Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3869553ybv;
        Mon, 10 Feb 2020 07:55:19 -0800 (PST)
X-Google-Smtp-Source: APXvYqwu3aFeVUDD9b+vSLE5VmoSHn1+rd5kMlqKjzGWSW5APB+yTWhJBJih/keOkc9D8T77p96X
X-Received: by 2002:aca:4c11:: with SMTP id z17mr1179856oia.104.1581350118934;
        Mon, 10 Feb 2020 07:55:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581350118; cv=none;
        d=google.com; s=arc-20160816;
        b=dxkuOTNAZwal0jaKNMDnBqLXRiBfJkf/WU3NIdap3nAZUOH0PHYlUrEh6jyqXwtoHO
         D3BgfPqm5EazRy2eqqsH2FDgiUzPP/YIRto79qGhojVI5YDLCpFYy1NGzkoRpt6dntU3
         nKKTzVpCkGLxPcarJjKlLL9+jWAdjKyDv0+olUMykSBR1Oxc79eXahwnqC4naXH1aOLw
         pN3xB2XxuqJgmU+p8/K7Dms5T1Z9uyiEoEmjUvf+4EhUND/WKFvUxJA9ej5IXD91xtRf
         SATCgkfDtbaEjmX+ARhAQ/Kk9MDu31Y1kUGTcPdl4CaHPoaAscJnKZANww0Srx/5qVOZ
         nD1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=uDrZPSWuz9Yg+PXsHclQDjqJerNmKy6N1SE0GSX8wyU=;
        b=BK7RQpxCHz9GkAv+dBVxTWbH+zlud2slln4V0Jqn/wnPa2wU1WM7ONt+9D8ToxMiut
         ROExLP2DurVuysmQyOot0d+1kTtqCilRCdStxWYshodoe1mem4Jl5bjcLnx6pIAy2s2M
         y4MWKePU4tLE4LedNBIRN82BPHqkaVIrVrfcOjXRxLagENThoNkGJTot0afOV/ZhOE6D
         9POY5hMrX2YX9dLlKPmASP7eG++Z+twCsNZi06U+4+smlIeEygatf5v/dx11pwqDXwa9
         y99Jcwf9LfwA6jCEM+VRFzMJrzotMX/s/3zkP3uylzMsnXhRpECMZYRHOohEAvuTXLy3
         7Oqg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y19si367819oto.102.2020.02.10.07.55.05;
        Mon, 10 Feb 2020 07:55:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727652AbgBJPzB (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Mon, 10 Feb 2020 10:55:01 -0500
Received: from mga07.intel.com ([134.134.136.100]:1546 "EHLO mga07.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727584AbgBJPzB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 Feb 2020 10:55:01 -0500
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Feb 2020 07:55:00 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,425,1574150400"; 
   d="scan'208";a="380142760"
Received: from avandeve-mobl.amr.corp.intel.com (HELO [10.254.13.35]) ([10.254.13.35])
  by orsmga004.jf.intel.com with ESMTP; 10 Feb 2020 07:54:59 -0800
Subject: Re: [RFC PATCH 06/11] x86: make sure _etext includes function
 sections
To:     Peter Zijlstra <peterz@infradead.org>,
        Kees Cook <keescook@chromium.org>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        Kristen Carlson Accardi <kristen@linux.intel.com>,
        tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com,
        rick.p.edgecombe@intel.com, x86@kernel.org,
        linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
References: <75f0bd0365857ba4442ee69016b63764a8d2ad68.camel@linux.intel.com>
 <B413445A-F1F0-4FB7-AA9F-C5FF4CEFF5F5@amacapital.net>
 <20200207092423.GC14914@hirez.programming.kicks-ass.net>
 <202002091742.7B1E6BF19@keescook>
 <20200210105117.GE14879@hirez.programming.kicks-ass.net>
From:   Arjan van de Ven <arjan@linux.intel.com>
Message-ID: <43b7ba31-6dca-488b-8a0e-72d9fdfd1a6b@linux.intel.com>
Date:   Mon, 10 Feb 2020 07:54:58 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <20200210105117.GE14879@hirez.programming.kicks-ass.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> 
> I'll leave it to others to figure out the exact details. But afaict it
> should be possible to have fine-grained-randomization and preserve the
> workaround in the end.
> 

the most obvious "solution" is to compile with an alignment of 4 bytes (so tight packing)
and then in the randomizer preserve the offset within 32 bytes, no matter what it is

that would get you an average padding of 16 bytes which is a bit more than now but not too insane
(queue Kees' argument that tiny bits of padding are actually good)