From 1ec1462032f7d48ef34b65a679767bdef9d7ea46 Mon Sep 17 00:00:00 2001 From: Volodymyr Babchuk Date: Mon, 14 Apr 2025 13:07:38 +0200 Subject: [PATCH] xen: arm: enable stack protector feature Enable previously added CONFIG_STACK_PROTECTOR feature for ARM platform. Initialize stack protector magic value very early, at the very beginning of start_xen() function. We want to do this early because prior to that boot_stack_chk_guard_setup() call, default stack protector guard value is used. While it is fine for general development and testing, it does not provide highest security level, because potential attacker will know the default value and can alter a payload, so correct stack guard value will be placed in the correct position. Apart from that argument, boot_stack_chk_guard_setup() should be called prior to enabling secondary CPUs to avoid race with them. Signed-off-by: Volodymyr Babchuk Acked-by: Julien Grall --- xen/arch/arm/Kconfig | 1 + xen/arch/arm/setup.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 565f288331..da8a406f5a 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -15,6 +15,7 @@ config ARM select GENERIC_UART_INIT select HAS_ALTERNATIVE if HAS_VMAP select HAS_DEVICE_TREE + select HAS_STACK_PROTECTOR select HAS_UBSAN config ARCH_DEFCONFIG diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index bf39d41e9b..07703a15e1 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -306,6 +307,8 @@ void asmlinkage __init start_xen(unsigned long fdt_paddr) struct domain *d; int rc, i; + boot_stack_chk_guard_setup(); + dcache_line_bytes = read_dcache_line_bytes(); percpu_init_areas(); -- 2.39.5