
Re: [PATCH v4 01/11] x86/HVM: improve CET-IBT pruning of ENDBR

On Wed, Mar 05, 2025 at 05:23:05PM +0100, Jan Beulich wrote:
> On 05.03.2025 16:39, Roger Pau Monné wrote:
> > On Wed, Mar 05, 2025 at 04:02:51PM +0100, Jan Beulich wrote:
> >> On 05.03.2025 15:48, Roger Pau Monné wrote:
> >>> On Tue, Feb 25, 2025 at 12:37:00PM +0100, Jan Beulich wrote:
> >>>> __init{const,data}_cf_clobber can have an effect only for pointers
> >>>> actually populated in the respective tables. While not the case for SVM
> >>>> right now, VMX installs a number of pointers only under certain
> >>>> conditions. Hence the respective functions would have their ENDBR purged
> >>>> only when those conditions are met. Invoke "pruning" functions after
> >>>> having copied the respective tables, for them to install any "missing"
> >>>> pointers.
> >>>>
> >>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> >>>
> >>> Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> >>
> >> Thanks.
> >>
> >>> However I find this filling slightly ugly, and prone to be forgotten
> >>> when further hooks are added.
> >>
> >> Indeed. Luckily, while undesirable, that wouldn't be an outright bug.
> >>
> >>> Would it make sense to delay enabling of IBT until after alternatives
> >>> have been applied, and thus simply not use the cf_clobber attribute on
> >>> functions that are patched to not be indirectly called?
> 
> Hmm, wait - how would that work? cf_clobber is used on function pointer
> tables; any function indirectly callable prior to patching still needs
> marking with cf_check, for build-time analysis to not throw errors (with
> the specially patched gcc that Andrew prepared with a patch of H.J.'s).

Yeah, we would need something there?

Maybe disable such detection around alternative_{,v}call() usages if
possible?

I assume the build-time detection is done based on call sites?  We
would need to figure out whether the detection can be disabled for
chunks of code.

Thanks, Roger.
