From: Andrew Cooper
To: Xen-devel
Subject: [PATCH v2 03/14] x86/shstk: Introduce Supervisor Shadow Stack support
Date: Wed, 27 May 2020 20:18:36 +0100
Message-ID: <20200527191847.17207-4-andrew.cooper3@citrix.com>
In-Reply-To: <20200527191847.17207-1-andrew.cooper3@citrix.com>
Cc: Andrew Cooper, Wei Liu, Jan Beulich, Roger Pau Monné

Introduce CONFIG_HAS_AS_CET to determine whether CET instructions are supported in the assembler, and CONFIG_XEN_SHSTK as the main build option.

Introduce cet={no-,}shstk for a user to select whether or not to use shadow stacks at runtime, and X86_FEATURE_XEN_SHSTK to determine Xen's overall enablement of shadow stacks.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Wei Liu
CC: Roger Pau Monné

LLVM 6 supports CET-SS instructions while only LLVM 7 supports CET-IBT instructions. We'd need to split HAS_AS_CET into two if we want to support supervisor shadow stacks with LLVM 6. (This demonstrates exactly why picking a handful of instructions to test is the right approach.)

v2:
 * Leave a comment identifying minimum toolchain support, to make it easier to remove ifdefary in the future when bumping minima.
 * Reindent CONFIG_XEN_SHSTK help text.
 * Rename xen= to cet=. Add documentation, __init.
---
docs/misc/xen-command-line.pandoc | 17 +++++++++++++++++ xen/arch/x86/Kconfig | 18 ++++++++++++++++++ xen/arch/x86/setup.c | 30 ++++++++++++++++++++++++++++++ xen/include/asm-x86/cpufeature.h | 1 + xen/include/asm-x86/cpufeatures.h | 1 + xen/scripts/Kconfig.include | 4 ++++ 6 files changed, 71 insertions(+) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index e16bb90184..d4934eabb7 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -270,6 +270,23 @@ and not running softirqs. Reduce this if softirqs are = not being run frequently enough. Setting this to a high value may cause boot failure, particularly = if the NMI watchdog is also enabled. =20 +### cet + =3D List of [ shstk=3D ] + + Applicability: x86 + +Controls for the use of Control-flow Enforcement Technology. CET is group= of +hardware features designed to combat Return-oriented Programming (ROP, also +call/jmp COP/JOP) attacks. + +* The `shstk=3D` boolean controls whether Xen uses Shadow Stacks for its= own + protection. + + The option is available when `CONFIG_XEN_SHSTK` is compiled in, and + defaults to `true` on hardware supporting CET-SS. Specifying + `cet=3Dno-shstk` will cause Xen not to use Shadow Stacks even when sup= port + is available in hardware. + ### clocksource (x86) > `=3D pit | hpet | acpi | tsc` =20 
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index b565f6831d..304a42ffb2 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -34,6 +34,10 @@ config ARCH_DEFCONFIG config INDIRECT_THUNK def_bool $(cc-option,-mindirect-branch-register) =20 +config HAS_AS_CET + # binutils >=3D 2.29 and LLVM >=3D 7 + def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy;endbr64) + menu "Architecture Features" =20 source "arch/Kconfig" @@ -97,6 +101,20 @@ config HVM =20 If unsure, say Y. =20 +config XEN_SHSTK + bool "Supervisor Shadow Stacks" + depends on HAS_AS_CET && EXPERT =3D "y" + default y + ---help--- + Control-flow Enforcement Technology (CET) is a set of features in + hardware designed to combat Return-oriented Programming (ROP, also + call/jump COP/JOP) attacks. Shadow Stacks are one CET feature + designed to provide return address protection. + + This option arranges for Xen to use CET-SS for its own protection. + When CET-SS is active, 32bit PV guests cannot be used. Backwards + compatiblity can be provided vai the PV Shim mechanism. + config SHADOW_PAGING bool "Shadow Paging" default y diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2dec7a3fc6..584589baff 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -95,6 +95,36 @@ unsigned long __initdata highmem_start; size_param("highmem-start", highmem_start); #endif =20 +static bool __initdata opt_xen_shstk =3D true; + +static int __init parse_cet(const char *s) +{ + const char *ss; + int val, rc =3D 0; + + do { + ss =3D strchr(s, ','); + if ( !ss ) + ss =3D strchr(s, '\0'); + + if ( (val =3D parse_boolean("shstk", s, ss)) >=3D 0 ) + { +#ifdef CONFIG_XEN_SHSTK + opt_xen_shstk =3D val; +#else + no_config_param("XEN_SHSTK", "cet", s, ss); +#endif + } + else + rc =3D -EINVAL; + + s =3D ss + 1; + } while ( *ss ); + + return rc; +} +custom_param("cet", parse_cet); + cpumask_t __read_mostly cpu_present_map; =20 unsigned long __read_mostly xen_phys_start; 
diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeat= ure.h index cadef4e824..b831448eba 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -137,6 +137,7 @@ #define cpu_has_aperfmperf boot_cpu_has(X86_FEATURE_APERFMPERF) #define cpu_has_lfence_dispatch boot_cpu_has(X86_FEATURE_LFENCE_DISPATCH) #define cpu_has_xen_lbr boot_cpu_has(X86_FEATURE_XEN_LBR) +#define cpu_has_xen_shstk boot_cpu_has(X86_FEATURE_XEN_SHSTK) =20 #define cpu_has_msr_tsc_aux (cpu_has_rdtscp || cpu_has_rdpid) =20 diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufea= tures.h index b9d3cac975..d7e42d9bb6 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -38,6 +38,7 @@ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen u= ses MSR_DEBUGCTL.LBR */ XEN_CPUFEATURE(SC_VERW_PV, X86_SYNTH(23)) /* VERW used by Xen for P= V */ XEN_CPUFEATURE(SC_VERW_HVM, X86_SYNTH(24)) /* VERW used by Xen for H= VM */ XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for i= dle */ +XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow St= acks */ =20 /* Bug words follow the synthetic words. */ #define X86_NR_BUG 1 diff --git a/xen/scripts/Kconfig.include b/xen/scripts/Kconfig.include index 8221095ca3..e1f13e1720 100644 --- a/xen/scripts/Kconfig.include +++ b/xen/scripts/Kconfig.include @@ -31,6 +31,10 @@ cc-option =3D $(success,$(CC) -Werror $(CLANG_FLAGS) $(1= ) -E -x c /dev/null -o /de # Return y if the linker supports , n otherwise ld-option =3D $(success,$(LD) -v $(1)) =20 +# $(as-instr,) +# Return y if the assembler supports , n otherwise +as-instr =3D $(success,printf "%b\n" "$(1)" | $(CC) $(CLANG_FLAGS) -c -x a= ssembler -o /dev/null -) + # check if $(CC) and $(LD) exist $(error-if,$(failure,command -v $(CC)),compiler '$(CC)' not found) $(error-if,$(failure,command -v $(LD)),linker '$(LD)' not found) --=20 2.11.0
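
Review bot: In docs/misc/xen-command-line.pandoc, the new `cet` entry says `shstk` defaults to `true` on CET-SS hardware but leaves out the side effect that the XEN_SHSTK Kconfig help in this same patch states, namely that 32bit PV guests cannot be used while CET-SS is active. Someone reading only the command-line reference cannot tell that `cet=no-shstk` is the runtime knob that trades Xen's return-address protection for 32bit PV guest support, so a sentence saying so belongs in this entry. In the same paragraph, "CET is group of" is missing an article ("CET is a group of").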
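
Review bot: In the first xen/arch/x86/Kconfig hunk, the HAS_AS_CET probe assembles `endbr64` together with `wrssq` and `setssbsy`, but the comment above it only gives the resulting minima and the only consumer added in this patch is XEN_SHSTK. The notes under the commit message say LLVM 6 already handles the CET-SS instructions and only LLVM 7 handles CET-IBT, so it would help to record in the comment that `endbr64` is what sets the LLVM 7 floor. Without that, anyone later splitting or trimming the probe has to rediscover why a shadow-stack option is gated on an IBT instruction.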
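
Review bot: The last sentence of the XEN_SHSTK help text in xen/arch/x86/Kconfig has two typos: "compatiblity" should be "compatibility" and "vai" should be "via". Since this is the text users see when deciding whether to enable the option, it is worth fixing before commit.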
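
Review bot: In xen/arch/x86/setup.c, `opt_xen_shstk` is defined unconditionally, but its only reference in this hunk is the assignment inside `#ifdef CONFIG_XEN_SHSTK` in parse_cet(), and nothing in this patch reads it. With CONFIG_XEN_SHSTK unset the variable is not referenced at all, which risks an unused-variable diagnostic at this point in the series and hurts bisectability. Suggest placing the definition under the same #ifdef, or introducing it in the patch that first consumes it. A one-line comment on parse_cet() noting that an unrecognised token yields -EINVAL while the remaining tokens are still processed would also help.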