Xen project Mailing List

[PATCH v7 2/3] xen: arm: enable stack protector feature

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Date: Tue, 18 Mar 2025 02:34:16 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PfIgfIDoaXKyQ0Ye0/pA+kr9b+4erfmqyiKrr/jzcao=; b=wSD3oc7EglKNXOq0dUM9C37hY1BTlFbiVOuXQPpST7BBYQdkMavSCsLToqCkiaMUupGBGqwbHJd+VAUM7eExC3Zu74jxDcTzRu7dDoq6Dl/Dmoys7q6EsGe9GD54VxHjb4Iw3zQj3hRWCPYfe8T+KmGI2s//O4WmfwO2F6T6L0YmSPl0LwVyoDJU7nroFqXQsHHueUIEPtcLMEd+hnfwRdX9hu7nEODpNLacwUgPEs98ClVGyHZJo4oc05Z4NxuzUPApM66JyqT45UoZLYCov9NgBZSrra6RgRcgACwBOTJ7PYf0ztMGAO2ohQF6UFpepbJpbwI1Zx8I8MXQ+j5BMA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JAtKsDizaGLABh2as4WKMSbP2b3HQozYNMQzdiOBWf4MAcYYl8OoWKXPZyDP6nVgtKI0CAMqmFiNOtg4G18X612awUx+/96CWCCoJQw4SyIqB/Y1Z0IWHo9KJRdxb5qcfY/RNhy0IfpieNdJEBmdsRM4J93MHRKj2sG1HYd5ntDBEIMbKtd7qxBgJZRZT7VF7hHDqxduMypsn/JiFAsyU293yhWw9+4KIDZGVh8C3mOFG9zlWzGaMSTXWbx5qZbYJe5Tpji2usOVysz4PaAonVxDxsiBTMlcvm+5xg9Ii39nwkxgtl+m1fUPycDxpRjRfW9vH3kGF72YCkD89LTQPA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Julien Grall <jgrall@xxxxxxxxxx>

Delivery-date: Tue, 18 Mar 2025 02:34:40 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHbl64+nK1qcyuMXkOHD2CNqoxb4Q==

Thread-topic: [PATCH v7 2/3] xen: arm: enable stack protector feature

Enable previously added CONFIG_STACK_PROTECTOR feature for ARM platform. Initialize stack protector magic value very early, at the very beginning of start_xen() function. We want to do this early because prior to that boot_stack_chk_guard_setup() call, default stack protector guard value is used. While it is fine for general development and testing, it does not provide highest security level, because potential attacker will know the default value and can alter a payload, so correct stack guard value will be placed in the correct position. Apart from that argument, boot_stack_chk_guard_setup() should be called prior to enabling secondary CPUs to avoid race with them. Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx> Acked-by: Julien Grall <jgrall@xxxxxxxxxx> --- Changes in v6: - Expanded the commit message - Added Julien's A-b tag Changes in v5: - Call boot_stack_chk_guard_setup() from start_xen() instead of early ASM --- xen/arch/arm/Kconfig | 1 + xen/arch/arm/setup.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index ffdff1f0a3..5d6870c817 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -15,6 +15,7 @@ config ARM select GENERIC_UART_INIT select HAS_ALTERNATIVE if HAS_VMAP select HAS_DEVICE_TREE + select HAS_STACK_PROTECTOR select HAS_UBSAN config ARCH_DEFCONFIG diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index ffcae900d7..fa11e6be9f 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -30,6 +30,7 @@ #include <xen/virtual_region.h> #include <xen/version.h> #include <xen/vmap.h> +#include <xen/stack-protector.h> #include <xen/trace.h> #include <xen/libfdt/libfdt-xen.h> #include <xen/acpi.h> @@ -306,6 +307,8 @@ void asmlinkage __init start_xen(unsigned long fdt_paddr) struct domain *d; int rc, i; + boot_stack_chk_guard_setup(); + dcache_line_bytes = read_dcache_line_bytes(); percpu_init_areas(); -- 2.48.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.