From patchwork Mon Feb 17 02:49:17 2025
X-Patchwork-Submitter: Volodymyr Babchuk
X-Patchwork-Id: 13977021
From: Volodymyr Babchuk
To: "xen-devel@lists.xenproject.org"
CC: Volodymyr Babchuk, Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini
Subject: [PATCH v6 2/4] xen: common: add ability to enable stack protector
Date: Mon, 17 Feb 2025 02:49:17 +0000
Message-ID: <20250217024848.3059635-3-volodymyr_babchuk@epam.com>
References: <20250217024848.3059635-1-volodymyr_babchuk@epam.com>
In-Reply-To: <20250217024848.3059635-1-volodymyr_babchuk@epam.com>

Both GCC and Clang support the -fstack-protector feature, which adds stack
canaries to functions where stack corruption is possible. This patch
makes general preparations to enable this feature on different
supported architectures:

 - Added CONFIG_HAS_STACK_PROTECTOR option so each architecture
   can enable this feature individually
 - Added user-selectable CONFIG_STACK_PROTECTOR option
 - Implemented code that sets up a random stack canary and a basic
   handler for stack protector failures

Stack guard value is initialized in two phases:

1. Pre-defined randomly-selected value.

2. Own implementation of a linear congruent random number generator. It
   relies on get_cycles() being available very early. If get_cycles()
   returns zero, it would leave the pre-defined value from the previous
   step.

boot_stack_chk_guard_setup() is declared as inline, so it can be
called from C code. Of course, in this case, the caller should ensure that
stack protection code will not be reached. It is possible to call the
same function from ASM code by introducing a simple trampoline in
stack-protector.c, but right now there is no use case for such a
trampoline.

Signed-off-by: Volodymyr Babchuk

---
Changes in v6:
 - boot_stack_chk_guard_setup() moved to stack-protector.h
 - Removed Andrew's r-b tag

Changes in v5:
 - Fixed indentation
 - Added stack-protector.h
---
 xen/Makefile                      |  4 +++
 xen/common/Kconfig                | 15 +++++++++++
 xen/common/Makefile               |  1 +
 xen/common/stack-protector.c      | 21 +++++++++++++++
 xen/include/xen/stack-protector.h | 43 +++++++++++++++++++++++++++++++
 5 files changed, 84 insertions(+)
 create mode 100644 xen/common/stack-protector.c
 create mode 100644 xen/include/xen/stack-protector.h

diff --git a/xen/Makefile b/xen/Makefile index a0c774ab7d..48bc17c418 100644 --- a/xen/Makefile +++ b/xen/Makefile
@@ -435,7 +435,11 @@ else CFLAGS_UBSAN := endif +ifeq ($(CONFIG_STACK_PROTECTOR),y) +CFLAGS += -fstack-protector +else CFLAGS += -fno-stack-protector +endif ifeq ($(CONFIG_LTO),y) CFLAGS += -flto diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 6166327f4d..bd53dae43c 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -83,6 +83,9 @@ config HAS_PMAP config HAS_SCHED_GRANULARITY bool +config HAS_STACK_PROTECTOR + bool + config HAS_UBSAN bool @@ -216,6 +219,18 @@ config SPECULATIVE_HARDEN_LOCK endmenu +menu "Other hardening" + +config STACK_PROTECTOR + bool "Stack protector" + depends on HAS_STACK_PROTECTOR + help + Enable the Stack Protector compiler hardening option. This inserts a + canary value in the stack frame of functions, and performs an integrity + check on function exit. + +endmenu + config DIT_DEFAULT bool "Data Independent Timing default" depends on HAS_DIT diff --git a/xen/common/Makefile b/xen/common/Makefile index cba3b32733..8adbf6a3b5 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -46,6 +46,7 @@ obj-y += shutdown.o obj-y += softirq.o obj-y += smp.o obj-y += spinlock.o +obj-$(CONFIG_STACK_PROTECTOR) += stack-protector.o obj-y += stop_machine.o obj-y += symbols.o obj-y += tasklet.o diff --git a/xen/common/stack-protector.c b/xen/common/stack-protector.c new file mode 100644 index 0000000000..9089294d30 --- /dev/null +++ b/xen/common/stack-protector.c @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#include +#include +#include +#include + +/* + * Initial value is chosen by a fair dice roll. + * It will be updated during boot process. + */ +#if BITS_PER_LONG == 32 +unsigned long __ro_after_init __stack_chk_guard = 0xdd2cc927UL; +#else +unsigned long __ro_after_init __stack_chk_guard = 0x2d853605a4d9a09cUL; +#endif + +void asmlinkage __stack_chk_fail(void) +{ + dump_execution_state(); + panic("Stack Protector integrity violation identified\n"); +} 
diff --git a/xen/include/xen/stack-protector.h b/xen/include/xen/stack-protector.h new file mode 100644 index 0000000000..b758a8cb3d --- /dev/null +++ b/xen/include/xen/stack-protector.h @@ -0,0 +1,43 @@ +#ifndef __XEN_STACK_PROTECTOR_H__ +#define __XEN_STACK_PROTECTOR_H__ + +#ifdef CONFIG_STACK_PROTECTOR + +extern unsigned long __stack_chk_guard; + +/* + * This function should be called from a C function that escapes stack + * canary tracking (by calling reset_stack_and_jump() for example). + */ +static inline void boot_stack_chk_guard_setup(void) +{ + /* + * Linear congruent generator (X_n+1 = X_n * a + c). + * + * Constant is taken from "Tables Of Linear Congruential + * Generators Of Different Sizes And Good Lattice Structure" by + * Pierre L’Ecuyer. + */ +#if BITS_PER_LONG == 32 + const unsigned long a = 2891336453UL; +#else + const unsigned long a = 2862933555777941757UL; +#endif + const unsigned long c = 1; + + unsigned long cycles = get_cycles(); + + /* Use the initial value if we can't generate random one */ + if ( !cycles ) + return; + + __stack_chk_guard = cycles * a + c; +} + +#else + +static inline void boot_stack_chk_guard_setup(void) {}; + +#endif + +#endif /* __XEN_STACK_PROTECTOR_H__ */
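
Review bot: In the xen/Makefile hunk, `CFLAGS += -fstack-protector` picks the narrow heuristic level: GCC and Clang then instrument only functions that call alloca or hold a character array of 8 bytes or more, so functions with other local arrays, or whose locals have their address taken, get no canary. Consider `-fstack-protector-strong`, or state in the commit message why the plain level was chosen, since the message's "functions where stack corruption is possible" reads as broader coverage than this flag gives.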
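
Review bot: The help text for STACK_PROTECTOR in the xen/common/Kconfig hunk says an integrity check is performed on function exit but not what a failed check does. Since __stack_chk_fail() in this patch ends in panic(), the help should say that a detected violation brings the hypervisor down, so whoever enables the option knows the failure mode.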
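
Review bot: In xen/common/stack-protector.c the initial __stack_chk_guard values are constants in the source tree, and the comment above them only says the value "will be updated during boot process". On any path where boot_stack_chk_guard_setup() is never called, or where it returns early because get_cycles() gave 0, Xen runs with a canary that anyone can read from the repository. Suggest saying so in the comment and emitting a warning once the console is up when the guard still holds its compiled-in value, so the degraded state shows in the boot log.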
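
Review bot: In boot_stack_chk_guard_setup() in xen/include/xen/stack-protector.h, `__stack_chk_guard = cycles * a + c;` is a single affine step with an odd multiplier, which is a bijection on unsigned long, so the guard carries exactly the entropy of one get_cycles() read taken early in boot and nothing more. The comment should state that limit rather than only citing the constant's source, and where an architecture has a hardware random source it would be better mixed in. Separately, the header as shown calls get_cycles() without including anything that declares it, so it depends on the includer's include order; it also lacks the SPDX line that stack-protector.c carries, and the stub `static inline void boot_stack_chk_guard_setup(void) {};` has a stray semicolon after the body.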