dgit.raspbian.org Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Wed, 22 Apr 2020 12:44:37 +0000 (13:44 +0100)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Fri, 29 May 2020 22:09:46 +0000 (23:09 +0100)
commit	b60ab42db2f04dcf56ebbfedfb9b0c65a75e4bac
tree	81b2445e31d59e64521d9d0dd57d6153afa5a0f5	tree \| snapshot
parent	633ecc4a7cb2d8d6d1903b39637c0d9a982b9693	commit \| diff

x86/shstk: Activate Supervisor Shadow Stacks

With all other plumbing in place, activate shadow stacks when possible.

Note that CET shares the similar problems to SMEP/SMAP with Ring1 being
supervisor to the processor, and that the layout of the shadow stack differs
between an IRET to Ring 1 and Ring 3.  Therefore, we disable PV32 when CET is
enabled.  Compatibility can be maintained if necessary via PV-Shim.

The BSP needs to wait until alternatives have run (to avoid interaction with
CR0.WP), and after the first reset_stack_and_jump() to avoid having a pristine
shadow stack interact in problematic ways with an in-use regular stack.
Activate shadow stack in reinit_bsp_stack().

APs have all infrastructure set up by the booting CPU, so enable shadow stacks
before entering C.  Adjust the logic to call start_secondary rather than jump
to it, so stack traces make more sense.

The crash path needs to turn CET off to avoid interfering with the crash
kernel's environment.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

docs/misc/xen-command-line.pandoc		diff \| blob \| history
xen/arch/x86/boot/x86_64.S		diff \| blob \| history
xen/arch/x86/cpu/common.c		diff \| blob \| history
xen/arch/x86/crash.c		diff \| blob \| history
xen/arch/x86/setup.c		diff \| blob \| history
xen/arch/x86/spec_ctrl.c		diff \| blob \| history