Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp37288rwi; Tue, 18 Oct 2022 13:45:54 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7VdvRExI8gdgl5GB7HNCyHY0XmWqifAvIns0Mwr33fT8+tTE99Xvm9LaHLcaQ43sUOlu/l X-Received: by 2002:a17:906:cc58:b0:78d:d47e:19f2 with SMTP id mm24-20020a170906cc5800b0078dd47e19f2mr3919226ejb.388.1666125954245; Tue, 18 Oct 2022 13:45:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666125954; cv=none; d=google.com; s=arc-20160816; b=IziFKzn0HjsJ8XHAmmFPXS0hM9yAJIY7jI6AhOzPkTkSkCPxOAg9JkuN7iV8bYs2DK H53Os56BZT6Kl3Jjv+hAohBYDbbiMeMH71jxKhU+CI6adNujC4MP+l63r2e/bl2XM6Ga 5hXSFLhVyMYdqyE7vE/RDlUByz3gPaKnkuD2l6dNta34U4f4YwSHPY4BEKxGC6fWlDrp 79j20vRfIOY7iMyNmSal58Qusc0IspIv2N7qavPSiSb2JI+zR0q1eRB0f1TXbvqzqC0G AqFC7PRPauTGrWBwV/AcIXb7fNgqtRS2lzb+ksQgVaKs7CdHsCsqVzP5gnrwWxVlo4nT W7+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=yFK1sDCWMWP48Ez2zYuTyqlegBGlfpemKafjqH7EJlY=; b=VpKJfPOjT0A8+A+/k+ODMsPICnYJIsxeeTabtb4045+nwUflncRF4N41fZcLyaFNTt in/RO0+PDrkNMtQBN+w6UGcTSBsor7uCzIKqZXDgNys1zTiCT3zA3C7vFW0KMUcmvDdL G13BZ5jV5HXZWiLW0UussnW3r76KmHkuR8NTrk801YlKk56MmbLOYbI2x+AJ2cmoO5U8 mmYrfzDyr29j4xpJrgAMAhZFnm+Rhm5JDjpL0SPCNJZqaV2IlmAc6pc2qoVH2zVIri/X 2WRUkeNGJKOY45UWwkDQ54anX4cZXEdYZo6sPhaQMB9VQwYCAADyR/0PirOold/ur0Is sN2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=oX8X3QGv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q21-20020a50cc95000000b0045bc5ea5334si11540836edi.115.2022.10.18.13.44.39; Tue, 18 Oct 2022 13:45:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=oX8X3QGv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229727AbiJRT5C (ORCPT + 99 others); Tue, 18 Oct 2022 15:57:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229685AbiJRT5B (ORCPT ); Tue, 18 Oct 2022 15:57:01 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0DF9E9FC7 for ; Tue, 18 Oct 2022 12:57:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=yFK1sDCWMWP48Ez2zYuTyqlegBGlfpemKafjqH7EJlY=; b=oX8X3QGvqB4Tk5I37rI/YJNmus vQB+9IWFv5D7jGOT4uipCDeX1rcvI/zbsM7AWcql9+xCBRcObnmmsdcJYx4V//mYqsazwG7IfBen9 rk8W799yte5J32xwCH4/Hxk+AhgIVKDz+0K6w6U1+uLWpa8cqBgn+w5TSFJfvS99cEp+y9b30dnnu ozTF+iTO5cuB/PXNz7pH3QskMPYsAsFzhMc+do9UYZ/620yG3BPsGConibq/JoR5aC8yR46Nh6Jdi YyuhZFMJWjJd9pA1qe9BbkCCVT0R5CLXdmz7SFrlKsvV2uKqnXVaaHqi9XFywk4MWUmkUl1L8F8di XeQ4QTyQ==; Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1okshg-00Ayu9-7S; Tue, 18 Oct 2022 19:56:44 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 2CBDF30012F; Tue, 18 Oct 2022 21:56:37 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id DCDF928574AD9; Tue, 18 Oct 2022 21:56:36 +0200 (CEST) Date: Tue, 18 Oct 2022 21:56:36 +0200 From: Peter Zijlstra To: Kees Cook Cc: x86@kernel.org, Sami Tolvanen , Joao Moreira , linux-kernel@vger.kernel.org, Mark Rutland , Josh Poimboeuf Subject: Re: [PATCH] x86/ibt: Implement FineIBT Message-ID: References: <202210181020.79AF7F7@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202210181020.79AF7F7@keescook> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 18, 2022 at 11:09:13AM -0700, Kees Cook wrote: > > +config FINEIBT > > + def_bool y > > + depends on X86_KERNEL_IBT && CFI_CLANG > > + select CALL_PADDING > > To that end, can we please make this a prompted choice? How about something like so instead? --- Subject: x86/cfi: Boot time selection of CFI scheme From: Peter Zijlstra Date: Tue Oct 18 21:50:54 CEST 2022 Add the "cfi=" boot parameter to allow users to select a scheme at boot time. Signed-off-by: Peter Zijlstra (Intel) --- arch/x86/kernel/alternative.c | 103 +++++++++++++++++++++++++++++++++--------- 1 file changed, 83 insertions(+), 20 deletions(-) --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -702,6 +702,47 @@ void __init_or_module noinline apply_ibt #endif /* CONFIG_X86_KERNEL_IBT */ #ifdef CONFIG_FINEIBT + +enum cfi_mode { + CFI_DEFAULT, + CFI_OFF, + CFI_KCFI, + CFI_FINEIBT, +}; + +static enum cfi_mode cfi_mode __ro_after_init = CFI_DEFAULT; + +static __init int cfi_parse_cmdline(char *str) +{ + if (!str) + return -EINVAL; + + while (str) { + char *next = strchr(str, ','); + if (next) { + *next = 0; + next++; + } + + if (!strcmp(str, "auto")) { + cfi_mode = CFI_DEFAULT; + } else if (!strcmp(str, "off")) { + cfi_mode = CFI_OFF; + } else if (!strcmp(str, "kcfi")) { + cfi_mode = CFI_KCFI; + } else if (!strcmp(str, "fineibt")) { + cfi_mode = CFI_FINEIBT; + } else { + pr_err("Ignoring unknown cfi option (%s).", str); + } + + str = next; + } + + return 0; +} +early_param("cfi", cfi_parse_cmdline); + /* * kCFI FineIBT * @@ -868,30 +909,52 @@ static void __apply_fineibt(s32 *start_r "FineIBT preamble wrong size: %ld", fineibt_preamble_size)) return; - if (!HAS_KERNEL_IBT || !cpu_feature_enabled(X86_FEATURE_IBT)) + if (cfi_mode == CFI_DEFAULT) { + cfi_mode = CFI_KCFI; + if (HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT)) + cfi_mode = CFI_FINEIBT; + } + + switch (cfi_mode) { + case CFI_OFF: + ret = cfi_disable_callers(start_retpoline, end_retpoline); + if (ret) + goto err; + + if (builtin) + pr_info("Disabling CFI\n"); return; - /* - * Rewrite the callers to not use the __cfi_ stubs, such that we might - * rewrite them. This disables all CFI. If this succeeds but any of the - * later stages fails, we're without CFI. - */ - ret = cfi_disable_callers(start_retpoline, end_retpoline); - if (ret) - goto err; - - ret = cfi_rewrite_preamble(start_cfi, end_cfi); - if (ret) - goto err; - - ret = cfi_rewrite_callers(start_retpoline, end_retpoline); - if (ret) - goto err; + case CFI_KCFI: + if (builtin) + pr_info("Using kCFI\n"); + return; - if (builtin) - pr_info("Using FineIBT CFI\n"); + case CFI_FINEIBT: + /* + * Rewrite the callers to not use the __cfi_ stubs, such that we might + * rewrite them. This disables all CFI. If this succeeds but any of the + * later stages fails, we're without CFI. + */ + ret = cfi_disable_callers(start_retpoline, end_retpoline); + if (ret) + goto err; + + ret = cfi_rewrite_preamble(start_cfi, end_cfi); + if (ret) + goto err; + + ret = cfi_rewrite_callers(start_retpoline, end_retpoline); + if (ret) + goto err; - return; + if (builtin) + pr_info("Using FineIBT CFI\n"); + return; + + default: + break; + } err: pr_err("Something went horribly wrong trying to rewrite the CFI implementation.\n");