[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 65/65] x86: Enable CET Indirect Branch Tracking
- To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- From: Jan Beulich <jbeulich@xxxxxxxx>
- Date: Mon, 6 Dec 2021 12:24:28 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ljyOQVJzhmY3HQCtr60ZGufz8NUz80QQWkVKU7vzOFM=; b=ABV88f1hofmot+T6wvet85QG47U4OgEiwNDDBVQNmAAHJnV8mFhnXa23NOAWWn3zuUYbJ5oh9fNua/LNUxUjaG+WxnEgjYvS1S7E1nSdph9AC8QfCRJM+Y1nGfw510AKnjOXpzQuIB1+xGIc1gdAlsazx6CsMNWE7053Gas5eVkDoJdbdNA/5BaJA7eQmDmz9YnfHD7h/ReWA9qGHI62NtzWEo39qP/cyaZ92ukIAU+lsUBn8CBJBmw8w4kGu9P8/seLoOE8YMNl/wKldU4hf42ytG9z9ChipiEYf9ET300iZezuBQSSSwb/xXsj7JzO4LQ8QdC/d4QUWzsmSCgN5Q==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hp4aODkgUHW3geLbfQ/UCv/7TjrhqaGsSfAjJRarj8uOmzc0LJceBl/Ea5kjHTx0a/F/1ftyshtm+27y/lWYdjGwOGttWk6kZzJ0O4JmATtgyIuL6tE/uP2nSCrMb5ZU0gaPS01M+5UqEFIqextoqLQTiRb8Q4jK3ohqDOsDnG4fk5TdtWix5RX3vCb7+Mhi7S8Ba3RtLJRo/FIT3Ear8iz89kq4sPBudUNxXRCwRzPbE7VKmssQcfLyl2r8cpclOUZvg8klrOq22W9aHHULJoHmc38/UoCuZHyx+yRPvKfepUgpVEiPW+0a1jqOc3hDShXivGZsq0KpPkERv31bkg==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
- Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Mon, 06 Dec 2021 11:24:46 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 26.11.2021 13:34, Andrew Cooper wrote:
> With all the pieces now in place, turn CET-IBT on when available.
>
> MSR_S_CET, like SMEP/SMAP, controls Ring1 meaning that ENDBR_EN can't be
> enabled for Xen independently of PV32 kernels. As we already disable PV32 for
> CET-SS, extend this to all CET, adjusting the documentation/comments as
> appropriate.
>
> Introduce a cet=no-ibt command line option to allow the admin to disable IBT
> even when everything else is configured correctly.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
> @@ -1102,11 +1116,33 @@ void __init noreturn __start_xen(unsigned long mbi_p)
> printk("Enabling Supervisor Shadow Stacks\n");
>
> setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK);
> + }
> +
> + if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) )
> + {
> + printk("Enabling Indirect Branch Tracking\n");
> +
> + setup_force_cpu_cap(X86_FEATURE_XEN_IBT);
> +
> + if ( efi_no_cet_ibt )
> + printk(" - UEFI Runtime Services not IBT safe\n");
Here it becomes clear why you need the variable also in efi/stub.c.
Jan
|
