On Thu, Jun 29, 2023 at 1:17 PM Alejandro Vallejo <alejandro.vall...@cloud.com> wrote:
> This option hardens Xen by forcing it to write secure (NX-enhanced) PTEs
> regardless of the runtime NX feature bit in boot_cpu_data. This prevents an
> attacker with partial write support from affecting Xen's PTE generation
> logic by overriding the NX feature flag. The patch asserts support for the
> NX bit in PTEs at boot time and if so short-circuits the cpu_has_nx macro
> to 1.
>
> It has the nice benefit of replacing many instances of runtime checks with
> folded constants. This has several knock-on effects that improve codegen,
> saving 2.5KiB off the text section.
>
> The config option defaults to OFF for compatibility with previous
> behaviour.
>
> Signed-off-by: Alejandro Vallejo <alejandro.vall...@cloud.com>
> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com>
> ---
>  xen/arch/x86/Kconfig                  | 16 ++++++++++++++++
>  xen/arch/x86/boot/head.S              | 15 ++++++++++++++-
>  xen/arch/x86/boot/trampoline.S        |  3 ++-
>  xen/arch/x86/efi/efi-boot.h           |  9 +++++++++
>  xen/arch/x86/include/asm/cpufeature.h |  3 ++-
>  5 files changed, 43 insertions(+), 3 deletions(-)

@maintainers
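To make the threat model in the quoted commit message concrete, here is an added, self-contained C model (not Xen's code, and not part of the mail above) of the two PTE-generation strategies it contrasts. It assumes a `struct cpuinfo` stand-in for `boot_cpu_data`, hypothetical helpers `make_data_pte_runtime()` / `make_data_pte_require_nx()`, and a `boot_check_nx_supported()` stand-in for the boot-time assertion; the PTE and CPUID bit positions are the real x86 ones. The scenario function boots on an NX-capable CPU, then zeroes the in-memory feature word to stand in for the partial-write corruption the message describes, and reports whether a mapping built afterwards is still non-executable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the hardening described in the commit message.
 * Bit positions follow the x86 64-bit PTE layout; the struct, function
 * and macro names are assumptions for this example, not Xen's own.
 */
#define _PAGE_PRESENT   (1ULL << 0)
#define _PAGE_RW        (1ULL << 1)
#define _PAGE_NX        (1ULL << 63)
#define PADDR_MASK      (((1ULL << 52) - 1) & ~0xfffULL)

/* CPUID.80000001H:EDX bit 20 advertises NX support. */
#define X86_FEATURE_NX  (1u << 20)

/* Stand-in for boot_cpu_data: feature bits discovered at boot, kept in RAM. */
struct cpuinfo {
    uint32_t ext_edx;
};

/* Pre-hardening behaviour: consult the in-memory feature word every time. */
static bool runtime_cpu_has_nx(const struct cpuinfo *c)
{
    return (c->ext_edx & X86_FEATURE_NX) != 0;
}

static uint64_t make_data_pte_runtime(uint64_t paddr, const struct cpuinfo *c)
{
    uint64_t pte = (paddr & PADDR_MASK) | _PAGE_PRESENT | _PAGE_RW;
    if (runtime_cpu_has_nx(c))
        pte |= _PAGE_NX;
    return pte;
}

/* CONFIG_REQUIRE_NX behaviour: cpu_has_nx folds to 1, so NX is unconditional. */
#define cpu_has_nx_require 1

static uint64_t make_data_pte_require_nx(uint64_t paddr)
{
    uint64_t pte = (paddr & PADDR_MASK) | _PAGE_PRESENT | _PAGE_RW;
    if (cpu_has_nx_require)   /* constant-folded by the compiler */
        pte |= _PAGE_NX;
    return pte;
}

/*
 * The compile-time assumption must be validated once at boot, before any
 * NX PTE is written: on a CPU without NX, bit 63 is reserved and would
 * fault. Models the go/no-go decision the early boot code makes.
 */
static bool boot_check_nx_supported(const struct cpuinfo *c)
{
    return runtime_cpu_has_nx(c);
}

/* Does this PTE deny instruction fetch? */
static bool pte_is_nx(uint64_t pte)
{
    return (pte & _PAGE_NX) != 0;
}

/*
 * Scenario: boot on an NX-capable CPU, then simulate an attacker with a
 * partial write primitive zeroing the feature word. Returns true if a
 * mapping created after the corruption is still non-executable.
 */
static bool survives_feature_flag_corruption(bool require_nx)
{
    struct cpuinfo cpu = { .ext_edx = X86_FEATURE_NX };   /* constructed */
    uint64_t page = 0x1000ULL;

    if (!boot_check_nx_supported(&cpu))
        return false;

    cpu.ext_edx = 0;   /* simulated corruption of boot_cpu_data */

    uint64_t pte = require_nx ? make_data_pte_require_nx(page)
                              : make_data_pte_runtime(page, &cpu);
    return pte_is_nx(pte);
}

int main(void)
{
    printf("runtime cpu_has_nx after corruption:  NX %s\n",
           survives_feature_flag_corruption(false) ? "kept" : "LOST");
    printf("CONFIG_REQUIRE_NX after corruption:   NX %s\n",
           survives_feature_flag_corruption(true) ? "kept" : "LOST");
    return 0;
}
```

The runtime variant silently produces an executable mapping once the feature word is corrupted, which is the weakness the option closes; the hardened variant has no data dependency on `boot_cpu_data` at all, which is also why the compiler can fold the checks away. The boot-time check is what makes the constant safe to assume.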
> This option hardens Xen by forcing it to write secure (NX-enhanced) PTEs > regardless of the runtime NX feature bit in boot_cpu_data. This prevents an > attacker with partial write support from affecting Xen's PTE generation > logic by overriding the NX feature flag. The patch asserts support for the > NX bit in PTEs at boot time and if so short-circuits the cpu_has_nx macro > to 1. > > It has the nice benefit of replacing many instances of runtime checks with > folded constants. This has several knock-on effects that improve codegen, > saving 2.5KiB off the text section. > > The config option defaults to OFF for compatibility with previous > behaviour. > > Signed-off-by: Alejandro Vallejo <alejandro.vall...@cloud.com> > Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com> > --- > xen/arch/x86/Kconfig | 16 ++++++++++++++++ > xen/arch/x86/boot/head.S | 15 ++++++++++++++- > xen/arch/x86/boot/trampoline.S | 3 ++- > xen/arch/x86/efi/efi-boot.h | 9 +++++++++ > xen/arch/x86/include/asm/cpufeature.h | 3 ++- > 5 files changed, 43 insertions(+), 3 deletions(-) > @mantainers