Date: Mon, 16 May 2022 13:45:17 +0200
From: Peter Zijlstra
To: Sami Tolvanen
Cc: linux-kernel@vger.kernel.org, Kees Cook, Josh Poimboeuf, x86@kernel.org, Catalin Marinas, Will Deacon, Mark Rutland, Nathan Chancellor, Nick Desaulniers, Joao Moreira, Sedat Dilek, Steven Rostedt, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev
Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG
References: <20220513202159.1550547-1-samitolvanen@google.com> <20220513202159.1550547-21-samitolvanen@google.com>

On Mon, May 16, 2022 at 11:54:33AM +0200, Peter Zijlstra wrote:
> On Fri, May 13, 2022 at 01:21:58PM -0700, Sami Tolvanen wrote:
> > With CONFIG_CFI_CLANG, the compiler injects a type preamble
> > immediately before each function and a check to validate the target
> > function type before indirect calls:
> >
> >   ; type preamble
> >   __cfi_function:
> >     int3
> >     int3
> >     mov <id>, %eax
> >     int3
> >     int3
> >   function:
> >     ...
>
> When I enable CFI_CLANG and X86_KERNEL_IBT I get:
>
> 0000000000000c80 <__cfi_io_schedule_timeout>:
>      c80:       cc                      int3
>      c81:       cc                      int3
>      c82:       b8 b5 b1 39 b3          mov    $0xb339b1b5,%eax
>      c87:       cc                      int3
>      c88:       cc                      int3
>
> 0000000000000c89 <io_schedule_timeout>:
>      c89:       f3 0f 1e fa             endbr64
>
>
> That seems unfortunate. Would it be possible to get an additional
> compiler option to suppress the endbr for all symbols that get a __cfi_
> preamble?
>
> Also, perhaps s/CFI_CLANG/KERNEL_CFI/ or somesuch, so that GCC might
> also implement this same scheme (in time)?
>
> >   ; indirect call check
> >     cmpl    <id>, -6(%r11)
> >     je      .Ltmp1
> >     ud2
> >   .Ltmp1:
> >     call    __x86_indirect_thunk_r11
>
> The first one I try and find looks like:
>
>       26:       41 81 7b fa a6 96 9e 38 cmpl   $0x389e96a6,-0x6(%r11)
>       2e:       74 02                   je     32 <__traceiter_sched_kthread_stop+0x29>
>       30:       0f 0b                   ud2
>       32:       4c 89 f6                mov    %r14,%rsi
>       35:       e8 00 00 00 00          call   3a <__traceiter_sched_kthread_stop+0x31>  36: R_X86_64_PLT32      __x86_indirect_thunk_r11-0x4
>
> This must not be. If I'm to rewrite that lot to:
>
>         movl    $\hash, %r10d
>         sub     $9, %r11
>         call    *%r11
>         .nop    4
>
> Then there must not be spurious instruction in between the ud2 and the
> indirect call/retpoline thing.

Hmmm.. when I replace it with:

        movl    $\hash, %r10d
        sub     $9, %r11
        .nops   2

That would work, and it has the added benefit of nicely co-existing with
the current retpoline patching.

The only remaining problem is how to find this; the .retpoline_sites is
fairly convenient, but if the compiler can put arbitrary amounts of code
in between this is going to be somewhat tedious.
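The two problems raised in this thread, an `endbr64` or other instruction landing where the patching scheme needs a fixed layout, and the difficulty of locating the check sites at all, are both layout checks that tooling can run over a disassembly. The following is an added example written for this page, not code from the mail, from Sami's patch set or from objtool: a small Python checker that parses an objdump-style listing, locates each kCFI `cmpl $hash,-0x6(%r11)` site, reports any instruction sitting between the `ud2` and the `__x86_indirect_thunk_r11` call (the `mov %r14,%rsi` case above), and decodes a `__cfi_` preamble to show why the hash is read at `-6` and why the proposed rewrite subtracts 9. The listing is constructed: the preamble and the `__traceiter_sched_kthread_stop` fragment follow what is quoted in the mail, while `clean_caller` is an invented function showing a site with nothing between the `ud2` and the call; the regexes assume GNU objdump `-d` output formatting.

```python
"""Locate kCFI indirect-call check sites in an objdump listing, flag any
instruction between the ud2 and the retpoline call, and decode a __cfi_
type preamble. Added example for this thread; not kernel or objtool code."""
import re
from dataclasses import dataclass, field

# Constructed sample listing (objdump -d style). The first two blocks and the
# __traceiter site follow the mail; <clean_caller> is invented for contrast.
LISTING = """\
0000000000000c80 <__cfi_io_schedule_timeout>:
     c80:  cc                        int3
     c81:  cc                        int3
     c82:  b8 b5 b1 39 b3            mov    $0xb339b1b5,%eax
     c87:  cc                        int3
     c88:  cc                        int3

0000000000000c89 <io_schedule_timeout>:
     c89:  f3 0f 1e fa               endbr64

0000000000000009 <__traceiter_sched_kthread_stop>:
      26:  41 81 7b fa a6 96 9e 38   cmpl   $0x389e96a6,-0x6(%r11)
      2e:  74 02                     je     32 <__traceiter_sched_kthread_stop+0x29>
      30:  0f 0b                     ud2
      32:  4c 89 f6                  mov    %r14,%rsi
      35:  e8 00 00 00 00            call   3a <__traceiter_sched_kthread_stop+0x31>   36: R_X86_64_PLT32   __x86_indirect_thunk_r11-0x4

0000000000000100 <clean_caller>:
     110:  41 81 7b fa 01 02 03 04   cmpl   $0x4030201,-0x6(%r11)
     118:  74 02                     je     11c <clean_caller+0x1c>
     11a:  0f 0b                     ud2
     11c:  e8 00 00 00 00            call   121 <clean_caller+0x21>   11d: R_X86_64_PLT32   __x86_indirect_thunk_r11-0x4
"""

@dataclass
class Insn:
    symbol: str      # enclosing "<name>:" label
    addr: int
    opcode: bytes    # raw instruction bytes
    mnemonic: str
    operands: str    # operand text, including any trailing relocation note

@dataclass
class CheckSite:
    symbol: str
    addr: int                  # address of the cmpl
    type_id: int               # expected hash (the cmpl immediate)
    shape_ok: bool = False     # cmpl ; je ; ud2 ; ... ; call <thunk> was found
    spurious: list = field(default_factory=list)  # insns between ud2 and call

SYM_RE = re.compile(r'^([0-9a-f]+) <([^>]+)>:\s*$')
INSN_RE = re.compile(r'^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S+)\s*(.*)$')
CHECK_RE = re.compile(r'^\$0x([0-9a-f]+),-0x6\(%r11\)$')
THUNK = '__x86_indirect_thunk_r11'

def parse_listing(text):
    insns, symbol = [], ''
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m:
            symbol = m.group(2)
            continue
        m = INSN_RE.match(line)
        if m:
            raw = bytes.fromhex(re.sub(r'\s', '', m.group(2)))
            insns.append(Insn(symbol, int(m.group(1), 16), raw, m.group(3), m.group(4).strip()))
    return insns

def find_check_sites(insns):
    """Every cmpl against -0x6(%r11) is a kCFI check; record what follows it."""
    sites = []
    for i, insn in enumerate(insns):
        m = CHECK_RE.match(insn.operands) if insn.mnemonic == 'cmpl' else None
        if not m:
            continue
        site = CheckSite(insn.symbol, insn.addr, int(m.group(1), 16))
        j = i + 1
        if j + 1 < len(insns) and insns[j].mnemonic == 'je' and insns[j + 1].mnemonic == 'ud2':
            j += 2
            while j < len(insns) and insns[j].symbol == insn.symbol:
                if insns[j].mnemonic == 'call' and THUNK in insns[j].operands:
                    site.shape_ok = True
                    break
                site.spurious.append(f'{insns[j].mnemonic} {insns[j].operands}')
                j += 1
        sites.append(site)
    return sites

def preamble_type_id(insns, name):
    """Decode __cfi_<name> (int3 int3 mov $id,%eax int3 int3); return (id, preamble, body)."""
    pre = [x for x in insns if x.symbol == '__cfi_' + name]
    fn = [x for x in insns if x.symbol == name]
    if [x.mnemonic for x in pre] != ['int3', 'int3', 'mov', 'int3', 'int3'] or not fn or pre[2].opcode[0] != 0xb8:
        raise ValueError(f'no well-formed __cfi_ preamble for {name}')
    return int.from_bytes(pre[2].opcode[1:5], 'little'), pre[0].addr, fn[0].addr

def preamble_layout_ok(insns, name):
    """The mov opcode sits at body-7 so its imm32 is at body-6 (what the cmpl
    reads); the 9-byte preamble starts at body-9 (the 'sub $9, %r11' above)."""
    _, pre_addr, fn_addr = preamble_type_id(insns, name)
    return fn_addr - pre_addr == 9 and (pre_addr + 2) + 1 == fn_addr - 6

if __name__ == '__main__':
    insns = parse_listing(LISTING)
    tid, pre, fn = preamble_type_id(insns, 'io_schedule_timeout')
    print(f'io_schedule_timeout: id {tid:#x}, preamble {pre:#x}, body {fn:#x}, layout ok: {preamble_layout_ok(insns, "io_schedule_timeout")}')
    for s in find_check_sites(insns):
        verdict = 'ok' if s.shape_ok and not s.spurious else f'bad: spurious {s.spurious}'
        print(f'{s.symbol} check at {s.addr:#x} expects {s.type_id:#x}: {verdict}')
```

Run as a script it prints the decoded preamble and one line per check site; the `__traceiter_sched_kthread_stop` site is reported with the stray `mov` in the gap, the invented `clean_caller` site passes. The same walk is what any patching scheme that rewrites the check to a fixed-size sequence has to perform, so a site with a non-empty `spurious` list is exactly the case the mail says "must not be".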