Date: Tue, 2 Nov 2021 22:48:19 +0100
From: Peter Zijlstra
To: Ard Biesheuvel
Cc: Sami Tolvanen, Mark Rutland, X86 ML, Kees Cook, Josh Poimboeuf, Nathan Chancellor, Nick Desaulniers, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, Linux Kernel Mailing List, llvm@lists.linux.dev, joao@overdrivepizza.com
Subject: Re: [PATCH] static_call,x86: Robustify trampoline patching
Message-ID: <20211102214819.GZ174703@worktop.programming.kicks-ass.net>
References: <20211101090155.GW174703@worktop.programming.kicks-ass.net>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 02, 2021 at 07:18:53PM +0100, Ard Biesheuvel wrote:
> > The range check isn't fundamental to CFI, having a check is the
> > important thing AFAIU.
>
> Agreed. If the call site has a direct branch, it doesn't need the range check.

That, from the earlier email:

| And have the actual indirect callsite look like:
|
|	# r11 - &foo
|	ALTERNATIVE_2 "cs call __x86_indirect_thunk_r11",
|		      "cs call __x86_indirect_cfi_deadbeef", X86_FEATURE_CFI
|		      "cs call __x86_indirect_ibt_deadbeef", X86_FEATURE_IBT

So the callsite has a direct call to the hash-specific and cfi-type
specific thunk, which then does an (indirect) tail-call. The CFI one does
the hash check in the thunk and jumps to the function proper, the IBT one
does it in the landing pad. The !CFI one ignores it all and simply does
an indirect call (retpoline aided or otherwise) to the function proper --
in which case we can free all the thunks.
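An added example, not code from this thread or from the kernel: a userspace C model of the three ALTERNATIVE_2 variants Peter describes, so the difference between "check in the thunk", "check in the landing pad" and "no check" can be exercised. Assumptions made here: a callee's type hash is modelled as a field stored next to its entry (the real scheme puts it in the bytes before the function), the hash-specific thunk and the IBT landing pad are plain C functions instead of patched asm, the type hash is an FNV-1a digest of the prototype string rather than the compiler's real hash, and a mismatch records a violation and returns CFI_TRAP instead of executing ud2.

```c
/* Userspace model of the thunk-based CFI / IBT call-site variants (added example). */
#include <stdint.h>
#include <stdio.h>

#define CFI_TRAP (-1)   /* models the ud2 a real thunk or landing pad would execute */

typedef int (*int_fn)(int);

/* One callee: its code plus the type hash the compiler would emit before it. */
struct cfi_target {
    uint32_t type_hash;
    int_fn code;
};

enum call_mode { MODE_NOCFI, MODE_CFI, MODE_IBT };

/* Counts modelled traps so the behaviour is observable from a test. */
static int cfi_violations;

/* Models the register the IBT variant uses to hand the expected hash to the landing pad. */
static uint32_t hash_reg;

/* Stand-in for the compiler's type hash: FNV-1a over the prototype string (assumption). */
static uint32_t cfi_type_hash(const char *prototype)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)prototype; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

static struct cfi_target make_target(const char *prototype, int_fn code)
{
    struct cfi_target t = { cfi_type_hash(prototype), code };
    return t;
}

/* Callee-side landing pad of the IBT variant: the check runs here, after endbr. */
static int ibt_landing_pad(const struct cfi_target *t, int arg)
{
    if (hash_reg != t->type_hash) {
        cfi_violations++;
        return CFI_TRAP;
    }
    return t->code(arg);
}

/*
 * The thunk a call site reaches via "cs call __x86_indirect_cfi_<hash>" or
 * "__x86_indirect_ibt_<hash>": it is specialised for one expected hash.
 */
static int indirect_thunk(enum call_mode mode, uint32_t expected,
                          const struct cfi_target *t, int arg)
{
    switch (mode) {
    case MODE_CFI:
        /* Hash check in the thunk, then tail-call the function proper. */
        if (t->type_hash != expected) {
            cfi_violations++;
            return CFI_TRAP;
        }
        return t->code(arg);
    case MODE_IBT:
        /* Thunk only loads the hash and jumps; the landing pad does the check. */
        hash_reg = expected;
        return ibt_landing_pad(t, arg);
    case MODE_NOCFI:
    default:
        /* Plain indirect call (retpoline aided or otherwise), no check at all. */
        return t->code(arg);
    }
}

/* A call site whose prototype is int (*)(int): its thunk carries that hash. */
static int call_int_fn(enum call_mode mode, const struct cfi_target *t, int arg)
{
    return indirect_thunk(mode, cfi_type_hash("int (int)"), t, arg);
}

static int double_it(int x) { return 2 * x; }

/* Callable in C, but registered under a different prototype hash, as a
 * function reached through a corrupted or type-confused pointer would be. */
static int mistyped_fn(int x) { return x; }

/* Runs every mode against a well-typed and a mistyped target; returns 1 if the
 * model behaves as described: no check without CFI, a trap in the thunk for
 * the CFI variant, a trap in the landing pad for the IBT variant. */
static int run_model(void)
{
    struct cfi_target good = make_target("int (int)", double_it);
    struct cfi_target bad  = make_target("void (void *)", mistyped_fn);
    int ok = 1;

    cfi_violations = 0;
    ok &= call_int_fn(MODE_NOCFI, &good, 21) == 42;
    ok &= call_int_fn(MODE_NOCFI, &bad, 21) == 21;        /* no check: runs anyway */
    ok &= call_int_fn(MODE_CFI, &good, 21) == 42;
    ok &= call_int_fn(MODE_CFI, &bad, 21) == CFI_TRAP;    /* thunk traps */
    ok &= call_int_fn(MODE_IBT, &good, 21) == 42;
    ok &= call_int_fn(MODE_IBT, &bad, 21) == CFI_TRAP;    /* landing pad traps */
    ok &= cfi_violations == 2;
    return ok;
}

int main(void)
{
    printf("model %s\n", run_model() ? "matches the described behaviour" : "FAILED");
    return 0;
}
```

The point the model makes concrete is that the check is tied to the direct call site rather than to a range of addresses: the thunk (or the landing pad it jumps to) only knows the one hash baked into its name, so a well-typed target passes in every mode while the mistyped target is stopped by the CFI and IBT variants and silently executed by the !CFI one.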