Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2210688pxa;
        Mon, 24 Aug 2020 08:09:31 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxGzlKwAhkLo+FaV22q4JR4qURC3GKc/0BiJis39mx6fqCsLmoIk0erZb4mP4GonX3p7jh+
X-Received: by 2002:a50:dac6:: with SMTP id s6mr5819941edj.378.1598281771184;
        Mon, 24 Aug 2020 08:09:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598281771; cv=none;
        d=google.com; s=arc-20160816;
        b=WLUMBzoTWrrktw9hsNUuv35aLnaarz0LVyVhISSy1F9rEIRT0VMQmEMUF/lT81p/PP
         cu6BK6DlQU+noY9VfBFWZD1K/Oo/igUc1S8EWPuNW3INtC6LU7G04sFVFw51N5vHYJWy
         oczutjvzxTWo9FfS1vPLbsNx1Q/HV5oxoxXxnkNMNHZ35aixgi7jvonI5th3KRZjlszB
         fWYo0P3rGbg9KAgJMXoaDAXX2TMPrKZx1GlnvYay0mfXMcncquirIl05LUWSQT9J/R9e
         uJv1cLcVKo8MGOr1EsuG4b5d5B1ia5ybYmgP930bdV7Et6tVbkw92sTpnd+NjkQzyiSz
         BuiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=4Z9CfRsQ0JPDJK+OdpY56vYSFlw0MvtWCYo+D9zzr0o=;
        b=ODNsszicp8/NPbwSjO7UEJvOQFZOJHVo1lGc5lGiKtyvg2aJJ9blaiA39Y6bMprDBh
         8xJq6eCFXNA4b+pLTaqyx0Tf67VXprFcfgDvtIUhPqU0U2D68IIxBpb0NzRZJ277xLdh
         Vs7dcjrDtT8QomjsakHNDmSYnfdTiXGvFRKtYDvBDGPjfWVJ+7jc0LQ+lkxBV76iRKpO
         2nmh4mZPB5XG7PPSjDHgSeYBTW2vQA95z7WXaAnLDCKpgGn/XznyT60zDeN8Ap+XuVXo
         w1fU03Wtq/Bb6iuuc96wA4K40QiyNjnfOlTaB7ksnIXHqFfiJyPcrHW3FpDm3rvNw5jf
         VceA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=lB8woOsv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x22si7085235ejw.73.2020.08.24.08.09.07;
        Mon, 24 Aug 2020 08:09:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=lB8woOsv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726952AbgHXPHC (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Mon, 24 Aug 2020 11:07:02 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39430 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726650AbgHXPFb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Aug 2020 11:05:31 -0400
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 78682C0617A9
        for <linux-kernel@vger.kernel.org>; Mon, 24 Aug 2020 08:05:11 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id 83so8661634wme.4
        for <linux-kernel@vger.kernel.org>; Mon, 24 Aug 2020 08:05:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=4Z9CfRsQ0JPDJK+OdpY56vYSFlw0MvtWCYo+D9zzr0o=;
        b=lB8woOsvvYhCqqAhBrrOI4RyghVGWXTQFIz7QP/geKRTgxJ5Ydbnf0ULekEb2fnx6E
         LIx5ZXOroEf5QkkzXGFUuatWpWzKU8BXTOBLol8vcK0GyEzvqLzwcxlZnouQiPxO3vQ9
         YGWWtTbmSO/FTFZTk4MxFuHaMnbSLcTjsA1ixnxCiRwMl/N9Pfkdkvi4wlAN5mU6s9lB
         gfGU+rWbIdYtgAAD952agaykme1dVHqFB5Gh+HyTuc0ShwRZSGX5SVSVxfFojiNsdqwW
         dbYPzTJBm3+Wps1nFdfCfuJTK4Z1wFTBwlBSW4yF/FROXrF4h55RK2I5C2uAGtuCIbGW
         1k+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=4Z9CfRsQ0JPDJK+OdpY56vYSFlw0MvtWCYo+D9zzr0o=;
        b=Y5Z2XUBiIy6BDMw7VJ03CRmWmKkYiQw4M1/A2ldPEt7ogyjSsNjU9DmeE3vRSKNMxe
         m/1eIJ+sN57lA9xJ9y8Bn4BDHP9QRZf27s5sJB/lJgswPXI/lZudW8NC9YN7e1gXz3q9
         UFx8otVpmN+crIVXqRoDlvF4KDJ+z9eivaLn3WREjaNiiYMNbw7LPS07NTPGjYYTHXP+
         KOa5FhQexo0Tpz4ng+uoTVmcroNPXqU13XGVVxsQOPCDHJqsyL75sNghheioUMDNvEfI
         +PKYVEDv5tAlQ4jihQSg3A6FAvtSw6ehte7inyPRrER71+4Zv+LMbHb6xT6gPG1WRp8c
         JBLA==
X-Gm-Message-State: AOAM532yo6frPGV8wHyVNBFzu2IUddxjtwbCGpiZoiXfZGNZMfA/5ePH
        pvHXoM/TztzwSieGhaSJe9BtAA==
X-Received: by 2002:a7b:cd88:: with SMTP id y8mr5875966wmj.14.1598281509685;
        Mon, 24 Aug 2020 08:05:09 -0700 (PDT)
Received: from google.com ([2a00:79e0:42:204:1ea0:b8ff:fe80:839])
        by smtp.gmail.com with ESMTPSA id y13sm14526834wrn.48.2020.08.24.08.05.08
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 24 Aug 2020 08:05:08 -0700 (PDT)
Date:   Mon, 24 Aug 2020 17:05:04 +0200
From:   Brendan Jackman <jackmanb@google.com>
To:     Peter Zijlstra <peterz@infradead.org>
Cc:     Kees Cook <keescook@chromium.org>,
        Brendan Jackman <jackmanb@chromium.org>,
        linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        James Morris <jmorris@namei.org>, pjt@google.com,
        Jann Horn <jannh@google.com>, rafael.j.wysocki@intel.com,
        thgarnie@chromium.org, KP Singh <kpsingh@google.com>,
        paul.renauld.epfl@gmail.com
Subject: Re: [RFC] security: replace indirect calls with static calls
Message-ID: <20200824150504.GA575149@google.com>
References: <20200820164753.3256899-1-jackmanb@chromium.org>
 <202008201435.97CF8296@keescook>
 <CA+i-1C0XEuWWRm5nMPWCzEPUao7rp5346Eotpt1A_S3Za3Wysw@mail.gmail.com>
 <20200824143344.GB3982@worktop.programming.kicks-ass.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200824143344.GB3982@worktop.programming.kicks-ass.net>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 24, 2020 at 04:33:44PM +0200, Peter Zijlstra wrote:
> On Mon, Aug 24, 2020 at 04:09:09PM +0200, Brendan Jackman wrote:
> 
> > > > Why this trick with a switch statement? The table of static call is defined
> > > > at compile time. The number of hook callbacks that will be defined is
> > > > unknown at that time, and the table cannot be resized at runtime.  Static
> > > > calls do not define a conditional execution for a non-void function, so the
> > > > executed slots must be non-empty.  With this use of the table and the
> > > > switch, it is possible to jump directly to the first used slot and execute
> > > > all of the slots after. This essentially makes the entry point of the table
> > > > dynamic. Instead, it would also be possible to start from 0 and break after
> > > > the final populated slot, but that would require an additional conditional
> > > > after each slot.
> > >
> > > Instead of just "NOP", having the static branches perform a jump would
> > > solve this pretty cleanly, yes? Something like:
> > >
> > >         ret = DEFAULT_RET;
> > >
> > >         ret = A(args); <--- direct call, no retpoline
> > >         if ret != 0:
> > >                 goto out;
> > >
> > >         ret = B(args); <--- direct call, no retpoline
> > >         if ret != 0:
> > >                 goto out;
> > >
> > >         goto out;
> > >         if ret != 0:
> > >                 goto out;
> > >
> > > out:
> > >         return ret;
> > 
> > Hmm yeah that's a cool idea. This would either need to be implemented
> > with custom code-modification logic for the LSM hooks, or we'd need to
> > think of a way to express it in a sensible addition to the static_call
> > API. I do wonder if the latter could take the form of a generic system
> > for arrays of static calls.
> 
> So you basically want something like:
> 
> 	if (A[0] && (ret = static_call(A[0])(...)))
> 		return ret;
> 
> 	if (A[1] && (ret = static_call(A[1])(...)))
> 		return ret;
> 
> 	....
> 
> 	return ret;
> 
> Right? The problem with static_call_cond() is that we don't know what to
> do with the return value when !func, which is why it's limited to void
> return type.
> 
> You can however construct something like the above with a combination of
> static_branch() and static_call() though. It'll not be pretty, but it
> ought to work:
> 
> 	if (static_branch_likely(A[0].key)) {
> 		ret = static_call(A[0].call)(...);
> 		if (ret)
> 			return ret;
> 	}
> 
> 	...
> 
> 	return ret;
> 
Right. That's actually exactly what Paul's first implementation
looked like for call_int_hook. But we thought the switch thing was
easier to understand.

> 
> > It would also need to handle the fact that IIUC at the moment the last
> > static_call may be a tail call, so we'd be patching an existing jump
> > into a jump to a different target, I don't know if we can do that
> > atomically.
> 
> Of course we can, the static_call() series supports tail-calls just
> fine. In fact, patching jumps is far easier, it was patching call that
> was the real problem because it mucks about with the stack.
> 
OK great. I had a vague apprehension that we could only patch to or from
a NOP.