Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp1890165ybv;
        Thu, 6 Feb 2020 11:42:22 -0800 (PST)
X-Google-Smtp-Source: APXvYqxtxfcHVO/ei9po6cRdRQGXYDAylR7ehPXc8VHoMOlN2SovTmAgS8ZBoFam3c9K+vrvKQP7
X-Received: by 2002:a9d:6e02:: with SMTP id e2mr32021639otr.194.1581018141945;
        Thu, 06 Feb 2020 11:42:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581018141; cv=none;
        d=google.com; s=arc-20160816;
        b=Mmj+8jAx/ESZSq9FPj9Tt6E5FrRjloQJMOnJdqrfOdmwHqd+Suw7pnL2sxVIqRCsUT
         hU1q91atYMJAvxOkYZS9cUOcEsIVWEbhsMTNGbxeP9tpLzfTMhgU0QpHNfZKuGrPoa4O
         /77V9eEygujy1NHImO1W2hH1pRDwgsP01g7oYPyxsuQ9qYk68veRTX0iV7GY44z5degX
         2zFoYBH084K47hO4NZFv8zTWxS0/x+s9dhsMrreGsfw1j6OTTLPCVEX7y/l+/5b/hvND
         d93NPtRxWr41gzxc56OnRJn5mqytO5vaaOHOQwQ1E5XfC22BMXBDpkwLiJcXpb/wmDYg
         ptpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id;
        bh=IvPGAhTevnxIfmMkiPuFI8EtYzs6du5iT7i+zeIxpeM=;
        b=G+23qDu7Ygs0eQ1lblGPZe5WbqwbH2AGMsZeXT5OFgtnalurkGQ7rmEDhZvtKOXKsS
         w9SHg9F5mLrlgIOhsZHqIxnfQJ48tQphUeoBuvnlbBvBmj8qvkWTluKkLJhFquu47izB
         kwilNbF08MJ8vRGENl5lclgzjENNnSjX5U61vCKkfluWDGc8S0Agd4NGk5xHrRH21I8l
         d2IvnYRl0xmrlOWXrkk/mpd4iGmAs5ww6CxBy3hIq4IPFY9TS0AbjLg98KsHgOAuSjPv
         10ThWzlsLd/o76R6E+5N/c7rVBB8rw+/sz+m9gh4g1rHwWBii3KnHkTJYiuMtrR7WSYs
         RiKg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i194si2741242oib.73.2020.02.06.11.42.09;
        Thu, 06 Feb 2020 11:42:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727831AbgBFTlQ (ORCPT <rfc822;yuvraaj@gmail.com> + 99 others);
        Thu, 6 Feb 2020 14:41:16 -0500
Received: from mga01.intel.com ([192.55.52.88]:49994 "EHLO mga01.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727479AbgBFTlQ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 6 Feb 2020 14:41:16 -0500
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
  by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Feb 2020 11:41:16 -0800
X-IronPort-AV: E=Sophos;i="5.70,410,1574150400"; 
   d="scan'208";a="236084936"
Received: from kcaccard-mobl.amr.corp.intel.com (HELO kcaccard-mobl1.jf.intel.com) ([10.24.10.96])
  by orsmga006-auth.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Feb 2020 11:41:15 -0800
Message-ID: <75f0bd0365857ba4442ee69016b63764a8d2ad68.camel@linux.intel.com>
Subject: Re: [RFC PATCH 06/11] x86: make sure _etext includes function
 sections
From:   Kristen Carlson Accardi <kristen@linux.intel.com>
To:     Kees Cook <keescook@chromium.org>
Cc:     tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com,
        arjan@linux.intel.com, rick.p.edgecombe@intel.com, x86@kernel.org,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Date:   Thu, 06 Feb 2020 11:41:15 -0800
In-Reply-To: <202002060408.84005CEFFD@keescook>
References: <20200205223950.1212394-1-kristen@linux.intel.com>
         <20200205223950.1212394-7-kristen@linux.intel.com>
         <202002060408.84005CEFFD@keescook>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5 (3.30.5-1.fc29) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2020-02-06 at 04:26 -0800, Kees Cook wrote:
> On Wed, Feb 05, 2020 at 02:39:45PM -0800, Kristen Carlson Accardi
> wrote:
> > We will be using -ffunction-sections to place each function in
> > it's own text section so it can be randomized at load time. The
> > linker considers these .text.* sections "orphaned sections", and
> > will place them after the first similar section (.text). However,
> > we need to move _etext so that it is after both .text and .text.*
> > We also need to calculate text size to include .text AND .text.*
> 
> The dependency on the linker's orphan section handling is, I feel,
> rather fragile (during work on CFI and generally building kernels
> with
> Clang's LLD linker, we keep tripping over difference between how BFD
> and
> LLD handle orphans). However, this is currently no way to perform a
> section "pass through" where input sections retain their name as an
> output section. (If anyone knows a way to do this, I'm all ears).
> 
> Right now, you can only collect sections like this:
> 
>         .text :  AT(ADDR(.text) - LOAD_OFFSET) {
> 		*(.text.*)
> 	}
> 
> or let them be orphans, which then the linker attempts to find a
> "similar" (code, data, etc) section to put them near:
> https://sourceware.org/binutils/docs-2.33.1/ld/Orphan-Sections.html
> 
> So, basically, yes, this works, but I'd like to see BFD and LLD grow
> some kind of /PASSTHRU/ special section (like /DISCARD/), that would
> let
> a linker script specify _where_ these sections should roughly live.
> 
> Related thoughts:
> 
> I know x86_64 stack alignment is 16 bytes. I cannot find evidence for
> what function start alignment should be. It seems the linker is 16
> byte
> aligning these functions, when I think no alignment is needed for
> function starts, so we're wasting some memory (average 8 bytes per
> function, at say 50,000 functions, so approaching 512KB) between
> functions. If we can specify a 1 byte alignment for these orphan
> sections, that would be nice, as mentioned in the cover letter: we
> lose
> a 4 bits of entropy to this alignment, since all randomized function
> addresses will have their low bits set to zero.

So, when I was developing this patch set, I initially ignored the value
of sh_addralign and just packed the functions in one right after
another when I did the new layout. They were byte aligned :). I later
realized that I should probably pay attention to alignment and thus
started respecting the value that was in sh_addralign. There is
actually nothing stopping me from ignoring it again, other than I am
concerned that I will make runtime performance suffer even more than I
already have.

> 
> And we can't adjust function section alignment, or there is some
> benefit to a larger alignment, I would like to have a way for the
> linker
> to specify the inter-section padding (or fill) bytes. Right now, the
> FILL(0xnn) (or =0xnn) can be used to specify the padding bytes
> _within_
> a section, but not between sections. Right now, BFD appears to 0-pad. 
> I'd
> like that to be 0xCC so "guessing" addresses incorrectly will trigger
> a trap.

Padding the space between functions with int3 is easy to add during
boot time, and I've got it on my todo list.