Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp3905355imw; Mon, 18 Jul 2022 17:10:12 -0700 (PDT) X-Google-Smtp-Source: AGRyM1u1GDBDz9tZDKAoi6VJR7RinN4/VFteZbYLmw6ka4CaYkDML5b4jcBppMSQrZ7QejGFXNNi X-Received: by 2002:a17:907:1c91:b0:72b:7492:72d2 with SMTP id nb17-20020a1709071c9100b0072b749272d2mr28831871ejc.17.1658189412035; Mon, 18 Jul 2022 17:10:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658189412; cv=none; d=google.com; s=arc-20160816; b=EeSNtmc6pgidVywcq0zc5v+T7c4kP0TDMjDXUUgYE+CW/LS2YHDmWOt+x/fmIwuy7S JMCut+hT5p2NG0ZHoPH7zM1ezsJJjmk2P5fro4avac7LfyWQX6l+GmlNU4YOvnn5NOSi 6fTu8JA7fkC+iiugd0i03S8UpRPJN7TXc75PmBjoGKHEydAL3YXRro1YzT5HuNj6Vdos mPFH2PjlCLSFyA/gHg1YZGhRcD6bm7gs0FNOXPckQgMjCpIHex4gGsSweWB/t0oV6fGb wVBvEWCK85oxIvIkj2JndnnlG7NzUal1LK7hw5zC8gFnOaOmLhFaAEszS1uNZDreyQS3 VJ8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=T/yu627okIMF8pkzQTskW4G+bhjAWqQn59g/hCVl4vQ=; b=PZZXTkvGidAtx0JleEpGBcsU8EAnDYfKSLtmOshYIV1My71rKtSMFzCPqKWBOkWY7i xCXu74Xu6lDh2zWKIbMs9JFzLC80THhlyg3cXDCsbaOhP4VuBVO/939hVXnmJZPdFfYE 70eBOva1tQcpc0bAffvjwJgwJlCLykTYI/aPyJ9HD1jd9x+EbhG6op+5hGNYO8uoM9rr HI1xB5e25nFEYsjFO1OqdMATbIX/iGuGs3BH4zC5Xbooy7JllLpgZuwi0ktENyL1NzZ1 ds0pp1ST79lxPUBnSgxf7lBmvwt+JUqN8I/voVmFWafRtbEYxK/1Z6i1YIt/fhrhdTEC 9LRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=hgJ42YjX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i8-20020a1709064fc800b0072b872932d6si23139190ejw.567.2022.07.18.17.09.47; Mon, 18 Jul 2022 17:10:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=hgJ42YjX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235210AbiGRXv4 (ORCPT + 99 others); Mon, 18 Jul 2022 19:51:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58528 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234917AbiGRXvz (ORCPT ); Mon, 18 Jul 2022 19:51:55 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB67AA1B3 for ; Mon, 18 Jul 2022 16:51:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=T/yu627okIMF8pkzQTskW4G+bhjAWqQn59g/hCVl4vQ=; b=hgJ42YjXJVq2yjLkZQvnstNq+6 sSU18LaePJgiL6nPI6CmL6Sfj5A5yPouYQ9JlomEinMYdB87P25obqtiAKs2O0Cxc8etiGc9kxQEz 0cqeIzu0KZAE9wlWfG5TNdeoakUJZ8a8E2gY25IC2SKtoNQBjc5rSc9FaOotiVmCDc6fK12LIoWIT aX9lxo0gtVU+K1kgaNOggqB6J+PoKYHydbCa2TYqM/jGKWajLMzTT6tWoZtxc8v9PmjP+eJwCZZCB aTy9oy+3HK76s1+WOFOy6yBAxa62TkIDZ5/dlF4eH/JyTG7bqhaLzQK+y5odZ3l0mmRdB1BW6xi2Z 5I01jivg==; Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=worktop.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1oDaWC-00D9eD-Tu; Mon, 18 Jul 2022 23:51:18 +0000 Received: by worktop.programming.kicks-ass.net (Postfix, from userid 1000) id 64DF99802A7; Tue, 19 Jul 2022 01:51:14 +0200 (CEST) Date: Tue, 19 Jul 2022 01:51:14 +0200 From: Peter Zijlstra To: Sami Tolvanen Cc: Thomas Gleixner , Linus Torvalds , LKML , the arch/x86 maintainers , Tim Chen , Josh Poimboeuf , Andrew Cooper , Pawan Gupta , Johannes Wikner , Alyssa Milburn , Jann Horn , "H.J. Lu" , Joao Moreira , Joseph Nuzman , Steven Rostedt , Juergen Gross , Masami Hiramatsu , Alexei Starovoitov , Daniel Borkmann Subject: Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation Message-ID: References: <20220716230344.239749011@linutronix.de> <87wncauslw.ffs@tglx> <87tu7euska.ffs@tglx> <87o7xmup5t.ffs@tglx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 18, 2022 at 03:48:04PM -0700, Sami Tolvanen wrote: > On Mon, Jul 18, 2022 at 2:18 PM Peter Zijlstra wrote: > > > > On Mon, Jul 18, 2022 at 10:44:14PM +0200, Thomas Gleixner wrote: > > > And we need input from the Clang folks because their CFI work also puts > > > stuff in front of the function entry, which nicely collides. > > > > Right, I need to go look at the latest kCFI patches, that sorta got > > side-tracked for working on all the retbleed muck :/ > > > > Basically kCFI wants to preface every (indirect callable) function with: > > > > __cfi_\func: > > int3 > > movl $0x12345678, %rax > > int3 > > int3 > > \func: > > Yes, and in order to avoid scattering the code with call target > gadgets, the preamble should remain immediately before the function. I think we have a little room, but yes, -6 is just right to hit the UD2. > > Ofc, we can still put the whole: > > > > sarq $5, PER_CPU_VAR(__x86_call_depth); > > jmp \func_direct > > > > thing in front of that. > > Sure, that would work. So if we assume \func starts with ENDBR, and further assume we've fixed up every direct jmp/call to land at +4, we can overwrite the ENDBR with part of the SARQ, that leaves us 6 more byte, placing the immediate at -10 if I'm not mis-counting. Now, the call sites are: 41 81 7b fa 78 56 34 12 cmpl $0x12345678, -6(%r11) 74 02 je 1f 0f 0b ud2 e8 00 00 00 00 1: call __x86_indirect_thunk_r11 That means the offset of +10 lands in the middle of the CALL instruction, and since we only have 16 thunks there is a limited number of byte patterns available there. This really isn't as nice as the -6 but might just work well enough, hmm? > > But it does somewhat destroy the version I had that only needs the > > 10 bytes padding for the sarq. > > There's also the question of how function alignment should work in the > KCFI case. Currently, the __cfi_ preamble is 16-byte aligned, which > obviously means the function itself isn't. That seems unfortunate, at least the intel parts have a 16 byte i-fetch window (IIRC) so aligning the actual instructions at 16 bytes gets you the best bang for the buck wrt ifetch (functions are random access and not sequential). Also, since we're talking at least 4 bytes more padding over the 7 that are required by the kCFI scheme, the FineIBT alternative gets a little more room to breathe. I'm thinking we can have the FineIBT landing site at -16. __fineibt_\func: endbr64 # 4 xorl $0x12345678, %r10d # 7 je \func+4 # 2 ud2 # 2 \func: nop4 ... With the callsite looking like: nop7 movl $0x12345678, %r10d # 7 call *%r11 # 3 or something like that (everything having IBT has eIBRS at the very least).