Message ID | 20220228225117.14327-1-andrew.cooper3@citrix.com (mailing list archive)
---|---
State | New, archived
Series | x86/spec-ctrl: Disable retpolines with CET-IBT
On 28.02.2022 23:51, Andrew Cooper wrote: > CET-IBT depend on executing indirect branches for protections to apply. > Extend the clobber for CET-SS to all of CET. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> > I can't decide if this wants a fixes tag or not. If I'd remembered during the > CET series, it would have been its own patch. On this basis I'd say no Fixes: tag. > --- a/xen/arch/x86/spec_ctrl.c > +++ b/xen/arch/x86/spec_ctrl.c > @@ -944,10 +944,11 @@ void __init init_speculation_mitigations(void) > boot_cpu_has(X86_FEATURE_IBRS)); > > /* > - * First, disable the use of retpolines if Xen is using shadow stacks, as > - * they are incompatible. > + * First, disable the use of retpolines if Xen is using CET. Retpolines > + * are a ROP gadget so incompatbile with Shadow Stacks, while IBT depends > + * on executing indirect branches for the safety properties to apply. > */ > - if ( cpu_has_xen_shstk && > + if ( (read_cr4() & X86_CR4_CET) && > (opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE) ) > thunk = THUNK_JMP; Just for my own understanding: Why unconditionally THUNK_JMP and not possibly THUNK_LFENCE? Jan
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 2d4cf5c7ef80..12bf1c5722f9 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -944,10 +944,11 @@ void __init init_speculation_mitigations(void) boot_cpu_has(X86_FEATURE_IBRS)); /* - * First, disable the use of retpolines if Xen is using shadow stacks, as - * they are incompatible. + * First, disable the use of retpolines if Xen is using CET. Retpolines + * are a ROP gadget so incompatbile with Shadow Stacks, while IBT depends + * on executing indirect branches for the safety properties to apply. */ - if ( cpu_has_xen_shstk && + if ( (read_cr4() & X86_CR4_CET) && (opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE) ) thunk = THUNK_JMP;
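Review bot: the new condition `read_cr4() & X86_CR4_CET` tests the live CR4 value, so the retpoline clobber only takes effect if CR4.CET has already been set by the time init_speculation_mitigations() runs; the cover text says this relies on c/s cdbe2b0a1aec setting CR4.CET early in boot, but that ordering requirement sits below the `---` and will not survive into the commit message, so it is worth stating it in the comment above the `if` (or in the commit message proper) so that a later reordering of boot-time CR4 setup cannot silently re-enable retpolines under CET. The added comment also carries a typo: `* are a ROP gadget so incompatbile with Shadow Stacks, while IBT depends` should read `incompatible`. Lastly, as Jan asks in his reply, the comment explains why retpolines must go but not why the fallback is unconditionally `thunk = THUNK_JMP` rather than the LFENCE thunk; one sentence on that choice would spare the next reader the same question.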
CET-IBT depends on executing indirect branches for protections to apply. Extend the clobber for CET-SS to all of CET.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Wei Liu <wl@xen.org>

I can't decide if this wants a fixes tag or not. If I'd remembered during the CET series, it would have been its own patch.

Functionally, it depends on c/s cdbe2b0a1aec which sets CR4.CET fairly early during boot.
---
xen/arch/x86/spec_ctrl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)