| Message ID | 20230629121713.1211-1-alejandro.vallejo@cloud.com (mailing list archive) |
|---|---|
| Series | Introduce a REQUIRE_NX Kconfig option |
On Thu, Jun 29, 2023 at 1:17 PM Alejandro Vallejo <alejandro.vallejo@cloud.com> wrote:

> v3:
> * Fixed a Gitlab CI breakage on older toolchains (patch 1)
> * Removed XD_DISABLE override logic from cpu/intel.c
> * Various style fixes to patch 2 (from Andrew's feedback)
>
> This option hardens Xen by forcing it to write secure (NX-enhanced) PTEs
> regardless of the runtime NX feature bit in boot_cpu_data. This prevents an
> attacker with partial write support from affecting Xen's PTE generation
> logic by overriding the NX feature flag. The patch asserts support for the
> NX bit in PTEs at boot time and if so short-circuits the cpu_has_nx macro
> to 1.
>
> Alejandro Vallejo (3):
>   tools: Add __AC() macro to common-macros.h
>   x86/boot: Clear XD_DISABLE from the early boot path
>   x86: Add Kconfig option to require NX bit support
>
>  tools/include/xen-tools/common-macros.h |  3 ++
>  tools/libs/light/libxl_internal.h       |  2 -
>  tools/tests/x86_emulator/x86-emulate.h  |  3 --
>  xen/arch/x86/Kconfig                    | 16 +++++++
>  xen/arch/x86/boot/head.S                | 62 ++++++++++++++++++++++---
>  xen/arch/x86/boot/trampoline.S          |  3 +-
>  xen/arch/x86/cpu/intel.c                | 16 +++---
>  xen/arch/x86/efi/efi-boot.h             |  9 ++++
>  xen/arch/x86/include/asm/cpufeature.h   |  3 +-
>  xen/arch/x86/include/asm/msr-index.h    |  2 +-
>  xen/arch/x86/include/asm/x86-vendors.h  |  6 +--
>  11 files changed, 98 insertions(+), 27 deletions(-)
>
> --
> 2.34.1
>

Adding CCs here because I forgot to run the add_maintainers.pl script before sending. Ugh...

Alejandro
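To make the hardening argument in the cover letter concrete, here is an added, self-contained C model (not Xen's code) contrasting a cpu_has_nx that reads a runtime feature word with one short-circuited to 1 as REQUIRE_NX does; the feature-word variable, the FEAT_NX bit position and the make_data_pte helper are assumptions for the model, and only the x86-64 PTE layout (NX at bit 63) is real.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example modelling the cover letter's point: a PTE generator whose
 * NX decision depends on an in-memory feature word can be steered by a
 * write to that word, while a build-time REQUIRE_NX policy cannot. */

#define PAGE_NX (1ULL << 63)   /* x86-64 PTE bit 63: execute-disable */
#define FEAT_NX (1u << 20)     /* assumed feature-word bit standing in for CPUID NX */

/* Assumed stand-in for the extended feature word held in boot_cpu_data. */
static uint32_t boot_cpu_data_ext_features = FEAT_NX;

/* Runtime policy: cpu_has_nx reads the feature word each time it is asked. */
static bool cpu_has_nx_runtime(void) { return boot_cpu_data_ext_features & FEAT_NX; }

/* REQUIRE_NX policy: boot already asserted NX support, so the answer is the constant 1. */
static bool cpu_has_nx_required(void) { return true; }

/* Build a leaf PTE for a data page: present | writable, plus NX when the policy says so. */
static uint64_t make_data_pte(uint64_t paddr, bool (*cpu_has_nx)(void))
{
    uint64_t pte = (paddr & 0x000ffffffffff000ULL) | 0x3ULL;
    if (cpu_has_nx())
        pte |= PAGE_NX;
    return pte;
}

/* Generate a PTE before and after the feature bit is cleared in memory (the
 * tampering the cover letter describes) and report whether NX survived both. */
static bool nx_survives_feature_clear(bool require_nx)
{
    bool (*policy)(void) = require_nx ? cpu_has_nx_required : cpu_has_nx_runtime;
    boot_cpu_data_ext_features = FEAT_NX;              /* what boot detection recorded */
    uint64_t before = make_data_pte(0x1000, policy);
    boot_cpu_data_ext_features &= ~FEAT_NX;            /* feature bit clobbered later */
    uint64_t after = make_data_pte(0x1000, policy);
    boot_cpu_data_ext_features = FEAT_NX;              /* restore so the check is repeatable */
    return (before & PAGE_NX) && (after & PAGE_NX);
}

int main(void)
{
    printf("runtime cpu_has_nx : NX kept after flag cleared? %s\n",
           nx_survives_feature_clear(false) ? "yes" : "no");
    printf("REQUIRE_NX         : NX kept after flag cleared? %s\n",
           nx_survives_feature_clear(true) ? "yes" : "no");
    return 0;
}
```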