[PATCH] x86/spec-ctrl: Disable retpolines with CET-IBT
- To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Mon, 28 Feb 2022 22:51:17 +0000
- Authentication-results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
- Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
- Delivery-date: Mon, 28 Feb 2022 22:52:05 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
CET-IBT depends on executing indirect branches for protections to apply.
Extend the clobber for CET-SS to all of CET.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
CC: Wei Liu <wl@xxxxxxx>
I can't decide if this wants a fixes tag or not. If I'd remembered during the
CET series, it would have been its own patch. Functionally, it depends on c/s
cdbe2b0a1aec which sets CR4.CET fairly early during boot.
---
xen/arch/x86/spec_ctrl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 2d4cf5c7ef80..12bf1c5722f9 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -944,10 +944,11 @@ void __init init_speculation_mitigations(void)
boot_cpu_has(X86_FEATURE_IBRS));
/*
- * First, disable the use of retpolines if Xen is using shadow stacks, as
- * they are incompatible.
+ * First, disable the use of retpolines if Xen is using CET. Retpolines
+ * are a ROP gadget so incompatbile with Shadow Stacks, while IBT depends
+ * on executing indirect branches for the safety properties to apply.
*/
- if ( cpu_has_xen_shstk &&
+ if ( (read_cr4() & X86_CR4_CET) &&
(opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE) )
thunk = THUNK_JMP;
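Review bot: The new condition `(read_cr4() & X86_CR4_CET)` is only correct if CR4.CET has already been set by the time init_speculation_mitigations() runs, and nothing in the code or its comment says so. The notes below the commit message mention the dependency on c/s cdbe2b0a1aec, but text after the `---` separator is not recorded in the tree. Consider adding a sentence to the comment stating that CR4.CET is expected to be set earlier in boot, so that a later reordering of the boot path does not silently leave retpolines enabled while CET is in use. Separately, "incompatbile" in the new comment should be "incompatible".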
--
2.11.0