Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp1606202rwi; Wed, 19 Oct 2022 12:53:01 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4ud0DXr7Cq2HThQdry8M+iFfE9lcVXtzKw8Q/cXXs+Gpu9VWhe3tMgmMUDTtzI+DCBEqSl X-Received: by 2002:a17:90a:c388:b0:20a:db9d:8337 with SMTP id h8-20020a17090ac38800b0020adb9d8337mr11386038pjt.61.1666209181042; Wed, 19 Oct 2022 12:53:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666209181; cv=none; d=google.com; s=arc-20160816; b=DkKLJ1nQnrYcOCisH1Rd1LtEb00BJYc7mgkPij+CZNjbeIOFLsz3oCUM7qJ4rhfwLe cz+cH8k0dT+Pom9g2eTqSp6QNbzPX2Q+Y9TZx5Znonrx8QpZrns3Tnblc75tHoDrLuaF OKjt6MnExysZuu3ZCw6v8y0dclB4bqoBgMHK54VUkOl3F4uI0ykVcsD/cbf1J734sHDR YsrDnaoeNOb7TRM64LriUmTESSjurFWzNW3kTj6MWFXmghxDfn69hFcO2OaqMG9ABG36 ZN0JAwJefdj1u8rdtGA+8HwjmclWmclBGvij7q/q8v6FXaVaD5YJ7cqGtOettHX6Dhd+ koMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:references :in-reply-to:subject:cc:to:from:date:mime-version; bh=n+5AyqJw1b/RwR2kXPQJEL7z+c4+Vye3N101CFRVkVQ=; b=CoDJPhY5lJlPQkhIeejdCQjr+daneWywXc3ZNh1RjUW7/SAFs9/mTprVatQW2imQEX jlVSrV0JRgrBdOurVpIqL8CQuakU5C96eJj2SoWSZkGOFBqt5UxU+Fr+Kqwha05mqyqU UXEp8K8Wl4hvgl8xOOV8NGQ4gQY4yiTgt/QhZ5+3eyJQzz5klj4eCK57WcWaVKm4BI/i 3R5WrHj+3P2LGp/jFDEiNdLuk3goo6+OOG2YcNWOdsDtmcbXPKvph2Amg33yjaBcCb7N SMj/6nwmRSaFzKKYC4CAStjlN8o2XksXPcAXTvUyCDau6h9mYeS+gOxHhMK+eSWJzHdr TIZQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e14-20020a63ee0e000000b004393f624553si20406244pgi.864.2022.10.19.12.52.47; Wed, 19 Oct 2022 12:53:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230259AbiJSTfi (ORCPT + 99 others); Wed, 19 Oct 2022 15:35:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58516 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229971AbiJSTf3 (ORCPT ); Wed, 19 Oct 2022 15:35:29 -0400 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E98AD160215 for ; Wed, 19 Oct 2022 12:35:27 -0700 (PDT) Received: (Authenticated sender: joao@overdrivepizza.com) by mail.gandi.net (Postfix) with ESMTPA id 5F0A6E0005; Wed, 19 Oct 2022 19:35:25 +0000 (UTC) MIME-Version: 1.0 Date: Wed, 19 Oct 2022 12:35:25 -0700 From: Joao Moreira To: Kees Cook Cc: Peter Zijlstra , x86@kernel.org, Sami Tolvanen , linux-kernel@vger.kernel.org, Mark Rutland , Josh Poimboeuf Subject: Re: [PATCH] x86/ibt: Implement FineIBT In-Reply-To: <202210182222.64C2D87E0@keescook> References: <202210181020.79AF7F7@keescook> <5094174a77cdc44cf50c346bf1617555@overdrivepizza.com> <202210182222.64C2D87E0@keescook> Message-ID: <8b580fc28f17a644c114e9cbfca57733@overdrivepizza.com> X-Sender: joao@overdrivepizza.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >> > >> If we look back at how well ASLR did over the years I think we can't >> really >> rely that randomizing the hashes will solve anything. So what you are >> suggesting is that we flip a "viable defence against SpectreBHB" for a >> randomization-based scheme, when what we really should be doing is >> getting >> constant blinding enabled by default. > > I don't think any of these things are mutually exclusive. The > randomization means an additional step (and possibly additional > primitive) > is needed for an attack chain. Since we get this from a one-time cost > on our end, that seems like reasonable value. > I think I misunderstood your original comment/suggestion, so my bad for the noise. And yeah, I agree that randomization is relevant from the perspective of security in depth. With this said, FWIIW, all suggestions sound good to me. >> >> Assuming we got 16 bytes padding to play with on each function >> prologue, you >> can randomize between 0-11 in which offset you emit the ENDBR >> instruction. >> Caller/Callee would look like (hopefully I did not mess-up offset): >> >> : >> and 0xf3, r11b >> call *r11 >> >> : >> nop >> nop >> nop >> endbr // <- this position is randomized/patched during boot time. >> nop >> nop >> ... >> >> And of course, you get more entropy as you increase the padding nop >> area. > > Oh, I kind of like this -- it'd need to be per matching hash. This > would > require roughly 3 bits of entropy exposure of the .text area. For X^R, > that becomes annoying for an attacker, though likely once close enough, > multiple attempts could find it, assume panic_on_oops/warn wasn't set. > > Anyway, this sounds like an interesting idea to keep in our back > pocket... Agreed. It is hard to implement this because the space overhead would be too big for meaningful entropy. Yet, again, could be a trick in a swiss army knife for future problems. Tks, Joao