Xen project Mailing List

Re: [PATCH 59.5/65] x86: Introduce helpers/checks for endbr64 instructions

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 3 Dec 2021 14:59:24 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PDg05RpEF1bPYLL6/rK0bqFh/BJbTp9zWAak54uQXhU=; b=Ml69u60zydKZlquVKrcRMtWoe83wOMl9K2e3BVisyC8fvl8kwyQNc+NvWhrdS8eqZZQ1KfJxltipx+cDmjUrOZRUMBtFwh22Vk613fKCMd71py3oOKsS5HSsSoK4qmuHgfHF9PtffQhrHTLUYEcWJD4Xb8aWqT3knKKBZIs3X88qMWmSJFVd65N4EdaBBfZLAzeszNNKCNNCZXqUcfRcdBB2i1igBmwcbmZU40aM4TrGUyATXOzR/f5HiPujZFM+CxsHKSsBZ28N5q4owL0+w0eWu//jaNK9Q+VSiiPPOKWOM1tzwiTGTlN906AgmlIV4wipNA7rDoaoOBgX6w+yhg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DWlsuNde5RZB9XYD3UDqCYl/PwM/yZGN6FFJsPYQPfSL7in9gbl79cLKQo+Uj1qyyoVRbagv8U4tch0ecLIu4Bw7DxbZZFirrhZP2NK5TLosQ4Km3SHcaVR2JLvhr2trFP1SvDDozQOw6YVpM/5vJ6JOvApy+bFi+2olhAsGdUu5Sw63FfqPNACZ8g5+yYvO0KNCtJ5kyeFUI2+uHSXKIRZN665u5du0rNTDjYkUeHQtV+C46EM85rgJr5ED4u5io0rTqH7A/QKWyDqirnQrpQQB6tzh34nOMOmxedPq0NFXqg2aNgzyRuSJlHG+llwYlafS1P6QrcOLs2a/Q94sUg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 03 Dec 2021 13:59:42 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.11.2021 17:33, Andrew Cooper wrote: > ... to prevent the optimiser creating unsafe code. See the code comment for > full details. > > Also add a build time check for endbr64 embedded in imm32 operands, which > catches the obvious cases where the optimiser has done an unsafe thing. But this is hardly enough to be safe. I'd even go as far as saying we can do without it if we don't check more thoroughly. > --- a/xen/arch/x86/Makefile > +++ b/xen/arch/x86/Makefile > @@ -190,6 +190,10 @@ $(TARGET)-syms: prelink.o xen.lds > $(MAKE) -f $(BASEDIR)/Rules.mk efi-y= $(@D)/.$(@F).1.o > $(LD) $(XEN_LDFLAGS) -T xen.lds -N prelink.o $(build_id_linker) \ > $(@D)/.$(@F).1.o -o $@ > +ifeq ($(CONFIG_XEN_IBT),y) > + $(OBJDUMP) -d $@ | grep 0xfa1e0ff3 >/dev/null && \ > + { echo "Found embedded endbr64 instructions" >&2; false; } || : I guess I'm confused: The "false;" suggests to me you want to make the build fail in such a case. The "|| :" otoh suggests you want to silence errors (and not just the one from grep when not finding the pattern aiui). Also isn't passing -q to grep standard enough (and shorter) to use in place of redirecting its output to /dev/null? > --- /dev/null > +++ b/xen/include/asm-x86/endbr.h > @@ -0,0 +1,55 @@ > +/****************************************************************************** > + * include/asm-x86/endbr.h > + * > + * This program is free software; you can redistribute it and/or modify > + * it under the terms of the GNU General Public License as published by > + * the Free Software Foundation; either version 2 of the License, or > + * (at your option) any later version. > + * > + * This program is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > + * GNU General Public License for more details. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; If not, see <http://www.gnu.org/licenses/>. > + * > + * Copyright (c) 2021 Citrix Systems Ltd. > + */ > +#ifndef XEN_ASM_ENDBR_H > +#define XEN_ASM_ENDBR_H > + > +#include <xen/compiler.h> > + > +/* > + * In some cases we need to inspect/insert endbr64 instructions. > + * > + * The naive way, mem{cmp,cpy}(ptr, "\xf3\x0f\x1e\xfa", 4), optimises > unsafely > + * by placing 0xfa1e0ff3 in an imm32 operand, which marks a legal indirect > + * branch target as far as the CPU is concerned. > + * > + * gen_endbr64() is written deliberately to avoid the problematic operand, > and > + * marked __const__ as it is safe for the optimiser to hoist/merge/etc. > + */ > +static inline uint32_t __attribute_const__ gen_endbr64(void) > +{ > + uint32_t res; > + > + asm ( "mov $~0xfa1e0ff3, %[res]\n\t" > + "not %[res]\n\t" > + : [res] "=r" (res) ); Strictly speaking "=&r". Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.