Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3321801iob; Mon, 16 May 2022 19:20:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJycEnAy0rYKr5CurBtL8Pd+U8qaUT2g7uKRqb6VcXOHMB6T08Z4nPvRYicE4IrmSPCBU14C X-Received: by 2002:a17:906:a188:b0:6f4:f5cd:27bd with SMTP id s8-20020a170906a18800b006f4f5cd27bdmr18100081ejy.406.1652754030278; Mon, 16 May 2022 19:20:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652754030; cv=none; d=google.com; s=arc-20160816; b=YGF8qemg4J2/BWD7D5qALymVNRWxA4f0X5QeRLh0w8tikpQhGp5KFTpYsVl5ziWcAO CGIqISMiQD2SKnaVz1V+SMcmxdXGgJ+rRTCMTEBXqYymeGsiqqqJ3kwLqhvJdiBSSR3Q lTKXarjQ3qsh9gbWSA+F8foJKSS44170wxMM9v4TGDs8DeD5T30982Lpm3fyJHtRdZ7S B68/oESd+V9unRqtwX1UzOMbtt3TKXc7VgwMsuFRzjWZXj25LqKeRFWZdUKEYFUu9IRD w44Vce4H+nLXPVwM4lhxBKMWLRYj+FjM4IOfBdNx30e8EvEdewq/mdtN6Tvj2QzOXSvV HgGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=IL9TbLhyeP2sftod3aC2bsX/Zvqtrxl7C4bOPoUOVMV/8oYsilEgWWsiki1TZkpkNM CS8iOR+rmceLN3Eq/7ALmX+u6Oz9dUHM8tEkeaIsBVN+Tgt3UuPExm97OP0ZH1O/qaEI o2gadeDJ6k/ur5kA2lxJPm71Arp/A9BW2Ss9I75oBP3ACOH3jDX/P/wb8BG9tHBosrIB aaewVFJ7CxKdBhxWtmRtRoHEiFAsImh32Z4pmAQXrFMTSmBeS7i7J4p78zCYBgFysl4t tYZgDmrwgC1wh0jgOubIFbPYyzc1nydyADLqvx98hTeZ1Ry8C0FxihpictU6vv4XFzsy ol6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=sG0LBzcw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mp9-20020a1709071b0900b006f404072c3asi1416238ejc.916.2022.05.16.19.20.04; Mon, 16 May 2022 19:20:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=sG0LBzcw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344211AbiEPRPu (ORCPT + 99 others); Mon, 16 May 2022 13:15:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49278 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344165AbiEPRPj (ORCPT ); Mon, 16 May 2022 13:15:39 -0400 Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AB36B3389B for ; Mon, 16 May 2022 10:15:37 -0700 (PDT) Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-2ef5380669cso160903767b3.9 for ; Mon, 16 May 2022 10:15:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=sG0LBzcw6X5gtPxGyrwzWMTlfNPOaO9928SvntnUZYb9/aTe8ETQvXR+oTGM+2Q01E FT27+UEachU8nZ1/6NE6iFT0H7w2Z3yA+Xt2mScQcVbGHTAWTIC7oC4Ow2OaFjZ9yRPC zsYacU5leVMUJP7q08JQQ5kO8v4LF8Y18NuJOV1FQrJzkb1Q6HVJDb2aR5qUZZ4fxb8L j83sHlqEvTkYQHwcihaYzN7Qej80njRn7ld+NLQm+PvbJhpZV4rhRz6XHZUrjQV7dE19 0b1Wx+2l3Noy/e5cucVImILRyz95RaT9Ba/0fxbWcc15VZWfUSGKEh7MDJ5UgWmgO8Wm Fp5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=qRuhatHe2GhWxhc+B0j/k960NPZuZch8QXIshVC2oSe6kyhBrU0jdOjGjDxCqcJSP2 TzaD6Vf+z2zOV7/D9g1JPB2/hJSJjXxPk3ZTXZJLeM0T56LQ2GmoqUUGySa0y3TasHjk OuheycpJXZV/pPedsBCxPWbQFlFcrdOPwcxuyeWTtfDRmDG2yEa3PummLwTQczimf2Vy s2CCHTp814K/qCaiU/wf5bSCBHi8mFwRIVc1ruQueCHRqpHNsgsU0IslI7D5/PNBhiZX lfDXubXazwahlyB6LIsSeceFJXXpqbfuTwoBSMSRQ3v7UkG4YdrnZ0Yx/XIxMp71mH/y F5Zw== X-Gm-Message-State: AOAM530XF+w4qHt5wLCukl4ssgRqzuwd5DXCVPeEMdElKYT40yy2DW9B cNTErN1LbqOUtCjBWvgixpMMix5id4jTdr+Ffe6n4A== X-Received: by 2002:a0d:d747:0:b0:2ff:22b9:9281 with SMTP id z68-20020a0dd747000000b002ff22b99281mr186733ywd.305.1652721336717; Mon, 16 May 2022 10:15:36 -0700 (PDT) MIME-Version: 1.0 References: <20220513202159.1550547-1-samitolvanen@google.com> <20220513202159.1550547-21-samitolvanen@google.com> In-Reply-To: From: Sami Tolvanen Date: Mon, 16 May 2022 10:15:00 -0700 Message-ID: Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG To: Peter Zijlstra Cc: linux-kernel@vger.kernel.org, Kees Cook , Josh Poimboeuf , x86@kernel.org, Catalin Marinas , Will Deacon , Mark Rutland , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 16, 2022 at 2:54 AM Peter Zijlstra wrote: > > On Fri, May 13, 2022 at 01:21:58PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler injects a type preamble > > immediately before each function and a check to validate the target > > function type before indirect calls: > > > > ; type preamble > > __cfi_function: > > int3 > > int3 > > mov , %eax > > int3 > > int3 > > function: > > ... > > When I enable CFI_CLANG and X86_KERNEL_IBT I get: > > 0000000000000c80 <__cfi_io_schedule_timeout>: > c80: cc int3 > c81: cc int3 > c82: b8 b5 b1 39 b3 mov $0xb339b1b5,%eax > c87: cc int3 > c88: cc int3 > > 0000000000000c89 : > c89: f3 0f 1e fa endbr64 > > > That seems unfortunate. Would it be possible to get an additional > compiler option to suppress the endbr for all symbols that get a __cfi_ > preaamble? What's the concern with the endbr? Dropping it would currently break the CFI+IBT combination on newer hardware, no? > Also, perhaps s/CFI_CLANG/KERNEL_CFI/ or somesuch, so that GCC might > also implement this same scheme (in time)? I'm fine with renaming the config. > > ; indirect call check > > cmpl , -6(%r11) > > je .Ltmp1 > > ud2 > > .Ltmp1: > > call __x86_indirect_thunk_r11 > > The first one I try and find looks like: > > 26: 41 81 7b fa a6 96 9e 38 cmpl $0x389e96a6,-0x6(%r11) > 2e: 74 02 je 32 <__traceiter_sched_kthread_stop+0x29> > 30: 0f 0b ud2 > 32: 4c 89 f6 mov %r14,%rsi > 35: e8 00 00 00 00 call 3a <__traceiter_sched_kthread_stop+0x31> 36: R_X86_64_PLT32 __x86_indirect_thunk_r11-0x4 > > This must not be. If I'm to rewrite that lot to: > > movl $\hash, %r10d > sub $9, %r11 > call *%r11 > .nop 4 > > Then there must not be spurious instruction in between the ud2 and the > indirect call/retpoline thing. With the current compiler patch, LLVM sets up function arguments after the CFI check. if it's a problem, we can look into changing that. Sami