Xen project Mailing List

[PATCH v6 3/4] xen: arm: enable stack protector feature

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Date: Mon, 17 Feb 2025 02:49:17 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=n7p/GHrjsr8F4ZE7rkQrmBs/1k/mYhuWeTWyLqZKz7g=; b=NijasZtXI8VIEBU7NmS9njbvyubIDqPL7huBQ9X9Nsso4+KI1QFN/d2eKBI5qYM9qZpvI6Qp0/TJQK2hE2uxkDp7wEP4T3LjCQKTKbi6T6vL/Lut7e7DpDH19TWkPfPcnLIgOZxfma+hB4z/ihlTyBPrICJEq4BW0wr5vLLgP4ha7ryR47ySXyBWlaRYV5hQerbIG7yGlZBj5xJzrXobmcacQGnPB1ZlDDJlGOhM8ajh1iFndEHTsHDjiN4ThLe0po1jaDffmyFl6RZkXvkDufZ57Q5+4XdJEOOwHA3thj1dY5x1OBwaxhYpwaQ4CmsV1ysXH2ws7SCAu5ik6ZofVA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=NG+wiwxQ6pMdFp41D9W/vFk2TJxqpXF/CY/kBoLswCZjPmI61o2EXJv6HRG/n/oqmbi0tuLW7Q6X7ocMoiepAqxSzne5qo8t5K/P5zawqjAGlTu+L4Zpra8HKtsia70qx7O5y5cODZWnv8sr5yPYihEKkbbzAPSsqRjR0uLusZCrPBJ9GklM/+WsK4wgd7VFDFYToU1WDcwLWk+HRLeiqQQT68RAmnpgq+4orjYpAA9hZIgHAK0L0Y4lFTtN6pg4VCChmqztGruwLFe5L6GG1MhzMTUJ9lUhya1/8VYxNK7qKRi2CVAzBwE9BMMLJLDGMERHTqn1ubWb4Q6+ZEH5pg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Julien Grall <jgrall@xxxxxxxxxx>

Delivery-date: Mon, 17 Feb 2025 02:49:32 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHbgOaJE6kDVTbKPE2BH7sXiNdS9g==

Thread-topic: [PATCH v6 3/4] xen: arm: enable stack protector feature

Enable previously added CONFIG_STACK_PROTECTOR feature for ARM platform. Initialize stack protector magic value very early, at the very beginning of start_xen() function. We want to do this early because prior to that boot_stack_chk_guard_setup() call, default stack protector guard value is used. While it is fine for general development and testing, it does not provide highest security level, because potential attacker will know the default value and can alter a payload, so correct stack guard value will be placed in the correct position. Apart from that argument, boot_stack_chk_guard_setup() should be called prior to enabling secondary CPUs to avoid race with them. Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx> Acked-by: Julien Grall <jgrall@xxxxxxxxxx> --- Changes in v6: - Expanded the commit message - Added Julien's A-b tag Changes in v5: - Call boot_stack_chk_guard_setup() from start_xen() instead of early ASM --- xen/arch/arm/Kconfig | 1 + xen/arch/arm/setup.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index a26d3e1182..8f1a3c7d74 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -16,6 +16,7 @@ config ARM select GENERIC_UART_INIT select HAS_ALTERNATIVE if HAS_VMAP select HAS_DEVICE_TREE + select HAS_STACK_PROTECTOR select HAS_UBSAN config ARCH_DEFCONFIG diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index c1f2d1b89d..0dca691207 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -30,6 +30,7 @@ #include <xen/virtual_region.h> #include <xen/version.h> #include <xen/vmap.h> +#include <xen/stack-protector.h> #include <xen/trace.h> #include <xen/libfdt/libfdt-xen.h> #include <xen/acpi.h> @@ -305,6 +306,8 @@ void asmlinkage __init start_xen(unsigned long fdt_paddr) struct domain *d; int rc, i; + boot_stack_chk_guard_setup(); + dcache_line_bytes = read_dcache_line_bytes(); percpu_init_areas(); -- 2.47.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.