Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1826712pxb; Wed, 9 Feb 2022 05:26:17 -0800 (PST) X-Google-Smtp-Source: ABdhPJzz6jbqEB7ldJED6P9E4XpUoBZkbi9Q+nvShzY4kPYIhTGCsb66v6ANnj7GegGQTkyM6knc X-Received: by 2002:a05:6a00:1a50:: with SMTP id h16mr2292258pfv.74.1644413177153; Wed, 09 Feb 2022 05:26:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644413177; cv=none; d=google.com; s=arc-20160816; b=c2hZA3yo7rLFCfAVld/7Irp5pXFTxcU5rqRS7titMPC7gUzHfyJ+07kwDL0N3+nCM5 enzbpN+v2KJQZnoSEGwjUV1QAcfSSAgvyHINiJO1gR9zkKTkPA9ZQhywNCxd83bEqc6x pPQiDhZujRHNc4EHHKDkOpdgvqCOnmeqkIMC+F4gGVTZDYRfO530acPuf93zF0qtey4N TVWw+y42JvFf9WRicD8KCsazxy1wwRGb2ac3OA5Al0tLycrHU6ikMpdisZzqUen2NS5V 8aTMkwiga4pt5EcVgSlq4QWfXDU35WjaWwiCeF6KodBmVBVIWpfmqMx3arvtNtVJXrxS k5Jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=6+sTXDYmgUQsDsJLKYnziAyPf1hDavDmQY5J7q52kzU=; b=XHI6ZabP7efaCCS64lNZVB7PLk8LSSd3/Cb4nD+fDdEf+yqHvFBKgbH8VFEMvsWHgG 94k6GdfUmViUrcShVwwSlCNSW2CwfTQrAZtrHhc5dC7UhEhNKMpgJ5cc4N6wlzbyhqO5 KL6U4YlhMUZmeYEtiYsNALNYz5BgMOWPRZB3D95OLRLHRd+Eok0Wsh/TFPKwWW+lqIWt GjhQIrBllZaDotI0eaKAdmqfOgyrdyHonEmurwlhSJiFqE6cclkJFwfND7/lobFmXd0N s/fQ67AIpsaS63qk5j/cLhkoUwlJAlQiNgZIpdOsvMQkNTuD7e7izjie+2/pUpCz8n0U RYyw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=bxG+vq9e; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id o7si18216091pfp.164.2022.02.09.05.26.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Feb 2022 05:26:17 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=bxG+vq9e; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 13A6AE085BDC; Wed, 9 Feb 2022 02:09:31 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237880AbiBHXmg (ORCPT + 99 others); Tue, 8 Feb 2022 18:42:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48882 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237833AbiBHXmf (ORCPT ); Tue, 8 Feb 2022 18:42:35 -0500 Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D02ABC061576 for ; Tue, 8 Feb 2022 15:42:34 -0800 (PST) Received: by mail-pl1-x631.google.com with SMTP id x3so700370pll.3 for ; Tue, 08 Feb 2022 15:42:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=6+sTXDYmgUQsDsJLKYnziAyPf1hDavDmQY5J7q52kzU=; b=bxG+vq9e3SrwYf4/FxA1grj/gUOyczUGU1bFcT8v36LdowcfF2hAgXMQPHKEzV9/pB qXQRxGgd+B1VbFvyV2nq0D9IW3lLsBBAWiT8It3alVq/ceJ6kUx35g1PnKdOKBG0ssv+ R3aiUo/pBVqYnCHUtdp1fR3OKs0RsLlgkId68= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=6+sTXDYmgUQsDsJLKYnziAyPf1hDavDmQY5J7q52kzU=; b=1jqI8QjWu2CiGcSrqdAfG4laWOK4UkS/Kr7FRTmjzZWTbL6LWNogRZYe9Pv1nowyN4 bcAJZj2GXGbBNa1UGHtZe2onOS62HifyvSOIEGYimLlE30DUfNdrX3S6ZVfdILDMT0TW eFCZ3szB8YqXAP/L+PLBRplhKQd3dqWlfqSzF9Ue8/66Z9c8KtVv3ORl/1C+B9T6+Azc ETu6m8oD5Fbo4FvsD7KulLlcfx3fS/fUPCtInbIN9IdpjyY9BYHCKcTbm5MyH+5OWUqd xtbBq7CRJuKmf98Sc1s6xISNPKnJ8LDtWLtFrI9Est/b5E8EwWfiwBWVK4mpwT6bpF8h hWJg== X-Gm-Message-State: AOAM530QqErmar48aQos7d7Cqwf+0uGF7OB67do6Po0SgXZf95gh5Scg Iip1BBmTrbDsoRUnG2WVNDm14Q== X-Received: by 2002:a17:903:1207:: with SMTP id l7mr7035725plh.19.1644363754281; Tue, 08 Feb 2022 15:42:34 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id s14sm17294592pfk.65.2022.02.08.15.42.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Feb 2022 15:42:34 -0800 (PST) Date: Tue, 8 Feb 2022 15:42:33 -0800 From: Kees Cook To: joao@overdrivepizza.com Cc: Peter Zijlstra , x86@kernel.org, hjl.tools@gmail.com, jpoimboe@redhat.com, andrew.cooper3@citrix.com, linux-kernel@vger.kernel.org, ndesaulniers@google.com, samitolvanen@google.com Subject: Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups Message-ID: <202202081541.900F9E1B@keescook> References: <20211122170301.764232470@infradead.org> <20211122170805.338489412@infradead.org> <6ebb0ab131c522f20c094294d49091fc@overdrivepizza.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6ebb0ab131c522f20c094294d49091fc@overdrivepizza.com> X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Dec 23, 2021 at 06:05:50PM -0800, joao@overdrivepizza.com wrote: > On 2021-11-22 09:03, Peter Zijlstra wrote: > > Objtool based IBT validation in 3 passes: > > > > --ibt-fix-direct: > > > > Detect and rewrite any code/reloc from a JMP/CALL instruction > > to an ENDBR instruction. This is basically a compiler bug since > > neither needs the ENDBR and decoding it is a pure waste of time. > > > > --ibt: > > > > Report code relocs that are not JMP/CALL and don't point to ENDBR > > > > There's a bunch of false positives, for eg. static_call_update() > > and copy_thread() and kprobes. But most of them were due to > > _THIS_IP_ which has been taken care of with the prior annotation. > > > > --ibt-seal: > > > > Find and NOP superfluous ENDBR instructions. Any function that > > doesn't have it's address taken should not have an ENDBR > > instruction. This removes about 1-in-4 ENDBR instructions. > > > > I did some experimentation with compiler-based implementation for two of the > features described here (plus an additional one). Before going into details, > just a quick highlight that the compiler has limited visibility over > handwritten assembly sources thus, depending on the feature, a > compiler-based approach will not cover as much as objtool. All the > observations below were made when compiling the kernel with defconfig, + > CLANG-related options, + LTO sometimes. Here I used kernel revision > 0fcfb00b28c0b7884635dacf38e46d60bf3d4eb1 with PeterZ's IBT Beginning patches > applied on top (plus changes to Kbuild), thus, IBT was not really enforced. > Tests consisted mostly of Clang's synthetics tests + booting a compiled > kernel. > > Prototypes of the features are available in: > https://github.com/lvwr/llvm/tree/joao/ibt -- I fixed as many corner cases I > could find while trying it out, but I believe some might still be haunting. > Also, I'm not very keen to Kbuild internals nor to however the kernel > patches itself during runtime, so I may have missed some details. > > Finally, I'm interested in general feedback about this... better ways of > implementing, alternative approaches, new possible optimizations and > everything. I should be AFK for a few days in the next weeks, but I'll be > glad to discuss this in January and then. Happy Holidays :) > > The features: > > -mibt-seal: > > Add ENDBRs exclusively to address-taken functions regardless of its linkage > visibility. Only make sense together with LTO. > > Observations: Reduced drastically the number of ENDBRs placed in the kernel > binary (From 44383 to 33192), but still missed some that were later fixed by > objtool (Number of fixes by objtool reduced from 11730 to 540). I did not > investigate further why these superfluous ENDBRs were still left in the > binary, but at this point my hypotheses spin around (i) false-positive > address-taken conclusions by the compiler, possibly due to things like > exported symbols and such; (ii) assembly sources which are invisible to the > compiler (although this would more likely hide address taken functions); > (iii) other binary level transformations done by objtool. > > Runtime testing: The kernel was verified to properly boot after being > compiled with -mibt-seal (+ LTO). > > Note: This feature was already submitted for upstreaming with the > llvm-project: https://reviews.llvm.org/D116070 Ah nice; I see this has been committed now. Given that IBT will need to work with both Clang and gcc, I suspect the objtool approach will still end up needing to do all the verification. (And as you say, it has limited visibility into assembly.) -Kees -- Kees Cook