Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp519064rwi; Tue, 18 Oct 2022 22:17:11 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5DuOZOumeiVNltuPxyii/t60wMK2lAMAkT1+M0UgJetPon1br/IBVPkA/KwVEZ7JdoG2W8 X-Received: by 2002:a17:902:d14d:b0:185:31b5:808f with SMTP id t13-20020a170902d14d00b0018531b5808fmr6900543plt.36.1666156621242; Tue, 18 Oct 2022 22:17:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666156621; cv=none; d=google.com; s=arc-20160816; b=VOY4fdK0k2To7p4htG7QF0k64r9pSwshusosdAS8Wye9tcQyvGBKczu/FHs8Ye3iZh eQu0Zp+cWGvzANsQnWZMIi0P7lKY46Lr2nvT/cVA+giap2gHCusdGDAXmEnDIKHb9exZ qGO5OeJllElY3/xxLRruNHeIiQ8vKM47xVIxxJkQn56GkCNM8nDlkTNNbeX2jE7ppegQ IdOD3nk5B0yW0Yx4W6AF5WMzbLtEZbkWE/xujq+dZExbTzXpkTuM6JZQ29vlYqO+YId/ 2mgj+MH3dot8LF+BdJziIOHn/+U9qHxQ3szCQRNlHHNZosyQMxcsmlbgD8/3amg2jD0G uDow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=x7KlOOoo8kFDTx7VjKoH6+Vu0ogQNhNleK4mkk2uZlM=; b=CSlpxE97+1jwYkjQcNLA+PVR/YKhMN2k19DFKviCS24cSEeVafqjHjQScgFTBdkIW1 FmGqprkSVYgQW3k/cyeHHeJrwxta0R3YmEvxOHOhpfD0D7ht3tDts5U38ANj+dKUUR1a NMQGsw8ZdHedsVYq3JJzHZFNCG8HfRM4CiZDhP3paWLokq86Qk/cNKNunUftwTQ7jk5R WVtyli2RtjmnjxCEZQcuLN6/Z1zdALavvd2KNgqQ0BvXPK3QHKik/wb7Tmp+l0B42K8F VB1yE+hb/P6ODGVmHFpftjWRSkoU8Sqt50f/qk+43zpFOHR1JRAvxjtk/spnjKz8SCcu 9Gjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Rm57BG1O; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g187-20020a636bc4000000b0045fa6e37564si17258596pgc.816.2022.10.18.22.16.28; Tue, 18 Oct 2022 22:17:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Rm57BG1O; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229697AbiJSFAS (ORCPT + 99 others); Wed, 19 Oct 2022 01:00:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229437AbiJSFAQ (ORCPT ); Wed, 19 Oct 2022 01:00:16 -0400 Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53A7F1FF97 for ; Tue, 18 Oct 2022 22:00:11 -0700 (PDT) Received: by mail-pg1-x52f.google.com with SMTP id b5so15227140pgb.6 for ; Tue, 18 Oct 2022 22:00:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=x7KlOOoo8kFDTx7VjKoH6+Vu0ogQNhNleK4mkk2uZlM=; b=Rm57BG1ObCu+WcWIIGa9fmS/6ytUc0FvSPJ/WRP79SFKRTFRFVgHZYyzZ1V9LpX1KQ USCkoxi5bEduel3kJl3d40HDL6dPUNswT4xTdn3S6oOGtTyuYo7B5Ze7qYop0Akqf2Ut BTiiNm3S5y7ZjthnBSt6XiNKAwc7VLl9FEufs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=x7KlOOoo8kFDTx7VjKoH6+Vu0ogQNhNleK4mkk2uZlM=; b=5g9Asfm3LXVUwZ5JAgTZjr9iXRM4nFYdaMvi/AdswwnCoj5frGAM6Y1XvlKRr8uF+e dkmcQ+Qlugvz8SOuS1JtwsyxBZ3AmZBXEazBtsJ2uV6N6kwRmFmtd5etRx8jKbePDTgt lpqEjdG+fBrPZxvzFGdhEmpKAXbXVgf7Qera6g43X6zeDDZ8mSMRQMEczaEErb4JM0LO CD7AvvpySubV8z4BCRNmmv7x6jTWee35WHA0ULsdZSucj9QIMct6PJreTGnOXlGPD1rI xBNPT/eOxsBYda/RgHM7teIIYwBlp2mjN8r+yRdiVCXUPk/UxY4gDq0+sO/xtGDHarlE /0qw== X-Gm-Message-State: ACrzQf2dKJWIGDo7DtOVCorbPEstym1V/9ZoXdFzvSZjpHOElumlUv/J NwI/M0SXY4FVcF6y7iXGiUfIMQ== X-Received: by 2002:a05:6a00:1907:b0:557:e83b:1671 with SMTP id y7-20020a056a00190700b00557e83b1671mr6494585pfi.65.1666155610773; Tue, 18 Oct 2022 22:00:10 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id u125-20020a627983000000b005615c8a660csm10226516pfc.65.2022.10.18.22.00.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Oct 2022 22:00:09 -0700 (PDT) Date: Tue, 18 Oct 2022 22:00:08 -0700 From: Kees Cook To: Peter Zijlstra Cc: x86@kernel.org, Sami Tolvanen , Joao Moreira , linux-kernel@vger.kernel.org, Mark Rutland , Josh Poimboeuf Subject: Re: [PATCH] x86/ibt: Implement FineIBT Message-ID: <202210182157.CF5F4403@keescook> References: <202210181020.79AF7F7@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 18, 2022 at 10:05:03PM +0200, Peter Zijlstra wrote: > On Tue, Oct 18, 2022 at 11:09:13AM -0700, Kees Cook wrote: > > I still think it's worth noting it does technically weaken the > > "attacker-controlled executable memory content injection" attack > > requirements, too. While an attacker needs to make sure they place an > > ENDBR at the start of their injected code, they no longer need to also > > learn and inject the CFI hash too, as the malicious code can just not > > do the check at all. The difference in protection currently isn't much. > > Hmm, true; although I do feel that the moment attackers can write code > we might be having worse problems. Totally agreed! :) But this is why I've wanted to keep a bright line between "kernel area", "modules area" and "everything else", in the hopes that we can use other things like PKS to block the "everything else" area, but one thing at a time. > > > It's not a very difficult requirement to get attacker-controlled bytes > > into executable memory, as there are already existing APIs that provide > > this to varying degrees of reachability, utility, and discoverability -- > > for example, BPF JIT when constant blinding isn't enabled (the unfortunate > > default). > > BPF has another problem in that the current control transfer to BPF > progs is nocfi. At the very least we can have them have a hash, no? Yup, it's on the list. -- Kees Cook