Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp153981imm; Fri, 5 Oct 2018 01:16:15 -0700 (PDT) X-Google-Smtp-Source: ACcGV60pa0fluL8ybHQEicBJ1Ttfv3tItpIWKYn5nnNS+OlMAyxCdKcikDHpDoCxi8hTxDVgiOte X-Received: by 2002:a17:902:1026:: with SMTP id b35-v6mr10550664pla.283.1538727375069; Fri, 05 Oct 2018 01:16:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538727375; cv=none; d=google.com; s=arc-20160816; b=N6IXN5rViUdKBA0hUKfMxeRa76ziD5UsUw14AgdYmTXF1B8b3IPV/a/VMu/osExcOl 5JrJl+Cmc3dB1x7loHimroQrBAusdjUoohXj2nUzxL47UG4c2ZVbo+3OI+v7NYyFRFUN 0AGLGdeECEQIsd7j7e6v83hKsyOiF1jp9eZtZDz/40S78XyxpS8XjaKTdImzPNnC/ne6 o4Wrs7DQDWAHHlet0wVWuMxVJ1Ov1owOJRNTCXsYlpF5fbxV7U7NLo/JnuSuHrCvjalf nUQ2ab7girAgyRuOI98fKu0Mgmiw85vbQTit5d+fRZkYpuR03F79ejVZJXRqP2jEy7JL e97A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=M974k2iyDJIOjsCt9yr954r2LChEqIlYPLi3JqN8ezM=; b=IkUlIvG/0kHaakUy3lx4uKxqbo3GNtiipvMY04eMYgE80RKUqhsSSwHRHvIMfpnY8b +RGiz6yWshoixldhr6dBAXs9ltZUoyw0pfga8TlLfL+jsjQ9UkM4e3pKd5RAUV/YsbFl ejp37d0sA8X6oQw3Sz40TpJpruTvcmUF80Q7PI0JPNapDde97fI+akF02Q9KaFbKOsxg 8fWznPutdgFIGk4WoNPoLxFUyNp1tamclE+4TvmkrlGN8BcOZFmi5HdJU8fzkdEAmjxK XPsUfkXDWgampbfxrCtR4I1d+5m5bYYs1UuAATSUBqu9nk0Ofip89I/3phPNoS0gF+wp P03A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=MWd+hOYP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w34-v6si6808039pgk.596.2018.10.05.01.15.59; Fri, 05 Oct 2018 01:16:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=MWd+hOYP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728401AbeJEPLS (ORCPT + 99 others); Fri, 5 Oct 2018 11:11:18 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:33122 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728259AbeJEPLR (ORCPT ); Fri, 5 Oct 2018 11:11:17 -0400 Received: by mail-wm1-f66.google.com with SMTP id y140-v6so3198694wmd.0 for ; Fri, 05 Oct 2018 01:13:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=M974k2iyDJIOjsCt9yr954r2LChEqIlYPLi3JqN8ezM=; b=MWd+hOYP/XT8JhDN37zPYJpwEJYaMjz+DGw/Gv25gw+eg0s/a5gjnsTq2fxMFRjXfa XOMVBcpP7CyWqNHbBWmey7hjHyMNnG+gxrzc/jDFOObGBsroeG0GPzJLFwCtev3yPYQp vVyxleV0C7JUqQAW22vpLbZCcIWLOpw1cxhDg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=M974k2iyDJIOjsCt9yr954r2LChEqIlYPLi3JqN8ezM=; b=S3OJbaNXf01x3dL6PRKNk8CArExdDMpYeJpJq/XQR+7f45+SusiWL042j6mqyINvU7 gpHa80Fk/AfbI7EWHH5bNrmitfP9aTX/v8RzMhiRajh6wFHpk6gmuGcWSMWGxYwCIoeZ B4+JDokLGGScpnj/yHStic4YejoPHfun5az9Y7otvUwWSBcur/KiJwwCvhLllidcQVw/ 3Q+HrYEl2PxfGPU65VznPrfxr2CpANaKLPrObl53ECA8Mb/KraE+YPCVV5+HkwX81B0L I67kBBhq+CfbA2knGym9+ZwTOx5FbAFg74CsIi0KlWqLrebLzrhHgLW8tEhIAfw6GdIY a8Kg== X-Gm-Message-State: ABuFfoggDQ5Rtptf68p3s9W20q/Imk7whzT0fB/ecLiHP8BOqCnvq5hF QKmSQhgDIBLCHADrZZ9I152gncywoc4= X-Received: by 2002:a1c:9901:: with SMTP id b1-v6mr4381093wme.15.1538727220155; Fri, 05 Oct 2018 01:13:40 -0700 (PDT) Received: from localhost.localdomain ([2a01:cb1d:112:6f00:697e:67d9:a05d:22c7]) by smtp.gmail.com with ESMTPSA id t4-v6sm6565620wrb.45.2018.10.05.01.13.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Oct 2018 01:13:39 -0700 (PDT) From: Ard Biesheuvel To: linux-kernel@vger.kernel.org Cc: Ard Biesheuvel , "Jason A . Donenfeld" , Eric Biggers , Samuel Neves , Andy Lutomirski , Arnd Bergmann , Herbert Xu , "David S. Miller" , Catalin Marinas , Will Deacon , Benjamin Herrenschmidt , Paul Mackerras , Michael Ellerman , Thomas Gleixner , Ingo Molnar , Kees Cook , "Martin K. Petersen" , Greg Kroah-Hartman , Andrew Morton , Richard Weinberger , Peter Zijlstra , linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org Subject: [RFC PATCH 1/9] kernel: add support for patchable function pointers Date: Fri, 5 Oct 2018 10:13:25 +0200 Message-Id: <20181005081333.15018-2-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20181005081333.15018-1-ard.biesheuvel@linaro.org> References: <20181005081333.15018-1-ard.biesheuvel@linaro.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add a function pointer abstraction that can be implemented by the arch in a manner that avoids the downsides of function pointers, i.e., the fact that they are typically located in a writable data section, and their vulnerability to Spectre like defects. The FFP (or fast function pointer) is callable as a function, since the generic incarnation is simply that. However, due to the fact that C does not distinguish between functions and function pointers at the call site, the architecture can instead emit it as a patchable sequence of instructions consisting of ordinary branches. Signed-off-by: Ard Biesheuvel --- arch/Kconfig | 3 ++ include/linux/ffp.h | 43 ++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/arch/Kconfig b/arch/Kconfig index 6801123932a5..2af3442a61d3 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -862,6 +862,9 @@ config HAVE_ARCH_PREL32_RELOCATIONS architectures, and don't require runtime relocation on relocatable kernels. +config HAVE_ARCH_FFP + bool + source "kernel/gcov/Kconfig" source "scripts/gcc-plugins/Kconfig" diff --git a/include/linux/ffp.h b/include/linux/ffp.h new file mode 100644 index 000000000000..8fc3b4c9b38f --- /dev/null +++ b/include/linux/ffp.h @@ -0,0 +1,43 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef __LINUX_FFP_H +#define __LINUX_FFP_H + +#include +#include + +#ifdef CONFIG_HAVE_ARCH_FFP +#include +#else + +struct ffp { + void (**fn)(void); + void (*default_fn)(void); +}; + +#define DECLARE_FFP(_fn, _def) \ + extern typeof(_def) *_fn; \ + extern struct ffp const __ffp_ ## _fn + +#define DEFINE_FFP(_fn, _def) \ + typeof(_def) *_fn = &_def; \ + struct ffp const __ffp_ ## _fn \ + = { (void(**)(void))&_fn, (void(*)(void))&_def }; \ + EXPORT_SYMBOL(__ffp_ ## _fn) + +static inline void ffp_set_target(const struct ffp *m, void *new_fn) +{ + WRITE_ONCE(*m->fn, new_fn); +} + +static inline void ffp_reset_target(const struct ffp *m) +{ + WRITE_ONCE(*m->fn, m->default_fn); +} + +#endif + +#define SET_FFP(_fn, _new) ffp_set_target(&__ffp_ ## _fn, _new) +#define RESET_FFP(_fn) ffp_reset_target(&__ffp_ ## _fn) + +#endif -- 2.11.0