Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1124732pxb;
        Sat, 17 Apr 2021 07:21:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzJ8auPc6mQhTwgClMP6dMksYKOu7FSxo4U5k2KLjKtuLLFGifDAdwI5DqhA6Hh8AB1yhns
X-Received: by 2002:a17:902:8308:b029:e9:d69:a2f with SMTP id bd8-20020a1709028308b02900e90d690a2fmr14346619plb.20.1618669269235;
        Sat, 17 Apr 2021 07:21:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618669269; cv=none;
        d=google.com; s=arc-20160816;
        b=Px14KxAuQZ1qrZzrrq1HcCnkFvuXHopfpEABgPhgwq8tPXpg1dRvAxaSWf1V4r/D6V
         xuR2LkDDNYiFOs9MZxb3Wg8z4WSygX5Qks7UjMEyns4ghkIP1W/IZ9ExCKnD21r4ttP9
         c33/r++1at1buxc+DB/n/E8alpMo8u465WXGnwqwwLN0UuZ+8XN90fVxHFc/Swv7YLpP
         CGNi4mvp51qqHkWZmYznkzQY+i2TBb4YEG9g5w397UzHGVe2KqQyBlXv5YRF3/gxKc8Y
         huzckQGc5+lZLz0zBjyDOo85a1SJFDfrCYb2V+cbaGs5b5GWMfCbCg7UdlIe1LsgyPD8
         AsPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :mime-version:accept-language:in-reply-to:references:message-id:date
         :thread-index:thread-topic:subject:cc:to:from;
        bh=gGvivH+VqPveBp2tEqpSGVh/SFHPEdxsAmJMnG6NXD4=;
        b=UQ/vsttk/C4Bsw16t+g/0t+i2M9PrmUKz4fQmJqwCMqucGZGKsofe+bhXrGQrk8BvG
         3yJnS4csyjaizyMDurB5PhmJzjT66JxZeKdSFIQdAdnxnn+ZCY6KVeJoX55Hi4CkpZxE
         Gbl0NUVkJtI2kmHoBe77iKLxMxC0tKAPKTSpRsRZ6ORyOPbLqCmLx+hBXPIwArT+Mcl9
         rJS4vNAUafw/w701VBXqIoJO8yoa7qMgol6maf8sQ8vjuA/YzWdeFh2bqebTKBwVdWe2
         GOjCPh6eb0M14UZMHTCr19NGbq00tmZc8PzxONw9Y1AU0f6G76T2ZcvRLMjygZJnrWbQ
         7Nuw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h1si9425674plb.375.2021.04.17.07.20.56;
        Sat, 17 Apr 2021 07:21:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233008AbhDQOUr convert rfc822-to-8bit (ORCPT
        <rfc822;lishoy@gmail.com> + 99 others);
        Sat, 17 Apr 2021 10:20:47 -0400
Received: from eu-smtp-delivery-151.mimecast.com ([185.58.85.151]:40240 "EHLO
        eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S236058AbhDQOUq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 17 Apr 2021 10:20:46 -0400
Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) (Using
 TLS) by relay.mimecast.com with ESMTP id
 uk-mta-238-fScdoKE0NyuCErCmE_g1LQ-1; Sat, 17 Apr 2021 15:20:17 +0100
X-MC-Unique: fScdoKE0NyuCErCmE_g1LQ-1
Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) by
 AcuMS.aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) with Microsoft SMTP
 Server (TLS) id 15.0.1497.2; Sat, 17 Apr 2021 15:20:16 +0100
Received: from AcuMS.Aculab.com ([fe80::994c:f5c2:35d6:9b65]) by
 AcuMS.aculab.com ([fe80::994c:f5c2:35d6:9b65%12]) with mapi id
 15.00.1497.015; Sat, 17 Apr 2021 15:20:16 +0100
From:   David Laight <David.Laight@ACULAB.COM>
To:     'Kees Cook' <keescook@chromium.org>,
        Andy Lutomirski <luto@kernel.org>
CC:     Borislav Petkov <bp@alien8.de>,
        Sami Tolvanen <samitolvanen@google.com>,
        X86 ML <x86@kernel.org>, Josh Poimboeuf <jpoimboe@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Nathan Chancellor <nathan@kernel.org>,
        "Nick Desaulniers" <ndesaulniers@google.com>,
        Sedat Dilek <sedat.dilek@gmail.com>,
        "linux-hardening@vger.kernel.org" <linux-hardening@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        clang-built-linux <clang-built-linux@googlegroups.com>
Subject: RE: [PATCH 05/15] x86: Implement function_nocfi
Thread-Topic: [PATCH 05/15] x86: Implement function_nocfi
Thread-Index: AQHXMw/PuSsNstP2FUia6sIzu9nmdKq4wQCQ
Date:   Sat, 17 Apr 2021 14:20:16 +0000
Message-ID: <a8653ebf0a52498888f728524ebaa110@AcuMS.aculab.com>
References: <20210416203844.3803177-1-samitolvanen@google.com>
 <20210416203844.3803177-6-samitolvanen@google.com>
 <20210416211855.GD22348@zn.tnic>
 <CABCJKud8TvzhcjHCpsrtCJ4B50ZUfaL48F42EhZ2zWKLteAc0Q@mail.gmail.com>
 <20210416220251.GE22348@zn.tnic>
 <CALCETrVTtKqD6fonUmT_qr0HJ0X9TWzLGq-wpm+A7XKyjn3W5g@mail.gmail.com>
 <202104161519.1D37B6D26@keescook>
In-Reply-To: <202104161519.1D37B6D26@keescook>
Accept-Language: en-GB, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.202.205.107]
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com;
        auth=pass smtp.auth=C51A453 smtp.mailfrom=david.laight@aculab.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: aculab.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook
> Sent: 16 April 2021 23:28
> 
> On Fri, Apr 16, 2021 at 03:06:17PM -0700, Andy Lutomirski wrote:
> > On Fri, Apr 16, 2021 at 3:03 PM Borislav Petkov <bp@alien8.de> wrote:
> > >
> > > On Fri, Apr 16, 2021 at 02:49:23PM -0700, Sami Tolvanen wrote:
> > > > __nocfi only disables CFI checking in a function, the compiler still
> > > > changes function addresses to point to the CFI jump table, which is
> > > > why we need function_nocfi().
> > >
> > > So call it __func_addr() or get_function_addr() or so, so that at least
> > > it is clear what this does.
> > >
> >
> > This seems backwards to me.  If I do:
> >
> > extern void foo(some signature);
> >
> > then I would, perhaps naively, expect foo to be the actual symbol that
> > gets called
> 
> Yes.
> 
> > and for the ABI to be changed to do the CFI checks.
> 
> Uh, no? There's no ABI change -- indirect calls are changed to do the
> checking.
> 
> > The
> > foo symbol would point to whatever magic is needed.
> 
> No, the symbol points to the jump table entry. Direct calls get minimal
> overhead and indirect calls can add the "is this function in the right
> table" checking.


Isn't this a bit like one of the PPC? ABI where function addresses
aren't (always) the entry point.
IIRC is causes all sorts of obscure grief.

I'd also like to know how indirect calls are actually expected to work.
The whole idea is that the potential targets might be in a kernel module
that is loaded at run time.

Scanning a list of possible targets has to be a bad design decision.

If you are trying to check that the called function has the right
prototype, stashing a hash of the prototype (or a known random number)
before the entry point would give most of the benefits without most
of the costs.
The linker could be taught to do the same test (much like name mangling
but without the crap user experience).

That scheme only has the downside of a data cache miss and (hopefully)
statically predicted correct branch (hmm - except you don't want to
speculatively execute the wrong function) and polluting the data cache
with code.

This all seems like a ploy to force people to buy faster cpus.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)