[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging] xen: arm: enable stack protector feature

commit 1ec1462032f7d48ef34b65a679767bdef9d7ea46
Author:     Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
AuthorDate: Mon Apr 14 13:07:38 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Apr 14 13:07:38 2025 +0200

    xen: arm: enable stack protector feature
    
    Enable previously added CONFIG_STACK_PROTECTOR feature for ARM
    platform. Initialize stack protector magic value very early, at the
    very beginning of start_xen() function.
    
    We want to do this early because prior to that
    boot_stack_chk_guard_setup() call, default stack protector guard value
    is used. While it is fine for general development and testing, it does
    not provide highest security level, because potential attacker will
    know the default value and can alter a payload, so correct stack
    guard value will be placed in the correct position.
    
    Apart from that argument, boot_stack_chk_guard_setup() should be
    called prior to enabling secondary CPUs to avoid race with them.
    
    Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
    Acked-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 xen/arch/arm/Kconfig | 1 +
 xen/arch/arm/setup.c | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 565f288331..da8a406f5a 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -15,6 +15,7 @@ config ARM
        select GENERIC_UART_INIT
        select HAS_ALTERNATIVE if HAS_VMAP
        select HAS_DEVICE_TREE
+       select HAS_STACK_PROTECTOR
        select HAS_UBSAN
 
 config ARCH_DEFCONFIG
diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index bf39d41e9b..07703a15e1 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -30,6 +30,7 @@
 #include <xen/virtual_region.h>
 #include <xen/version.h>
 #include <xen/vmap.h>
+#include <xen/stack-protector.h>
 #include <xen/trace.h>
 #include <xen/libfdt/libfdt-xen.h>
 #include <xen/acpi.h>
@@ -306,6 +307,8 @@ void asmlinkage __init start_xen(unsigned long fdt_paddr)
     struct domain *d;
     int rc, i;
 
+    boot_stack_chk_guard_setup();
+
     dcache_line_bytes = read_dcache_line_bytes();
 
     percpu_init_areas();
--
generated by git-patchbot for /home/xen/git/xen.git#staging

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.