[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CET-IBT and kexec?
- To: David Vrabel <dvrabel@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Mon, 7 Mar 2022 17:25:56 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9o2/1mxb+L0ljiQl/EdESBVgRtCw8o/iccanDF5noO0=; b=HyboXSSmivv48LS4QH0I2mw70nVmILI+FAVeXsPZJoIBKmiDv40FpZUhYoXk87F12AX7Bn/Pj3p1DFVGqD5Pd7ecDIbjqunJAXC1gfXZisrEpavY65C1PPmPuWiypLJ6aAkN54bwtO8XNT990uic4HM71hNEgV2DAKXjJLHnFtwkJqoXsOx42iwXdgNdwbItnFGnLZJ3tjaLuD5K0bXNsTXtSmj+M9Wei86LToV/bGlgWYrMUDEHzKavgKqxkJL4WneXX1xlkmxardH36y5x/iLFPWyv10FgyEr0C1V3xr6ikbJJDYzRsd+3wLotAjbDSMk8V6GnYisrM9pKedv8hg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DhSuXMqR7d+JED9Xjaig2kAegEROjKeesAjUrJ2yHz2/P0y+XmqBCKCqTd7zUSGIYKLeg1VejR145RrpCov57dxS5VZ7Tjb3qyh4o5tia/eI1kBfDJDRNKxgQtulALiuP1g2TGUIscDegzb6skwcjuZLxCPPwa0fxYHz2eRkqmcNtgfrvvoszPdVFjvB09YHAa+68TYMYPigYUlmf0amI79koDYxxoTKBsLNWuNVuVQ+bnvQP+n98Ohqq1mg2UEEsyZ14WE7mBKVyx9GMxFKAiRyO4Gh+on7r2fZYHUb8ACwum61roT9Ug1IvV65TQ6Ozrnnorm/nJGS7cjzJuNarg==
- Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Delivery-date: Mon, 07 Mar 2022 17:26:18 +0000
- Ironport-data: A9a23:v/lpBKmfsji3ELwXkQOICt/o5gyFJkRdPkR7XQ2eYbSJt1+Wr1Gzt xIeX2mDbPreM2P3Kt90PYS/oEkDvZTXnNM2Sws5qH03HiMWpZLJC+rCIxarNUt+DCFioGGLT Sk6QoOdRCzhZiaE/n9BCpC48T8kk/vgqoPUUIYoAAgoLeNfYHpn2EoLd9IR2NYy24DiW1zV4 7senuWEULOb828sWo4rw/rrRCNH5JwebxtB4zTSzdgS1LPvvyF94KA3fMldHFOhKmVgJcaoR v6r8V2M1jixEyHBqD+Suu2TnkUiGtY+NOUV45Zcc/DKbhNq/kTe3kunXRa1hIg+ZzihxrhMJ NtxWZOYRAYjMor9s9whVgBkSSQnLbFN9e7+Li3q2SCT5xWun3rExvxvCAc9PJEC+/YxCmZLn RAaAGlTNFbZ3bvwme/lDLk37iggBJCD0Ic3k3ds1zzGS90hRojOWf7i7t5ExjYgwMtJGJ4yY uJHNGM2NUuaMnWjPH81MJ9lm6DxvUDDLRFnlny1j7UwskLqmVkZPL/Fb4OOJ43iqd9utlaVo CfK8nr0BjkeNceD0nyV/3S0nOjNkCjnHoUIG9WQ+uBwiVeewkQYARsKXFH9p/Sl4nNSQPoGd RZSoHB36/Fvqgr7FbERQiFUvlaJvxQQfOt7K9E/8T3Xz/PE/w2UV1ELG2sphMMdiOc6Qjkj1 1msltzvBCByvLD9dU9x5ot4vhvpZ3FLcDZqiTssCFJcvoK9+N1bYgfnE447eJNZmOEZDt0ZL 9qiiCElz4segscQv0lQ1QCW2mn8znQlo+Nc2+k2Yo5Hxl4jDGJGT9bxgbQ+0RqnBNzFJmRtR FBex6CjABkmVPlhbhClTuQXB62O7P2YKjDailMHN8B/q2rwqiD7ItsAsG0WyKJV3iEsI2OBX aMukVkJuM870IWCN8ebnL5d++x1lPO9RLwJp9jfb8ZUY4gZSeN01HoGWKJk5Ei0yBJEufhmY f+zKJ/wZV5HWfUP5GfnHI81jO50rh3SMEuOHPgXOTz8iuHADJNUIJ9YWGazghcRt/vV8F2Iq I8Eb6NnCXx3CYXDX8UeyqZKRXgiJnknH5Hm7ctRc++IOA19H289TfTWxNscl0ZNxsy5Ss+gE qmBZ3Jl
- Ironport-hdrordr: A9a23:Hn1NPKDehpcvHXblHegCsceALOsnbusQ8zAXPh9KJiC9I/b1qy nxppkmPEfP+UsssHFJo6HkBEEZKUmsuqKdkrNhQYtKOzOW9ldATbsSobcKpgePJ8SQzJ8l6U 4NSdkcNDS0NykBsS+Y2nj4Lz9D+qj+zEnAv463pB0NLT2CKZsQlDuRYjzrSXGeLzM2YabRYa DsgPav0ADQHkj/AP7LZEUtbqzmnZnmhZjmaRkJC1oM8w+Vlw6l77b8Dlyxwgoeeykn+8ZjzU H11yjCoomzufCyzRHRk0XJ6Y5NpdfnwtxfQOSRl8kuLCn2gArAXvUjZ1TChkF2nAic0idvrD D+mWZmAy210QKWQoiBm2qp5+An6kd215at8y7BvZKpm72HeNtzMbs+uWseSGqC16NohqAN7E oAtVjpxqZ/HFfOmj/w6MPPUAwvnk2ooWA6mepWlHBHV5ACAYUh5rD30XklWavoJhiKoLzP0d MeeP309bJTaxeXfnrZtm5gzJilWWkyBA6PRgwHttaO2zZbkXhlxw9ArfZv00so5dY4Ud1J9u 7EOqNnmPVHSdIXd7t0AKMETdGsAmLATBrQOCaZIEjhFqsAJ3XRwqSHqokd9aWvYtgF3ZEykJ POXBdRsnMzYVvnDYmU0JhC4nn2MROAtPTWu7ZjDrRCy8/BreDQQF6+oXgV4r6dn8k=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYMkZGRiX5uAcMSkGDeNGbXVStcqy0LEIA
- Thread-topic: CET-IBT and kexec?
On 07/03/2022 17:10, David Vrabel wrote:
> kexec_reloc (see xen/arch/x86/x86_64/kexec_reloc.S) has an indirect
> branch as part of switching page tables. I understand that if CET-IBT
> is enabled this will raise an exception since there's no ENDBR64
> instruction and (as far as I could tell) CET-IBT has not been disabled
> in machine_kexec() prior to calling kexec_reloc().
>
> Have I correctly spotted an issue, and if so, would the correct fix be
> to disable CET-IBT in machine_kexec()?
>
> I guess this would also be an issue if kexec'ing to a image without
> CET-IBT support.
Hmm. We clobber CET in machine_crash_shutdown().
But you're right - that doesn't cover the kexec reboot case.
The ctxt_switch_levelling(NULL) right before clobbering CET in the crash
path also needs moving too.
I'll draft a patch.
~Andrew
|