Control-flow Enforcement (CET) is a new Intel processor feature that blocks
return/jump-oriented programming attacks. Details are in "Intel 64 and
IA-32 Architectures Software Developer's Manual" [1].
This is the second part of CET and enables Indirect Branch Tracking (IBT).
It is built on top of the shadow stack series.
Changes in v24:
- Split IBT into a separate Kconfig option, update related areas
accordingly. Specific changes are called out in each patch's commit
log.
- Patch #7: Update ENDBR definition with compiler macros.
- Rebase to Linus tree v5.12-rc5.
[1] Intel 64 and IA-32 Architectures Software Developer's Manual:
https://software.intel.com/en-us/download/intel-64-and-ia-32-
architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4
[2] Indirect Branch Tracking patches v23:
https://lore.kernel.org/r/[email protected]/
H.J. Lu (3):
x86/cet/ibt: Update arch_prctl functions for Indirect Branch Tracking
x86/vdso: Insert endbr32/endbr64 to vDSO
x86/vdso/32: Add ENDBR to __kernel_vsyscall entry point
Yu-cheng Yu (6):
x86/cet/ibt: Add Kconfig option for Indirect Branch Tracking
x86/cet/ibt: Add user-mode Indirect Branch Tracking support
x86/cet/ibt: Handle signals for Indirect Branch Tracking
x86/cet/ibt: Update ELF header parsing for Indirect Branch Tracking
x86/vdso: Introduce ENDBR macro
x86/vdso: Add ENDBR to __vdso_sgx_enter_enclave
arch/x86/Kconfig | 22 +++++++++
arch/x86/entry/vdso/Makefile | 5 +++
arch/x86/entry/vdso/vdso32/system_call.S | 2 +
arch/x86/entry/vdso/vsgx.S | 4 ++
arch/x86/include/asm/cet.h | 9 ++++
arch/x86/include/asm/disabled-features.h | 8 +++-
arch/x86/include/asm/vdso.h | 19 +++++++-
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/cet_prctl.c | 5 +++
arch/x86/kernel/fpu/signal.c | 30 +++++++++++--
arch/x86/kernel/ibt.c | 57 ++++++++++++++++++++++++
arch/x86/kernel/process_64.c | 8 ++++
12 files changed, 165 insertions(+), 5 deletions(-)
create mode 100644 arch/x86/kernel/ibt.c
--
2.21.0
Indirect Branch Tracking (IBT) provides protection against CALL-/JMP-
oriented programming attacks. It is active when the kernel has this
feature enabled, and the processor and the application support it.
When this feature is enabled, legacy non-IBT applications continue to
work, but without IBT protection.
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Kees Cook <[email protected]>
---
arch/x86/Kconfig | 20 ++++++++++++++++++++
arch/x86/include/asm/disabled-features.h | 8 +++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a69e351e7386..a58c5230e957 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1969,6 +1969,26 @@ config X86_SHADOW_STACK
If unsure, say N.
+config X86_IBT
+ prompt "Intel Indirect Branch Tracking"
+ def_bool n
+ depends on X86_64
+ depends on $(cc-option,-fcf-protection)
+ select X86_CET
+ help
+ Indirect Branch Tracking (IBT) provides protection against
+ CALL-/JMP-oriented programming attacks. It is active when
+ the kernel has this feature enabled, and the processor and
+ the application support it. When this feature is enabled,
+ legacy non-IBT applications continue to work, but without
+ IBT protection.
+ Support for this feature is present on Tiger Lake family of
+ processors released in 2020 or later. Enabling this feature
+ increases kernel text size by 3.7 KB.
+ See Documentation/x86/intel_cet.rst for more information.
+
+ If unsure, say N.
+
config EFI
bool "EFI runtime service support"
depends on ACPI
diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
index 018cd7acd3e9..9b826b9dd83d 100644
--- a/arch/x86/include/asm/disabled-features.h
+++ b/arch/x86/include/asm/disabled-features.h
@@ -74,6 +74,12 @@
#define DISABLE_SHSTK (1 << (X86_FEATURE_SHSTK & 31))
#endif
+#ifdef CONFIG_X86_IBT
+#define DISABLE_IBT 0
+#else
+#define DISABLE_IBT (1 << (X86_FEATURE_IBT & 31))
+#endif
+
#ifdef CONFIG_X86_CET
#define DISABLE_CET 0
#else
@@ -103,7 +109,7 @@
#define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE|DISABLE_LA57|DISABLE_UMIP| \
DISABLE_ENQCMD|DISABLE_SHSTK)
#define DISABLED_MASK17 0
-#define DISABLED_MASK18 0
+#define DISABLED_MASK18 (DISABLE_IBT)
#define DISABLED_MASK19 0
#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 20)
--
2.21.0
From: "H.J. Lu" <[email protected]>
ENDBR is a special new instruction for the Indirect Branch Tracking (IBT)
component of CET. IBT prevents attacks by ensuring that (most) indirect
branches and function calls may only land at ENDBR instructions. Branches
that don't follow the rules will result in control flow (#CF) exceptions.
ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
instructions are inserted automatically by the compiler, but branch
targets written in assembly must have ENDBR added manually.
Add that to __kernel_vsyscall entry point.
Signed-off-by: H.J. Lu <[email protected]>
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Kees Cook <[email protected]>
---
arch/x86/entry/vdso/vdso32/system_call.S | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/entry/vdso/vdso32/system_call.S b/arch/x86/entry/vdso/vdso32/system_call.S
index de1fff7188aa..c962e7e4f7e3 100644
--- a/arch/x86/entry/vdso/vdso32/system_call.S
+++ b/arch/x86/entry/vdso/vdso32/system_call.S
@@ -7,6 +7,7 @@
#include <asm/dwarf2.h>
#include <asm/cpufeatures.h>
#include <asm/alternative-asm.h>
+#include <asm/vdso.h>
.text
.globl __kernel_vsyscall
@@ -14,6 +15,7 @@
ALIGN
__kernel_vsyscall:
CFI_STARTPROC
+ ENDBR
/*
* Reshuffle regs so that all of any of the entry instructions
* will preserve enough state.
--
2.21.0
Introduce user-mode Indirect Branch Tracking (IBT) support. Add routines
for the setup/disable of IBT.
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Kees Cook <[email protected]>
---
v24:
- Move IBT routines to a separate ibt.c, update related areas accordingly.
arch/x86/include/asm/cet.h | 9 ++++++
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/ibt.c | 57 ++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 arch/x86/kernel/ibt.c
diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h
index 26124820d46f..b3df306699b4 100644
--- a/arch/x86/include/asm/cet.h
+++ b/arch/x86/include/asm/cet.h
@@ -15,6 +15,7 @@ struct cet_status {
unsigned long shstk_base;
unsigned long shstk_size;
unsigned int locked:1;
+ unsigned int ibt_enabled:1;
};
#ifdef CONFIG_X86_SHADOW_STACK
@@ -41,6 +42,14 @@ static inline int shstk_check_rstor_token(bool ia32, unsigned long token_addr,
unsigned long *new_ssp) { return 0; }
#endif
+#ifdef CONFIG_X86_IBT
+int ibt_setup(void);
+void ibt_disable(void);
+#else
+static inline int ibt_setup(void) { return 0; }
+static inline void ibt_disable(void) {}
+#endif
+
#ifdef CONFIG_X86_CET
int prctl_cet(int option, u64 arg2);
#else
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 868cb3aac618..9653e422d0f3 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -152,6 +152,7 @@ obj-$(CONFIG_UNWINDER_GUESS) += unwind_guess.o
obj-$(CONFIG_AMD_MEM_ENCRYPT) += sev-es.o
obj-$(CONFIG_X86_SHADOW_STACK) += shstk.o
obj-$(CONFIG_X86_CET) += cet_prctl.o
+obj-$(CONFIG_X86_IBT) += ibt.o
###
# 64 bit specific files
diff --git a/arch/x86/kernel/ibt.c b/arch/x86/kernel/ibt.c
new file mode 100644
index 000000000000..d2cef1a0345b
--- /dev/null
+++ b/arch/x86/kernel/ibt.c
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * ibt.c - Intel Indirect Branch Tracking support
+ *
+ * Copyright (c) 2021, Intel Corporation.
+ * Yu-cheng Yu <[email protected]>
+ */
+
+#include <linux/user.h>
+#include <asm/msr.h>
+#include <asm/fpu/internal.h>
+#include <asm/fpu/xstate.h>
+#include <asm/fpu/types.h>
+#include <asm/cet.h>
+
+static void start_update_msrs(void)
+{
+ fpregs_lock();
+ if (test_thread_flag(TIF_NEED_FPU_LOAD))
+ __fpregs_load_activate();
+}
+
+static void end_update_msrs(void)
+{
+ fpregs_unlock();
+}
+
+int ibt_setup(void)
+{
+ u64 msr_val;
+
+ if (!cpu_feature_enabled(X86_FEATURE_IBT))
+ return -EOPNOTSUPP;
+
+ start_update_msrs();
+ rdmsrl(MSR_IA32_U_CET, msr_val);
+ msr_val |= (CET_ENDBR_EN | CET_NO_TRACK_EN);
+ wrmsrl(MSR_IA32_U_CET, msr_val);
+ end_update_msrs();
+ current->thread.cet.ibt_enabled = 1;
+ return 0;
+}
+
+void ibt_disable(void)
+{
+ u64 msr_val;
+
+ if (!cpu_feature_enabled(X86_FEATURE_IBT))
+ return;
+
+ start_update_msrs();
+ rdmsrl(MSR_IA32_U_CET, msr_val);
+ msr_val &= ~CET_ENDBR_EN;
+ wrmsrl(MSR_IA32_U_CET, msr_val);
+ end_update_msrs();
+ current->thread.cet.ibt_enabled = 0;
+}
--
2.21.0
ENDBR is a special new instruction for the Indirect Branch Tracking (IBT)
component of CET. IBT prevents attacks by ensuring that (most) indirect
branches and function calls may only land at ENDBR instructions. Branches
that don't follow the rules will result in control flow (#CF) exceptions.
ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
instructions are inserted automatically by the compiler, but branch
targets written in assembly must have ENDBR added manually.
There are two ENDBR versions: endbr64 and endbr32. The compilers (gcc and
clang) have _CET_ENDBR defined for the proper one. Introduce ENDBR macro,
which equals the compiler macro when enabled, otherwise nothing.
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Dave Hansen <[email protected]>
Cc: Jarkko Sakkinen <[email protected]>
Cc: Peter Zijlstra <[email protected]>
---
arch/x86/entry/vdso/Makefile | 1 +
arch/x86/include/asm/vdso.h | 19 ++++++++++++++++++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index a773a5f03b63..be2ce5c8cb42 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -95,6 +95,7 @@ $(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(
ifdef CONFIG_X86_IBT
$(vobjs) $(vobjs32): KBUILD_CFLAGS += -fcf-protection=branch
+$(vobjs) $(vobjs32): KBUILD_AFLAGS += -fcf-protection=branch
endif
#
diff --git a/arch/x86/include/asm/vdso.h b/arch/x86/include/asm/vdso.h
index 98aa103eb4ab..0128486ba09f 100644
--- a/arch/x86/include/asm/vdso.h
+++ b/arch/x86/include/asm/vdso.h
@@ -52,6 +52,23 @@ extern int map_vdso_once(const struct vdso_image *image, unsigned long addr);
extern bool fixup_vdso_exception(struct pt_regs *regs, int trapnr,
unsigned long error_code,
unsigned long fault_addr);
-#endif /* __ASSEMBLER__ */
+#else /* __ASSEMBLER__ */
+
+/*
+ * ENDBR is an instruction for the Indirect Branch Tracking (IBT) component
+ * of CET. IBT prevents attacks by ensuring that (most) indirect branches
+ * function calls may only land at ENDBR instructions. Branches that don't
+ * follow the rules will result in control flow (#CF) exceptions.
+ * ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
+ * instructions are inserted automatically by the compiler, but branch
+ * targets written in assembly must have ENDBR added manually.
+ */
+#ifdef __CET__
+#include <cet.h>
+#define ENDBR _CET_ENDBR
+#else
+#define ENDBR
+#endif
+#endif /* __ASSEMBLER__ */
#endif /* _ASM_X86_VDSO_H */
--
2.21.0
An ELF file's .note.gnu.property indicates features the file supports.
The property is parsed at loading time and passed to arch_setup_elf_
property(). Update it for Indirect Branch Tracking.
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Kees Cook <[email protected]>
---
v24:
- Update for changes introduced from splitting shadow stack and ibt.
arch/x86/Kconfig | 2 ++
arch/x86/kernel/process_64.c | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a58c5230e957..5496a1b79318 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1975,6 +1975,8 @@ config X86_IBT
depends on X86_64
depends on $(cc-option,-fcf-protection)
select X86_CET
+ select ARCH_USE_GNU_PROPERTY
+ select ARCH_BINFMT_ELF_STATE
help
Indirect Branch Tracking (IBT) provides protection against
CALL-/JMP-oriented programming attacks. It is active when
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 892d8e742e3b..8137e8af4503 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -864,6 +864,14 @@ int arch_setup_elf_property(struct arch_elf_state *state)
r = shstk_setup();
}
+ if (r < 0)
+ return r;
+
+ if (cpu_feature_enabled(X86_FEATURE_IBT)) {
+ if (state->gnu_property & GNU_PROPERTY_X86_FEATURE_1_IBT)
+ r = ibt_setup();
+ }
+
return r;
}
#endif
--
2.21.0
When an indirect CALL/JMP instruction is executed and before it reaches
the target, it is in 'WAIT_ENDBR' status, which can be read from
MSR_IA32_U_CET. The status is part of a task's status before a signal is
raised and preserved in the signal frame. It is restored for sigreturn.
IBT state machine is described in Intel SDM Vol. 1, Sec. 18.3.
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Kees Cook <[email protected]>
---
v24:
- Update for changes from splitting shadow stack and ibt.
arch/x86/kernel/fpu/signal.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index 2e56f2fe8be0..1f54c18607c9 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -71,16 +71,32 @@ int save_extra_state_to_sigframe(int ia32, void __user *fp, unsigned long restor
return err;
ext.ssp = token_addr;
+ }
+ if (new_ssp || cet->ibt_enabled) {
fpregs_lock();
if (test_thread_flag(TIF_NEED_FPU_LOAD))
__fpregs_load_activate();
+
if (new_ssp)
wrmsrl(MSR_IA32_PL3_SSP, new_ssp);
+
+ if (cet->ibt_enabled) {
+ u64 r;
+
+ rdmsrl(MSR_IA32_U_CET, r);
+
+ if (r & CET_WAIT_ENDBR) {
+ ext.wait_endbr = 1;
+ r &= ~CET_WAIT_ENDBR;
+ wrmsrl(MSR_IA32_U_CET, r);
+ }
+ }
+
fpregs_unlock();
}
- if (ext.ssp) {
+ if (ext.ssp || cet->ibt_enabled) {
void __user *p = fp;
ext.total_size = sizeof(ext);
@@ -110,7 +126,8 @@ static int get_extra_state_from_sigframe(int ia32, void __user *fp, struct sc_ex
if (!cpu_feature_enabled(X86_FEATURE_CET))
return 0;
- if (!cet->shstk_size)
+ if (!cet->shstk_size &&
+ !cet->ibt_enabled)
return 0;
memset(ext, 0, sizeof(*ext));
@@ -162,6 +179,13 @@ void restore_extra_state(struct sc_ext *sc_ext)
msr_val |= CET_SHSTK_EN;
}
+ if (cet->ibt_enabled) {
+ msr_val |= (CET_ENDBR_EN | CET_NO_TRACK_EN);
+
+ if (sc_ext->wait_endbr)
+ msr_val |= CET_WAIT_ENDBR;
+ }
+
if (test_thread_flag(TIF_NEED_FPU_LOAD))
cet_user_state->user_cet = msr_val;
else
@@ -626,7 +650,7 @@ static unsigned long fpu__alloc_sigcontext_ext(unsigned long sp)
* sigcontext_ext is at: fpu + fpu_user_xstate_size +
* FP_XSTATE_MAGIC2_SIZE, then aligned to 8.
*/
- if (cet->shstk_size)
+ if (cet->shstk_size || cet->ibt_enabled)
sp -= (sizeof(struct sc_ext) + 8);
#endif
return sp;
--
2.21.0
From: "H.J. Lu" <[email protected]>
Update ARCH_X86_CET_STATUS and ARCH_X86_CET_DISABLE for Indirect Branch
Tracking.
Signed-off-by: H.J. Lu <[email protected]>
Signed-off-by: Yu-cheng Yu <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
---
v24:
- Update for function name changes introduced from splitting shadow stack and ibt.
arch/x86/kernel/cet_prctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/x86/kernel/cet_prctl.c b/arch/x86/kernel/cet_prctl.c
index 5f0054177d2a..ae31741d829a 100644
--- a/arch/x86/kernel/cet_prctl.c
+++ b/arch/x86/kernel/cet_prctl.c
@@ -22,6 +22,9 @@ static int cet_copy_status_to_user(struct cet_status *cet, u64 __user *ubuf)
buf[2] = cet->shstk_size;
}
+ if (cet->ibt_enabled)
+ buf[0] |= GNU_PROPERTY_X86_FEATURE_1_IBT;
+
return copy_to_user(ubuf, buf, sizeof(buf));
}
@@ -46,6 +49,8 @@ int prctl_cet(int option, u64 arg2)
return -EINVAL;
if (arg2 & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
shstk_disable();
+ if (arg2 & GNU_PROPERTY_X86_FEATURE_1_IBT)
+ ibt_disable();
return 0;
case ARCH_X86_CET_LOCK:
--
2.21.0
ENDBR is a special new instruction for the Indirect Branch Tracking (IBT)
component of CET. IBT prevents attacks by ensuring that (most) indirect
branches and function calls may only land at ENDBR instructions. Branches
that don't follow the rules will result in control flow (#CF) exceptions.
ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
instructions are inserted automatically by the compiler, but branch
targets written in assembly must have ENDBR added manually.
Add ENDBR to __vdso_sgx_enter_enclave() branch targets.
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Dave Hansen <[email protected]>
Cc: Jarkko Sakkinen <[email protected]>
Cc: Peter Zijlstra <[email protected]>
---
arch/x86/entry/vdso/vsgx.S | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
index 86a0e94f68df..c63eafa54abd 100644
--- a/arch/x86/entry/vdso/vsgx.S
+++ b/arch/x86/entry/vdso/vsgx.S
@@ -4,6 +4,7 @@
#include <asm/export.h>
#include <asm/errno.h>
#include <asm/enclu.h>
+#include <asm/vdso.h>
#include "extable.h"
@@ -27,6 +28,7 @@
SYM_FUNC_START(__vdso_sgx_enter_enclave)
/* Prolog */
.cfi_startproc
+ ENDBR
push %rbp
.cfi_adjust_cfa_offset 8
.cfi_rel_offset %rbp, 0
@@ -62,6 +64,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
.Lasync_exit_pointer:
.Lenclu_eenter_eresume:
enclu
+ ENDBR
/* EEXIT jumps here unless the enclave is doing something fancy. */
mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
@@ -91,6 +94,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
jmp .Lout
.Lhandle_exception:
+ ENDBR
mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
/* Set the exception info. */
--
2.21.0
From: "H.J. Lu" <[email protected]>
When Indirect Branch Tracking (IBT) is enabled, vDSO functions may be
called indirectly, and must have ENDBR32 or ENDBR64 as the first
instruction. The compiler must support -fcf-protection=branch so that it
can be used to compile vDSO.
Signed-off-by: H.J. Lu <[email protected]>
Signed-off-by: Yu-cheng Yu <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Kees Cook <[email protected]>
---
v24:
- Replace CONFIG_X86_CET with CONFIG_X86_IBT to reflect splitting of shadow
stack and ibt.
arch/x86/entry/vdso/Makefile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 05c4abc2fdfd..a773a5f03b63 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -93,6 +93,10 @@ endif
$(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
+ifdef CONFIG_X86_IBT
+$(vobjs) $(vobjs32): KBUILD_CFLAGS += -fcf-protection=branch
+endif
+
#
# vDSO code runs in userspace and -pg doesn't help with profiling anyway.
#
--
2.21.0
On Thu, Apr 01, 2021 at 03:14:03PM -0700, Yu-cheng Yu wrote:
> ENDBR is a special new instruction for the Indirect Branch Tracking (IBT)
> component of CET. IBT prevents attacks by ensuring that (most) indirect
> branches and function calls may only land at ENDBR instructions. Branches
> that don't follow the rules will result in control flow (#CF) exceptions.
>
> ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
> instructions are inserted automatically by the compiler, but branch
> targets written in assembly must have ENDBR added manually.
>
> Add ENDBR to __vdso_sgx_enter_enclave() branch targets.
>
> Signed-off-by: Yu-cheng Yu <[email protected]>
> Cc: Andy Lutomirski <[email protected]>
> Cc: Borislav Petkov <[email protected]>
> Cc: Dave Hansen <[email protected]>
> Cc: Jarkko Sakkinen <[email protected]>
> Cc: Peter Zijlstra <[email protected]>
Acked-by: Jarkko Sakkinen <[email protected]>
> ---
> arch/x86/entry/vdso/vsgx.S | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
> index 86a0e94f68df..c63eafa54abd 100644
> --- a/arch/x86/entry/vdso/vsgx.S
> +++ b/arch/x86/entry/vdso/vsgx.S
> @@ -4,6 +4,7 @@
> #include <asm/export.h>
> #include <asm/errno.h>
> #include <asm/enclu.h>
> +#include <asm/vdso.h>
>
> #include "extable.h"
>
> @@ -27,6 +28,7 @@
> SYM_FUNC_START(__vdso_sgx_enter_enclave)
> /* Prolog */
> .cfi_startproc
> + ENDBR
> push %rbp
> .cfi_adjust_cfa_offset 8
> .cfi_rel_offset %rbp, 0
> @@ -62,6 +64,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
> .Lasync_exit_pointer:
> .Lenclu_eenter_eresume:
> enclu
> + ENDBR
>
> /* EEXIT jumps here unless the enclave is doing something fancy. */
> mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
> @@ -91,6 +94,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
> jmp .Lout
>
> .Lhandle_exception:
> + ENDBR
> mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
>
> /* Set the exception info. */
> --
> 2.21.0
>
>
/Jarkko
On 5/24/2021 11:51 AM, Sean Christopherson wrote:
> On Thu, Apr 01, 2021, Yu-cheng Yu wrote:
>> ENDBR is a special new instruction for the Indirect Branch Tracking (IBT)
>> component of CET. IBT prevents attacks by ensuring that (most) indirect
>> branches and function calls may only land at ENDBR instructions. Branches
>> that don't follow the rules will result in control flow (#CF) exceptions.
>>
>> ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
>> instructions are inserted automatically by the compiler, but branch
>> targets written in assembly must have ENDBR added manually.
>>
>> Add ENDBR to __vdso_sgx_enter_enclave() branch targets.
> ^
> |- indirect
>
> After reading the changelog, I was expecting ENDBR on every label.
>
Sorry about the confusion.
>> Signed-off-by: Yu-cheng Yu <[email protected]>
>> Cc: Andy Lutomirski <[email protected]>
>> Cc: Borislav Petkov <[email protected]>
>> Cc: Dave Hansen <[email protected]>
>> Cc: Jarkko Sakkinen <[email protected]>
>> Cc: Peter Zijlstra <[email protected]>
>> ---
>> arch/x86/entry/vdso/vsgx.S | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
>> index 86a0e94f68df..c63eafa54abd 100644
>> --- a/arch/x86/entry/vdso/vsgx.S
>> +++ b/arch/x86/entry/vdso/vsgx.S
>> @@ -4,6 +4,7 @@
>> #include <asm/export.h>
>> #include <asm/errno.h>
>> #include <asm/enclu.h>
>> +#include <asm/vdso.h>
>>
>> #include "extable.h"
>>
>> @@ -27,6 +28,7 @@
>> SYM_FUNC_START(__vdso_sgx_enter_enclave)
>> /* Prolog */
>> .cfi_startproc
>> + ENDBR
>> push %rbp
>> .cfi_adjust_cfa_offset 8
>> .cfi_rel_offset %rbp, 0
>> @@ -62,6 +64,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
>> .Lasync_exit_pointer:
>> .Lenclu_eenter_eresume:
>> enclu
>> + ENDBR
>
> It would be better to move this below the comment about EEXIT. As is, it looks
> like a misplaced annotation on the AEP. The AEP doesn't need ENDBR, it's the
> EEXIT target that needs ENDBR because EEXIT is treated as an indirect branch.
>
> Might also be helpful for future readers to explicitly state in the changelog
> that EEXIT is considered an indirect branch.
>
> I.e.
>
>> /* EEXIT jumps here unless the enclave is doing something fancy. */
> ENDBR
>> mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
>> @@ -91,6 +94,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
>> jmp .Lout
>>
>> .Lhandle_exception:
>> + ENDBR
>> mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
>>
>> /* Set the exception info. */
Thanks, I will fix that.
Yu-cheng
On Thu, Apr 01, 2021, Yu-cheng Yu wrote:
> ENDBR is a special new instruction for the Indirect Branch Tracking (IBT)
> component of CET. IBT prevents attacks by ensuring that (most) indirect
> branches and function calls may only land at ENDBR instructions. Branches
> that don't follow the rules will result in control flow (#CF) exceptions.
>
> ENDBR is a noop when IBT is unsupported or disabled. Most ENDBR
> instructions are inserted automatically by the compiler, but branch
> targets written in assembly must have ENDBR added manually.
>
> Add ENDBR to __vdso_sgx_enter_enclave() branch targets.
^
|- indirect
After reading the changelog, I was expecting ENDBR on every label.
> Signed-off-by: Yu-cheng Yu <[email protected]>
> Cc: Andy Lutomirski <[email protected]>
> Cc: Borislav Petkov <[email protected]>
> Cc: Dave Hansen <[email protected]>
> Cc: Jarkko Sakkinen <[email protected]>
> Cc: Peter Zijlstra <[email protected]>
> ---
> arch/x86/entry/vdso/vsgx.S | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
> index 86a0e94f68df..c63eafa54abd 100644
> --- a/arch/x86/entry/vdso/vsgx.S
> +++ b/arch/x86/entry/vdso/vsgx.S
> @@ -4,6 +4,7 @@
> #include <asm/export.h>
> #include <asm/errno.h>
> #include <asm/enclu.h>
> +#include <asm/vdso.h>
>
> #include "extable.h"
>
> @@ -27,6 +28,7 @@
> SYM_FUNC_START(__vdso_sgx_enter_enclave)
> /* Prolog */
> .cfi_startproc
> + ENDBR
> push %rbp
> .cfi_adjust_cfa_offset 8
> .cfi_rel_offset %rbp, 0
> @@ -62,6 +64,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
> .Lasync_exit_pointer:
> .Lenclu_eenter_eresume:
> enclu
> + ENDBR
It would be better to move this below the comment about EEXIT. As is, it looks
like a misplaced annotation on the AEP. The AEP doesn't need ENDBR, it's the
EEXIT target that needs ENDBR because EEXIT is treated as an indirect branch.
Might also be helpful for future readers to explicitly state in the changelog
that EEXIT is considered an indirect branch.
I.e.
> /* EEXIT jumps here unless the enclave is doing something fancy. */
ENDBR
> mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
> @@ -91,6 +94,7 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
> jmp .Lout
>
> .Lhandle_exception:
> + ENDBR
> mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
>
> /* Set the exception info. */
> --
> 2.21.0
>