Date: Mon, 24 Oct 2022 12:18:26 +0100
From: Mark Rutland
To: Fangrui Song
Cc: Sami Tolvanen, llvm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Joao Moreira, Josh Poimboeuf, Kees Cook, Nathan Chancellor, Nick Desaulniers, Peter Zijlstra
Subject: Re: kCFI && patchable-function-entry=M,N
On Fri, Oct 21, 2022 at 09:14:41PM -0700, Fangrui Song wrote:
> On Fri, Oct 21, 2022 at 10:39 AM Sami Tolvanen wrote:
> >
> > On Fri, Oct 21, 2022 at 8:56 AM Mark Rutland wrote:
> > >
> > > Hi,
> > >
> > > For arm64, I'd like to use -fpatchable-function-entry=M,N (where N > 0), for our
> > > ftrace implementation, which instruments *some* but not all functions.
> > > Unfortunately, this doesn't play nicely with -fsanitize=kcfi, as instrumented
> > > and non-instrumented functions don't agree on where the type hash should live
> > > relative to the function entry point, making them incompatible with one another.
> >
> > Yes, the current implementation assumes that if prefix nops are used,
> > all functions have the same number of them.
> >
> > > Is there any mechanism today that we could use to solve this, or could we
> > > extend clang to have some options to control this behaviour?
> >
> > I don't think there's a mechanism to work around the issue right now,
> > but we could just change where the hash is emitted on arm64.
> >
> > > It would also be helpful to have a symbol before both the hash and pre-function
> > > NOPs so that we can filter those out of probes patching (I see that x86 does
> > > this with the __cfi_function symbol).
> >
> > Adding a symbol before the hash isn't a problem, but if we move the
> > hash and want the symbol to be placed before the prefix nops as well,
> > we might need a flag to control this. Fangrui, what do you think?
> >
> > Sami
>
> Since the kcfi code expects the hash to appear in a specific location
> so that an instrumented indirect jump can reliably obtain the hash.
> For a translation unit `-fpatchable-function-entry=N,M` may be
> specified or not, and we want both to work. Therefore, I agree that a
> consistent hash location will help. This argument favors placing M
> nops before the hash. The downside is a restriction on how the M nops
> can be used. Previously if M>0, the runtime code needs to check
> whether a BTI exists to locate the N-M after-function-entry NOPs. If
> the hash appears after the M nops, the runtime code needs to
> additionally know whether the hash exists. My question is how to
> reliably detect this.

That's a fair point.

For detecting BTI we can scan the binary for BTI/NOP at M instructions into the
patch-site, but a similar approach won't be reliable for the type hash since the
type hash itself could have the same bit pattern as an instruction.

> If there is motivation using M>0, I'd like to know the concrete code
> sequence for `-fpatchable-function-entry=N,M` and how the runtime code
> detects the NOPs with optional hash and optional BTI.

For the BTI case alone, I have code at:

  https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/commit/?h=arm64/ftrace/per-callsite-ops&id=272a580fd5b7acc31747505d71530cee7cc2837d

... the gist being that it checks the instruction M insns after the start of the
patch site.

For the type hash, I think there are a few options, e.g.

* Restricting the type hash to a set of values that can be identified (e.g.
  encoding those as a permanently-undefined UDF with a 16-bit immediate).

* Adding options to record additional metadata along with the pointer to the
  patch-site in the __patchable_function_entries section.

* Adding an option to record patch-site variants to sub-sections of the
  __patchable_function_entries section, so that at link time these can be
  grouped separately, e.g.

  * __patchable_function_entries.???     // no BTI, no type hash
  * __patchable_function_entries.bti     // has BTI
  * __patchable_function_entries.bti_cfi // has BTI and type hash
  * __patchable_function_entries.cfi     // has type hash

Do any of those approaches sound plausible to you?

Thanks,
Mark.
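As an added example (not code from the thread, the kernel or LLVM), the following C model shows the detection problem Fangrui raises and the first option Mark lists: a patch-site walker that, assuming the layout [M NOPs][hash][entry: optional BTI][N-M NOPs] and a hash encoded as UDF #imm16, locates the after-entry NOPs, next to the naive "is the word at M a BTI?" check that an unrestricted 32-bit hash defeats. The function names and the sample sites are constructed; the NOP, BTI and UDF encodings are the real AArch64 ones.

```c
/* Added example, not kernel or LLVM code: models the arm64 patch-site layout
 * discussed above, [M NOPs][optional type hash][entry: optional BTI][N-M NOPs],
 * with the hash restricted to the UDF #imm16 encoding so it can be told apart
 * from any valid instruction. Layout order and hash-as-UDF are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define A64_NOP   0xD503201Fu /* NOP */
#define A64_BTI_C 0xD503245Fu /* BTI c */

/* UDF #imm16 is encoded as 0x0000iiii and is permanently undefined on
 * AArch64, so no NOP, BTI or other valid instruction shares its pattern. */
static bool is_udf_hash(uint32_t w) { return (w >> 16) == 0; }
/* BTI, BTI c, BTI j and BTI jc differ only in bits 7:6 of the HINT encoding. */
static bool is_bti(uint32_t w) { return (w & 0xFFFFFF3Fu) == 0xD503241Fu; }

struct site_info {
    bool has_hash, has_bti;
    size_t entry;     /* word index of the function entry point */
    size_t post_nops; /* word index of the first after-entry NOP */
};

/* site points at the first pre-entry NOP (the address recorded in
 * __patchable_function_entries); m is the M of -fpatchable-function-entry. */
static struct site_info classify_site(const uint32_t *site, unsigned m)
{
    struct site_info info = {0};
    size_t i = m;
    if (is_udf_hash(site[i])) { info.has_hash = true; i++; }
    info.entry = i;
    if (is_bti(site[i])) { info.has_bti = true; i++; }
    info.post_nops = i;
    return info;
}

/* The ambiguity Mark describes: an unrestricted 32-bit hash may equal a valid
 * instruction, so "is the word at M a BTI?" cannot tell hash from BTI. */
static bool naive_bti_check(const uint32_t *site, unsigned m) { return is_bti(site[m]); }
/* Constructed sample sites, all with M = 2. */
static const uint32_t site_plain[]    = { A64_NOP, A64_NOP, A64_NOP, A64_NOP };
static const uint32_t site_hash_bti[] = { A64_NOP, A64_NOP, 0x0000BEEFu, A64_BTI_C, A64_NOP, A64_NOP };
static const uint32_t site_bad_hash[] = { A64_NOP, A64_NOP, A64_BTI_C /* colliding hash */, A64_NOP, A64_NOP };

int main(void)
{
    struct site_info s = classify_site(site_hash_bti, 2);
    printf("hash=%d bti=%d entry=%zu post_nops=%zu\n", s.has_hash, s.has_bti, s.entry, s.post_nops);
}
```

For site_bad_hash the naive check reports a BTI at M even though the word is the hash, which is exactly why the walker above only accepts hashes in the UDF range.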