From: David Laight
To: 'Peter Zijlstra', Andy Lutomirski
CC: Kees Cook, Ard Biesheuvel, Sami Tolvanen, Mark Rutland, the arch/x86 maintainers, Josh Poimboeuf, Nathan Chancellor, Nick Desaulniers, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, Linux Kernel Mailing List, llvm@lists.linux.dev
Subject: RE: [PATCH] static_call,x86: Robustify trampoline patching
Date: Wed, 3 Nov 2021 10:01:40 +0000
In-Reply-To: <20211103083559.GB174703@worktop.programming.kicks-ass.net>
References: <20211101090155.GW174703@worktop.programming.kicks-ass.net> <202111021040.6570189A5@keescook> <90a14299-ce56-41d5-9df9-f625aae1ac70@www.fastmail.com> <202111021603.EDE5780FE@keescook> <20211103083559.GB174703@worktop.programming.kicks-ass.net>

From: Peter Zijlstra
> Sent: 03 November 2021 08:36
>
> On Tue, Nov 02, 2021 at 05:20:05PM -0700, Andy Lutomirski wrote:
> > I think that's a big mistake -- any sane ENDBR-using scheme would
> > really prefer that ENDBR to be right next to the actual function body,
> > and really any scheme would benefit due to better cache locality.
>
> Agreed, IBT/BTI want the landing pad in front of the actual function.
>
> > But, more importantly, IMO any sane ENDBR-using scheme wants to
> > generate the indirect stub as part of code gen for the actual
> > function.
>
> Sorta, I really want to be able to not have a landing pad for functions
> whose address is never taken. At that point it doesn't matter if it gets
> generated along with the function and then stripped/poisoned later, or
> generated later.
>
> As such, the landing pad should not be part of the function proper,
> direct calls should never observe it.
>
> Less landing pads is more better.

One problem is when a direct call is 'too far' for a call instruction.
IIRC this can happen in arm64 with modules (all 64bit except x86?).
So an indirect call has to be used instead - which needs the landing pad.

Although it may actually be better to put a trampoline (landing pad + near jump)
elsewhere and have the module loader do the correct fixup.
(Is the loader already generating a trampoline in the module code?)
The function body can then be cache-line aligned - with its benefits.

Can't anything that can write instructions always use a retpoline to
implement a jump indirect to an arbitrary address?
(Not to mention just generating the required code rather than a call.)

AFAICT CFI is all about detecting invalid values in function pointer tables.
It doesn't really protect in any way from JIT code doing incorrect things.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
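An added user-space illustration of the "direct call is too far" case discussed in this message (not code from the thread or from the kernel's static_call implementation): the checks a patcher must make on x86-64 before emitting a direct call, namely whether the target is within rel32 reach, how the 5-byte call is encoded without silently truncating the displacement, and whether a function entry carries an ENDBR64 landing pad that an indirect call would need. The byte sequences and addresses are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample function entries: one with an IBT landing pad, one without. */
static const uint8_t sample_ibt_entry[]   = { 0xf3, 0x0f, 0x1e, 0xfa, 0x55, 0x48, 0x89, 0xe5 };
static const uint8_t sample_plain_entry[] = { 0x55, 0x48, 0x89, 0xe5 };

/* ENDBR64 is encoded f3 0f 1e fa; under IBT it is the only valid indirect-branch target. */
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* A direct "call rel32" (e8 xx xx xx xx) is 5 bytes; rel32 is relative to the next insn. */
#define CALL_INSN_SIZE 5

/* Does the code at 'entry' start with an ENDBR64 landing pad? */
bool has_endbr(const uint8_t *entry)
{
    return memcmp(entry, ENDBR64, sizeof ENDBR64) == 0;
}

/* Signed displacement from the end of a call at 'site' to 'target'.
 * Unsigned subtraction wraps mod 2^64, so the cast yields the correct sign. */
int64_t call_displacement(uint64_t site, uint64_t target)
{
    return (int64_t)(target - (site + CALL_INSN_SIZE));
}

/* rel32 reaches +/-2 GiB; beyond that the direct call is "too far" and a
 * trampoline or indirect call (which then needs a landing pad) is required. */
bool rel32_reachable(int64_t disp)
{
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Emit "call rel32" into buf; refuses rather than truncating an out-of-range displacement. */
bool encode_direct_call(uint64_t site, uint64_t target, uint8_t buf[CALL_INSN_SIZE])
{
    int64_t disp = call_displacement(site, target);
    if (!rel32_reachable(disp))
        return false;
    uint32_t rel = (uint32_t)(int32_t)disp;       /* two's-complement bit pattern */
    buf[0] = 0xe8;
    for (int i = 0; i < 4; i++)                   /* little-endian immediate */
        buf[1 + i] = (uint8_t)(rel >> (8 * i));
    return true;
}
```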