From: Volodymyr Babchuk
To: "xen-devel@lists.xenproject.org"
CC: Volodymyr Babchuk, Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini
Subject: [PATCH v7 1/3] xen: common: add ability to enable stack protector
Date: Tue, 18 Mar 2025 02:34:16 +0000
Message-ID: <20250318023234.1210659-2-volodymyr_babchuk@epam.com>
References: <20250318023234.1210659-1-volodymyr_babchuk@epam.com>
In-Reply-To: <20250318023234.1210659-1-volodymyr_babchuk@epam.com>

Both GCC and Clang support the -fstack-protector feature, which adds stack
canaries to functions where stack corruption is possible. This patch
makes general preparations to enable this feature on different
supported architectures:

 - Added CONFIG_HAS_STACK_PROTECTOR option so each architecture
   can enable this feature individually
 - Added user-selectable CONFIG_STACK_PROTECTOR option
 - Implemented code that sets up random stack canary and a basic
   handler for stack protector failures

Stack guard value is initialized in two phases:

1. Pre-defined randomly-selected value.

2. Own implementation linear congruent random number generator. It
   relies on get_cycles() being available very early. If get_cycles()
   returns zero, it would leave pre-defined value from the previous
   step.

boot_stack_chk_guard_setup() is declared as inline, so it can be
called from C code. Of course, in this case, caller should ensure that
stack protection code will not be reached. It is possible to call the
same function from ASM code by introducing simple trampoline in
stack-protector.c, but right now there is no use case for such
trampoline.

Signed-off-by: Volodymyr Babchuk

---
Changes in v7:
 - declared boot_stack_chk_guard_setup as always_inline
 - moved `#ifdef CONFIG_STACK_PROTECTOR` inside the function

Changes in v6:
 - boot_stack_chk_guard_setup() moved to stack-protector.h
 - Removed Andrew's r-b tag

Changes in v5:
 - Fixed indentation
 - Added stack-protector.h
---
 xen/Makefile                      |  4 ++++
 xen/common/Kconfig                | 15 ++++++++++++
 xen/common/Makefile               |  1 +
 xen/common/stack-protector.c      | 21 +++++++++++++++++
 xen/include/xen/stack-protector.h | 39 +++++++++++++++++++++++++++++++
 5 files changed, 80 insertions(+)
 create mode 100644 xen/common/stack-protector.c
 create mode 100644 xen/include/xen/stack-protector.h

diff --git a/xen/Makefile b/xen/Makefile index 58fafab33d..8fc4e042ff 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -435,7 +435,11 @@ else CFLAGS_UBSAN := endif +ifeq ($(CONFIG_STACK_PROTECTOR),y) +CFLAGS += -fstack-protector +else CFLAGS += -fno-stack-protector +endif ifeq ($(CONFIG_LTO),y) CFLAGS += -flto diff --git a/xen/common/Kconfig b/xen/common/Kconfig index a6aa2c5c14..2f6c74f11e 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -83,6 +83,9 @@ config HAS_PMAP config HAS_SCHED_GRANULARITY bool +config HAS_STACK_PROTECTOR + bool + config HAS_UBSAN bool @@ -216,6 +219,18 @@ config SPECULATIVE_HARDEN_LOCK endmenu +menu "Other hardening" + +config STACK_PROTECTOR + bool "Stack protector" + depends on HAS_STACK_PROTECTOR + help + Enable the Stack Protector compiler hardening option. This inserts a + canary value in the stack frame of functions, and performs an integrity + check on function exit. + +endmenu + config DIT_DEFAULT bool "Data Independent Timing default" depends on HAS_DIT diff --git a/xen/common/Makefile b/xen/common/Makefile index ac23120d7d..92c49127c9 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -46,6 +46,7 @@ obj-y += shutdown.o obj-y += softirq.o obj-y += smp.o obj-y += spinlock.o +obj-$(CONFIG_STACK_PROTECTOR) += stack-protector.o obj-y += stop_machine.o obj-y += symbols.o obj-y += tasklet.o diff --git a/xen/common/stack-protector.c b/xen/common/stack-protector.c new file mode 100644 index 0000000000..9089294d30 --- /dev/null +++ b/xen/common/stack-protector.c 
@@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#include +#include +#include +#include + +/* + * Initial value is chosen by a fair dice roll. + * It will be updated during boot process. + */ +#if BITS_PER_LONG == 32 +unsigned long __ro_after_init __stack_chk_guard = 0xdd2cc927UL; +#else +unsigned long __ro_after_init __stack_chk_guard = 0x2d853605a4d9a09cUL; +#endif + +void asmlinkage __stack_chk_fail(void) +{ + dump_execution_state(); + panic("Stack Protector integrity violation identified\n"); +} diff --git a/xen/include/xen/stack-protector.h b/xen/include/xen/stack-protector.h new file mode 100644 index 0000000000..c76c601399 --- /dev/null +++ b/xen/include/xen/stack-protector.h @@ -0,0 +1,39 @@ +#ifndef __XEN_STACK_PROTECTOR_H__ +#define __XEN_STACK_PROTECTOR_H__ + +extern unsigned long __stack_chk_guard; + +/* + * This function should be called from a C function that escapes stack + * canary tracking (by calling reset_stack_and_jump() for example). + */ +static always_inline void boot_stack_chk_guard_setup(void) +{ +#ifdef CONFIG_STACK_PROTECTOR + + /* + * Linear congruent generator (X_n+1 = X_n * a + c). + * + * Constant is taken from "Tables Of Linear Congruential + * Generators Of Different Sizes And Good Lattice Structure" by + * Pierre L’Ecuyer. + */ +#if BITS_PER_LONG == 32 + const unsigned long a = 2891336453UL; +#else + const unsigned long a = 2862933555777941757UL; +#endif + const unsigned long c = 1; + + unsigned long cycles = get_cycles(); + + /* Use the initial value if we can't generate random one */ + if ( !cycles ) + return; + + __stack_chk_guard = cycles * a + c; + +#endif /* CONFIG_STACK_PROTECTOR */ +} + +#endif /* __XEN_STACK_PROTECTOR_H__ */
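
Review bot: In the xen/Makefile hunk, `CFLAGS += -fstack-protector` instruments only functions that call alloca or hold a buffer of 8 bytes or more, so frames with smaller arrays or address-taken locals stay unchecked. Consider `-fstack-protector-strong`, or a Kconfig choice between the levels, and state in the commit message why the plain level was picked. The flag is also added without selecting a guard mode, so every architecture that selects HAS_STACK_PROTECTOR has to make sure its compiler reads the global `__stack_chk_guard` rather than a TLS slot; a comment next to this block stating that requirement would help.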
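
Review bot: The STACK_PROTECTOR help text in the xen/common/Kconfig hunk does not say what happens when the integrity check fails. Per `__stack_chk_fail()` in this patch the result is a panic(), so one detected corruption stops the whole hypervisor, and the help should say so in a sentence. The text also reads as if every function gets a canary, while `-fstack-protector` covers only the functions the compiler selects; wording along the lines of "in the stack frame of functions the compiler considers at risk" would match the flag.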
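
Review bot: In xen/common/stack-protector.c, `__stack_chk_guard` is tagged `__ro_after_init` but is meant to be rewritten by boot_stack_chk_guard_setup(), and the comment only says "It will be updated during boot process". Please extend the comment to say that the update must run before ro-after-init data is write-protected and which boot path is expected to call it, and that the two constants are placeholders visible to anyone with the source. `__stack_chk_fail()` also has no prototype in the new stack-protector.h, which declares only the guard variable.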
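
Review bot: In boot_stack_chk_guard_setup() in xen/include/xen/stack-protector.h, the canary is `cycles * a + c`, a single LCG step over one get_cycles() sample, so it carries only the entropy of the early-boot cycle count; the multiplication spreads the bits but adds none. The comment should describe this as a best-effort seed, and it is worth considering mixing in a stronger source on architectures that have one. The `if ( !cycles ) return;` path keeps the build-time constant without any indication, so a flag the boot code can report once the console is up would make that case visible. The header also uses get_cycles(), always_inline and BITS_PER_LONG without an #include of its own and, unlike stack-protector.c, carries no SPDX line.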