Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3681906rwi; Fri, 21 Oct 2022 21:29:55 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5Q/zZjTskD1uIwZX3ddLcvVzaa/e5sQkkf0pYSZs1MtfulTaDHVG5MDkYKGfIyWx/CtNy2 X-Received: by 2002:a17:906:730e:b0:78d:94ab:77c2 with SMTP id di14-20020a170906730e00b0078d94ab77c2mr18561941ejc.639.1666412994745; Fri, 21 Oct 2022 21:29:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666412994; cv=none; d=google.com; s=arc-20160816; b=ubTckvUUzwvfXJGOmfe6aR8G/kHYhFJ2nlQfolvHUbHs6cSoPJMkeFCpg/DkQOifQr jAv4HWyifMpnLoY/Na/h/gp0pz8r+19Mw5x5RSqrZvziTn3O0fcWbeu/pkB+uaTnBzjK mkeWWfKOk3Cg1pb3n+io3caaiEh5vvlmC4mhtEXxu+dMIIWnD3Qyy3oNDfIHicGT382U e34Jo60lZo6ySurJ1fIXg6dXD3TcEI9bo2bWdFxih9qZj5/+vKqMs/rd6RLBU9HZKdDR 5YnX1kiWyAzbtJuIAuOT+Z3E9MfZP+oDipxXT69qgsz8FcUHx34VU3BISxTXlStgOPp4 H6jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=HzRG8DueJFVBMoBP3WLGrZ36/yY2O+ekECOxt59Gcj0=; b=DmVzVjy+wziroUQkPYdey7w1O7ZITMIYB9N6MpnSm6MnxL7zTYad+uS2QhedkXIIOA k4+WyWfX2006irL5kS+f5yA8HDcfh+TidsmWEPVgSOdkyFoLSJofzbCpGFtwiZAhAJBd /1AgqyHUXYti42Lj1xwJudyrGSR9x0o4h88w1isQ/C2HhJA8MXs699W+RUUT7RK+pICE vgyS1AXNlf30I30kFPVPXUQGWcqtI5K/qQq65Q46ZTvjR/rQBYAD03HM0t9V/9ek4edG uResXJ9+A8GzObOGb/mnKLGvM7siO4i/qZY11k4VI5A2efKXA4LZLaG5Qx6Tb+ISUP2r Gwzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="mGit/OKf"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bk2-20020a170906b0c200b0077f2779c178si19434459ejb.254.2022.10.21.21.29.28; Fri, 21 Oct 2022 21:29:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="mGit/OKf"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229822AbiJVEPI (ORCPT + 99 others); Sat, 22 Oct 2022 00:15:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56282 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229864AbiJVEPB (ORCPT ); Sat, 22 Oct 2022 00:15:01 -0400 Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C3D03FF3A for ; Fri, 21 Oct 2022 21:14:56 -0700 (PDT) Received: by mail-lj1-x22f.google.com with SMTP id a25so6279686ljk.0 for ; Fri, 21 Oct 2022 21:14:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=HzRG8DueJFVBMoBP3WLGrZ36/yY2O+ekECOxt59Gcj0=; b=mGit/OKfyUTcqGootPlZvse7XEQUFvO23uFrEXaDR5RVDaIlVGo6ZEa5Oat75+yNrt uh/9w+hk9w7cgMNJ9Vg946Zvdsg/YcyUfsvog0yB4eKVbtn/Xb/tmHTk6THA5w5jc+b1 iOFMkUh/xpBzGy37JyyoMhDjAaUDj8n2tinf110KgtA2NCTBhEd2+4jqWc0wFfOp45sr LxNiFLkDBd/IM96oF/3p4SPDEFWNxSCgV4FYTtA3A5sFougMfCMfYxER2DunRAh6cILs UH38cqcZc3sishuc5Cg4QXgRnP48/x+lR7ejK6KSKMrGMmiLF/c2KaZuI/1B0imqriFf 2abw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HzRG8DueJFVBMoBP3WLGrZ36/yY2O+ekECOxt59Gcj0=; b=c92JlR8o7FXHH0XOZOYoUKifeuUsmggZdN9wykY1qEV22G9ethDKIKdbjQYAwG3IOH TgfqAoq3gorhZHOs0YP3OfGcj51oGdVVe2yVCalqW8aYruLjsxcepNdY45HIqSKgXvI1 MF33OGylJEV5iruRViTiEoDgnZANZ30YFwCrok9eKsPXdg2vDFiOKK6l5dRAFOCjEiGR NYss3pRCoSzCbisoVNj2R1GuVEF5Pvm151is4GZwynnRlUBlwrv+R02L2K5RWPd9WsYW z8sq8655SZTvsgOH/xOhONPy9sSONjm1E6GZhC6beI/EdZ08oMg5lzafZchVEKhGgt9E xzZQ== X-Gm-Message-State: ACrzQf1EDkjhI9smBbTMbr979fz1dPT9HFW4nr+ChIbLipZfsJFLQprd o5HL/AguNRuyka7qk0M0ptxZYuxDigHbGH5YZ1oDEA== X-Received: by 2002:a2e:9256:0:b0:26e:197d:3ff6 with SMTP id v22-20020a2e9256000000b0026e197d3ff6mr8269040ljg.518.1666412093751; Fri, 21 Oct 2022 21:14:53 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Fangrui Song Date: Fri, 21 Oct 2022 21:14:41 -0700 Message-ID: Subject: Re: kCFI && patchable-function-entry=M,N To: Sami Tolvanen Cc: Mark Rutland , llvm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Joao Moreira , Josh Poimboeuf , Kees Cook , Nathan Chancellor , Nick Desaulniers , Peter Zijlstra Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 21, 2022 at 10:39 AM Sami Tolvanen wr= ote: > > On Fri, Oct 21, 2022 at 8:56 AM Mark Rutland wrote= : > > > > Hi, > > > > For arm64, I'd like to use -fatchable-function-entry=3DM,N (where N > 0= ), for our > > ftrace implementation, which instruments *some* but not all functions. > > Unfortuntately, this doesn't play nicely with -fsanitize=3Dkcfi, as ins= trumented > > and non-instrumented functions don't agree on where the type hash shoul= d live > > relative to the function entry point, making them incompatible with one= another. > > Yes, the current implementation assumes that if prefix nops are used, > all functions have the same number of them. > > > Is there any mechanism today that we could use to solve this, or could = we > > extend clang to have some options to control this behaviour? > > I don't think there's a mechanism to work around the issue right now, > but we could just change where the hash is emitted on arm64. > > > It would also be helpful to have a symbol before both the hash and pre-= function > > NOPs so that we can filter those out of probes patching (I see that x86= does > > this with the __cfi_function symbol). > > Adding a symbol before the hash isn't a problem, but if we move the > hash and want the symbol to be placed before the prefix nops as well, > we might need a flag to control this. Fangrui, what do you think? > > Sami Since the kcfi code expects the hash to appear in a specific location so that an instrumented indirect jump can reliably obtain the hash. For a translation unit `-fpatchable-function-entry=3DN,M` may be specified or not, and we want both to work. Therefore, I agree that a consistent hash location will help. This argument favors placing M nops before the hash. The downside is a restriction on how the M nops can be used. Previously if M>0, the runtime code needs to check whether a BTI exists to locate the N-M after-function-entry NOPs. If the hash appears after the M nops, the runtime code needs to additionally knows whether the hash exists. My question is how to reliably detect this. If there is motivation using M>0, I'd like to know the concrete code sequence for `-fpatchable-function-entry=3DN,M` and how the runtime code detects the NOPs with optional hash and optional BTI. --=20 =E5=AE=8B=E6=96=B9=E7=9D=BF