From: Joao Moreira <joao@overdrivepizza.com>
To: Thomas Gleixner
Cc: Peter Zijlstra, "Torvalds, Linus", LKML, the arch/x86 maintainers, Tim Chen, Josh Poimboeuf, "Cooper, Andrew", Pawan Gupta, Johannes Wikner, Alyssa Milburn, Jann Horn, "H.J. Lu", "Moreira, Joao", "Nuzman, Joseph", Steven Rostedt, "Gross, Jurgen", Masami Hiramatsu, Alexei Starovoitov, Daniel Borkmann, samitolvanen@google.com
Subject: Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation
Date: Mon, 18 Jul 2022 15:47:29 -0700
Message-ID: <2f7f899cb75b79b08b0662ff4d2cb877@overdrivepizza.com>
In-Reply-To: <87lesqukm5.ffs@tglx>
References: <20220716230344.239749011@linutronix.de> <87wncauslw.ffs@tglx> <87tu7euska.ffs@tglx> <87o7xmup5t.ffs@tglx> <87lesqukm5.ffs@tglx>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022-07-18 15:22, Thomas Gleixner wrote:
> On Mon, Jul 18 2022 at 23:18, Peter Zijlstra wrote:
>> On Mon, Jul 18, 2022 at 10:44:14PM +0200, Thomas Gleixner wrote:
>>> And we need input from the Clang folks because their CFI work also
>>> puts stuff in front of the function entry, which nicely collides.
>>
>> Right, I need to go look at the latest kCFI patches, that sorta got
>> side-tracked for working on all the retbleed muck :/
>>
>> Basically kCFI wants to preface every (indirect callable) function
>> with:
>>
>> __cfi_\func:
>>     int3
>>     movl $0x12345678, %eax
>>     int3
>>     int3
>> \func:
>>     endbr
>> \func_direct:
>>
>> Ofc, we can still put the whole:
>>
>>     sarq $5, PER_CPU_VAR(__x86_call_depth);
>>     jmp \func_direct
>>
>> thing in front of that. But it does somewhat destroy the version I had
>> that only needs the 10 bytes padding for the sarq.
>
> Right, because it needs the jump. I was just chatting with Joao about
> that over IRC.
>
> The jump slows things down. Joao has ideas and will reply soonish.
So, IIRC, kCFI will do something like this to validate call targets
based on the hash as described on Peter's e-mail:

func_whatever:
    ...
    cmpl $0x\hash, -6(%rax)
    je 1f
    ud2
1:
    call *%rax
    ...

Thus the hash will be 6 bytes before the function entry point. Then we
can get the compiler to emit a padding area before the __cfi_\func
snippet and, during boot, if the CPU needs the call depth tracking
mitigation, we:

- move the __cfi_func into the padding area
- patch the call depth tracking snippet ahead of it (overwriting the
  old __cfi_\func:)
- fix the cmpl offset in the caller

func_whatever:
    ...
    cmpl $0x\hash, -FIXED_OFFSET(%rax)
    je 1f
    ud2
1:
    call *%rax
    ...

This approach is very similar to what we discussed in the past for
replacing kCFI with FineIBT if CET is available. Also, it would prevent
the need for any jump and would keep the additional padding area in 10
bytes.

Tks,
Joao
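As an added illustration (not code from this thread or from the kernel), a small C model of the three boot-time steps sketched above. It assumes a 10-byte padding area, the 8-byte kCFI preamble from Peter's mail, and placeholder 0xcc bytes where the sarq stub would go; it shows that moving __cfi_\func into the padding changes the offset the caller's cmpl must read, so callers and callees must be patched consistently.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN  10  /* assumed: padding the compiler emits before __cfi_\func */
#define CFI_LEN   8  /* int3; movl $hash,%eax (5 bytes); int3; int3 */
#define HASH_OFF  6  /* the imm32 hash starts 6 bytes before the entry point */

struct text { uint8_t b[PAD_LEN + CFI_LEN + 4]; int entry; };  /* [pad][cfi][func body] */

/* Constructed text image: nop-filled padding and body, kCFI preamble in between. */
static void build(struct text *t, uint32_t hash)
{
    uint8_t *p = t->b + PAD_LEN;
    memset(t->b, 0x90, sizeof t->b);
    t->entry = PAD_LEN + CFI_LEN;
    p[0] = 0xcc;                          /* int3 */
    p[1] = 0xb8;                          /* movl $imm32, %eax */
    memcpy(p + 2, &hash, 4);              /* imm32, read back the same way in cfi_check */
    p[6] = p[7] = 0xcc;                   /* int3; int3 */
}

/* Caller side: cmpl $hash, -off(%rax); je 1f; ud2 */
static int cfi_check(const struct text *t, uint32_t hash, int off)
{
    uint32_t v;
    if (t->entry - off < 0) return 0;
    memcpy(&v, t->b + t->entry - off, 4);
    return v == hash;
}

/* Boot-time patch for CPUs that need call depth tracking; returns FIXED_OFFSET. */
static int relocate_cfi(struct text *t)
{
    memmove(t->b, t->b + PAD_LEN, CFI_LEN);   /* 1: move __cfi_func into the padding */
    memset(t->b + CFI_LEN, 0xcc, PAD_LEN);    /* 2: 10-byte slot for the sarq stub (placeholder) */
    return HASH_OFF + PAD_LEN;                /* 3: offset the caller's cmpl must now use */
}

/* Runs the three steps; returns 1 when the hash is found only at the patched offset. */
static int demo(void)
{
    struct text t;
    uint32_t hash = 0x12345678u;            /* constructed hash value */
    int fixed;
    build(&t, hash);
    if (!cfi_check(&t, hash, HASH_OFF)) return 0;
    fixed = relocate_cfi(&t);
    return cfi_check(&t, hash, fixed) && !cfi_check(&t, hash, HASH_OFF) && fixed == 16;
}
int main(void) { printf("%s\n", demo() ? "hash found at FIXED_OFFSET" : "mismatch"); return !demo(); }
```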