Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp2733074rwl; Thu, 13 Apr 2023 10:05:56 -0700 (PDT) X-Google-Smtp-Source: AKy350YE3HU5jBqKlfUS8k50PPLyT7uZGCuZD179fF94lq/XdQFrlvvVOh4oDcnreT/2gh+Z4ES3 X-Received: by 2002:a17:903:185:b0:19d:20a:a219 with SMTP id z5-20020a170903018500b0019d020aa219mr3287080plg.66.1681405555681; Thu, 13 Apr 2023 10:05:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681405555; cv=none; d=google.com; s=arc-20160816; b=Rv2qSxSYz3yU54jmj/gALYEwbtVTUjBJThR5BOQ7i/rzld6fqNZMKumisUpwuOBzt+ 9yVgTjdqZogUFANHMy1WJlV6qhm556yiUGYcY2QIq2pVBEqV0RCz7zsGUqaLgBUTs5aM PoNJvHCyoKt6Grb7/aIsnE0Vel0Riugu0hRf3aU18feI68rcZvU/cYnHwFpFcxIPwIOO xpIezrAq5KDSX5x3vfxza5bCcXtMr918xlDJ2bc4wf8zrXIxMsOJxbDcw10wNxwAS7Hp uu6E7nMCD6osShwf6mMXeAWMa1zSTu2MNW/ODEu6oJPZtXlh7ZXZvhoLs03fDpJd5k1P dPsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=ccsEwv5oO7NDzmy7DI9h+6ldasNA+QD8FggJsRLsgZk=; b=T6zhMzVoYbXVU5h9MhncsD/sRL+Flj+2O5aOfbmk7diU0pF55Ju22icxE/PWATPWQM bgMgs+6uswgyKtfpjPYNR0gjmLfRK8Suuy360ZNSk0Ym0ACrTokog4/lrxLhCXx2XbbN k04O/enJvyLbM6rw27QbfHmt6iiwER1UDOq0qA4oObWL0qfbyomsvsX/fqZdTeJxIErF DQr05Vz4aD9KYYsE2ahej4gupfugeAm4vFtsTPr+LTcct7S2lIH8McgrDMzs5X8EN6FU 8N0Dd0cvqmBdKR8h2guSu2N29ktQIbLZEn3ECu09/RZ3gw2nrkwcJ8GdYP+e9PcptWmW FltA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=taQlQ7g8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b6-20020a656686000000b0051909d663desi2417740pgw.481.2023.04.13.10.05.41; Thu, 13 Apr 2023 10:05:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=taQlQ7g8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229965AbjDMRER (ORCPT + 99 others); Thu, 13 Apr 2023 13:04:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36642 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229636AbjDMREP (ORCPT ); Thu, 13 Apr 2023 13:04:15 -0400 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C01061AE for ; Thu, 13 Apr 2023 10:04:14 -0700 (PDT) Received: by mail-pl1-x630.google.com with SMTP id m18so15580370plx.5 for ; Thu, 13 Apr 2023 10:04:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681405454; x=1683997454; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=ccsEwv5oO7NDzmy7DI9h+6ldasNA+QD8FggJsRLsgZk=; b=taQlQ7g87EtETw7950+oGC++35BjVH5z2ygGlMMbTo5I7kDps9cXFqUloS7mUgBPth di55++ydNmblfUOhmk6Mf0ZCpCc0mg7Vf6yYQEQso89+hO+DKYcj2CoCTaIJIn2Ue3HO //xsWAhOf3MiEmH9CtufeOoszfiO02siNSMA9WvEfdVh/fcgRPIFebc6BJPK1WkgL3tP 87y3YtPmFMfzYiYYqk1EBz0a2F3HU71Xqg/99WsL1W85upYH9GyW5rt4Q6q7PQ2hqU9Z 1mGZ4HIyPU+it7CmDLMyrPIXqht0YEywvU8X36Fw7a9okB6fZv/g78cDMlXq5Qn95K0W G4FQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681405454; x=1683997454; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ccsEwv5oO7NDzmy7DI9h+6ldasNA+QD8FggJsRLsgZk=; b=EDCKrUSH1Zf3EkjmnDO7mO+Tevwi3UwUxygyd0RAw2mhYtlrBpNJJCkSBQ7baI8xID ICqb/OBtBY8H0dztha3jOdyFzraBR2Cv5kHU1hFqcAMpOvnInKMXQCYfVnHxoBDkh+3k H5ftb+56gP39qFLa44U0pU/sFWSz4BzMe42im7tnAV47g3l6mdotvCMR0mmJSZyiAxuh ihZDXWaNCUlNpP4kk7UBgPxSX2hRAfkeAgbYTK2GYLwcJI9TfOS+d8KfKK1QEZpbsGha 2WuKK1B/fh14rVzWz3zMFYcZ5Wjf6GEWF2glsC/+N+03hISDexB3RP6LlHMGPUXNmfOo MICA== X-Gm-Message-State: AAQBX9cJ5QWZ47cv0P1gWDSrDKiiUIOTLQSr9LvcfmJqYGy/eEXZbBzH jcDfMzDI9swB56v6BYAu02xN1Q== X-Received: by 2002:a05:6a20:66a1:b0:ea:fb53:4cb1 with SMTP id o33-20020a056a2066a100b000eafb534cb1mr2743042pzh.41.1681405453405; Thu, 13 Apr 2023 10:04:13 -0700 (PDT) Received: from google.com ([2620:15c:2d1:203:fde9:d34:5ee3:d2e8]) by smtp.gmail.com with ESMTPSA id l15-20020a654c4f000000b0051a3c744256sm1618060pgr.93.2023.04.13.10.04.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Apr 2023 10:04:12 -0700 (PDT) Date: Thu, 13 Apr 2023 10:04:05 -0700 From: Nick Desaulniers To: Mark Rutland Cc: madvenka@linux.microsoft.com, jpoimboe@redhat.com, peterz@infradead.org, chenzhongjin@huawei.com, broonie@kernel.org, nobuta.keiya@fujitsu.com, sjitindarsingh@gmail.com, catalin.marinas@arm.com, will@kernel.org, jamorris@linux.microsoft.com, linux-arm-kernel@lists.infradead.org, live-patching@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-toolchains@vger.kernel.org Subject: Re: [RFC PATCH v3 00/22] arm64: livepatch: Use ORC for dynamic frame pointer validation Message-ID: References: <0337266cf19f4c98388e3f6d09f590d9de258dc7> <20230202074036.507249-1-madvenka@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 23, 2023 at 05:17:14PM +0000, Mark Rutland wrote: > Hi Madhavan, > > At a high-level, I think this still falls afoul of our desire to not reverse > engineer control flow from the binary, and so I do not think this is the right > approach. I've expanded a bit on that below. > > I do think it would be nice to have *some* of the objtool changes, as I do > think we will want to use objtool for some things in future (e.g. some > build-time binary patching such as table sorting). > > > Problem > > ======= > > > > Objtool is complex and highly architecture-dependent. There are a lot of > > different checks in objtool that all of the code in the kernel must pass > > before livepatch can be enabled. If a check fails, it must be corrected > > before we can proceed. Sometimes, the kernel code needs to be fixed. > > Sometimes, it is a compiler bug that needs to be fixed. The challenge is > > also to prove that all the work is complete for an architecture. > > > > As such, it presents a great challenge to enable livepatch for an > > architecture. > > There's a more fundamental issue here in that objtool has to reverse-engineer > control flow, and so even if the kernel code and compiled code generation is > *perfect*, it's possible that objtool won't recognise the structure of the > generated code, and won't be able to reverse-engineer the correct control flow. > > We've seen issues where objtool didn't understand jump tables, so support for > that got disabled on x86. A key objection from the arm64 side is that we don't > want to disable compile code generation strategies like this. Further, as > compiles evolve, their code generation strategies will change, and it's likely > there will be other cases that crop up. This is inherently fragile. > > The key objections from the arm64 side is that we don't want to > reverse-engineer details from the binary, as this is complex, fragile, and > unstable. This is why we've previously suggested that we should work with > compiler folk to get what we need. > This still requires reverse-engineering the forward-edge control flow in order > to compute those offets, so the same objections apply with this approach. I do > not think this is the right approach. > > I would *strongly* prefer that we work with compiler folk to get the > information that we need. IDK if it's relevant here, but I did see a commit go by to LLVM that seemed to include such info in a custom ELF section (for the purposes of improving fuzzing, IIUC). Maybe such an encoding scheme could be tested to see if it's reliable or usable? - https://github.com/llvm/llvm-project/commit/3e52c0926c22575d918e7ca8369522b986635cd3 - https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-control-flow > > [...] > > > FWIW, I have also compared the CFI I am generating with DWARF > > information that the compiler generates. The CFIs match a > > 100% for Clang. In the case of gcc, the comparison fails > > in 1.7% of the cases. I have analyzed those cases and found > > the DWARF information generated by gcc is incorrect. The > > ORC generated by my Objtool is correct. > > > Have you reported this to the GCC folk, and can you give any examples? > I'm sure they would be interested in fixing this, regardless of whether we end > up using it. Yeah, at least a bug report is good. "See something, say something."