Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp4445055pxa; Mon, 10 Aug 2020 09:12:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyhqYgA6AgWdSmg3SXi4SFVflOI8Cqx3D/T5O9wzR9VkkBHoaiTJzH5u1K5/5KS1VE4khmA X-Received: by 2002:a05:6402:1b89:: with SMTP id cc9mr22070099edb.227.1597075962306; Mon, 10 Aug 2020 09:12:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597075962; cv=none; d=google.com; s=arc-20160816; b=m9frQ+SDEEyfVAP/QBaKf3XrTlj7tqzrmWL1fgv8+1qeuAGdv2bhofoI7WJ3ht1lLK yjMp8bNzSFQLgIInbG/73Wf+91P4/jZny8Sbxt4S9WGFRaf7tuP5GtyXjKQiY1m5Of4O YF50ss/2pQ1M3EorbrKSgPlg9swwjIdtikJfGHODPmqMnmBOHF2gNGBNSTfRX5VM7mWh ubkG2HE9NsQAQbmJ5OFLgE/6BB/D48pn9eSetF9/4WDTfaFbcvjk4K75f+sb9qcwV9nS mz5erg7SySYToYOR/H9ol8JWSh3HUYxaimBbAg6CsGNIC4xqaAPLurQLUjRV3/x1C8Fc u41Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:ironport-sdr:ironport-sdr; bh=CpEWFwmRkXAy0w4BD+6N1/6ADKL1B2xE9RWbal9diQ8=; b=GE+7vxClEg4V1Ct9DYrvn9UFgTF8xtPfhxgpAhhyS2PmUvQdlLKRF/ZUN0zhe3QVs/ klS2RV7XNdBo6Sn8xbF3ePSkuTmxitVzdXvyE4/7ZtLrax/AiZT/KQmf5UIKhciyKWt0 l6wsaZOx296rdI8vChM2Kjzdfuv8p+QVuF/in2JoiJXP6XjQDwsDgsJ21IvnJCCL+ped ErHDJ0DokU9wcboyF7Kil9pQ4q4zcPDfQMGpsiy+NhQEHmQbzpld3zcF8SMo3uPCSOKv CDNG22lPRO0H5QnLIqWKD7Ies94fjN2EP0+qXktnr/6gju60YKfrL4WD8A+gNRUSeyCb O6+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i11si10331435edx.429.2020.08.10.09.12.13; Mon, 10 Aug 2020 09:12:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727872AbgHJQKs (ORCPT + 99 others); Mon, 10 Aug 2020 12:10:48 -0400 Received: from mga02.intel.com ([134.134.136.20]:41566 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726486AbgHJQKr (ORCPT ); Mon, 10 Aug 2020 12:10:47 -0400 IronPort-SDR: E0f4ZdAjswR6z5/J+pv3qsv4XXWZ5bBHrCcW7YMm462uiDzVbp5SggIDPXqP/H4Q6wLIZ6LU4k gBvapLZxjYNQ== X-IronPort-AV: E=McAfee;i="6000,8403,9709"; a="141420194" X-IronPort-AV: E=Sophos;i="5.75,458,1589266800"; d="scan'208";a="141420194" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Aug 2020 09:10:46 -0700 IronPort-SDR: L0fGK7Oc41XXt/uCpVijKONSkPdWYSy53uICatG+sIVZajt8GK0hK7Me29p68sdmSoSBzhgOHo z8ekofBUjVhg== X-IronPort-AV: E=Sophos;i="5.75,458,1589266800"; d="scan'208";a="494847826" Received: from unknown (HELO kcaccard-mobl1.jf.intel.com) ([10.251.4.141]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Aug 2020 09:10:44 -0700 Message-ID: <6b96dcb30b9e1ab1638979c09462614aa2976721.camel@linux.intel.com> Subject: Re: [PATCH v4 00/10] Function Granular KASLR From: Kristen Carlson Accardi To: Kees Cook Cc: Joe Lawrence , tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, arjan@linux.intel.com, x86@kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, rick.p.edgecombe@intel.com, live-patching@vger.kernel.org Date: Mon, 10 Aug 2020 09:10:41 -0700 In-Reply-To: <202008071019.BF206AE8BD@keescook> References: <20200717170008.5949-1-kristen@linux.intel.com> <20200804182359.GA23533@redhat.com> <202008071019.BF206AE8BD@keescook> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.30.5 (3.30.5-1.fc29) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2020-08-07 at 10:20 -0700, Kees Cook wrote: > On Fri, Aug 07, 2020 at 09:38:11AM -0700, Kristen Carlson Accardi > wrote: > > Thanks for testing. Yes, Josh and I have been discussing the > > orc_unwind > > issues. I've root caused one issue already, in that objtool places > > an > > orc_unwind_ip address just outside the section, so my algorithm > > fails > > to relocate this address. There are other issues as well that I > > still > > haven't root caused. I'll be addressing this in v5 and plan to have > > something that passes livepatch testing with that version. > > FWIW, I'm okay with seeing fgkaslr be developed progressively. > Getting > it working with !livepatching would be fine as a first step. There's > value in getting the general behavior landed, and then continuing to > improve it. > In this case, part of the issue with livepatching appears to be a more general issue with objtool and how it creates the orc unwind entries when you have >64K sections. So livepatching is a good test case for making sure that the orc tables are actually correct. However, the other issue with livepatching (the duplicate symbols), might be worth deferring if the solution is complex - I will keep that in mind as I look at it more closely.