[xen master] x86/EFI: Disable CET-IBT around Runtime Services calls
commit d37a8a067e62e3b6709d224c22f740fdda9d0078
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Nov 1 21:54:26 2021 +0000
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Wed Feb 23 15:33:43 2022 +0000
x86/EFI: Disable CET-IBT around Runtime Services calls
UEFI Runtime services, at the time of writing, aren't CET-IBT compatible.
Work is ongoing to address this. In the meantime, unconditionally disable
IBT.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
xen/common/efi/runtime.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c
index e3ce85d118..13b0975866 100644
--- a/xen/common/efi/runtime.c
+++ b/xen/common/efi/runtime.c
@@ -21,6 +21,7 @@ struct efi_rs_state {
* don't strictly need that.
*/
unsigned long __aligned(32) cr3;
+ unsigned long msr_s_cet;
#endif
};
@@ -113,6 +114,19 @@ struct efi_rs_state efi_rs_enter(void)
switch_cr3_cr4(mfn_to_maddr(efi_l4_mfn), read_cr4());
+ /*
+ * At the time of writing (2022), no UEFI firwmare is CET-IBT compatible.
+ * Work is under way to remedy this.
+ *
+ * Stash MSR_S_CET and clobber ENDBR_EN. This is necessary because
+ * SHSTK_EN isn't configured until very late on the BSP.
+ */
+ if ( cpu_has_xen_ibt )
+ {
+ rdmsrl(MSR_S_CET, state.msr_s_cet);
+ wrmsrl(MSR_S_CET, state.msr_s_cet & ~CET_ENDBR_EN);
+ }
+
return state;
}
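Review bot: Between `wrmsrl(MSR_S_CET, state.msr_s_cet & ~CET_ENDBR_EN);` here and the restore in efi_rs_leave(), indirect-branch tracking is off for all supervisor-mode code on this CPU, not only the firmware. If interrupts, NMIs or machine checks can be taken during a runtime service call (not visible in this hunk), Xen's own handlers would run without IBT enforcement for that window. The comment should record this as a deliberate trade-off, for example by adding `* IBT stays disabled for all supervisor code on this CPU until efi_rs_leave().`. The same comment misspells "firmware" as "firwmare". The start of efi_rs_enter() lies outside the hunk.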
@@ -122,6 +136,10 @@ void efi_rs_leave(struct efi_rs_state *state)
if ( !state->cr3 )
return;
+
+ if ( state->msr_s_cet )
+ wrmsrl(MSR_S_CET, state->msr_s_cet);
+
switch_cr3_cr4(state->cr3, read_cr4());
if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) )
{
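Review bot: The restore is keyed on `state->msr_s_cet` being non-zero rather than on `cpu_has_xen_ibt`, so zero doubles as a "nothing was stashed" sentinel. That only holds if efi_rs_enter() zero-initialises `state` on the path where the IBT block is skipped. The initialiser is outside the visible hunks, so this should be confirmed; an uninitialised field would cause an arbitrary value to be written to MSR_S_CET. A short comment would make the contract explicit: `/* Non-zero only if efi_rs_enter() stashed MSR_S_CET. */`. efi_rs_leave() continues past the end of the hunk.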
--
generated by git-patchbot for /home/xen/git/xen.git#master