From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 1/4] x86/altcall: Check and optimise altcall targets
Date: Fri, 26 Nov 2021 21:22:55 +0000
Message-ID: <20211126212258.7550-2-andrew.cooper3@citrix.com>
In-Reply-To: <20211126212258.7550-1-andrew.cooper3@citrix.com>
Content-Transfer-Encoding: quoted-printable

When converting indirect to direct calls, there is no need to execute endbr64 instructions. Detect and optimise this case, leaving a warning in the case that no endbr64 was found, as it likely indicates a build error.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
 xen/arch/x86/alternative.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index ec24692e9595..5ae4c80d5119 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include 
@@ -279,6 +280,27 @@ static void init_or_livepatch _apply_alternatives(stru= ct alt_instr *start, =20 if ( dest ) { + /* + * When building for CET-IBT, all function pointer tar= gets + * should have an endbr64 instruction. + * + * If this is not the case, leave a warning because + * something is wrong with the build. + * + * Otherwise, skip the endbr64 instruction. This is a + * marginal perf improvement which saves on instruction + * decode bandwidth. + */ + if ( IS_ENABLED(CONFIG_HAS_CC_CET_IBT) ) + { + if ( is_endbr64(dest) ) + dest +=3D 4; + else + printk(XENLOG_WARNING + "altcall %ps dest %ps has no endbr64\n", + orig, dest); + } + disp =3D dest - (orig + 5); ASSERT(disp =3D=3D (int32_t)disp); *(int32_t *)(buf + 1) =3D disp; --=20 2.11.0
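
Review bot: The gate `IS_ENABLED(CONFIG_HAS_CC_CET_IBT)` in the @@ -279 hunk reads as a toolchain-capability symbol rather than "this Xen was built with IBT". If a build can have the former without the latter, no target will carry an endbr64 and the XENLOG_WARNING fires once per altcall site; keying the block on the option that actually enables IBT code generation would avoid that. Separately, `dest += 4` hard-codes the endbr64 length; a named constant kept next to is_endbr64() would stop the two drifting apart.
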
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 2/4] x86/altcall: Optimise away endbr64 instruction where possible
Date: Fri, 26 Nov 2021 21:22:56 +0000
Message-ID: <20211126212258.7550-3-andrew.cooper3@citrix.com>
In-Reply-To: <20211126212258.7550-1-andrew.cooper3@citrix.com>
Content-Transfer-Encoding: quoted-printable

With altcall, we convert indirect branches into direct ones. With that complete, none of the potential targets need an endbr64 instruction.

Furthermore, removing the endbr64 instructions is a security defence-in-depth improvement, because it limits the options available to an attacker who has managed to hijack a function pointer.

Introduce a new .init.data.cf_clobber section. Have _apply_alternatives() walk over the entire section, looking for any pointers into .text, and clobber an endbr64 instruction if found. This is some minor structure (ab)use but it works alarmingly well.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu

It would be nice for the printk() to say "optimised away %u of %u", but the latter number can only feasibly come from post-processing of xen-syms during the build.
---
 xen/arch/x86/alternative.c | 38 ++++++++++++++++++++++++++++++++++++++
 xen/arch/x86/xen.lds.S | 5 +++++
 xen/include/xen/init.h | 2 ++
 3 files changed, 45 insertions(+)

diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index 5ae4c80d5119..65fc8534b97f 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c 
@@ -173,6 +173,9 @@ text_poke(void *addr, const void *opcode, size_t len) return memcpy(addr, opcode, len); } =20 +extern unsigned long __initdata_cf_clobber_start[]; +extern unsigned long __initdata_cf_clobber_end[]; + /* * Replace instructions with better alternatives for this CPU type. * This runs before SMP is initialized to avoid SMP problems with @@ -329,6 +332,41 @@ static void init_or_livepatch _apply_alternatives(stru= ct alt_instr *start, add_nops(buf + a->repl_len, total_len - a->repl_len); text_poke(orig, buf, total_len); } + + /* + * Clobber endbr64 instructions now that altcall has finished optimised + * all indirect branches to direct ones. + */ + if ( force && cpu_has_xen_ibt ) + { + unsigned long *val; + unsigned int clobbered =3D 0; + + /* + * This is some minor structure (ab)use. We walk the entire conte= nts + * of .init.data.cf_clobber as if it were an array of pointers. + * + * If the pointer points into .text, and has an endbr64 instructio= n, + * nop out the endbr64. This causes the pointer to no longer be a + * legal indirect branch target under CET-IBT. This is a + * defence-in-depth measure, to reduce the options available to an + * adversary who has managed to hijack a function pointer. + */ + for ( val =3D __initdata_cf_clobber_start; + val < __initdata_cf_clobber_end; + val++ ) + { + void *ptr =3D (void *)*val; + + if ( !is_kernel_text(ptr) || !is_endbr64(ptr) ) + continue; + + add_nops(ptr, 4); + clobbered++; + } + + printk("altcall: Optimised away %u endbr64 instructions\n", clobbe= red); + } } =20 void init_or_livepatch apply_alternatives(struct alt_instr *start, diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S index 87e344d4dd97..5b16a98e4df1 100644 --- a/xen/arch/x86/xen.lds.S +++ b/xen/arch/x86/xen.lds.S 
@@ -214,6 +214,11 @@ SECTIONS *(.initcall1.init) __initcall_end =3D .; =20 + . =3D ALIGN(POINTER_ALIGN); + __initdata_cf_clobber_start =3D .; + *(.init.data.cf_clobber) + __initdata_cf_clobber_end =3D .; + *(.init.data) *(.init.data.rel) *(.init.data.rel.*) diff --git a/xen/include/xen/init.h b/xen/include/xen/init.h index bfe789e93f6b..66b324892a52 100644 --- a/xen/include/xen/init.h +++ b/xen/include/xen/init.h 
@@ -18,6 +18,8 @@ #define __init_call(lvl) __used_section(".initcall" lvl ".init") #define __exit_call __used_section(".exitcall.exit") =20 +#define __initdata_cf_clobber __section(".init.data.cf_clobber") + /* These macros are used to mark some functions or=20 * initialized data (doesn't apply to uninitialized data) * as `initialization' functions. The kernel can take this --=20 2.11.0
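
Review bot: The clobber loop in the @@ -329 hunk of alternative.c depends on an invariant that is neither stated nor checked: a function whose address sits in .init.data.cf_clobber must never be reached by any remaining indirect call, otherwise the nopped entry point faults under CET-IBT long after boot, far from the cause. Please say so in the comment, next to the "structure (ab)use" remark. Smaller points in the same hunk: the loop writes with `add_nops(ptr, 4)` directly where the patching loop just above goes through `text_poke()`, the 4 is a bare literal for the endbr64 length, and the comment says "finished optimised" where "finished optimising" is meant.
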
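
Review bot: `__initdata_cf_clobber` in the init.h hunk is added without a comment, yet it carries a contract the neighbouring section macros do not: an object tagged with it is walked as an array of unsigned long, and anything in it that points at an endbr64 in .text has that instruction removed. A short comment at the definition saying it is only for tables made up of function pointers that are called exclusively through altcall would keep it from being applied to the wrong structure.
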
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Daniel De Graaf, Daniel Smith, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 3/4] xen/xsm: Use __init_data_cf_clobber for xsm_ops
Date: Fri, 26 Nov 2021 21:22:57 +0000
Message-ID: <20211126212258.7550-4-andrew.cooper3@citrix.com>
In-Reply-To: <20211126212258.7550-1-andrew.cooper3@citrix.com>
Content-Transfer-Encoding: quoted-printable

All calls through xsm_ops are fully altcall'd. Harden all fnptr targets.

This yields:

  (XEN) altcall: Optimised away 197 endbr64 instructions

of 1655 on an everything-enabled build of Xen, which is ~12%.

Signed-off-by: Andrew Cooper
Reviewed-by: Daniel P. Smith
Reviewed-by: Jan Beulich
---
CC: Daniel De Graaf
CC: Daniel Smith
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
 xen/xsm/dummy.c | 2 +-
 xen/xsm/flask/hooks.c | 2 +-
 xen/xsm/silo.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 4d29a9aa5b9f..4f1d352d5507 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c 
@@ -13,7 +13,7 @@ #define XSM_NO_WRAPPERS #include =20 -static const struct xsm_ops __initconstrel dummy_ops =3D { +static struct xsm_ops __initdata_cf_clobber dummy_ops =3D { .security_domaininfo =3D xsm_security_domaininfo, .domain_create =3D xsm_domain_create, .getdomaininfo =3D xsm_getdomaininfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 63484e323c09..b1c917113ec3 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1765,7 +1765,7 @@ static int cf_check flask_argo_send( =20 #endif =20 -static const struct xsm_ops __initconstrel flask_ops =3D { +static struct xsm_ops __initdata_cf_clobber flask_ops =3D { .security_domaininfo =3D flask_security_domaininfo, .domain_create =3D flask_domain_create, .getdomaininfo =3D flask_getdomaininfo, diff --git a/xen/xsm/silo.c b/xen/xsm/silo.c index 4d5fc98e7e54..7a17595888bb 100644 --- a/xen/xsm/silo.c +++ b/xen/xsm/silo.c 
@@ -102,7 +102,7 @@ static int cf_check silo_argo_send( =20 #endif =20 -static const struct xsm_ops __initconstrel silo_xsm_ops =3D { +static struct xsm_ops __initdata_cf_clobber silo_xsm_ops =3D { .evtchn_unbound =3D silo_evtchn_unbound, .evtchn_interdomain =3D silo_evtchn_interdomain, .grant_mapref =3D silo_grant_mapref, --=20 2.11.0
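
Review bot: All three hunks (dummy_ops, flask_ops, silo_xsm_ops) drop `const` when moving the table from `__initconstrel` to `__initdata_cf_clobber`, so the XSM hook tables become writable for as long as init data is mapped. The clobber loop in patch 2 only reads the section, so a read-only counterpart section walked by the same loop would let these tables stay `const`. The subject line also spells the annotation `__init_data_cf_clobber`, while the code uses `__initdata_cf_clobber`.
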
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 4/4] x86/ucode: Use altcall, and __initdata_cf_clobber
Date: Fri, 26 Nov 2021 21:22:58 +0000
Message-ID: <20211126212258.7550-5-andrew.cooper3@citrix.com>
In-Reply-To: <20211126212258.7550-1-andrew.cooper3@citrix.com>
References: <20211126212258.7550-1-andrew.cooper3@citrix.com>

Microcode loading is not a fastpath, but there are control flow security
benefits from using altcall()'s hardening side effect.

Convert the existing microcode_ops pointer into a __read_mostly structure, and
move {amd,intel}_ucode_ops into __initdata_cf_clobber.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
 xen/arch/x86/cpu/microcode/amd.c | 2 +-
 xen/arch/x86/cpu/microcode/core.c | 38 +++++++++++++++++++-----------------
 xen/arch/x86/cpu/microcode/intel.c | 2 +-
 xen/arch/x86/cpu/microcode/private.h | 2 +-
 4 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/= amd.c index 0afa2192bf1d..27c8644ab8ba 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -422,7 +422,7 @@ static struct microcode_patch *cf_check cpu_request_mic= rocode( return patch; } =20 -const struct microcode_ops amd_ucode_ops =3D { +struct microcode_ops __initdata_cf_clobber amd_ucode_ops =3D { .cpu_request_microcode =3D cpu_request_microcode, .collect_cpu_info =3D collect_cpu_info, .apply_microcode =3D apply_microcode, diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode= /core.c index f84dafa82693..755f2dc9a1e5 100644 --- a/xen/arch/x86/cpu/microcode/core.c +++ b/xen/arch/x86/cpu/microcode/core.c @@ -21,6 +21,7 @@ * 2 of the License, or (at your option) any later version. */ =20 +#include #include #include #include @@ -214,7 +215,7 @@ void __init microcode_grab_module( microcode_scan_module(module_map, mbi); } =20 -static const struct microcode_ops __read_mostly *microcode_ops; +static struct microcode_ops __read_mostly ucode_ops; =20 static DEFINE_SPINLOCK(microcode_mutex); =20 @@ -241,9 +242,9 @@ static const struct microcode_patch *nmi_patch =3D ZERO= _BLOCK_PTR; */ static struct microcode_patch *parse_blob(const char *buf, size_t len) { - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); =20 - return microcode_ops->cpu_request_microcode(buf, len); + return alternative_call(ucode_ops.cpu_request_microcode, buf, len); } =20 static void microcode_free_patch(struct microcode_patch *patch) @@ -258,8 +259,8 @@ static bool microcode_update_cache(struct microcode_pat= ch *patch) =20 if ( !microcode_cache ) microcode_cache =3D patch; - else if ( microcode_ops->compare_patch(patch, - microcode_cache) =3D=3D NEW_UCO= DE ) + else if ( alternative_call(ucode_ops.compare_patch, + patch, microcode_cache) =3D=3D NEW_UCODE ) { microcode_free_patch(microcode_cache); microcode_cache =3D patch; 
@@ -311,14 +312,14 @@ static int microcode_update_cpu(const struct microcod= e_patch *patch) { int err; =20 - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); =20 spin_lock(µcode_mutex); if ( patch ) - err =3D microcode_ops->apply_microcode(patch); + err =3D alternative_call(ucode_ops.apply_microcode, patch); else if ( microcode_cache ) { - err =3D microcode_ops->apply_microcode(microcode_cache); + err =3D alternative_call(ucode_ops.apply_microcode, microcode_cach= e); if ( err =3D=3D -EIO ) { microcode_free_patch(microcode_cache); @@ -368,7 +369,7 @@ static int primary_thread_work(const struct microcode_p= atch *patch) if ( !wait_for_state(LOADING_ENTER) ) return -EBUSY; =20 - ret =3D microcode_ops->apply_microcode(patch); + ret =3D alternative_call(ucode_ops.apply_microcode, patch); if ( !ret ) atomic_inc(&cpu_updated); atomic_inc(&cpu_out); @@ -481,7 +482,7 @@ static int control_thread_fn(const struct microcode_pat= ch *patch) } =20 /* Control thread loads ucode first while others are in NMI handler. */ - ret =3D microcode_ops->apply_microcode(patch); + ret =3D alternative_call(ucode_ops.apply_microcode, patch); if ( !ret ) atomic_inc(&cpu_updated); atomic_inc(&cpu_out); @@ -610,7 +611,8 @@ static long cf_check microcode_update_helper(void *data) */ spin_lock(µcode_mutex); if ( microcode_cache && - microcode_ops->compare_patch(patch, microcode_cache) !=3D NEW_UCO= DE ) + alternative_call(ucode_ops.compare_patch, + patch, microcode_cache) !=3D NEW_UCODE ) { spin_unlock(µcode_mutex); printk(XENLOG_WARNING "microcode: couldn't find any newer revision= " @@ -678,7 +680,7 @@ int microcode_update(XEN_GUEST_HANDLE(const_void) buf, = unsigned long len) if ( len !=3D (uint32_t)len ) return -E2BIG; =20 - if ( microcode_ops =3D=3D NULL ) + if ( !ucode_ops.apply_microcode ) return -EINVAL; =20 buffer =3D xmalloc_flex_struct(struct ucode_buf, buffer, len); 
@@ -722,10 +724,10 @@ __initcall(microcode_init); /* Load a cached update to current cpu */ int microcode_update_one(void) { - if ( !microcode_ops ) + if ( !ucode_ops.apply_microcode ) return -EOPNOTSUPP; =20 - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); =20 return microcode_update_cpu(NULL); } @@ -780,22 +782,22 @@ int __init early_microcode_init(void) { case X86_VENDOR_AMD: if ( c->x86 >=3D 0x10 ) - microcode_ops =3D &amd_ucode_ops; + ucode_ops =3D amd_ucode_ops; break; =20 case X86_VENDOR_INTEL: if ( c->x86 >=3D 6 ) - microcode_ops =3D &intel_ucode_ops; + ucode_ops =3D intel_ucode_ops; break; } =20 - if ( !microcode_ops ) + if ( !ucode_ops.apply_microcode ) { printk(XENLOG_WARNING "Microcode loading not available\n"); return -ENODEV; } =20 - microcode_ops->collect_cpu_info(); + alternative_vcall(ucode_ops.collect_cpu_info); =20 if ( ucode_mod.mod_end || ucode_blob.size ) rc =3D early_microcode_update_cpu(); diff --git a/xen/arch/x86/cpu/microcode/intel.c b/xen/arch/x86/cpu/microcod= e/intel.c index d3864b5ab03e..89e91f7fd06b 100644 --- a/xen/arch/x86/cpu/microcode/intel.c +++ b/xen/arch/x86/cpu/microcode/intel.c @@ -376,7 +376,7 @@ static struct microcode_patch *cf_check cpu_request_mic= rocode( return patch; } =20 -const struct microcode_ops intel_ucode_ops =3D { +struct microcode_ops __initdata_cf_clobber intel_ucode_ops =3D { .cpu_request_microcode =3D cpu_request_microcode, .collect_cpu_info =3D collect_cpu_info, .apply_microcode =3D apply_microcode, diff --git a/xen/arch/x86/cpu/microcode/private.h b/xen/arch/x86/cpu/microc= ode/private.h index c085a1026847..4ee92a8fbaad 100644 --- a/xen/arch/x86/cpu/microcode/private.h +++ b/xen/arch/x86/cpu/microcode/private.h 
@@ -53,6 +53,6 @@ struct microcode_ops { const struct microcode_patch *new, const struct microcode_patch *o= ld); }; =20 -extern const struct microcode_ops amd_ucode_ops, intel_ucode_ops; +extern struct microcode_ops amd_ucode_ops, intel_ucode_ops; =20 #endif /* ASM_X86_MICROCODE_PRIVATE_H */ --=20 2.11.0
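
Review bot: In the core.c hunk at -214, `static struct microcode_ops __read_mostly ucode_ops;` replaces a pointer to const vendor tables with a writable copy of the function pointers, and nothing at the declaration says why that is acceptable. A short comment there would help: the hooks are copied once in early_microcode_init(), the call sites in this file go through alternative_call()/alternative_vcall(), and the only plain reads of the structure left in this patch are the `!ucode_ops.apply_microcode` checks.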
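
Review bot: The guards in microcode_update(), microcode_update_one() and early_microcode_init() now test `!ucode_ops.apply_microcode` as a stand-in for "no ops installed", while collect_cpu_info, cpu_request_microcode and compare_patch are called with no check of their own. That holds only while every vendor table fills in all hooks; consider a small helper or a comment next to ucode_ops stating that invariant, so a later table with an optional hook cannot pass the guard and then reach a NULL hook.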
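
Review bot: The private.h declaration `extern struct microcode_ops amd_ucode_ops, intel_ucode_ops;` gives no hint that both objects are now placed in __initdata_cf_clobber, so a later caller could keep a pointer to them or read them after init. Suggest a comment on the declaration saying they are init-only and may only be copied from __init code, as early_microcode_init() does with `ucode_ops = amd_ucode_ops;`.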