic is required to enable it
> for supervisor use, but the livepatch functionality needs to learn not to
> overwrite ENDBR64 instructions.
>
> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
> version of GCC-9 which objects to it in combination with
> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
>
> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
> beginning of the object. These paths explode when .note.gnu.properties gets
> put ahead of .text and we end up executing the notes data.
>
> Disable -fcf-protection for all embedded objects.
>
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
For the immediate purpose
Reviewed-by: Jan Beulich <jbeulich@suse.com>
I wonder however ...
> --- a/Config.mk
> +++ b/Config.mk
> @@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>
> EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
> EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
... whether this isn't going to bite us once some of the consumers
of this variable want to enable some different mode.
Jan
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-13 14:13 ` Jan Beulich
@ 2020-05-13 14:40 ` Andrew Cooper
0 siblings, 0 replies; 9+ messages in thread
From: Andrew Cooper @ 2020-05-13 14:40 UTC (permalink / raw)
To: Jan Beulich
Cc: Xen-devel, Jason Andryuk, Stefan Bader, Wei Liu, Roger Pau Monné
On 13/05/2020 15:13, Jan Beulich wrote:
> [CAUTION - EXTERNAL EMAIL] DO NOT reply, click links, or open attachments unless you have verified the sender and know the content is safe.
>
> On 13.05.2020 15:55, Andrew Cooper wrote:
>> Xen doesn't support CET-IBT yet. At a minimum, logic is required to enable it
>> for supervisor use, but the livepatch functionality needs to learn not to
>> overwrite ENDBR64 instructions.
>>
>> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
>> version of GCC-9 which objects to it in combination with
>> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
>>
>> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
>> beginning of the object. These paths explode when .note.gnu.properties gets
>> put ahead of .text and we end up executing the notes data.
>>
>> Disable -fcf-protection for all embedded objects.
>>
>> Reported-by: Jason Andryuk <jandryuk@gmail.com>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> For the immediate purpose
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
Thanks.
>
> I wonder however ...
>
>> --- a/Config.mk
>> +++ b/Config.mk
>> @@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>>
>> EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
>> EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
> ... whether this isn't going to bite us once some of the consumers
> of this variable want to enable some different mode.
I'm not overly happy with EMBEDDED_EXTRA_CFLAGS as a concept, but these
build fixes do need backporting.
All embedded targets may in principle use some/all of these options at
some point in the future.
~Andrew
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
2020-05-13 13:55 ` [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
2020-05-13 14:13 ` Jan Beulich
@ 2020-05-13 14:54 ` Jason Andryuk
1 sibling, 0 replies; 9+ messages in thread
From: Jason Andryuk @ 2020-05-13 14:54 UTC (permalink / raw)
To: Andrew Cooper
Cc: Stefan Bader, Xen-devel, Wei Liu, Jan Beulich, Roger Pau Monné
On Wed, May 13, 2020 at 9:56 AM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
> Xen doesn't support CET-IBT yet. At a minimum, logic is required to enable it
> for supervisor use, but the livepatch functionality needs to learn not to
> overwrite ENDBR64 instructions.
>
> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
> version of GCC-9 which objects to it in combination with
> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
>
> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
> beginning of the object. These paths explode when .note.gnu.properties gets
> put ahead of .text and we end up executing the notes data.
>
> Disable -fcf-protection for all embedded objects.
>
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
I have not re-tested this posting, but I tested an equivalent change
~2 weeks ago (in case that counts for Tested-by).
-Jason
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-05-13 15:01 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-12 19:11 [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
2020-05-13 2:35 ` Jason Andryuk
2020-05-13 11:01 ` Andrew Cooper
2020-05-13 12:15 ` Jason Andryuk
2020-05-13 9:15 ` Jan Beulich
2020-05-13 13:55 [PATCH] build: Fix build with Ubuntu Andrew Cooper
2020-05-13 13:55 ` [PATCH] x86/build: Unilaterally disable -fcf-protection Andrew Cooper
2020-05-13 14:13 ` Jan Beulich
2020-05-13 14:40 ` Andrew Cooper
2020-05-13 14:54 ` Jason Andryuk
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.