On 29.05.2020 21:35, Andrew Cooper wrote:
> On 28/05/2020 13:50, Jan Beulich wrote:
>> On 27.05.2020 21:18, Andrew Cooper wrote:
>>> + /* Primary Shadow Stack. 1x 4k in stack page 5. */
>>> p += PRIMARY_SHSTK_SLOT * PAGE_SIZE;
>>> - map_pages_to_xen((unsigned long)p, virt_to_mfn(p), 1, _PAGE_NONE);
>>> + if ( IS_ENABLED(CONFIG_XEN_SHSTK) )
>>> + write_sss_token(p + PAGE_SIZE - 8);
>>> +
>>> + map_pages_to_xen((unsigned long)p, virt_to_mfn(p), 1,
>>> PAGE_HYPERVISOR_SHSTK);
>>> }
>>>
>>> void memguard_unguard_stack(void *p)
>> Would this function perhaps better zap the tokens?
>
> Why? We don't zap any other stack contents, and let the regular page
> scrubbing clean it.
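Review bot: the mapping change is unconditional while the token write is not: `map_pages_to_xen((unsigned long)p, virt_to_mfn(p), 1, PAGE_HYPERVISOR_SHSTK)` replaces the former `_PAGE_NONE` guard mapping in every build, whereas `write_sss_token(p + PAGE_SIZE - 8)` only runs under `IS_ENABLED(CONFIG_XEN_SHSTK)`. The hunk does not show what PAGE_HYPERVISOR_SHSTK resolves to when that option is off, so either the comment above the slot should state that the page still acts as a guard in that configuration, or the `!CONFIG_XEN_SHSTK` case should keep the `_PAGE_NONE` mapping it had before. Separately, since memguard_unguard_stack() is the counterpart of this setup, having it clear the token slot at p + PAGE_SIZE - 8 (the point raised in the quoted question) would stop a stale token from surviving on a page that is handed back without passing through scrubbing.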
Except that Xen-used pages, if re-used by Xen itself, may not go through a round of scrubbing. As long as we use 1:1 mappings, re-using the same page for a shadow stack will end up having the necessary token already in place. Looks like a defense-in-depth measure to zap them as soon as a page goes out of (shadow stack) use.

Jan