From: Ard Biesheuvel
Date: Mon, 1 Nov 2021 00:36:18 +0100
Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching
To: Peter Zijlstra
Cc: Sami Tolvanen, Mark Rutland, X86 ML, Kees Cook, Josh Poimboeuf, Nathan Chancellor, Nick Desaulniers, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, Linux Kernel Mailing List, llvm@lists.linux.dev
X-Mailing-List: linux-kernel@vger.kernel.org
References:
  <20211029200324.GR174703@worktop.programming.kicks-ass.net>
  <20211030074758.GT174703@worktop.programming.kicks-ass.net>
  <20211030180249.GU174703@worktop.programming.kicks-ass.net>
  <20211031163920.GV174703@worktop.programming.kicks-ass.net>

On Sun, 31 Oct 2021 at 21:45, Peter Zijlstra wrote:
>
> On Sun, Oct 31, 2021 at 09:21:56PM +0100, Ard Biesheuvel wrote:
>
> > That means we can support static calls on arm64 now without breaking
> > Clang CFI, and work on a solution for the redundant jumps on a more
> > relaxed schedule.
>
> Yes, arm64 has a 'problem' with having already merged the clang-cfi
> stuff :/
>
> I'm hoping the x86 solution can be an alternative CFI scheme, I'm
> starting to really hate this one. And I'm not at all convinced the
> proposed scheme is the best possible scheme given the constraints of
> kernel code. AFAICT it's a compromise made in userspace.

Your scheme only works with IBT: the value of %r11 is under the
adversary's control so it could just point it at 'foo+0x10' if it wants
to call foo indirectly, and circumvent the check. So without IBT (or
BTI), I think the check fundamentally belongs in the caller, not in the
callee.