projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7764fd9) | patch
x86: Introduce support for CET-IBT
authorAndrew Cooper <andrew.cooper3@citrix.com>
Thu, 21 Oct 2021 17:38:50 +0000 (18:38 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Wed, 23 Feb 2022 15:33:42 +0000 (15:33 +0000)
commit3667f7f8f7c471e94e58cf35a95f09a0fe5c1290
tree4ada7ece70a84b70f26064c8527c2c70a6f79f99tree | snapshot
parent7764fd93cf24d59b98fd1ee1c3f03a1fda83633acommit | diff
x86: Introduce support for CET-IBT

CET Indirect Branch Tracking is a hardware feature designed to provide
forward-edge control flow integrity, protecting against jump/call oriented
programming.

IBT requires the placement of endbr{32,64} instructions at the target of every
indirect call/jmp, and every entrypoint.

However, the default -fcf-protection=branch places an endbr{32,64} on every
function which far more than necessary, and reduces the quantity of protection
afforded.  Therefore, we use manual placement using the cf_check attribute.

It is necessary to check for both compiler and assembler support, as the
notrack prefix can be emitted in certain cases.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Config.mk diff | blob | history
tools/firmware/Makefile diff | blob | history
tools/libs/guest/xg_dom_decompress_unsafe.h diff | blob | history
tools/tests/x86_emulator/x86-emulate.h diff | blob | history
xen/arch/x86/Kconfig diff | blob | history
xen/arch/x86/arch.mk diff | blob | history
xen/arch/x86/configs/pvshim_defconfig diff | blob | history
xen/arch/x86/include/asm/asm-defns.h diff | blob | history
xen/arch/x86/include/asm/cpufeature.h diff | blob | history
xen/arch/x86/include/asm/cpufeatures.h diff | blob | history
xen/include/xen/compiler.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.