Message-Id: <7377e6b9-7130-4c20-a0c8-16de4620c995@www.fastmail.com>
In-Reply-To: <20211013181658.1020262-4-samitolvanen@google.com>
Date: Thu, 14 Oct 2021 19:51:11 -0700
From: "Andy Lutomirski"
To: "Sami Tolvanen", "the arch/x86 maintainers"
Cc: "Kees Cook", "Josh Poimboeuf", "Peter Zijlstra (Intel)", "Nathan Chancellor", "Nick Desaulniers", "Sedat Dilek", "Steven Rostedt", linux-hardening@vger.kernel.org, "Linux Kernel Mailing List", llvm@lists.linux.dev
Subject: Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C

On Wed, Oct 13, 2021, at 11:16 AM, Sami Tolvanen wrote:
> The kernel has several assembly functions, which are not directly
> callable from C but need to be referred to from C code. This change adds
> the DECLARE_NOT_CALLED_FROM_C macro, which allows us to declare these
> symbols using an opaque type, which makes misuse harder, and avoids the
> need to annotate references to the functions for Clang's Control-Flow
> Integrity (CFI).
>
> Suggested-by: Andy Lutomirski
> Suggested-by: Steven Rostedt
> Signed-off-by: Sami Tolvanen
> Tested-by: Nick Desaulniers
> Tested-by: Sedat Dilek
> ---
> include/linux/linkage.h | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/include/linux/linkage.h b/include/linux/linkage.h
> index dbf8506decca..f982d5f550ac 100644
> --- a/include/linux/linkage.h
> +++ b/include/linux/linkage.h
> @@ -48,6 +48,19 @@
> #define __PAGE_ALIGNED_DATA .section ".data..page_aligned", "aw"
> #define __PAGE_ALIGNED_BSS .section ".bss..page_aligned", "aw"
>
> +/*
> + * Declares a function not callable from C using an opaque type. Defined as
> + * an array to allow the address of the symbol to be taken without '&'.
> + */

I’m not convinced that taking the address without using & is a laudable goal. The magical arrays-are-pointers-too behavior of C is a mistake, not a delightful simplification.

> +#ifndef DECLARE_NOT_CALLED_FROM_C
> +#define DECLARE_NOT_CALLED_FROM_C(sym) \
> + extern const u8 sym[]
> +#endif

The relevant property of these symbols isn’t that they’re not called from C. The relevant thing is that they are just and not objects of a type that the programmer cares to tell the compiler about. (Or that the compiler understands, for that matter. On a system with XO memory or if they’re in a funny section, dereferencing them may fail.)

So I think we should use incomplete structs, which can’t be dereferenced and will therefore be less error prone.
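
Review bot: the comment added above DECLARE_NOT_CALLED_FROM_C describes the declaration as an opaque type, but "extern const u8 sym[]" is an ordinary byte array, so sym[0], pointer arithmetic on sym and passing sym where a const void * is expected all compile without a diagnostic. Either reword the comment to say that only a direct call is prevented, or use a type that cannot be read through. The comment also does not explain the "#ifndef DECLARE_NOT_CALLED_FROM_C" guard; if it is there so that an architecture can supply its own definition, say so in the comment.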
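
The difference between the two declaration styles discussed in the message above, as an added example (not code from the patch or from the kernel). The symbol demo_asm_entry, struct demo_asm_symbol and the helper functions are hypothetical, the one-byte stub is constructed, and the block assumes GCC or Clang on a platform where text is readable.

```c
#include <stdint.h>

typedef uint8_t u8;

/* Constructed stand-in for an assembly entry point: a global label in
 * .text followed by one byte (0xc3, the x86 `ret` opcode). */
__asm__(".text\n"
        ".globl demo_asm_entry\n"
        "demo_asm_entry:\n"
        "    .byte 0xc3\n");

/* Style used by the patch: an array of u8 with unknown bound. */
extern const u8 entry_as_array[] __asm__("demo_asm_entry");

/* Style suggested in the reply: a struct type that is never defined. */
struct demo_asm_symbol;
extern const struct demo_asm_symbol entry_as_opaque __asm__("demo_asm_entry");

/* Both styles give C code the same address for the symbol. */
const void *addr_via_array(void)  { return entry_as_array; }
const void *addr_via_opaque(void) { return &entry_as_opaque; }

/* The array style also lets C read the code bytes. This compiles without
 * a diagnostic, and would fault at run time on execute-only text. */
u8 first_byte_via_array(void) { return entry_as_array[0]; }

/* With the incomplete struct, the same kinds of access are rejected by the
 * compiler because the type has no size or members:
 *
 *   struct demo_asm_symbol copy = entry_as_opaque;  // incomplete type
 *   sizeof(entry_as_opaque);                        // incomplete type
 *   (&entry_as_opaque)[1];                          // incomplete type
 *
 * Reading bytes then needs an explicit cast such as
 * *(const u8 *)&entry_as_opaque, which stands out in review.
 */
```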