On Thu, Jun 29, 2023 at 1:17 PM Alejandro Vallejo <alejandro.vallejo@cloud.com> wrote:
> v3:
> * Fixed a Gitlab CI breakage on older toolchains (patch 1)
> * Removed XD_DISABLE override logic from cpu/intel.c
> * Various style fixes to patch 2 (from Andrew's feedback)
>
> This option hardens Xen by forcing it to write secure (NX-enhanced) PTEs
> regardless of the runtime NX feature bit in boot_cpu_data. This prevents an
> attacker with partial write support from affecting Xen's PTE generation
> logic by overriding the NX feature flag. The patch asserts support for the
> NX bit in PTEs at boot time and if so short-circuits the cpu_has_nx macro
> to 1.
>
> Alejandro Vallejo (3):
> tools: Add __AC() macro to common-macros.h
> x86/boot: Clear XD_DISABLE from the early boot path
> x86: Add Kconfig option to require NX bit support
>
> tools/include/xen-tools/common-macros.h | 3 ++
> tools/libs/light/libxl_internal.h | 2 -
> tools/tests/x86_emulator/x86-emulate.h | 3 --
> xen/arch/x86/Kconfig | 16 +++++++
> xen/arch/x86/boot/head.S | 62 ++++++++++++++++++++++---
> xen/arch/x86/boot/trampoline.S | 3 +-
> xen/arch/x86/cpu/intel.c | 16 +++----
> xen/arch/x86/efi/efi-boot.h | 9 ++++
> xen/arch/x86/include/asm/cpufeature.h | 3 +-
> xen/arch/x86/include/asm/msr-index.h | 2 +-
> xen/arch/x86/include/asm/x86-vendors.h | 6 +--
> 11 files changed, 98 insertions(+), 27 deletions(-)
>
> --
> 2.34.1
>
Adding CCs here because I forgot to run the add_maintainers.pl script
before sending. Ugh...

Alejandro
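To illustrate the hardening described in the quoted cover letter, here is an added, constructed model that is not Xen's code or part of the series: a PTE generator whose NX bit depends on a cpu_has_nx predicate, compared in its runtime-only form and in the short-circuited form. The option name CONFIG_REQUIRE_NX, the feature-word layout and the PTE helpers are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed PTE bits; bit 63 is the real NX/XD position in an x86 PTE. */
#define _PAGE_PRESENT (1ULL << 0)
#define _PAGE_RW      (1ULL << 1)
#define _PAGE_NX      (1ULL << 63)

/* Stand-in for the NX bit in boot_cpu_data's feature word (layout assumed). */
#define FEATURE_NX (1u << 0)
static uint32_t boot_cpu_features;

/* Assumed build-time knob standing in for the series' Kconfig option. */
#ifndef CONFIG_REQUIRE_NX
#define CONFIG_REQUIRE_NX 1
#endif

/* Boot-time check modelled on the cover letter: with the option on, a CPU
 * that does not report NX is refused instead of silently generating weaker PTEs. */
static bool boot_nx_check(uint32_t cpuid_features) {
    return !CONFIG_REQUIRE_NX || (cpuid_features & FEATURE_NX);
}

/* Runtime-only predicate: its answer follows whatever the feature word holds. */
static bool cpu_has_nx_runtime(void) { return boot_cpu_features & FEATURE_NX; }

/* Hardened predicate: with the option on it collapses to a constant 1. */
static bool cpu_has_nx_hardened(void) {
    return CONFIG_REQUIRE_NX || cpu_has_nx_runtime();
}

/* Build a writable data-page PTE; NX is applied only if the predicate says so. */
static uint64_t make_data_pte(uint64_t mfn, bool (*cpu_has_nx)(void)) {
    uint64_t pte = (mfn << 12) | _PAGE_PRESENT | _PAGE_RW;
    if (cpu_has_nx())
        pte |= _PAGE_NX;
    return pte;
}

/* Returns true if clearing the feature word after boot (the corruption the
 * series defends against) removes NX from a freshly generated PTE. */
static bool flag_corruption_strips_nx(bool (*cpu_has_nx)(void)) {
    boot_cpu_features = FEATURE_NX;             /* what CPUID reported at boot */
    uint64_t before = make_data_pte(0x1234, cpu_has_nx);
    boot_cpu_features &= ~FEATURE_NX;           /* simulated later overwrite */
    uint64_t after = make_data_pte(0x1234, cpu_has_nx);
    return (before & _PAGE_NX) && !(after & _PAGE_NX);
}
```

With the runtime-only predicate the overwrite strips NX from new PTEs; with the hardened predicate the generated PTE keeps NX regardless of the feature word.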