Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp729912pxb; Tue, 2 Feb 2021 16:57:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJznWK2ztH7Y2YCQCDw/4BhiddNPA+wJKjf1rr522vwx1toXo/soSFtoOlSX7wXMKAhX6rWl X-Received: by 2002:a50:bc15:: with SMTP id j21mr651646edh.187.1612313868355; Tue, 02 Feb 2021 16:57:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612313868; cv=none; d=google.com; s=arc-20160816; b=hpJf2+XeMiO8m60WV8Q9bHHEIJAfj5O2wSRD2WbvSmsWhgqCwWM1jVsAnTfNB810mn z6nJko4HEF68MvJDIqHivUz/39M5wlLgk5CMGISH4cJsTEiReArUwttELncesi0LMKhw qdJp79hQjbimjtE27EC6gdUg3bFvznL2Yb7ierzx2PmfbO9MYf6Xxz7m1wybhYVhDONC GNUQrk+LOLP7xu94pm6HdzWIIfPpM+TVki3OZtnRgaeDY2gTGQVfUePmZ58SbeXgHpjt Lt4wON57XKYFlx1wLV4dxwmN9+65DXjduf3ozEri5ljch29B+L/vOhGR0I/Zz1wznSyg 4ivg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=df6pAHxeS3aJ78xgSJShNmAjNRSNKmi3Vx/fq6dvolA=; b=l/UQbs71xkodqzKgst3hE5b5NY/MwM7aNdOBhvwbH5p+5hdQbhEAD19WrtiT6gfOO9 r+GIawJ6ypJuo3GoC3vwMUoApp1gc6HjIEcMNgQDzVjpEAX9BTAj+dA6OQgQmUiWUkuO nO4ZZ+h8acj6R3hj5bdjJ99Ax9PB4qytmVvgpma7hbT5NEyDWI6g68mnW3sv9ULM6PcU cJZsMGvOOaMv8Cm3r4+W6Xz9mjj0QASqcTtIRTKTEdRBXCDuR5OFnA4RMY//PdsznefJ J6TqiYsvPWG/ogGNqyTEJegAykENEAhvAusLhiJiHg4p1Xsh4GHRT72+0D9O8j/XNa3j 51Ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=gnJJdDK5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m10si223244edc.111.2021.02.02.16.57.11; Tue, 02 Feb 2021 16:57:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=gnJJdDK5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235928AbhBBWe4 (ORCPT + 99 others); Tue, 2 Feb 2021 17:34:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235876AbhBBWeb (ORCPT ); Tue, 2 Feb 2021 17:34:31 -0500 Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EA33C061786 for ; Tue, 2 Feb 2021 14:33:51 -0800 (PST) Received: by mail-pl1-x631.google.com with SMTP id e9so13329205plh.3 for ; Tue, 02 Feb 2021 14:33:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=df6pAHxeS3aJ78xgSJShNmAjNRSNKmi3Vx/fq6dvolA=; b=gnJJdDK50DARFPRWBNm51TSoFhO57kc+DrnUpG13DWdTHH1+iPf9T+QMDk3wV3ASQS MpZPNYRGCD0ose0Yd9/Ag5M1oX+z9jTh4mTSpKRD2nasbVV6/jbt3ilIdak1DY8f984l uKOhU0R2fKpVQavisyhS2gAMVzW3miboP/hKYArH9tY4bmzbu5QwvwHcOoYxWwqAQhkh MVLNCMWtE/Ef9D+Gx7IBvaK+qC7QEeMMsa8VQhM9oBXyV3adGu6hs8ZVhxW+aOr6riVA rclRjfRnlVoBKi7XRg9lPTpVj54xXa3ncTRkqqaAVo4E2lz6ayb2DvrPu8ghPzKDS0Eo BCyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=df6pAHxeS3aJ78xgSJShNmAjNRSNKmi3Vx/fq6dvolA=; b=HG5qNT4UiSAnHlpRZSxJ4NnXp+YnxcfFKFjyVIkMryFtlEWVWbb39DdPPASDyKaGFo 0sipPmLKv4SGNut5xG7Ru0LZ2eXGo7CG2WRPQhVIXdAnQPyIwDmzm0QMEf0mjbJ9cbHW +/0kSAO0NfFFWnsSF03Lp7uGKBqbwb3WTXmKqSHYo6cu70Y1oaEewWD9OffmmOxMR0GF Ij3Cn0b6vPp+4jNyLJUe7BVA0Sj0G/7Crzo0A5R9UEO/ad/+hEinSN7le9kNGPUxdxqB o+zZVTBA+HySR7ijbqSNAxUYhB+qEIgoAQRiVlEn4aEAh9iB35cwj3gQtMBKS95CgsBY 1nOA== X-Gm-Message-State: AOAM531agqoJwEgBKvr4yb7daVPzvXvMTlrnvk0S+p9VWUYIyDnjYZAl iAsQn9qDEPMB/E/wHAe6RU3iKsvOxkWD5yVSG2W5IQ== X-Received: by 2002:a17:90a:8b82:: with SMTP id z2mr10799pjn.25.1612305230632; Tue, 02 Feb 2021 14:33:50 -0800 (PST) MIME-Version: 1.0 References: <20210120173800.1660730-13-jthierry@redhat.com> <20210127221557.1119744-1-ndesaulniers@google.com> <20210127232651.rj3mo7c2oqh4ytsr@treble> <20210201214423.dhsma73k7ccscovm@treble> <20210202000203.rk7lh5mx4aflgkwr@treble> In-Reply-To: <20210202000203.rk7lh5mx4aflgkwr@treble> From: Nick Desaulniers Date: Tue, 2 Feb 2021 14:33:38 -0800 Message-ID: Subject: Re: [RFC PATCH 12/17] gcc-plugins: objtool: Add plugin to detect switch table on arm64 To: Josh Poimboeuf Cc: Julien Thierry , Ard Biesheuvel , Mark Brown , Catalin Marinas , Kees Cook , Linux ARM , linux-efi , linux-hardening@vger.kernel.org, LKML , Mark Rutland , Masahiro Yamada , Michal Marek , Peter Zijlstra , raphael.gault@arm.com, Will Deacon , clang-built-linux , Bill Wendling , swine@google.com, yonghyun@google.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 1, 2021 at 4:02 PM Josh Poimboeuf wrote: > > On Mon, Feb 01, 2021 at 03:17:40PM -0800, Nick Desaulniers wrote: > > On the earlier thread, Julien writes: > > > > >> I think most people interested in livepatching are using GCC built > > >> kernels, but I could be mistaken (althought in the long run, both > > >> compilers should be supported, and yes, I realize the objtool solution > > >> currently only would support GCC). > > > > Google's production kernels are using livepatching and are built with > > Clang. Getting similar functionality working for arm64 would be of > > interest. > > Well, that's cool. I had no idea. > > I'm curious how they're generating livepatch modules? Because > kpatch-build doesn't support Clang (AFAIK), and if they're not using > kpatch-build then there are some traps to look out for. Ok, I just met with a bunch of folks that are actively working on this. Let me intro Yonghyun Hwang Pete Swain who will be the folks on point for this from Google. My understanding after some clarifications today is that Google is currently using a proprietary kernel patching mechanism that developed around a decade ago, "pre-ksplice Oracle acquisition." But we are looking to transition to kpatch, and help towards supporting arm64. Live patching is important for deploying kernel fixes faster than predetermined scheduled draining of jobs in clusters. The first steps for kpatch transition is supporting builds with Clang. Yonghyun is working on that and my hope is he will have patches for you for that soon. Curiously, the proprietary mechanism doesn't rely on stack validation. I think that such dependency was questioned on the cover letter patch's thread as well. Maybe there's "some traps to look out for" you're referring to there? I'm not privy to the details, though I would guess it has to do with ensuring kernel threads aren't executing (or planning to return through) code regions that are trying to be patched/unpatched. I am curious about frame pointers never being omitted for arm64; is frame pointer chasing is unreliable in certain contexts? The internal functionality has been used heavily in production for almost a decade, though without it being public or supporting arm64; I'm not sure precisely how they solve such issues (or how others might review such an approach). Either way, the dependencies for live patching are less important, so long as they are toolchain portable. The ability to live patch kernel images is ___important___ to Google. > > Objtool support on arm64 is interesting to me though, because it has > > found bugs in LLVM codegen. That alone is extremely valuable. But not > > it's not helpful if it's predicated or tightly coupled to GCC, as this > > series appears to do. > > I agree 100%, if there are actual Clang livepatch users (which it sounds > like there are) then we should target both compilers. Or will be. (Sorry, I didn't know we hadn't completed the transition to kpatch yet. It is "the opposite side of the house" from where I work; I literally have 8 bosses, not kidding). Though if kpatch moves to requiring GCC plugins for architectures we use extensively or would like to use more of, that's probably going to throw a wrench in multiple transition plans. (The fleet's transition to Clang is done, I'm not worried about that). > And yes, objtool has been pretty good at finding compiler bugs, so the > more coverage the better. > > The idea of rebuilding control flow from binary analysis and using > > that to find codegen bugs is a really cool idea (novel, even? idk), > > and I wish we had some analog for userspace binaries that could > > perform similar checks. > > Objtool is generic in many ways -- in fact I recently heard from a PhD > candidate who used it successfully on another kernel for an ORC > unwinder. That's pretty cool! Reuse outside the initial context is always a good sign that something was designed right. > It could probably be used on user space without much effort. That was > an early original stated goal but I definitely don't have the bandwidth > or incentive to work on it. Heh. I'm a big fan of game theory; carrot or stick, right? -- Thanks, ~Nick Desaulniers