List-Id: Xen developer discussion
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata
Date: Fri, 24 Mar 2023 22:08:24 +0000
Message-ID: <20230324220824.3279825-1-andrew.cooper3@citrix.com>

While we've been diligent to ensure that the main text/data/rodata mappings
have suitable restrictions, their aliases via the directmap were left fully
read/write.  Worse, we even had pieces of code making use of this as a
feature.

Restrict the permissions for .text/rodata, as we have no legitimate need for
writeability of these areas via the directmap alias.

Note that the compile-time allocated pagetables do get written through their
directmap alias, so need to remain writeable.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu

v2:
 * Update comments and commit message for clarity, and over changes.

Notes:
 * The stubs still have RX via one alias, RW via another, and these need to
   stay.  We should harden this using PKS (available on SPR and later) to
   block incidental writes.
 * Backing memory for livepatch text/rodata needs similar treatment.
 * For backporting, this patch depends on c/s e7f147bf4ac7 ("x86/crash: Drop
   manual hooking of exception_table[]") and c/s e7db635f4428 ("x86/pv-shim:
   Don't modify the hypercall table").  No compile error will occur from
   getting these dependencies wrong.
---
 xen/arch/x86/setup.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 2b44a3ae26dd..b29229933d8c 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -1667,6 +1667,16 @@ void __init noreturn __start_xen(unsigned long mbi_p) destroy_xen_mappings((unsigned long)&__2M_rwdata_end, ROUNDUP((unsigned long)&__2M_rwdata_end, MB(2= ))); =20 + /* + * Mark all of .text and .rodata as RO in the directmap - we don't want + * these sections writeable via any alias. The compile-time allocated + * pagetables are written via their directmap alias, so data/bss needs= to + * remain writeable. + */ + modify_xen_mappings((unsigned long)__va(__pa(_start)), + (unsigned long)__va(__pa(__2M_rodata_end)), + PAGE_HYPERVISOR_RO); + nr_pages =3D 0; for ( i =3D 0; i < e820.nr_map; i++ ) if ( e820.map[i].type =3D=3D E820_RAM ) --=20 2.30.2
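Review bot: the new comment in the hunk explains why the RO range ends at __2M_rodata_end (the compile-time pagetables in data/bss are written through the directmap and must stay writeable) but not why it starts at `__va(__pa(_start))`; the call silently assumes that everything from _start up to __2M_rodata_end is .text or .rodata, so a short remark that the image layout guarantees this would make the assumption checkable by whoever next rearranges the linker script. The cover text also warns that a backport lacking c/s e7f147bf4ac7 or e7db635f4428 compiles cleanly and only fails on the first write through the now read-only alias; naming exception_table[] and the hypercall table in the comment beside the `modify_xen_mappings()` call would hand that person a pointer when the fault appears.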
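As an added example, not part of Andrew Cooper's patch or of Xen's own code, the C model below shows the class of defect the hunk closes: a physical frame that is read-only or executable through its primary mapping but writable through a second virtual alias. The `struct mapping` table, the addresses, `count_writable_aliases()` and `restrict_range()` are all hypothetical constructions; `restrict_range()` stands in for the `modify_xen_mappings()` call in the hunk and only retags table entries that lie fully inside the requested range, rather than splitting superpages as the real function does.

```c
/*
 * Toy audit for writable aliases of read-only / executable frames.
 * Everything here is constructed for illustration: the address layout,
 * the permission bits and the two functions are not Xen's.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u

struct mapping {
    uintptr_t va;     /* virtual start of the mapping */
    uintptr_t pa;     /* physical start of the frames it maps */
    size_t    len;    /* length in bytes, a multiple of PAGE_SIZE */
    unsigned  perms;  /* PERM_* bits */
};

/* True when physical address pa falls inside mapping m. */
static bool maps_frame(const struct mapping *m, uintptr_t pa)
{
    return pa >= m->pa && pa < m->pa + m->len;
}

/*
 * Count (restricted mapping, frame) pairs where the frame lacks W in
 * that mapping yet is writable through some other mapping.  A non-zero
 * result means a W^X or read-only guarantee is void via an alias.
 */
size_t count_writable_aliases(const struct mapping *maps, size_t n)
{
    size_t bad = 0;

    for (size_t i = 0; i < n; i++) {
        if (maps[i].perms & PERM_W)
            continue;               /* only restricted mappings seed the scan */

        for (uintptr_t pa = maps[i].pa; pa < maps[i].pa + maps[i].len;
             pa += PAGE_SIZE) {
            for (size_t j = 0; j < n; j++) {
                if (j != i && (maps[j].perms & PERM_W) &&
                    maps_frame(&maps[j], pa)) {
                    bad++;
                    break;          /* count each frame once per mapping */
                }
            }
        }
    }
    return bad;
}

/*
 * Stand-in for modify_xen_mappings(): retag every table entry lying
 * fully inside [va, va + len) with perms.  Entries that only partially
 * overlap are left alone (the real function would split them).
 * Returns the number of entries changed.
 */
size_t restrict_range(struct mapping *maps, size_t n,
                      uintptr_t va, size_t len, unsigned perms)
{
    size_t changed = 0;

    for (size_t i = 0; i < n; i++) {
        if (maps[i].va >= va && maps[i].va + maps[i].len <= va + len) {
            maps[i].perms = perms;
            changed++;
        }
    }
    return changed;
}

/* Hypothetical addresses; chosen for the example, not Xen's real layout. */
#define LINK_BASE      0xffff82d040200000UL
#define DIRECTMAP_BASE 0xffff830000000000UL
#define IMAGE_PA       0x0000000000200000UL

/* Build the constructed pre-patch layout into maps[]; returns entry count. */
size_t build_layout(struct mapping *maps)
{
    size_t text = 8 * PAGE_SIZE, rodata = 4 * PAGE_SIZE, data = 4 * PAGE_SIZE;

    /* Primary (link-address) mappings, already correctly restricted. */
    maps[0] = (struct mapping){ LINK_BASE, IMAGE_PA, text, PERM_R | PERM_X };
    maps[1] = (struct mapping){ LINK_BASE + text, IMAGE_PA + text, rodata, PERM_R };
    maps[2] = (struct mapping){ LINK_BASE + text + rodata, IMAGE_PA + text + rodata,
                                data, PERM_R | PERM_W };
    /* Directmap aliases of the same frames: both RW before the fix. */
    maps[3] = (struct mapping){ DIRECTMAP_BASE + IMAGE_PA, IMAGE_PA,
                                text + rodata, PERM_R | PERM_W };
    maps[4] = (struct mapping){ DIRECTMAP_BASE + IMAGE_PA + text + rodata,
                                IMAGE_PA + text + rodata, data, PERM_R | PERM_W };
    return 5;
}

int main(void)
{
    struct mapping maps[8];
    size_t n = build_layout(maps);

    printf("writable aliases before: %zu\n", count_writable_aliases(maps, n));
    /* Mirror the hunk: make the .text/.rodata alias read-only, leave data. */
    restrict_range(maps, n, DIRECTMAP_BASE + IMAGE_PA, 12 * PAGE_SIZE, PERM_R);
    printf("writable aliases after:  %zu\n", count_writable_aliases(maps, n));
    return 0;
}
```

Before the retag the audit reports twelve frames (eight of .text, four of .rodata) reachable read/write through the directmap; after it reports none, while the data/bss alias keeps its W bit, which is exactly the split the hunk's comment describes.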