Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3301314iob; Mon, 16 May 2022 18:39:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzL/HsfbSXQEB+MeTVhCxiOjyMzoxFjqlhvvGEVcDDfIlkZQ6GNOPrK23vp+UlNkm5UfAdk X-Received: by 2002:a17:907:9813:b0:6fa:78b0:9be2 with SMTP id ji19-20020a170907981300b006fa78b09be2mr17992307ejc.159.1652751587259; Mon, 16 May 2022 18:39:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652751587; cv=none; d=google.com; s=arc-20160816; b=EoqOce/R/8C0ojs5hO9uzZ8GIRL3WlP/rp/FRPd01PVghk5xUUBtb7kdd2ouKcUxKy mamTjHIcw0umtUkjKPRHKyEWbtAmPJvafayHF9LfHCu4cbqRrEGgNQQThu39BpcwECAM 9rJ0be20C0jG6Oak4+8XHf46yxF1RNZRR2f8GkC/IyqNafz13EInza9WPhZGulkgpfPh aWumHJYN9yUT6URUx0awYyyv2F24R5aB8+FYDS0Hfy9vPtl7whMCs0ZrvWQGUbkH8fJ2 W2LS3yJcGF5Gn9q4I5YthRxTu/7Ow5BXc0fy8EJwv4fkLCL9ecVOmmMwEYE31FR51YB9 gDTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=99BWpQJkm6AArPPk7WzhPOholNHloGIEKeqo/lgHTyY=; b=DVbXik/AaxoYNpN+wAI/GZ8jxkM9mmta6AUkF5PfuYO49KF/docPt4X4WEtQpQ2cc2 Ch6Y12pOsKV8FG3Y5lNBoUWXD5BaI9H6UWiCrJhuPtaV62v1ryEzVk8L9Z+WZX8Nhvg3 377tJjmlfzxmjsvVzpmNeygDWNvzb6hETA0a2EceeWfQGzDWP6xk4wZetBNZuet+sqrd DO9Y1K79Dv0KqX5FFWoTAggc4umlu59PQ8FetSh3f/SyFAncQF+Cs9BaeICNodexLI1h OK5mVlBxbL4/xgu6Ad+7iRJcN3gqvA+oioj0JuD8EA4A0SgAZS/IR0Qm2f/dHNPNvbdn w7Ow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=HKQpIxEM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sc17-20020a1709078a1100b006e7edaf2b8asi856534ejc.371.2022.05.16.18.39.21; Mon, 16 May 2022 18:39:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=HKQpIxEM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345636AbiEPTma (ORCPT + 99 others); Mon, 16 May 2022 15:42:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345956AbiEPTlD (ORCPT ); Mon, 16 May 2022 15:41:03 -0400 Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C4813F33E for ; Mon, 16 May 2022 12:39:56 -0700 (PDT) Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-2ebf4b91212so165178327b3.8 for ; Mon, 16 May 2022 12:39:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=99BWpQJkm6AArPPk7WzhPOholNHloGIEKeqo/lgHTyY=; b=HKQpIxEMC4GFsVb7vDVuur9BVqohtM/mXn0p1tH0Gcc2mwIz+1Tr22I3UprAMWSABk 6xud03AVA7BWC54cAD97RMffWEB5L35VrUnFHlscjrrErL5W0hPpOCAJcTZL+Y007vUV jdFL+PVaXOmUgIAWJVRG3vPFljY9tUW2cVk9+nJ/5mSJqi/GSAR6t476Q0FiYvI2y42m sZvXIuXVVO4FakgC30CPAMbCdlNMeUf5MKxgMsgUOtKqD62rCULW3pro/bRAgZbvVwXM 0cq3BLN4+NkCWUUcEedGxECqGNRpPkkusw29hef/tZVDtRTdG0FbBo5OE1bTREoX9qYF nAtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=99BWpQJkm6AArPPk7WzhPOholNHloGIEKeqo/lgHTyY=; b=BAN9m4Jbp8dUJfG8wSkSfZezvQOjFux3LAEzeUD2xdimcE6p7Hgs7dNd9I1Xm/xpDG L2Wr4tDA9db2e0n6nVJv/swB9dxysB93TgDxHxNWJoOlWGQFjlbQoWydzhnZyNmU0q0W +wtkJyqqOHMYPjrhGEIzpdrYvGRj1LosYohdHm5TY2f1aOUBYpA76R765KL56l1aC7K3 j3Xl4g2USGuDiQYc2GApz/ie2TjzRmV6uJ3ShMVoa1/aONqJd4Z2mGaN0mebgKqvIbM6 AEynI24vpuivYCCmr2bF2NA3rFXcOr4ODxTV9u9XNlDmfWXKdp7SkvGdS/DzmGPckIs8 qjLQ== X-Gm-Message-State: AOAM532dg9XUqX5pa15T88cA6yjqvL8UN/V4L+tSvXfq0EgRu86tuuiE 0DpwVRBDOBWcQmD6jthcHW73Jr2GTG46HiRfHAeaTQ== X-Received: by 2002:a81:9188:0:b0:2fe:d01a:6b09 with SMTP id i130-20020a819188000000b002fed01a6b09mr12922227ywg.243.1652729995504; Mon, 16 May 2022 12:39:55 -0700 (PDT) MIME-Version: 1.0 References: <20220513202159.1550547-1-samitolvanen@google.com> <20220513202159.1550547-21-samitolvanen@google.com> <20220516183047.GM76023@worktop.programming.kicks-ass.net> In-Reply-To: <20220516183047.GM76023@worktop.programming.kicks-ass.net> From: Sami Tolvanen Date: Mon, 16 May 2022 12:39:19 -0700 Message-ID: Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG To: Peter Zijlstra Cc: linux-kernel@vger.kernel.org, Kees Cook , Josh Poimboeuf , x86@kernel.org, Catalin Marinas , Will Deacon , Mark Rutland , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 16, 2022 at 11:30 AM Peter Zijlstra wrote: > > On Mon, May 16, 2022 at 10:15:00AM -0700, Sami Tolvanen wrote: > > On Mon, May 16, 2022 at 2:54 AM Peter Zijlstra wrote: > > > > > > On Fri, May 13, 2022 at 01:21:58PM -0700, Sami Tolvanen wrote: > > > > With CONFIG_CFI_CLANG, the compiler injects a type preamble > > > > immediately before each function and a check to validate the target > > > > function type before indirect calls: > > > > > > > > ; type preamble > > > > __cfi_function: > > > > int3 > > > > int3 > > > > mov , %eax > > > > int3 > > > > int3 > > > > function: > > > > ... > > > > > > When I enable CFI_CLANG and X86_KERNEL_IBT I get: > > > > > > 0000000000000c80 <__cfi_io_schedule_timeout>: > > > c80: cc int3 > > > c81: cc int3 > > > c82: b8 b5 b1 39 b3 mov $0xb339b1b5,%eax > > > c87: cc int3 > > > c88: cc int3 > > > > > > 0000000000000c89 : > > > c89: f3 0f 1e fa endbr64 > > > > > > > > > That seems unfortunate. Would it be possible to get an additional > > > compiler option to suppress the endbr for all symbols that get a __cfi_ > > > preaamble? > > > > What's the concern with the endbr? Dropping it would currently break > > the CFI+IBT combination on newer hardware, no? > > Well, yes, but also that combination isn't very interesting. See, > > https://lore.kernel.org/all/20220420004241.2093-1-joao@overdrivepizza.com/T/#m5d67fb010d488b2f8eee33f1eb39d12f769e4ad2 > > and the patch I did down-thread: > > https://lkml.kernel.org/r/YoJKhHluN4n0kZDm@hirez.programming.kicks-ass.net > > If we have IBT, then FineIBT is a much better option than kCFI+IBT. > Removing that superfluous endbr also shrinks the whole thing by 4 bytes. > > So I'm fine with the compiler generating working code for that > combination; but please get me an option to supress it in order to save > those pointless bytes. All this CFI stuff is enough bloat as it is. Sure, I'll take a look at what's the best way to accomplish this. > > > > ; indirect call check > > > > cmpl , -6(%r11) > > > > je .Ltmp1 > > > > ud2 > > > > .Ltmp1: > > > > call __x86_indirect_thunk_r11 > > > > > > The first one I try and find looks like: > > > > > > 26: 41 81 7b fa a6 96 9e 38 cmpl $0x389e96a6,-0x6(%r11) > > > 2e: 74 02 je 32 <__traceiter_sched_kthread_stop+0x29> > > > 30: 0f 0b ud2 > > > 32: 4c 89 f6 mov %r14,%rsi > > > 35: e8 00 00 00 00 call 3a <__traceiter_sched_kthread_stop+0x31> 36: R_X86_64_PLT32 __x86_indirect_thunk_r11-0x4 > > > > > > This must not be. If I'm to rewrite that lot to: > > > > > > movl $\hash, %r10d > > > sub $9, %r11 > > > call *%r11 > > > .nop 4 > > > > > > Then there must not be spurious instruction in between the ud2 and the > > > indirect call/retpoline thing. > > > > With the current compiler patch, LLVM sets up function arguments after > > the CFI check. if it's a problem, we can look into changing that. > > Yes, please fix that. Again see that same patch for why this is a > problem. Objtool can trivially find retpoline calls, but finding this > kCFI gadget is going to be hard work. If you ensure they're > unconditionally stuck together, then the problem goes away find one, > finds the other. You can use .kcfi_traps to locate the check right now, but I agree, it's not quite ideal. Sami