From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 1/7] xen/altcall: Use __ro_after_init now that it exists
Date: Mon, 14 Feb 2022 12:56:26 +0000
Message-ID: <20220214125632.24563-2-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>

For the !CONFIG_ALTERNATIVE_CALL case, the use of __read_mostly was only a
stopgap while nothing better existed. __ro_after_init now does, so use it.

Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu

v2:
 * New
---
 xen/include/xen/alternative-call.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/include/xen/alternative-call.h b/xen/include/xen/alternative-call.h index c2d3b70e312e..5c6b9a562b92 100644 --- a/xen/include/xen/alternative-call.h +++ b/xen/include/xen/alternative-call.h
@@ -57,7 +57,7 @@ #define alternative_call(func, args...) (func)(args) #define alternative_vcall(func, args...) (func)(args) -#define __alt_call_maybe_initdata __read_mostly +#define __alt_call_maybe_initdata __ro_after_init #endif /* !CONFIG_ALTERNATIVE_CALL */ #endif /* XEN_ALTERNATIVE_CALL */
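Review bot: the changed `#define __alt_call_maybe_initdata __ro_after_init` line in the !CONFIG_ALTERNATIVE_CALL branch carries no comment explaining why this configuration cannot use init data. Since `alternative_call()` and `alternative_vcall()` expand to plain `(func)(args)` here, the pointers are still read at run time but never written after init; a one-line comment saying so would stop the annotation from being changed to an init section later.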
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 2/7] x86/altcall: Check and optimise altcall targets
Date: Mon, 14 Feb 2022 12:56:27 +0000
Message-ID: <20220214125632.24563-3-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>

When converting indirect to direct calls, there is no need to execute endbr64
instructions. Detect and optimise this case, leaving a warning in the case
that no endbr64 was found, as it likely indicates a build error.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
 xen/arch/x86/alternative.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index ec24692e9595..65537fe1f0bd 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include 
@@ -279,6 +280,28 @@ static void init_or_livepatch _apply_alternatives(struct alt_instr *start, if ( dest ) { + /* + * When building for CET-IBT, all function pointer targets + * should have an endbr64 instruction. + * + * If this is not the case, leave a warning because + * something is probably wrong with the build. A CET-IBT + * enabled system might have exploded already. + * + * Otherwise, skip the endbr64 instruction. This is a + * marginal perf improvement which saves on instruction + * decode bandwidth. + */ + if ( IS_ENABLED(CONFIG_HAS_CC_CET_IBT) ) + { + if ( is_endbr64(dest) ) + dest += 4; + else + printk(XENLOG_WARNING + "altcall %ps dest %ps has no endbr64\n", + orig, dest); + } + disp = dest - (orig + 5); ASSERT(disp == (int32_t)disp); *(int32_t *)(buf + 1) = disp;
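Review bot: in the new block under `if ( dest )`, the gate `IS_ENABLED(CONFIG_HAS_CC_CET_IBT)` reads as a compiler-capability symbol, while the comment above it says "When building for CET-IBT". If the two can differ, every altcall site in a build that has the compiler support but emits no endbr64 takes the `else` branch and prints the warning once per site. Consider gating on the option that actually enables IBT code generation and printing the warning once or rate-limited. The literal in `dest += 4` would also be clearer as a named endbr64 length kept next to `is_endbr64()`.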
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 3/7] x86/altcall: Optimise away endbr64 instruction where possible
Date: Mon, 14 Feb 2022 12:56:28 +0000
Message-ID: <20220214125632.24563-4-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>

With altcall, we convert indirect branches into direct ones. With that
complete, none of the potential targets need an endbr64 instruction.

Furthermore, removing the endbr64 instructions is a security defence-in-depth
improvement, because it limits the options available to an attacker who has
managed to hijack a function pointer.

Introduce new .init.{ro,}data.cf_clobber sections. Have _apply_alternatives()
walk over this, looking for any pointers into .text, and clobber an endbr64
instruction if found. This is some minor structure (ab)use but it works
alarmingly well.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu

It would be nice for the printk() to say "optimised away %u of %u", but the
latter number can only feasibly come from post-processing of xen-syms during
the build.

v2:
 * Drop hard tabs
 * Add __initconst_cf_clobber too
 * Change types to reduce casting
---
 xen/arch/x86/alternative.c | 38 ++++++++++++++++++++++++++++++++++++++
 xen/arch/x86/xen.lds.S | 6 ++++++
 xen/include/xen/init.h | 3 +++
 3 files changed, 47 insertions(+)

diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index 65537fe1f0bd..dd4609070001 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c
@@ -173,6 +173,9 @@ text_poke(void *addr, const void *opcode, size_t len) return memcpy(addr, opcode, len); } +extern void *const __initdata_cf_clobber_start[]; +extern void *const __initdata_cf_clobber_end[]; + /* * Replace instructions with better alternatives for this CPU type. * This runs before SMP is initialized to avoid SMP problems with @@ -330,6 +333,41 @@ static void init_or_livepatch _apply_alternatives(struct alt_instr *start, add_nops(buf + a->repl_len, total_len - a->repl_len); text_poke(orig, buf, total_len); } + + /* + * Clobber endbr64 instructions now that altcall has finished optimising + * all indirect branches to direct ones. + */ + if ( force && cpu_has_xen_ibt ) + { + void *const *val; + unsigned int clobbered = 0; + + /* + * This is some minor structure (ab)use. We walk the entire contents + * of .init.{ro,}data.cf_clobber as if it were an array of pointers. + * + * If the pointer points into .text, and at an endbr64 instruction, + * nop out the endbr64. This causes the pointer to no longer be a + * legal indirect branch target under CET-IBT. This is a + * defence-in-depth measure, to reduce the options available to an + * adversary who has managed to hijack a function pointer. + */ + for ( val = __initdata_cf_clobber_start; + val < __initdata_cf_clobber_end; + val++ ) + { + void *ptr = *val; + + if ( !is_kernel_text(ptr) || !is_endbr64(ptr) ) + continue; + + add_nops(ptr, 4); + clobbered++; + } + + printk("altcall: Optimised away %u endbr64 instructions\n", clobbered); + } } void init_or_livepatch apply_alternatives(struct alt_instr *start, diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S index ca22e984f807..c399178ac123 100644 --- a/xen/arch/x86/xen.lds.S +++ b/xen/arch/x86/xen.lds.S 
@@ -221,6 +221,12 @@ SECTIONS *(.initcall1.init) __initcall_end = .; + . = ALIGN(POINTER_ALIGN); + __initdata_cf_clobber_start = .; + *(.init.data.cf_clobber) + *(.init.rodata.cf_clobber) + __initdata_cf_clobber_end = .; + *(.init.data) *(.init.data.rel) *(.init.data.rel.*) diff --git a/xen/include/xen/init.h b/xen/include/xen/init.h index bfe789e93f6b..0af0e234ec80 100644 --- a/xen/include/xen/init.h +++ b/xen/include/xen/init.h 
@@ -18,6 +18,9 @@ #define __init_call(lvl) __used_section(".initcall" lvl ".init") #define __exit_call __used_section(".exitcall.exit") +#define __initdata_cf_clobber __section(".init.data.cf_clobber") +#define __initconst_cf_clobber __section(".init.rodata.cf_clobber") + /* These macros are used to mark some functions or * initialized data (doesn't apply to uninitialized data) * as `initialization' functions. The kernel can take this
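Review bot: in the alternative.c hunk that adds `if ( force && cpu_has_xen_ibt )`, the loop reads `__initdata_cf_clobber_start` up to `__initdata_cf_clobber_end`, which the linker script places in init data, from a function marked `init_or_livepatch`; nothing in the hunk shows that `force` can never be set after the init sections are gone. A comment that `force` is boot-only, or an assertion on system state before the walk, would make that dependency explicit. Two smaller points in the same block: `add_nops(ptr, 4)` writes into .text directly while the replacement just above goes through `text_poke()`, and the final `printk()` has no XENLOG_ level although the warning added in patch 2 uses `XENLOG_WARNING`.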
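Review bot: the xen.lds.S hunk aligns only the start symbol with `. = ALIGN(POINTER_ALIGN);`, while the C loop steps a `void *const *` until `val < __initdata_cf_clobber_end`. If the combined size of `.init.data.cf_clobber` and `.init.rodata.cf_clobber` is ever not a multiple of the pointer size, the last iteration loads a word that straddles the end symbol and runs into the following `*(.init.data)` contents. Add a second `. = ALIGN(POINTER_ALIGN);` before `__initdata_cf_clobber_end`, or assert the size in the linker script.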
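Review bot: the init.h hunk adds `__initdata_cf_clobber` and `__initconst_cf_clobber` without a comment stating their contract. Every pointer-sized word of an object placed in these sections is treated as a candidate function pointer, and any .text target that starts with endbr64 stops being a legal indirect branch target. A short comment saying the macros are only for tables whose every call site is altcall'd, and whose functions are not reachable through any other function pointer, would guard against a misuse that only fails on CET-IBT hardware. The neighbouring `__init_call` and `__exit_call` use `__used_section` where these use `__section`; worth confirming that difference is intended.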
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper
Subject: [PATCH v2 4/7] xsm: Use __initconst_cf_clobber for xsm_ops
Date: Mon, 14 Feb 2022 12:56:29 +0000
Message-ID: <20220214125632.24563-5-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>

All calls through xsm_ops are fully altcall'd. Harden all fnptr targets.

This yields:

  (XEN) altcall: Optimised away 197 endbr64 instructions

of 1655 on an everything-enabled build of Xen, which is ~12%.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Reviewed-by: Daniel P. Smith
---
 xen/xsm/dummy.c | 2 +-
 xen/xsm/flask/hooks.c | 2 +-
 xen/xsm/silo.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 4d29a9aa5b9f..8c044ef61500 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -13,7 +13,7 @@ #define XSM_NO_WRAPPERS #include -static const struct xsm_ops __initconstrel dummy_ops = { +static const struct xsm_ops __initconst_cf_clobber dummy_ops = { .security_domaininfo = xsm_security_domaininfo, .domain_create = xsm_domain_create, .getdomaininfo = xsm_getdomaininfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 63484e323c09..0bf63ffa84c4 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1765,7 +1765,7 @@ static int cf_check flask_argo_send( #endif -static const struct xsm_ops __initconstrel flask_ops = { +static const struct xsm_ops __initconst_cf_clobber flask_ops = { .security_domaininfo = flask_security_domaininfo, .domain_create = flask_domain_create, .getdomaininfo = flask_getdomaininfo, diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c index 4d5fc98e7e54..b89b36428784 100644 --- a/xen/xsm/silo.c +++ b/xen/xsm/silo.c
@@ -102,7 +102,7 @@ static int cf_check silo_argo_send( #endif -static const struct xsm_ops __initconstrel silo_xsm_ops = { +static const struct xsm_ops __initconst_cf_clobber silo_xsm_ops = { .evtchn_unbound = silo_evtchn_unbound, .evtchn_interdomain = silo_evtchn_interdomain, .grant_mapref = silo_grant_mapref,
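Review bot: the `dummy_ops`, `flask_ops` and `silo_xsm_ops` hunks each replace `__initconstrel` with `__initconst_cf_clobber`, whose section `.init.rodata.cf_clobber` has no `rel` counterpart among the macros added in patch 3. If the `rel` form was chosen because these are const tables holding pointers, the commit message should say why that distinction can be dropped here. The message's "197 of 1655" also cannot be reproduced from the log line, which prints only the first number; a sentence on how 1655 was obtained would help anyone re-checking the figure.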
WS1t9/uADVutpicRnSc6qqYoFuOBMQFEYMRTXRaFFVYurEPtKl210uSFYg7TMZZm/WoQWmY/ tyckMQpa1z/Z+Yv3r7zw13IiinESnPhHl9svVW/so5IA2pEiG+Zi26AtAKzARVodt/xory9U J8swZb20Qz2JcvR/BFhuc1UdF1T296LMSfHnXlkFIQ7+jKm9haLJN4MvG4udBo0ap9fI1cFh XM/XisLuvdu0IaCN/crM+pd9ex2pUQfKTgVfq+NNYcfCnSAXASG4DtvdSatM5PFyyARfVUEE c7DK66EVC9CYYw+lWbeb7pNgNcDm3FlrUuOFM+T8vhS+efHDJJjYexeawXmgyFQxP7snTg5B P4Ba5rUm00HCrWWj+u+2dd7EG3m5EMTXfjew/G7vMbaSua/MG1+WfLX3507fIlpw/ZcmuvSp ynvUU5E0lvvw3bALFzSOHxkbbruW7d5rG46YnNwbQr5hSB7bNb99robers2YaIjqL5pw8lrQ qRXYM6HGPlOFGjKomxPcZnnoYV+Xx23ngbSbTG9aT0ycsc4FQzE89PpZCX18ywKAnblvMcyu eT4hAjaXYACV0JpC8OPMKCjyFa4vH48nuNuXhSXfokPKRu0qIUzcn7/lP46Jc0IOC7v/DrC2 lbEGwocqMnMv5QxrIvDi5ebotr7COB5BEdbQTXWtO7kKSnA82O/6oZcS+LULyvFXWb59aj+N +VYy/bwbK8OkFpQ6tcuFr9qyeQ15sf1pq8cxQNhRS2ZY1OuA7JmA3+HwcgQ6fEdmu4H4VO7C hCV591XGbSVI8e0QlceKT0sYvmHyfxJyCLZ6u44IRmi6SJ6lFZdvZ6+4/VYZPRhEYZI IronPort-HdrOrdr: A9a23:anNxi6A1HdEPhzrlHemu55DYdb4zR+YMi2TC1yhKJyC9E/bo7v xG88566faZslossTQb6LW90cq7MBXhHPxOkOos1N6ZNWGM0gaVxcNZnO/fKlXbakrDH4VmtJ uIHZIQNDSJNykZsfrH X-IronPort-AV: E=Sophos;i="5.88,367,1635220800"; d="scan'208";a="64148580" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Wei Liu Subject: [PATCH v2 5/7] x86/hvm: Use __initdata_cf_clobber for hvm_funcs Date: Mon, 14 Feb 2022 12:56:30 +0000 Message-ID: <20220214125632.24563-6-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com> References: <20220214125632.24563-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 All calls through hvm_funcs are fully altcall'd. Harden all function pointer targets. This optimises away 106 targets. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- xen/arch/x86/hvm/hvm.c | 2 +- xen/arch/x86/hvm/svm/svm.c | 2 +- xen/arch/x86/hvm/vmx/vmx.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index cdd1529014f2..709a4191efe8 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -88,7 +88,7 @@ unsigned int opt_hvm_debug_level __read_mostly; integer_param("hvm_debug", opt_hvm_debug_level); #endif -struct hvm_function_table hvm_funcs __read_mostly; +struct hvm_function_table __ro_after_init hvm_funcs; /* * The I/O permission bitmap is globally shared by all HVM guests except diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 63535a74b504..b80d4af6cb90 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -2513,7 +2513,7 @@ static void cf_check svm_set_reg(struct vcpu *v, unsigned int reg, uint64_t val) } } -static struct hvm_function_table __initdata svm_function_table = { +static struct hvm_function_table __initdata_cf_clobber svm_function_table = { .name = "SVM", .cpu_up_prepare = svm_cpu_up_prepare, .cpu_dead = svm_cpu_dead, diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 41db538a9e3d..758df3321884 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c 
@@ -2473,7 +2473,7 @@ static void cf_check vmx_set_reg(struct vcpu *v, unsigned int reg, uint64_t val) vmx_vmcs_exit(v); } -static struct hvm_function_table __initdata vmx_function_table = { +static struct hvm_function_table __initdata_cf_clobber vmx_function_table = { .name = "VMX", .cpu_up_prepare = vmx_cpu_up_prepare, .cpu_dead = vmx_cpu_dead,
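Review bot: The move of hvm_funcs from __read_mostly to __ro_after_init in the hvm.c hunk is not mentioned in the commit message, which only covers the __initdata_cf_clobber change on svm_function_table and vmx_function_table. Please state it there and confirm that nothing writes to a field of hvm_funcs once init has finished, since such a write would now fault. The SVM and VMX tables also stay non-const (__initdata_cf_clobber) where the other tables in this series are const with __initconst_cf_clobber; a one-line comment on why they must be writable during init would help the next reader.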
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 6/7] x86/ucode: Use altcall, and __initconst_cf_clobber
Date: Mon, 14 Feb 2022 12:56:31 +0000
Message-ID: <20220214125632.24563-7-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>
References: <20220214125632.24563-1-andrew.cooper3@citrix.com>

Microcode loading is not a fastpath, but there are control flow integrity hardening benefits from using altcall, because it allows us to clobber the endbr64 instructions on all function pointer targets.

Convert the existing microcode_ops pointer into an __ro_after_init structure, and move {amd,intel}_ucode_ops into __initconst_cf_clobber.
Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu v2: * Adjust commit message. * Use __initconst_cf_clobber and __ro_after_init. --- xen/arch/x86/cpu/microcode/amd.c | 2 +- xen/arch/x86/cpu/microcode/core.c | 38 ++++++++++++++++++++------------------ xen/arch/x86/cpu/microcode/intel.c | 2 +- 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c index 0afa2192bf1d..8195707ee149 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -422,7 +422,7 @@ static struct microcode_patch *cf_check cpu_request_microcode( return patch; } -const struct microcode_ops amd_ucode_ops = { +const struct microcode_ops __initconst_cf_clobber amd_ucode_ops = { .cpu_request_microcode = cpu_request_microcode, .collect_cpu_info = collect_cpu_info, .apply_microcode = apply_microcode, diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c index f84dafa82693..452a7ca77340 100644 --- a/xen/arch/x86/cpu/microcode/core.c +++ b/xen/arch/x86/cpu/microcode/core.c @@ -21,6 +21,7 @@ * 2 of the License, or (at your option) any later version. */ +#include #include #include #include @@ -214,7 +215,7 @@ void __init microcode_grab_module( microcode_scan_module(module_map, mbi); } -static const struct microcode_ops __read_mostly *microcode_ops; +static struct microcode_ops __ro_after_init ucode_ops; static DEFINE_SPINLOCK(microcode_mutex); @@ -241,9 +242,9 @@ static const struct microcode_patch *nmi_patch = ZERO_BLOCK_PTR; */ static struct microcode_patch *parse_blob(const char *buf, size_t len) { - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); - return microcode_ops->cpu_request_microcode(buf, len); + return alternative_call(ucode_ops.cpu_request_microcode, buf, len); } static void microcode_free_patch(struct microcode_patch *patch) 
@@ -258,8 +259,8 @@ static bool microcode_update_cache(struct microcode_patch *patch) if ( !microcode_cache ) microcode_cache = patch; - else if ( microcode_ops->compare_patch(patch, - microcode_cache) == NEW_UCODE ) + else if ( alternative_call(ucode_ops.compare_patch, + patch, microcode_cache) == NEW_UCODE ) { microcode_free_patch(microcode_cache); microcode_cache = patch; @@ -311,14 +312,14 @@ static int microcode_update_cpu(const struct microcode_patch *patch) { int err; - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); spin_lock(µcode_mutex); if ( patch ) - err = microcode_ops->apply_microcode(patch); + err = alternative_call(ucode_ops.apply_microcode, patch); else if ( microcode_cache ) { - err = microcode_ops->apply_microcode(microcode_cache); + err = alternative_call(ucode_ops.apply_microcode, microcode_cache); if ( err == -EIO ) { microcode_free_patch(microcode_cache); @@ -368,7 +369,7 @@ static int primary_thread_work(const struct microcode_patch *patch) if ( !wait_for_state(LOADING_ENTER) ) return -EBUSY; - ret = microcode_ops->apply_microcode(patch); + ret = alternative_call(ucode_ops.apply_microcode, patch); if ( !ret ) atomic_inc(&cpu_updated); atomic_inc(&cpu_out); @@ -481,7 +482,7 @@ static int control_thread_fn(const struct microcode_patch *patch) } /* Control thread loads ucode first while others are in NMI handler. */ - ret = microcode_ops->apply_microcode(patch); + ret = alternative_call(ucode_ops.apply_microcode, patch); if ( !ret ) atomic_inc(&cpu_updated); atomic_inc(&cpu_out); @@ -610,7 +611,8 @@ static long cf_check microcode_update_helper(void *data) */ spin_lock(µcode_mutex); if ( microcode_cache && - microcode_ops->compare_patch(patch, microcode_cache) != NEW_UCODE ) + alternative_call(ucode_ops.compare_patch, + patch, microcode_cache) != NEW_UCODE ) { spin_unlock(µcode_mutex); printk(XENLOG_WARNING "microcode: couldn't find any newer revision " 
@@ -678,7 +680,7 @@ int microcode_update(XEN_GUEST_HANDLE(const_void) buf, unsigned long len) if ( len != (uint32_t)len ) return -E2BIG; - if ( microcode_ops == NULL ) + if ( !ucode_ops.apply_microcode ) return -EINVAL; buffer = xmalloc_flex_struct(struct ucode_buf, buffer, len); @@ -722,10 +724,10 @@ __initcall(microcode_init); /* Load a cached update to current cpu */ int microcode_update_one(void) { - if ( !microcode_ops ) + if ( !ucode_ops.apply_microcode ) return -EOPNOTSUPP; - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); return microcode_update_cpu(NULL); } @@ -780,22 +782,22 @@ int __init early_microcode_init(void) { case X86_VENDOR_AMD: if ( c->x86 >= 0x10 ) - microcode_ops = &amd_ucode_ops; + ucode_ops = amd_ucode_ops; break; case X86_VENDOR_INTEL: if ( c->x86 >= 6 ) - microcode_ops = &intel_ucode_ops; + ucode_ops = intel_ucode_ops; break; } - if ( !microcode_ops ) + if ( !ucode_ops.apply_microcode ) { printk(XENLOG_WARNING "Microcode loading not available\n"); return -ENODEV; } - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); if ( ucode_mod.mod_end || ucode_blob.size ) rc = early_microcode_update_cpu(); diff --git a/xen/arch/x86/cpu/microcode/intel.c b/xen/arch/x86/cpu/microcode/intel.c index d3864b5ab03e..f5ba6d76d724 100644 --- a/xen/arch/x86/cpu/microcode/intel.c +++ b/xen/arch/x86/cpu/microcode/intel.c 
@@ -376,7 +376,7 @@ static struct microcode_patch *cf_check cpu_request_microcode( return patch; } -const struct microcode_ops intel_ucode_ops = { +const struct microcode_ops __initconst_cf_clobber intel_ucode_ops = { .cpu_request_microcode = cpu_request_microcode, .collect_cpu_info = collect_cpu_info, .apply_microcode = apply_microcode,
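Review bot: The !ucode_ops.apply_microcode test that replaces the NULL-pointer checks in microcode_update(), microcode_update_one() and early_microcode_init() in core.c turns one hook into the marker for "a vendor table was installed", and that convention is not documented anywhere in the patch. collect_cpu_info, cpu_request_microcode and compare_patch are then called with no check of their own. Please add a comment at the ucode_ops definition saying that apply_microcode doubles as the presence flag and that every vendor table must populate all hooks, or wrap the test in a small helper so the rule lives in one place.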
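Review bot: amd_ucode_ops and intel_ucode_ops stay non-static in the amd.c and intel.c hunks while moving into __initconst_cf_clobber, so they remain nameable from code that runs after the init sections are released. The only visible users are the struct copies in early_microcode_init(), which is __init, but please confirm there are no others and add a note on their declarations that the tables are init-only and that ucode_ops is the copy to use after boot.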
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 7/7] x86/vpmu: Harden indirect branches
Date: Mon, 14 Feb 2022 12:56:32 +0000
Message-ID: <20220214125632.24563-8-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>
References: <20220214125632.24563-1-andrew.cooper3@citrix.com>

As all function pointer calls are resolved to direct calls on boot, clobber the endbr64 instructions too to make life harder for an attacker which has managed to hijack a function pointer.
Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu v2: * Use __initconst_cf_clobber --- xen/arch/x86/cpu/vpmu_amd.c | 2 +- xen/arch/x86/cpu/vpmu_intel.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu/vpmu_amd.c b/xen/arch/x86/cpu/vpmu_amd.c index 5963ce90150a..9bacc02ec135 100644 --- a/xen/arch/x86/cpu/vpmu_amd.c +++ b/xen/arch/x86/cpu/vpmu_amd.c @@ -518,7 +518,7 @@ static int cf_check svm_vpmu_initialise(struct vcpu *v) return 0; } -static const struct arch_vpmu_ops __initconstrel amd_vpmu_ops = { +static const struct arch_vpmu_ops __initconst_cf_clobber amd_vpmu_ops = { .initialise = svm_vpmu_initialise, .do_wrmsr = amd_vpmu_do_wrmsr, .do_rdmsr = amd_vpmu_do_rdmsr, diff --git a/xen/arch/x86/cpu/vpmu_intel.c b/xen/arch/x86/cpu/vpmu_intel.c index 48b81ab6f018..8612f46973ef 100644 --- a/xen/arch/x86/cpu/vpmu_intel.c +++ b/xen/arch/x86/cpu/vpmu_intel.c 
@@ -880,7 +880,7 @@ static int cf_check vmx_vpmu_initialise(struct vcpu *v) return 0; } -static const struct arch_vpmu_ops __initconstrel core2_vpmu_ops = { +static const struct arch_vpmu_ops __initconst_cf_clobber core2_vpmu_ops = { .initialise = vmx_vpmu_initialise, .do_wrmsr = core2_vpmu_do_wrmsr, .do_rdmsr = core2_vpmu_do_rdmsr,
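Review bot: The commit message should name where the arch_vpmu_ops call sites were converted to altcall, because the amd_vpmu_ops and core2_vpmu_ops hunks touch only the section annotation and the statement that every function pointer call becomes a direct call at boot cannot be checked from this patch. Clobbering endbr64 on a hook that is still reached through an indirect call would raise a control-protection fault under CET-IBT, so the dependency deserves an explicit reference in the log.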
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH v2.1 8/7] x86/IOMMU: Use altcall, and __initconst_cf_clobber
Date: Mon, 21 Feb 2022 18:03:56 +0000
Message-ID: <20220221180356.13527-1-andrew.cooper3@citrix.com>
In-Reply-To: <20220214125632.24563-1-andrew.cooper3@citrix.com>
References: <20220214125632.24563-1-andrew.cooper3@citrix.com>

Most IOMMU hooks are already altcall for performance reasons. Convert the rest of them so we can harden all the hooks in Control Flow Integrity configurations. This necessitates the use of iommu_{v,}call() in debug builds too.

Move the root iommu_ops from __read_mostly to __ro_after_init now that the latter exists. There is no need for a forward declaration of vtd_ops any more, meaning that __initconst_cf_clobber can be used for VTD and AMD.

Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- xen/arch/x86/include/asm/iommu.h | 6 ++---- xen/drivers/passthrough/amd/pci_amd_iommu.c | 2 +- xen/drivers/passthrough/iommu.c | 7 ++++--- xen/drivers/passthrough/vtd/iommu.c | 3 +-- xen/drivers/passthrough/x86/iommu.c | 4 ++-- 5 files changed, 10 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/iommu.h b/xen/arch/x86/include/asm/iommu.h index 8a96ba1f097f..a87f6d416252 100644 --- a/xen/arch/x86/include/asm/iommu.h +++ b/xen/arch/x86/include/asm/iommu.h
@@ -72,7 +72,6 @@ struct arch_iommu extern struct iommu_ops iommu_ops; -#ifdef NDEBUG # include # define iommu_call(ops, fn, args...) ({ \ (void)(ops); \ @@ -83,7 +82,6 @@ extern struct iommu_ops iommu_ops; (void)(ops); \ alternative_vcall(iommu_ops.fn, ## args); \ }) -#endif static inline const struct iommu_ops *iommu_get_ops(void) { @@ -106,7 +104,7 @@ int iommu_setup_hpet_msi(struct msi_desc *); static inline int iommu_adjust_irq_affinities(void) { return iommu_ops.adjust_irq_affinities - ? iommu_ops.adjust_irq_affinities() + ? iommu_call(iommu_ops, adjust_irq_affinities) : 0; } @@ -122,7 +120,7 @@ int iommu_enable_x2apic(void); static inline void iommu_disable_x2apic(void) { if ( x2apic_enabled && iommu_ops.disable_x2apic ) - iommu_ops.disable_x2apic(); + iommu_vcall(iommu_ops, disable_x2apic); } int iommu_identity_mapping(struct domain *d, p2m_access_t p2ma, diff --git a/xen/drivers/passthrough/amd/pci_amd_iommu.c b/xen/drivers/passthrough/amd/pci_amd_iommu.c index e57f555d00d1..4b59a4efe9b6 100644 --- a/xen/drivers/passthrough/amd/pci_amd_iommu.c +++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c @@ -628,7 +628,7 @@ static void cf_check amd_dump_page_tables(struct domain *d) hd->arch.amd.paging_mode, 0, 0); } -static const struct iommu_ops __initconstrel _iommu_ops = { +static const struct iommu_ops __initconst_cf_clobber _iommu_ops = { .init = amd_iommu_domain_init, .hwdom_init = amd_iommu_hwdom_init, .quarantine_init = amd_iommu_quarantine_init, diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c index e220fea72c2f..c6b2c384d1dd 100644 --- a/xen/drivers/passthrough/iommu.c +++ b/xen/drivers/passthrough/iommu.c @@ -540,7 +540,7 @@ int __init iommu_setup(void) int iommu_suspend() { if ( iommu_enabled ) - return iommu_get_ops()->suspend(); + return iommu_call(iommu_get_ops(), suspend); return 0; } 
@@ -548,7 +548,7 @@ int iommu_suspend() void iommu_resume() { if ( iommu_enabled ) - iommu_get_ops()->resume(); + iommu_vcall(iommu_get_ops(), resume); } int iommu_do_domctl( @@ -578,7 +578,8 @@ void iommu_crash_shutdown(void) return; if ( iommu_enabled ) - iommu_get_ops()->crash_shutdown(); + iommu_vcall(iommu_get_ops(), crash_shutdown); + iommu_enabled = false; #ifndef iommu_intremap iommu_intremap = iommu_intremap_off; diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c index 56968a06a100..6a65ba1d8271 100644 --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -56,7 +56,6 @@ bool __read_mostly iommu_snoop = true; static unsigned int __read_mostly nr_iommus; -static struct iommu_ops vtd_ops; static struct tasklet vtd_fault_tasklet; static int cf_check setup_hwdom_device(u8 devfn, struct pci_dev *); @@ -2794,7 +2793,7 @@ static int __init cf_check intel_iommu_quarantine_init(struct domain *d) return rc; } -static struct iommu_ops __initdata vtd_ops = { +static const struct iommu_ops __initconst_cf_clobber vtd_ops = { .init = intel_iommu_domain_init, .hwdom_init = intel_iommu_hwdom_init, .quarantine_init = intel_iommu_quarantine_init, diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c index ad5f44e13d98..17c0fe555dd0 100644 --- a/xen/drivers/passthrough/x86/iommu.c +++ b/xen/drivers/passthrough/x86/iommu.c @@ -27,7 +27,7 @@ #include const struct iommu_init_ops *__initdata iommu_init_ops; -struct iommu_ops __read_mostly iommu_ops; +struct iommu_ops __ro_after_init iommu_ops; bool __read_mostly iommu_non_coherent; enum iommu_intremap __read_mostly iommu_intremap = iommu_intremap_full; @@ -129,7 +129,7 @@ int iommu_enable_x2apic(void) if ( !iommu_ops.enable_x2apic ) return -EOPNOTSUPP; - return iommu_ops.enable_x2apic(); + return iommu_call(iommu_ops, enable_x2apic); } void iommu_update_ire_from_apic(