From patchwork Wed Mar 9 12:39:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 12775033 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2B15AC433FE for ; Wed, 9 Mar 2022 12:40:17 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.287815.488046 (Exim 4.92) (envelope-from ) id 1nRvbq-0006cQ-FI; Wed, 09 Mar 2022 12:40:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 287815.488046; Wed, 09 Mar 2022 12:40:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nRvbq-0006bB-8y; Wed, 09 Mar 2022 12:40:06 +0000 Received: by outflank-mailman (input) for mailman id 287815; Wed, 09 Mar 2022 12:40:04 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nRvbo-0005Bn-NV for xen-devel@lists.xenproject.org; Wed, 09 Mar 2022 12:40:04 +0000 Received: from esa5.hc3370-68.iphmx.com (esa5.hc3370-68.iphmx.com [216.71.155.168]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 098d7ac6-9fa6-11ec-8eba-a37418f5ba1a; Wed, 09 Mar 2022 13:40:03 +0100 (CET) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 098d7ac6-9fa6-11ec-8eba-a37418f5ba1a DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1646829603; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=Eg/ifCx2kE6sAtZ1kPwmImh59SmF+XQTuUTtEX5um+U=; b=FBIwznuJJzEI2laV2mso3cY5DWyRcx2q2NGRNLvZqsyr5rVOGvkjQwfH VZsPHI5zF2b5lk9M6Spc1KoC9cS7o3dqEndxTttG8SLAh7i4Hdx6IDwgu SaCByw+OwKH/ARz3UJJq9h13Z0XldTCuBpask+tJagSPKwEUppH1L1InW c=; Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 5.1 X-MesageID: 65285147 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.83 X-Policy: $RELAYED IronPort-Data: A9a23:p9N2jKvYBkC5g71x9odXgq5tmufnVFFeMUV32f8akzHdYApBsoF/q tZmKTjVP/jcajHwL9x2OYXgoU0OvZWHzNJqHVdqqClmEH4Q+JbJXdiXEBz9bniYRiHhoOOLz Cm8hv3odp1coqr0/0/1WlTZhSAgk/nOHNIQMcacUsxLbVYMpBwJ1FQyw4bVvqYy2YLjW1jV6 IuoyyHiEATNNwBcYzp8B52r8HuDjNyq0N/PlgVjDRzjlAa2e0g9VPrzF4noR5fLatA88tqBb /TC1NmEElbxpH/BPD8HfoHTKSXmSpaKVeSHZ+E/t6KK2nCurQRquko32WZ1he66RFxlkvgoo Oihu6BcRi8xHoSWm88PCyJ/EhNdZYF46K/mHHOW5Jn7I03uKxMAwt1rBUAye4YZ5vx2ESdF8 vlwxDIlN07ZwbjsmfTiF7cq1p9LwMrDZevzvllJyz3DAOlgapfEW6jQvvdT3Ssqh9AIFvHbD yYcQWQyNkSdOkEQUrsRIM8RmN6vlnfvT2RVsGqX+akYwlXuzjUkhdABN/KKI4fXFK25hH2wu Wbu72n/RBYAO7S36xCI73atje/nhj7gVcQZE7jQ3u5nhhify3IeDDUSVECnur+ph0imQdVdJ kcIvC00osAPGFeDF4enGUfi+Tjd40BaC4E4//AGBB+l0or9uQWyFDA/aT9zS4QKit8mZAEh/ wrc9z/2PgBHvLqQQHOb076bqzKuJCQYRVM/iT84oRgtuIe6/txq5v7bZpM6SfPu0IWpcd3l6 23S9EADa6MvYdnnPklR1XTOmHqSq5fAVWbZDS2HDzv+vmuViGNIDrFECGQ3D94ddO51rXHb5 RDofvRyCshUU/lhcwTXHI0w8EmBvartDdElqQcH82Md3zqs4WW/Wotb/StzIkxkWu5dJ2O3P xGP41MNuMMNVJdPUUORS9jhYyjN5fK8fekJq9iONoYeCnSPXFTvEN5Sib64gDm2zRlEfVAXM paHa8e8ZUv2+ow8pAdas9w1iOdxrghnnDu7bcmik3yPjOrPDFbIGOxtGAbfMYgEAFas/Vy9H yB3bJDRlX2ykYTWP0HqzGLkBQtTfCZhWsyu9ZA/myzqClMOJVzNwsT5mdsJE7GJVYwJyY8kI lnVtpdk9WfC IronPort-HdrOrdr: A9a23:5vsT0a+8jJIFOwkZr7duk+FRdb1zdoMgy1knxilNoENuH/Bwxv rFoB1E73TJYW4qKQkdcKO7SdK9qBLnhNZICOwqUYtKMzOW3FdAQLsC0WKm+UyYJ8SczJ8X6U 4DSdkYNDSYNzET4qjHCUuDYrAdKbK8gcOVbJLlvhJQpHZRGsNdBmlCajqzIwlTfk1rFJA5HJ 2T6o5svDy7Y0kaacy9Gz0sQ/XDj8ejruOqXTc2QzocrCWehzKh77D3VzKC2A0Fbj9JybA+tU DYjg3C4Lm5uf3T8G6R64aT1eUYpDLS8KoDOCW+sLlUFtwqsHfqWG1VYczNgNnympDs1L9lqq iIn/5qBbUI15qYRBDJnfKq4Xir7N9m0Q6f9XaIxXTkusD3XzQ8Fo5Igp9YaALQ7w46sMh7y7 8j5RPvi3N7N2K0oM3G3am9a/iqrDvFnVMy1eoIy3BPW4oXb7Fc6YQZ4UNOCZ8FWCb38pouHu ViBNzVoK8+SyLSU1nJ+m10hNC8VHU6GRmLBkAEp8yOyjBT2HR01VERysATlmoJsJg9V55H7e LZNbkArsA5cuYGKaZmQOsRS8q+DWLABRrKLWKJOFziULoKPnrcwqSHkondJNvaC6Dg4KFC5q gpCmkoylLaU3ieePGz4A== X-IronPort-AV: E=Sophos;i="5.90,167,1643691600"; d="scan'208";a="65285147" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Wei Liu Subject: [PATCH 1/2] x86/CET: Remove XEN_SHSTK's dependency on EXPERT Date: Wed, 9 Mar 2022 12:39:35 +0000 Message-ID: <20220309123936.16991-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20220309123936.16991-1-andrew.cooper3@citrix.com> References: <20220309123936.16991-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 CET-SS hardware is now available from multiple vendors, and the feature has downstream users. Enable it by default. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- xen/arch/x86/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 83d0f317ecf9..06d6fbc86478 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -117,8 +117,8 @@ config HVM If unsure, say Y. config XEN_SHSTK - bool "Supervisor Shadow Stacks (EXPERT)" - depends on HAS_AS_CET_SS && EXPERT + bool "Supervisor Shadow Stacks" + depends on HAS_AS_CET_SS default y ---help--- Control-flow Enforcement Technology (CET) is a set of features in From patchwork Wed Mar 9 12:39:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 12775032 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A01E2C433F5 for ; Wed, 9 Mar 2022 12:40:05 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.287814.488035 (Exim 4.92) (envelope-from ) id 1nRvbc-0005RY-4p; Wed, 09 Mar 2022 12:39:52 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 287814.488035; Wed, 09 Mar 2022 12:39:52 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nRvbc-0005RR-0e; Wed, 09 Mar 2022 12:39:52 +0000 Received: by outflank-mailman (input) for mailman id 287814; Wed, 09 Mar 2022 12:39:51 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1nRvba-0005Bn-Ul for xen-devel@lists.xenproject.org; Wed, 09 Mar 2022 12:39:50 +0000 Received: from esa4.hc3370-68.iphmx.com (esa4.hc3370-68.iphmx.com [216.71.155.144]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 027e3d6e-9fa6-11ec-8eba-a37418f5ba1a; Wed, 09 Mar 2022 13:39:50 +0100 (CET) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 027e3d6e-9fa6-11ec-8eba-a37418f5ba1a DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1646829589; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=WF7VI67OSsAZQRpJlsfAPEjrr4Q7HY425itKcbMGzsw=; b=eT3mpT0VSkFl7AldrtKBAsUSCncV1ft+77yxb54DquAwSOaD80jRROz+ G6M1v5XK1C6sbmsuOWA03vyp/s8kDAf8WFqRNg6rxHOYpdW5jto+2oPFS VkVBrojF0wVaWD0G7bI96pBgXua9HjnuZpakx2FZSvrOcFFDMQSIinJOd 8=; Authentication-Results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 5.1 X-MesageID: 68164423 X-Ironport-Server: esa4.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.83 X-Policy: $RELAYED IronPort-Data: A9a23:DlQqCagHwgaPlooMdAndXhxkX161ZBAKZh0ujC45NGQN5FlHY01je htvXD+AOqvbazSje4p0OYu1ox5UuJTdztNkQAs9qCA3RC8b9cadCdqndUqhZCn6wu8v7a5EA 2fyTvGacajYm1eF/k/F3oDJ9CU6jefSLlbFILas1hpZHGeIcw98z0M78wIFqtQw24LhWFvc4 YmaT/D3YzdJ5RYlagr41IrbwP9flKyaVOQw5wFWiVhj5TcyplFNZH4tDfjZw0jQG+G4KtWSV efbpIxVy0uCl/sb5nFJpZ6gGqECaua60QFjERO6UYD66vRJjnRaPqrWqJPwwKqY4tmEt4kZ9 TlDiXC/YVsXGYyRyKdEajt3QnhGBKNXp6fpAUHq5KR/z2WeG5ft6/BnDUVwNowE4OdnR2pJ8 JT0KhhUMErF3bjvhuvmFK883azPL+GyVG8bklhmwSvUErANRpfbTr+RzdRZwC0xloZFGvO2i 88xN2o2MkicOUYn1lE/DL47gbyWh1rEWn5mlFeb/IoZzHeDw1kkuFTqGIWMIYHbLSlPpW6Ho krW8mK/BQsVXPS94zeY9nOnhsfUgDj2HokVEdWQ5vNsxVGe2GEXIBkXTkeg5+m0jFakXNBSI FBS/TAhxZXe72TyEIO7BUfh5ifZ4FhMALK8DtHW9inR9I31vlbaX1EmYW8YUOUopZAuaxwTg wrhc8zSORRjt7icSHS4/7iSrC+vNSV9EVLudRPoXiNevYC9/dhbYgbnC486TfXr1oGd9STYn mjSxBXSkYn/miLiO0+T2VncywyhqZHSJuLezlWGBzn1hu+ViWPMWmBJ1bQ5xasYRGp6ZgPY1 JThpyR4xLpQZX1qvHbRKNjh5Jnzu5643MT02DaD5aUJ+TW34GKEdotN+jx4L0oBGp9aJWG2P hOJ6V8NuME70J6WgUlfOdLZ5yMCl/SIKDgYfqqMMoomjmZZL2drAx2ClWbPhjuwwSDAYIk0O IuBcNbEMJrpIf8P8dZCfM9EieVD7nlnnQv7HMmnpzz6gev2TCPEEt8tbQrRBt3VGYvZ+W05B f4EbJDUo/ieOcWjChTqHXk7dglbcyJkWcio96S6tIere2JbJY3oMNeJqZtJRmCvt/g9ejvgl p1lZnJl9Q== IronPort-HdrOrdr: A9a23:X1x/mKBMhCGLJBblHemU55DYdb4zR+YMi2TC1yhKJyC9Ffbo7v xG/c5rsyMc5wxwZJhNo7y90ey7MBbhHP1OkO4s1NWZLWrbUQKTRekIh+bfKn/baknDH4ZmpN 9dmsNFaeEYY2IUsS+D2njbL+od X-IronPort-AV: E=Sophos;i="5.90,167,1643691600"; d="scan'208";a="68164423" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Wei Liu Subject: [PATCH 2/2] Changelog: Add __ro_after_init and CET Date: Wed, 9 Mar 2022 12:39:36 +0000 Message-ID: <20220309123936.16991-3-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20220309123936.16991-1-andrew.cooper3@citrix.com> References: <20220309123936.16991-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83d85fad5bbc..577517383ec9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) ## [unstable UNRELEASED](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=staging) - TBD +### Added + - __ro_after_init support on x86, for marking data as immutable after boot. + - Support for Xen using x86 Control Flow Enforcement technology for its own + protection. Both Shadow Stacks (ROP protection) and Indirect Branch + Tracking (COP/JOP protection). + ### Removed / support downgraded - dropped support for the (x86-only) "vesa-mtrr" and "vesa-remap" command line options