xenbits.xensource.com Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Mon, 12 Feb 2018 16:06:00 +0000 (16:06 +0000)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Thu, 15 Feb 2018 11:08:27 +0000 (11:08 +0000)
commit	422588e88511d17984544c0f017a927de3315290
tree	e1bd1dc2245d1f4dc80ebc1bdf4aa57258f3b8f2	tree
parent	b7dce29d9faf3597d009c853ed1fcbed9f7a7f68	commit \| diff

x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings

The current XPTI implementation isolates the directmap (and therefore a lot of
guest data), but a large quantity of CPU0's state (including its stack)
remains visible.

Furthermore, an attacker able to read .text is in a vastly superior position
to normal when it comes to fingerprinting Xen for known vulnerabilities, or
scanning for ROP/Spectre gadgets.

Collect together the entrypoints in .text.entry (currently 3x4k frames, but
can almost certainly be slimmed down), and create a common mapping which is
inserted into each per-cpu shadow. The stubs are also inserted into this
mapping by pointing at the in-use L2. This allows stubs allocated later (SMP
boot, or CPU hotplug) to work without further changes to the common mappings.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

docs/misc/xen-command-line.markdown		diff \| blob \| blame \| history
xen/arch/x86/smpboot.c		diff \| blob \| blame \| history
xen/arch/x86/x86_64/compat/entry.S		diff \| blob \| blame \| history
xen/arch/x86/x86_64/entry.S		diff \| blob \| blame \| history
xen/arch/x86/xen.lds.S		diff \| blob \| blame \| history