From: Andrew Cooper Date: Fri, 29 Oct 2021 13:05:07 +0000 (+0100) Subject: x86/nmi: CFI hardening X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=b1a7d40f30cde6e5b71ee23de25f9cae9837709e;p=people%2Ftklengyel%2Fxen.git x86/nmi: CFI hardening Control Flow Integrity schemes use toolchain and optionally hardware support to help protect against call/jump/return oriented programming attacks. Use cf_check to annotate function pointer targets for the toolchain. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich
---
diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c
index 1cb531c9df..436047abe0 100644
--- a/xen/arch/x86/alternative.c
+++ b/xen/arch/x86/alternative.c
@@ -324,8 +324,8 @@ static unsigned int __initdata alt_done; * condition where an NMI hits while we are midway though patching some * instructions in the NMI path. */
-static int __init nmi_apply_alternatives(const struct cpu_user_regs *regs,
- int cpu)
+static int __init cf_check nmi_apply_alternatives(
+ const struct cpu_user_regs *regs, int cpu)
 { /* * More than one NMI may occur between the two set_nmi_callback() below.
diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
index c07f68ba35..f84dafa826 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -376,7 +376,8 @@ static int primary_thread_work(const struct microcode_patch *patch) return ret; }
-static int microcode_nmi_callback(const struct cpu_user_regs *regs, int cpu)
+static int cf_check microcode_nmi_callback(
+ const struct cpu_user_regs *regs, int cpu)
 { unsigned int primary = cpumask_first(this_cpu(cpu_sibling_mask)); int ret;
diff --git a/xen/arch/x86/crash.c b/xen/arch/x86/crash.c
index f6264946a6..c383f718f5 100644
--- a/xen/arch/x86/crash.c
+++ b/xen/arch/x86/crash.c
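Review bot: Nothing in these hunks ties the `cf_check` annotation to the callback type, so coverage rests on the sweep having found every function that is ever passed to `set_nmi_callback()`. This applies to `nmi_apply_alternatives()` and `microcode_nmi_callback()` here, and equally to the crash.c, livepatch.c, oprofile and traps.c hunks that follow. If the build uses the annotation to mark valid indirect-branch targets, as the commit message implies, a callback that was missed would presumably only be noticed when an NMI is actually delivered through it. I would add a comment at the `nmi_callback_t` definition (not visible in this diff), for example `/* Every function installed as an NMI callback must be cf_check. */`, and say in the commit message how the list of callbacks was derived. All six function bodies continue outside their hunks.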
@@ -36,7 +36,8 @@ static unsigned int crashing_cpu; static DEFINE_PER_CPU_READ_MOSTLY(bool, crash_save_done); /* This becomes the NMI handler for non-crashing CPUs, when Xen is crashing. */
-static int noreturn do_nmi_crash(const struct cpu_user_regs *regs, int cpu)
+static int noreturn cf_check do_nmi_crash(
+ const struct cpu_user_regs *regs, int cpu)
 { stac();
diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
index d056b1ed8b..37c9b8435e 100644
--- a/xen/arch/x86/livepatch.c
+++ b/xen/arch/x86/livepatch.c
@@ -175,7 +175,7 @@ static nmi_callback_t *saved_nmi_callback; * Note that because of this NOP code the do_nmi is not safely patchable. * Also if we do receive 'real' NMIs we have lost them. */
-static int mask_nmi_callback(const struct cpu_user_regs *regs, int cpu)
+static int cf_check mask_nmi_callback(const struct cpu_user_regs *regs, int cpu)
 { /* TODO: Handle missing NMI/MCE.*/ return 1;
diff --git a/xen/arch/x86/oprofile/nmi_int.c b/xen/arch/x86/oprofile/nmi_int.c
index 6ebe20bd1d..a90b728258 100644
--- a/xen/arch/x86/oprofile/nmi_int.c
+++ b/xen/arch/x86/oprofile/nmi_int.c
@@ -95,7 +95,7 @@ bool nmi_oprofile_send_virq(void) return v; }
-static int nmi_callback(const struct cpu_user_regs *regs, int cpu)
+static int cf_check nmi_callback(const struct cpu_user_regs *regs, int cpu)
 { int xen_mode, ovf;
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 485bd66971..7b95710193 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -752,7 +752,8 @@ static cpumask_t show_state_mask; static bool opt_show_all; boolean_param("async-show-all", opt_show_all);
-static int nmi_show_execution_state(const struct cpu_user_regs *regs, int cpu)
+static int cf_check nmi_show_execution_state(
+ const struct cpu_user_regs *regs, int cpu)
 { if ( !cpumask_test_cpu(cpu, &show_state_mask) ) return 0;
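Review bot: In the xen/arch/x86/livepatch.c hunk the new `mask_nmi_callback` signature stays on one line and, as rendered here, comes to exactly 80 characters, whereas the other long signatures in this commit are wrapped after the opening parenthesis. If the project keeps lines under 80 columns, wrap this one the same way: `static int cf_check mask_nmi_callback(` followed by `    const struct cpu_user_regs *regs, int cpu)`. This is layout only; the function body, which continues past the hunk, is unaffected.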