[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/altcall: silence undue warning

  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 1 Mar 2022 14:34:11 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N4ApPAC8cZm8fRq41lmYjfGFw5DqEZ5qWgmha3HlxGo=; b=AF0IcW32fTSwzbd0Fj4Ap1i6CyEA7zgmtsdFotDIiiRNLMLMNmP8hkIpBW2IoS3myboOFIJGsULQcRkDVdOg10x2mrqK9lMeC4QeaV0yFHC5RHtijXsnJos0bHUXDnquW1Gn+pIan/ceum93Zmu/khuuojxu+/EoHEoVb5bwIEzRP4Hm2n1y1jBBVvhVJLs2Qmzc3PveHciBRdYiJ2EZA8tuDNKG78Z+N8xU1Fg3iaSyA/FBTHURdBCqB/7Q9mrt9V6nY0oaDmqrRcKT80BTHuLk8xjZLsCyxMJYhwdZlY6AazcuqS4IUPsbyZKrWt4qsNXLR8CKH7m73Lv4TGf1/w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aePV97E8tc2RxVczVqwKFVsApN1okvUpt5ID1HyAP3fZnav5d2mtpeQra7Xiu6E1K7gWERYZd5BHItcoM+B3dZXR7YCyO5HSyj4XgTn+ziepCfIsZ7QRSRy4dK+3f8JPEXJ5VeYF9io27+hl+kX2+uw/7dwufeB6CMkPZtq9kxlz6d3Half20mWab7RA7ejiwXKksXMp4SHqjRcUfgHQHBQJORZ8qBGZRTCAH7j4IjRYiLtwSe8myXMRa2K0Tqz9za10SO5AUK6ZJoVXzxIsmoFnGfq4SNMIXJUBZKKiOys6wpxceBjMiOqAoALI8VXLLZqk+3diULai+9u70B+f2A==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 01 Mar 2022 13:34:20 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 01.03.2022 13:48, Andrew Cooper wrote:
> On 01/03/2022 11:36, Jan Beulich wrote:
>> Suitable compiler options are passed only when the actual feature
>> (XEN_IBT) is enabled, not when merely the compiler capability was found
>> to be available.
>>
>> Fixes: 12e3410e071e ("x86/altcall: Check and optimise altcall targets")
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> Hmm yes.  This is fallout from separating CONFIG_HAS_CC_CET_IBT and
> CONFIG_XEN_IBT.
> 
> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Thanks.

>> ---
>> Furthermore, is "Optimised away ..." really appropriate in what
>> 37ed5da851b8 ("x86/altcall: Optimise away endbr64 instruction where
>> possible") added? If this really was an optimization (rather than
>> hardening), shouldn't we purge ENDBR also when !cpu_has_xen_ibt, and
>> then ideally all of them? Whereas if this is mainly about hardening,
>> wouldn't the message better say "Purged" or "Clobbered"?
> 
> I did have an RFC about this.  Turning ENDBR into NOP4 matters, on a
> CET-IBT-active system, to restrict the available options an attacker has
> when they have already managed to hijack a function pointer (i.e.
> already got a partial write gadget).
> 
> From that point of view, it is hardening.

But then you don't say whether there's any optimization aspect here.
My question was really about the wording of that log message.

> The first version of this logic was trying to use UD1 in the same way as
> Linux does, to harden non-CET builds too, but that does depend on having
> objtool so all direct branches can have their targets updated to miss
> the UD1 instruction.

I think it would be possible (but likely cumbersome) to arrange for
this also without objtool.

> P.S. I'd still like to have "away %u of %u endbr64's".  It occurs to me
> that now we have check-endbr64.sh, we could `wc -l` the $VALID file and
> re-link this back in, but then we couldn't check the final objects.

I was thinking about this wish of yours as well; I simply didn't know how
important you view it to have this information. Not being able to check
the final objects is not an issue: If the data is available after the 2nd
linking pass, contents of .text isn't going to change anymore. All
addresses are the same for the 2nd and 3rd linking passes. Hence if the
checking was inserted between these two passes, the value of interest
could be propagated suitably.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.