Re: [PATCH] x86/build: Unilaterally disable -fcf-protection
On Wed, May 13, 2020 at 7:01 AM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>
> On 13/05/2020 03:35, Jason Andryuk wrote:
> > On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
> >> +# Xen doesn't support CET-IBT yet. At a minimum, logic is required to
> >> +# enable it for supervisor use, but the Livepatch functionality needs
> >> +# to learn not to overwrite ENDBR64 instructions.
> > Is the problem that existing functions start with ENDBR64, but the
> > livepatch overwrites with a "real" instruction?
>
> We livepatch by creating a new complete copy of the function, and
> putting `jmp new` at the head of the old one.
>
> This means we don't need to patch every callsite and track every
> function pointer to the old function, and we can fully revert by
> replacing the 5 bytes which became `jmp new`.
>
> With CET-IBT in the mix, livepatch will have to learn to spot an ENDBR64
> instruction and leave it intact, patching instead the next 5 bytes, so
> an old function pointer still lands on the ENDBR64 instruction.

Ah, okay. Thanks for the explanation.

-Jason
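
Review bot: the last comment line, "to learn not to overwrite ENDBR64 instructions", does not say why Livepatch would overwrite one, and the reply in this thread had to ask. Consider adding that Livepatch places a 5-byte `jmp new` at the head of the old function, so with CET-IBT it has to leave a leading ENDBR64 intact and patch the following 5 bytes instead.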
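
The patch placement described in the thread above, as an added C example that is not Xen's livepatch code: it leaves a leading ENDBR64 intact, writes the 5-byte `jmp new` after it, and keeps the overwritten bytes for revert. The names `patch_offset`, `apply_patch`, `revert_patch` and `struct patch_record`, and the sample bytes and addresses, are assumptions constructed for illustration; the code works on a byte buffer, not on live text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5                       /* E9 + rel32 */
static const uint8_t ENDBR64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };

struct patch_record {                   /* hypothetical bookkeeping for revert */
    size_t  offset;                     /* where the jmp was written */
    uint8_t saved[JMP_LEN];             /* bytes the jmp replaced */
};

/* 4 if the function starts with ENDBR64 (keep it as the landing pad), else 0. */
size_t patch_offset(const uint8_t *code, size_t len)
{
    if (len >= sizeof(ENDBR64) && memcmp(code, ENDBR64, sizeof(ENDBR64)) == 0)
        return sizeof(ENDBR64);
    return 0;
}

/* Write `jmp new_addr` into the old function; old_addr is the address of code[0]. */
int apply_patch(uint8_t *code, size_t len, uint64_t old_addr,
                uint64_t new_addr, struct patch_record *rec)
{
    size_t off = patch_offset(code, len);
    if (len < off + JMP_LEN)
        return -1;                      /* function too short to hold the jmp */
    /* rel32 is relative to the end of the jmp instruction */
    int64_t rel = (int64_t)(new_addr - (old_addr + off + JMP_LEN));
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;                      /* target not reachable with rel32 */
    rec->offset = off;
    memcpy(rec->saved, code + off, JMP_LEN);
    code[off] = 0xE9;
    for (int i = 0; i < 4; i++)         /* little-endian displacement */
        code[off + 1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
    return 0;
}

void revert_patch(uint8_t *code, const struct patch_record *rec)
{
    memcpy(code + rec->offset, rec->saved, JMP_LEN);
}

int main(void)
{
    /* Constructed sample: endbr64; push %rbp; mov %rsp,%rbp; push %rbx; nop; ret */
    uint8_t fn[] = { 0xF3, 0x0F, 0x1E, 0xFA, 0x55, 0x48, 0x89, 0xE5, 0x53, 0x90, 0xC3 };
    struct patch_record rec;
    if (apply_patch(fn, sizeof(fn), 0x1000, 0x2000, &rec) == 0)
        printf("jmp written at offset %zu\n", rec.offset);
    return 0;
}
```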