Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2210688pxa; Mon, 24 Aug 2020 08:09:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxGzlKwAhkLo+FaV22q4JR4qURC3GKc/0BiJis39mx6fqCsLmoIk0erZb4mP4GonX3p7jh+ X-Received: by 2002:a50:dac6:: with SMTP id s6mr5819941edj.378.1598281771184; Mon, 24 Aug 2020 08:09:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598281771; cv=none; d=google.com; s=arc-20160816; b=WLUMBzoTWrrktw9hsNUuv35aLnaarz0LVyVhISSy1F9rEIRT0VMQmEMUF/lT81p/PP cu6BK6DlQU+noY9VfBFWZD1K/Oo/igUc1S8EWPuNW3INtC6LU7G04sFVFw51N5vHYJWy oczutjvzxTWo9FfS1vPLbsNx1Q/HV5oxoxXxnkNMNHZ35aixgi7jvonI5th3KRZjlszB fWYo0P3rGbg9KAgJMXoaDAXX2TMPrKZx1GlnvYay0mfXMcncquirIl05LUWSQT9J/R9e uJv1cLcVKo8MGOr1EsuG4b5d5B1ia5ybYmgP930bdV7Et6tVbkw92sTpnd+NjkQzyiSz BuiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=4Z9CfRsQ0JPDJK+OdpY56vYSFlw0MvtWCYo+D9zzr0o=; b=ODNsszicp8/NPbwSjO7UEJvOQFZOJHVo1lGc5lGiKtyvg2aJJ9blaiA39Y6bMprDBh 8xJq6eCFXNA4b+pLTaqyx0Tf67VXprFcfgDvtIUhPqU0U2D68IIxBpb0NzRZJ277xLdh Vs7dcjrDtT8QomjsakHNDmSYnfdTiXGvFRKtYDvBDGPjfWVJ+7jc0LQ+lkxBV76iRKpO 2nmh4mZPB5XG7PPSjDHgSeYBTW2vQA95z7WXaAnLDCKpgGn/XznyT60zDeN8Ap+XuVXo w1fU03Wtq/Bb6iuuc96wA4K40QiyNjnfOlTaB7ksnIXHqFfiJyPcrHW3FpDm3rvNw5jf VceA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lB8woOsv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x22si7085235ejw.73.2020.08.24.08.09.07; Mon, 24 Aug 2020 08:09:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lB8woOsv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726952AbgHXPHC (ORCPT + 99 others); Mon, 24 Aug 2020 11:07:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726650AbgHXPFb (ORCPT ); Mon, 24 Aug 2020 11:05:31 -0400 Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 78682C0617A9 for ; Mon, 24 Aug 2020 08:05:11 -0700 (PDT) Received: by mail-wm1-x32c.google.com with SMTP id 83so8661634wme.4 for ; Mon, 24 Aug 2020 08:05:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=4Z9CfRsQ0JPDJK+OdpY56vYSFlw0MvtWCYo+D9zzr0o=; b=lB8woOsvvYhCqqAhBrrOI4RyghVGWXTQFIz7QP/geKRTgxJ5Ydbnf0ULekEb2fnx6E LIx5ZXOroEf5QkkzXGFUuatWpWzKU8BXTOBLol8vcK0GyEzvqLzwcxlZnouQiPxO3vQ9 YGWWtTbmSO/FTFZTk4MxFuHaMnbSLcTjsA1ixnxCiRwMl/N9Pfkdkvi4wlAN5mU6s9lB gfGU+rWbIdYtgAAD952agaykme1dVHqFB5Gh+HyTuc0ShwRZSGX5SVSVxfFojiNsdqwW dbYPzTJBm3+Wps1nFdfCfuJTK4Z1wFTBwlBSW4yF/FROXrF4h55RK2I5C2uAGtuCIbGW 1k+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=4Z9CfRsQ0JPDJK+OdpY56vYSFlw0MvtWCYo+D9zzr0o=; b=Y5Z2XUBiIy6BDMw7VJ03CRmWmKkYiQw4M1/A2ldPEt7ogyjSsNjU9DmeE3vRSKNMxe m/1eIJ+sN57lA9xJ9y8Bn4BDHP9QRZf27s5sJB/lJgswPXI/lZudW8NC9YN7e1gXz3q9 UFx8otVpmN+crIVXqRoDlvF4KDJ+z9eivaLn3WREjaNiiYMNbw7LPS07NTPGjYYTHXP+ KOa5FhQexo0Tpz4ng+uoTVmcroNPXqU13XGVVxsQOPCDHJqsyL75sNghheioUMDNvEfI +PKYVEDv5tAlQ4jihQSg3A6FAvtSw6ehte7inyPRrER71+4Zv+LMbHb6xT6gPG1WRp8c JBLA== X-Gm-Message-State: AOAM532yo6frPGV8wHyVNBFzu2IUddxjtwbCGpiZoiXfZGNZMfA/5ePH pvHXoM/TztzwSieGhaSJe9BtAA== X-Received: by 2002:a7b:cd88:: with SMTP id y8mr5875966wmj.14.1598281509685; Mon, 24 Aug 2020 08:05:09 -0700 (PDT) Received: from google.com ([2a00:79e0:42:204:1ea0:b8ff:fe80:839]) by smtp.gmail.com with ESMTPSA id y13sm14526834wrn.48.2020.08.24.08.05.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Aug 2020 08:05:08 -0700 (PDT) Date: Mon, 24 Aug 2020 17:05:04 +0200 From: Brendan Jackman To: Peter Zijlstra Cc: Kees Cook , Brendan Jackman , linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , James Morris , pjt@google.com, Jann Horn , rafael.j.wysocki@intel.com, thgarnie@chromium.org, KP Singh , paul.renauld.epfl@gmail.com Subject: Re: [RFC] security: replace indirect calls with static calls Message-ID: <20200824150504.GA575149@google.com> References: <20200820164753.3256899-1-jackmanb@chromium.org> <202008201435.97CF8296@keescook> <20200824143344.GB3982@worktop.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200824143344.GB3982@worktop.programming.kicks-ass.net> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 24, 2020 at 04:33:44PM +0200, Peter Zijlstra wrote: > On Mon, Aug 24, 2020 at 04:09:09PM +0200, Brendan Jackman wrote: > > > > > Why this trick with a switch statement? The table of static call is defined > > > > at compile time. The number of hook callbacks that will be defined is > > > > unknown at that time, and the table cannot be resized at runtime. Static > > > > calls do not define a conditional execution for a non-void function, so the > > > > executed slots must be non-empty. With this use of the table and the > > > > switch, it is possible to jump directly to the first used slot and execute > > > > all of the slots after. This essentially makes the entry point of the table > > > > dynamic. Instead, it would also be possible to start from 0 and break after > > > > the final populated slot, but that would require an additional conditional > > > > after each slot. > > > > > > Instead of just "NOP", having the static branches perform a jump would > > > solve this pretty cleanly, yes? Something like: > > > > > > ret = DEFAULT_RET; > > > > > > ret = A(args); <--- direct call, no retpoline > > > if ret != 0: > > > goto out; > > > > > > ret = B(args); <--- direct call, no retpoline > > > if ret != 0: > > > goto out; > > > > > > goto out; > > > if ret != 0: > > > goto out; > > > > > > out: > > > return ret; > > > > Hmm yeah that's a cool idea. This would either need to be implemented > > with custom code-modification logic for the LSM hooks, or we'd need to > > think of a way to express it in a sensible addition to the static_call > > API. I do wonder if the latter could take the form of a generic system > > for arrays of static calls. > > So you basically want something like: > > if (A[0] && (ret = static_call(A[0])(...))) > return ret; > > if (A[1] && (ret = static_call(A[1])(...))) > return ret; > > .... > > return ret; > > Right? The problem with static_call_cond() is that we don't know what to > do with the return value when !func, which is why it's limited to void > return type. > > You can however construct something like the above with a combination of > static_branch() and static_call() though. It'll not be pretty, but it > ought to work: > > if (static_branch_likely(A[0].key)) { > ret = static_call(A[0].call)(...); > if (ret) > return ret; > } > > ... > > return ret; > Right. That's actually exactly what Paul's first implementation looked like for call_int_hook. But we thought the switch thing was easier to understand. > > > It would also need to handle the fact that IIUC at the moment the last > > static_call may be a tail call, so we'd be patching an existing jump > > into a jump to a different target, I don't know if we can do that > > atomically. > > Of course we can, the static_call() series supports tail-calls just > fine. In fact, patching jumps is far easier, it was patching call that > was the real problem because it mucks about with the stack. > OK great. I had a vague apprehension that we could only patch to or from a NOP.