Date: Tue, 2 Nov 2021 13:57:44 +0100
From: Peter Zijlstra
To: Ard Biesheuvel
Cc: Sami Tolvanen, Mark Rutland, X86 ML, Kees Cook, Josh Poimboeuf, Nathan Chancellor, Nick Desaulniers, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, Linux Kernel Mailing List, llvm@lists.linux.dev
Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching
References: <20211031163920.GV174703@worktop.programming.kicks-ass.net> <20211101090155.GW174703@worktop.programming.kicks-ass.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 01, 2021 at 03:14:41PM +0100, Ard Biesheuvel wrote:
> On Mon, 1 Nov 2021 at 10:05, Peter Zijlstra wrote:
>
> > How is that not true for the jump table approach? Like I showed earlier,
> > it is *trivial* to reconstruct the actual function pointer from a
> > jump-table entry pointer.
> >
>
> That is not the point. The point is that Clang instruments every
> indirect call that it emits, to check whether the type of the jump
> table entry it is about to call matches the type of the caller. IOW,
> the indirect calls can only branch into jump tables, and all jump
> table entries in a table each branch to the start of some function of
> the same type.
>
> So the only thing you could achieve by adding or subtracting a
> constant value from the indirect call address is either calling
> another function of the same type (if you are hitting another entry in
> the same table), or failing the CFI type check.

Ah, I see, so the call-site needs to have a branch around the indirect
call instruction.

> Instrumenting the callee only needs something like BTI, and a
> consistent use of the landing pads to ensure that you cannot trivially
> omit the check by landing right after it.

That does bring up another point tho; how are we going to do a kernel
that's optimal for both software CFI and hardware aided CFI?

All questions that need answering I think.

So how insane is something like this, have each function:

foo.cfi:
	endbr64
	xorl $0xdeadbeef, %r10d		# type hash of foo
	jz foo
	ud2
	nop				# make it 16 bytes
foo:
	# actual function text goes here

And for each hash have two thunks:

	# arg: r11
	# clobbers: r10, r11
__x86_indirect_cfi_deadbeef:
	movl -9(%r11), %r10d		# immediate in foo.cfi
	xorl $0xdeadbeef, %r10d		# our immediate
	jz 1f
	ud2
1:	ALTERNATIVE_2 "jmp *%r11",
		      "jmp __x86_indirect_thunk_r11", X86_FEATURE_RETPOLINE,
		      "lfence; jmp *%r11", X86_FEATURE_RETPOLINE_AMD

	# arg: r11
	# clobbers: r10, r11
__x86_indirect_ibt_deadbeef:
	movl $0xdeadbeef, %r10d		# callee's foo.cfi does the compare
	subq $0x10, %r11		# &foo -> &foo.cfi (the endbr64)
	ALTERNATIVE "", "lfence", X86_FEATURE_RETPOLINE
	jmp *%r11

And have the actual indirect callsite look like:

	# r11 - &foo
	ALTERNATIVE_2 "cs call __x86_indirect_thunk_r11",
		      "cs call __x86_indirect_cfi_deadbeef", X86_FEATURE_CFI,
		      "cs call __x86_indirect_ibt_deadbeef", X86_FEATURE_IBT

Although if the compiler were to emit:

	cs call __x86_indirect_cfi_deadbeef

we could probably fix it up from there.

Then we can at runtime decide between:

	{!cfi, cfi, ibt} x {!retpoline, retpoline, retpoline-amd}
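As an added illustration (not code from this thread or from the kernel), a byte-level C model of the preamble and the two thunks sketched above: it encodes the 16-byte foo.cfi stub, confirms that the xorl immediate really sits at &foo - 9 as the cfi thunk assumes, and shows that the ibt thunk's subq $0x10 lands on the endbr64. The instruction encodings and the buffer layout are my assumptions, standard x86-64 encodings laid out as the sketch describes.

```c
#include <stdint.h>
#include <string.h>

/* Byte-level model of the preamble sketched above (constructed example, not
 * kernel code; encodings are the standard x86-64 ones). */
#define PREAMBLE_LEN 16   /* foo = foo.cfi + 16 */
#define HASH_OFFSET  (-9) /* the xorl imm32 sits 9 bytes before foo */

/* Write foo.cfi into buf (>= 16 bytes) and return &foo. */
static uint8_t *build_function(uint8_t *buf, uint32_t hash)
{
    static const uint8_t endbr64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
    uint8_t *p = buf;
    memcpy(p, endbr64, 4);           p += 4;  /* endbr64               */
    *p++ = 0x41; *p++ = 0x81; *p++ = 0xf2;    /* xorl $imm32, %r10d    */
    memcpy(p, &hash, 4);             p += 4;  /* little-endian imm32   */
    *p++ = 0x74; *p++ = 0x03;                 /* jz foo (skip ud2,nop) */
    *p++ = 0x0f; *p++ = 0x0b;                 /* ud2                   */
    *p++ = 0x90;                              /* nop: pad to 16 bytes  */
    return p;                                 /* == buf + PREAMBLE_LEN */
}

/* __x86_indirect_cfi_<hash> as a pure function: read the callee's imm32 from
 * foo-9, xor with the caller's hash; zero means "jmp *%r11", else ud2. */
static int cfi_check(const uint8_t *foo, uint32_t caller_hash)
{
    uint32_t callee_hash;
    memcpy(&callee_hash, foo + HASH_OFFSET, 4);
    return (callee_hash ^ caller_hash) == 0;
}

/* __x86_indirect_ibt_<hash>: subq $0x10 from &foo lands on foo.cfi, whose
 * endbr64 is the IBT landing pad; the callee then performs the xor itself. */
static const uint8_t *ibt_target(const uint8_t *foo)
{
    return foo - PREAMBLE_LEN;
}

/* Two callees with different type hashes: a matching call passes, a
 * mismatched one traps, and the IBT target begins with endbr64. */
static int selftest(void)
{
    uint8_t foo_img[16], bar_img[16];
    const uint8_t *foo = build_function(foo_img, 0xdeadbeefu);
    const uint8_t *bar = build_function(bar_img, 0xcafebabeu);
    return cfi_check(foo, 0xdeadbeefu) && !cfi_check(bar, 0xdeadbeefu)
        && ibt_target(foo) == foo_img && ibt_target(foo)[0] == 0xf3;
}
```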