From: "H.J. Lu"
Date: Wed, 28 Apr 2021 10:15:10 -0700
Subject: Re: [PATCH v26 0/9] Control-flow Enforcement: Indirect Branch Tracking
To: "Yu, Yu-cheng"
Cc: David Laight, Andy Lutomirski, x86@kernel.org, "H. Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, "Ravi V. Shankar", Vedvyas Shanbhogue, Dave Martin, Weijiang Yang, Pengfei Xu, Haitao Huang
In-Reply-To: <7d857e5d-e3d3-1182-5712-813abf48ccba@intel.com>
References: <20210427204720.25007-1-yu-cheng.yu@intel.com> <0e03c50ea05440209d620971b9db4f29@AcuMS.aculab.com> <0c6e1c922bc54326b1121194759565f5@AcuMS.aculab.com> <7d857e5d-e3d3-1182-5712-813abf48ccba@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 28, 2021 at 9:25 AM Yu, Yu-cheng wrote:
>
> On 4/28/2021 8:33 AM, David Laight wrote:
> > From: Andy Lutomirski
> >> Sent: 28 April 2021 16:15
> >>
> >> On Wed, Apr 28, 2021 at 7:57 AM H.J. Lu wrote:
> >>>
> >>> On Wed, Apr 28, 2021 at 7:52 AM Andy Lutomirski wrote:
> >>>>
> >>>> On Wed, Apr 28, 2021 at 7:48 AM David Laight wrote:
> >>>>>
> >>>>> From: Yu-cheng Yu
> >>>>>> Sent: 27 April 2021 21:47
> >>>>>>
> >>>>>> Control-flow Enforcement (CET) is a new Intel processor feature that blocks
> >>>>>> return/jump-oriented programming attacks. Details are in "Intel 64 and
> >>>>>> IA-32 Architectures Software Developer's Manual" [1].
> >>>>> ...
> >>>>>
> >>>>> Does this feature require that 'binary blobs' for out of tree drivers
> >>>>> be compiled by a version of gcc that adds the ENDBRA instructions?
> >>>>>
> >>>>> If enabled for userspace, what happens if an old .so is dynamically
> >>>>> loaded?
> >>>
> >>> CET will be disabled by ld.so in this case.
> >>
> >> What if a program starts a thread and then dlopens a legacy .so?
> >
> > Or has shadow stack enabled and opens a .so that uses retpolines?
> >
>
> When shadow stack is enabled, retpolines are not necessary. I don't
> know if glibc has been updated for detection of this case. H.J.?
>
> >>>>> Or do all userspace programs and libraries have to have been compiled
> >>>>> with the ENDBRA instructions?
> >>>
> >>> Correct. ld and ld.so check this.
> >>>
> >>>> If you believe that the userspace tooling for the legacy IBT table
> >>>> actually works, then it should just work. Yu-cheng, etc: how well
> >>>> tested is it?
> >>>>
> >>>
> >>> Legacy IBT bitmap isn't unused since it doesn't cover legacy codes
> >>> generated by legacy JITs.
> >>>
> >>
> >> How does ld.so decide whether a legacy JIT is in use?
> >
> > What if your malware just precedes its 'jump into the middle of a function'
> > with a %ds segment override?
> >
>
> Do you mean far jump? It is not tracked by ibt, which tracks near
> indirect jump. The details can be found in Intel SDM.
>
> > I may have a real problem here.
> > We currently release program/library binaries that run on Linux
> > distributions that go back as far as RHEL6 (2.6.32 kernel era).
> > To do this everything is compiled on a userspace of the same vintage.
> > I'm not at all sure a new enough gcc to generate the ENDBR64 instructions
> > will run on the relevant system - and may barf on the system headers
> > even if we got it to run.
> > I really don't want to have to build multiple copies of everything.
>
> This is likely OK. We have tested many combinations. Should you run
> into any issue, please let glibc people know.
>

If you have a Tiger Lake laptop, you can install the CET kernel on Fedora 34 or Ubuntu 20.10/21.04.

--
H.J.
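The thread says "ld and ld.so check this" without showing the check. As an added example that is neither glibc's nor binutils' code, here is how that decision can be made from an object's .note.gnu.property note (NT_GNU_PROPERTY_TYPE_0): the GNU_PROPERTY_X86_FEATURE_1_AND property records whether every input object was built with IBT, and an object lacking it is a legacy object for which CET gets disabled. The constants are the elf.h values; the two note buffers are constructed inline, and a little-endian host is assumed (ld.so's handling of the legacy bitmap is not modelled).

```c
/* Added example (not glibc code): decide whether an ELF object was built with
 * IBT by parsing its .note.gnu.property note, the check ld/ld.so perform.
 * Constants are elf.h values; note buffers are constructed; little-endian host. */
#include <stdint.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0           5
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002U
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1U << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1U << 1)

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
/* Returns the X86_FEATURE_1_AND bits, or 0 if the note is absent or malformed:
 * a loader treats such an object as legacy, i.e. built without CET. */
uint32_t x86_feature_1_and(const uint8_t *note, size_t len)
{
    /* Nhdr: namesz(4) descsz(4) type(4), then the name "GNU\0" */
    if (len < 16 || rd32(note) != 4 || rd32(note + 8) != NT_GNU_PROPERTY_TYPE_0
        || memcmp(note + 12, "GNU", 4) != 0)
        return 0;
    uint32_t descsz = rd32(note + 4);
    if (descsz > len - 16) return 0;
    const uint8_t *p = note + 16, *end = p + descsz;
    while ((size_t)(end - p) >= 8) {             /* one property per iteration */
        uint32_t pr_type = rd32(p), pr_datasz = rd32(p + 4);
        size_t step = ((size_t)pr_datasz + 7) & ~(size_t)7;  /* ELF64: 8-byte pad */
        p += 8;
        if (step > (size_t)(end - p)) return 0;  /* pr_datasz overruns the desc */
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
            return rd32(p);
        p += step;
    }
    return 0;                                    /* no x86 feature property */
}

int has_ibt(const uint8_t *note, size_t len)
{
    return (x86_feature_1_and(note, len) & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0;
}

/* Constructed: note of an object built with -fcf-protection=full (IBT|SHSTK). */
const uint8_t cet_note[] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,  /* namesz, descsz, type, name */
    0x02,0x00,0x00,0xc0, 4,0,0,0,               /* X86_FEATURE_1_AND, datasz=4 */
    0x03,0,0,0, 0,0,0,0 };                      /* IBT|SHSTK, then 4 pad bytes */
/* Constructed: legacy object; its note has only GNU_PROPERTY_NO_COPY_ON_PROTECTED. */
const uint8_t legacy_note[] = {
    4,0,0,0, 8,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0,0,0, 0,0,0,0 };                      /* pr_type=2, datasz=0 */
```

On a real binary the same bytes are what `readelf -n` prints as "x86 feature: IBT, SHSTK"; a library that lacks the property is the "legacy .so" case the thread discusses.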