Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1724743pxm; Thu, 24 Feb 2022 08:15:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJy9OXKRrWzDUN4L+HpJpyn0o8EEIqVgZgu+mSHYHvfVfntp21lt3WzPhZRy30/jf00xRNNx X-Received: by 2002:a17:902:9a96:b0:14f:ecc0:c21a with SMTP id w22-20020a1709029a9600b0014fecc0c21amr3313675plp.78.1645719313968; Thu, 24 Feb 2022 08:15:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645719313; cv=none; d=google.com; s=arc-20160816; b=Wj0zg4uqMA4uSTDaVLq8TcUQUZrheM3R8SDckx9pH9StJ/2ISRNWCrNYo/AhY1WKjc lw+qybmG3F+BN9cMIFRpUsnZc4/Su/DerHQBN36HbM+g8J28mtMxAP6aaRPUnQ/b6xhH opyWW9PW4MLdKC62Baf5NY1g/k+KlhTZPO/xHOk1amTJeAaS6d11A0G0BkTU76lXQt04 n+CEjEWfx1p5q/Gn+DHN3YXO0UZAt9cenIeiff0/ZHJScdkyFgJ2wKpiR3OXOQ7AYOQB 1/QMOkw+v5dAvVDkxoSQpvG+GEjvWqKCuL9KLmRmA+gK/9syGwACn7iidbBi9qf6GQsk PvUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:subject:cc:to:from:date :user-agent:message-id:dkim-signature; bh=bva9vPHXQYlcS7hOjih1Py2Kr67jbSPtC0VimiZzpYo=; b=LEukevZyx5Q5VhyeWg0GIpIp8JehJSZ4tfzgCWVzCT3l3INbqv5hUdCYp2HCaQjlqC xei4nRDmXeVMxpyuCsGCWcE0WC+oD4UERqF9Jn4apK8Dv6/qUArXOvM789JIWLcq1IK6 wsJsuqh4GOksOrY+OCQaNsaEhnjzE3ulSdqOGbPaXC5B0+Lh0uEVtVafKIkhtaU8M9bx fIhO/p7TJzqBGQ/1Tb5tH8EN/55mBLRJN3DiYCEuBDysNI0AGr3lPMkSSIKkl3pzQaoE 1CVWovCJyR2D0VTMdvUvXxn3lLw3cVNPmSIyt87nvZPc0tF7p5AfFSOWjRVvQhWoqYcA bn1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=fnpWiWTT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id s14si3081634pfu.318.2022.02.24.08.15.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Feb 2022 08:15:13 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=fnpWiWTT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5127F2A27C; Thu, 24 Feb 2022 08:06:59 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235915AbiBXPTG (ORCPT + 99 others); Thu, 24 Feb 2022 10:19:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42406 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235968AbiBXPS2 (ORCPT ); Thu, 24 Feb 2022 10:18:28 -0500 Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8435144F4A for ; Thu, 24 Feb 2022 07:17:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Type:MIME-Version:References: Subject:Cc:To:From:Date:Message-ID:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:In-Reply-To; bh=bva9vPHXQYlcS7hOjih1Py2Kr67jbSPtC0VimiZzpYo=; b=fnpWiWTTG+VNzxDVzv0wlEhQ0N Nm7SG63xcJz8PTBYg1tKnn/GkcT8a4/7PhrezkRWcyDsnfq9GAKbfHpb3MoZVBSsn7VD57Sbdsj72 LnrCzJ4FjKIOCrRn6MOpkKp2rstx3zYdOCl9TFR6qRBMe2GXGdX8A5p5uvI9Ug6nEoF8Qu6J9IOG/ 5k10xOjEcY1wY0vOtzak0+pdhcXlDcT30cJsehYympIb0QuaNIFYvALKnd0mWfAitXA+sQd+g1JBa HbOIsCFg/3Gsxx/NK8gc47lZnb8PEzKmKAc775AdafsPYqJEhme4qSzCmlD/Lt1I93PavEyupPVdc xc2WeFSg==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by desiato.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1nNFs3-00CeLa-61; Thu, 24 Feb 2022 15:17:31 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 2638D30081D; Thu, 24 Feb 2022 16:17:29 +0100 (CET) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 0) id 2F69929E75E51; Thu, 24 Feb 2022 16:17:28 +0100 (CET) Message-ID: <20220224151322.307406918@infradead.org> User-Agent: quilt/0.66 Date: Thu, 24 Feb 2022 15:51:43 +0100 From: Peter Zijlstra To: x86@kernel.org, joao@overdrivepizza.com, hjl.tools@gmail.com, jpoimboe@redhat.com, andrew.cooper3@citrix.com Cc: linux-kernel@vger.kernel.org, peterz@infradead.org, ndesaulniers@google.com, keescook@chromium.org, samitolvanen@google.com, mark.rutland@arm.com, alyssa.milburn@intel.com, mbenes@suse.cz, rostedt@goodmis.org, mhiramat@kernel.org, alexei.starovoitov@gmail.com Subject: [PATCH v2 05/39] x86: Base IBT bits References: <20220224145138.952963315@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add Kconfig, Makefile and basic instruction support for x86 IBT. XXX clang is not playing ball, probably lld being 'funny', I'm having problems with .plt entries appearing all over after linking. Signed-off-by: Peter Zijlstra (Intel) --- arch/x86/Kconfig | 19 ++++++++++++ arch/x86/Makefile | 7 +++- arch/x86/include/asm/ibt.h | 71 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 2 deletions(-) --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1861,6 +1861,25 @@ config X86_UMIP specific cases in protected and virtual-8086 modes. Emulated results are dummy. +config CC_HAS_IBT + # GCC >= 9 and binutils >= 2.29 + # Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654 + # Clang/LLVM >= 14 + # fentry check to work around https://reviews.llvm.org/D111108 + def_bool ((CC_IS_GCC && $(cc-option, -fcf-protection=branch -mindirect-branch-register)) || \ + (CC_IS_CLANG && $(cc-option, -fcf-protection=branch -mfentry))) && \ + $(as-instr,endbr64) + +config X86_KERNEL_IBT + prompt "Indirect Branch Tracking" + bool + depends on X86_64 && CC_HAS_IBT + help + Build the kernel with support for Indirect Branch Tracking, a + hardware supported CFI scheme. Any indirect call must land on + an ENDBR instruction, as such, the compiler will litter the + code with them to make this happen. + config X86_INTEL_MEMORY_PROTECTION_KEYS prompt "Memory Protection Keys" def_bool y --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -36,7 +36,7 @@ endif # How to compile the 16-bit code. Note we always compile for -march=i386; # that way we can complain to the user if the CPU is insufficient. -REALMODE_CFLAGS := -m16 -g -Os -DDISABLE_BRANCH_PROFILING \ +REALMODE_CFLAGS := -m16 -g -Os -DDISABLE_BRANCH_PROFILING -D__DISABLE_EXPORTS \ -Wall -Wstrict-prototypes -march=i386 -mregparm=3 \ -fno-strict-aliasing -fomit-frame-pointer -fno-pic \ -mno-mmx -mno-sse $(call cc-option,-fcf-protection=none) @@ -62,8 +62,11 @@ export BITS # KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -# Intel CET isn't enabled in the kernel +ifeq ($(CONFIG_X86_KERNEL_IBT),y) +KBUILD_CFLAGS += $(call cc-option,-fcf-protection=branch) +else KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none) +endif ifeq ($(CONFIG_X86_32),y) BITS := 32 --- /dev/null +++ b/arch/x86/include/asm/ibt.h @@ -0,0 +1,71 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_X86_IBT_H +#define _ASM_X86_IBT_H + +#include + +#if defined(CONFIG_X86_KERNEL_IBT) && !defined(__DISABLE_EXPORTS) + +#define HAS_KERNEL_IBT 1 + +#ifndef __ASSEMBLY__ + +#ifdef CONFIG_X86_64 +#define ASM_ENDBR "endbr64\n\t" +#else +#define ASM_ENDBR "endbr32\n\t" +#endif + +#define __noendbr __attribute__((nocf_check)) + +static inline __attribute_const__ unsigned int gen_endbr(void) +{ + unsigned int endbr; + + /* + * Generate ENDBR64 in a way that is sure to not result in + * an ENDBR64 instruction as immediate. + */ + asm ( "mov $~0xfa1e0ff3, %[endbr]\n\t" + "not %[endbr]\n\t" + : [endbr] "=&r" (endbr) ); + + return endbr; +} + +static inline bool is_endbr(unsigned int val) +{ + val &= ~0x01000000U; /* ENDBR32 -> ENDBR64 */ + return val == gen_endbr(); +} + +#else /* __ASSEMBLY__ */ + +#ifdef CONFIG_X86_64 +#define ENDBR endbr64 +#else +#define ENDBR endbr32 +#endif + +#endif /* __ASSEMBLY__ */ + +#else /* !IBT */ + +#define HAS_KERNEL_IBT 0 + +#ifndef __ASSEMBLY__ + +#define ASM_ENDBR + +#define __noendbr + +static inline bool is_endbr(unsigned int val) { return false; } + +#else /* __ASSEMBLY__ */ + +#define ENDBR + +#endif /* __ASSEMBLY__ */ + +#endif /* CONFIG_X86_KERNEL_IBT */ +#endif /* _ASM_X86_IBT_H */