From: Sami Tolvanen <samitolvanen@google.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Joao Moreira <joao@overdrivepizza.com>,
Kees Cook <keescook@chromium.org>, X86 ML <x86@kernel.org>,
hjl.tools@gmail.com, Josh Poimboeuf <jpoimboe@redhat.com>,
andrew.cooper3@citrix.com, LKML <linux-kernel@vger.kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
llvm@lists.linux.dev
Subject: Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups
Date: Mon, 14 Feb 2022 13:38:18 -0800 [thread overview]
Message-ID: <CABCJKuciRBnz4JxBDJC=+kuJn4pU2uBkWPBov7-VL2o2j0F4SA@mail.gmail.com> (raw)
In-Reply-To: <20220211133803.GV23216@worktop.programming.kicks-ass.net>
On Fri, Feb 11, 2022 at 5:38 AM Peter Zijlstra <peterz@infradead.org> wrote:
> I think we'll end up with something related to KCFI, but with distinct
> differences:
>
> - 32bit immediates for smaller code
Sure, I don't see issues with that. Based on a quick test with
defconfig, this reduces vmlinux size by 0.30%.
> - __kcfi_check_fail() is out for smaller code
I'm fine with adding a trap mode that's used by default, but having
more helpful diagnostics when something fails is useful even in
production systems in my experience. This change results in a vmlinux
that's another 0.92% smaller.
> Which then yields:
>
> caller:
> cmpl $0xdeadbeef, -0x4(%rax) # 7 bytes
> je 1f # 2 bytes
> ud2 # 2 bytes
> 1: call __x86_indirect_thunk_rax # 5 bytes
Note that the compiler might not emit this *exact* sequence of
instructions. For example, Clang generates this for events_sysfs_show
with the modified KCFI patch:
2274: cmpl $0x4d7bed9e,-0x4(%r11)
227c: jne 22c0 <events_sysfs_show+0x6c>
227e: call 2283 <events_sysfs_show+0x2f>
227f: R_X86_64_PLT32 __x86_indirect_thunk_r11-0x4
...
22c0: ud2
In this case the function has two indirect calls and Clang seems to
prefer to emit just one ud2.
> .align 16
> .byte 0xef, 0xbe, 0xad, 0xde # 4 bytes
> func:
> endbr # 4 bytes
Here func is no longer aligned to 16 bytes, in case that's important.
> Further, Andrew put in the request for __attribute__((cfi_seed(blah)))
> to allow distinguishing indirect functions with otherwise identical
> signature; eg. cookie = hash32(blah##signature).
Sounds reasonable.
> Did I miss anything? Got anything wrong?
How would you like to deal with the 4-byte hashes in objtool? We
either need to annotate all function symbols in the kernel, or we need
a way to distinguish the hashes from random instructions, so we can
also have functions that don't have a type hash.
Sami
next prev parent reply other threads:[~2022-02-14 21:38 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-22 17:03 [RFC][PATCH 0/6] x86: Kernel IBT beginnings Peter Zijlstra
2021-11-22 17:03 ` [RFC][PATCH 1/6] x86: Annotate _THIS_IP_ Peter Zijlstra
2021-11-23 13:53 ` Mark Rutland
2021-11-23 14:14 ` Peter Zijlstra
2021-11-24 18:18 ` Josh Poimboeuf
2021-11-22 17:03 ` [RFC][PATCH 2/6] x86: Base IBT bits Peter Zijlstra
2022-02-08 23:32 ` Kees Cook
2021-11-22 17:03 ` [RFC][PATCH 3/6] x86: Add ENDBR to IRET-to-Self Peter Zijlstra
2021-11-22 18:09 ` Peter Zijlstra
2022-02-08 23:33 ` Kees Cook
2021-11-22 17:03 ` [RFC][PATCH 4/6] objtool: Read the _THIS_IP_ hints Peter Zijlstra
2021-11-22 17:03 ` [RFC][PATCH 5/6] x86: Sprinkle ENDBR dust Peter Zijlstra
2021-11-23 14:00 ` Mark Rutland
2021-11-23 14:21 ` Peter Zijlstra
2022-02-08 23:38 ` Kees Cook
2021-11-22 17:03 ` [RFC][PATCH 6/6] objtool: Add IBT validation / fixups Peter Zijlstra
2021-11-24 19:30 ` Josh Poimboeuf
2022-02-08 23:43 ` Kees Cook
2022-02-09 5:09 ` Josh Poimboeuf
2022-02-09 11:41 ` Peter Zijlstra
2022-02-09 11:45 ` Peter Zijlstra
2021-12-24 2:05 ` joao
2022-02-08 23:42 ` Kees Cook
2022-02-09 2:21 ` Joao Moreira
2022-02-09 4:05 ` Kees Cook
2022-02-09 5:18 ` Joao Moreira
2022-02-11 13:38 ` Peter Zijlstra
2022-02-14 21:38 ` Sami Tolvanen [this message]
2022-02-14 22:25 ` Peter Zijlstra
2022-02-15 16:56 ` Sami Tolvanen
2022-02-15 20:03 ` Kees Cook
2022-02-15 21:05 ` Peter Zijlstra
2022-02-15 23:05 ` Kees Cook
2022-02-15 23:38 ` Joao Moreira
2022-02-16 12:24 ` Peter Zijlstra
2022-02-15 20:53 ` Peter Zijlstra
2022-02-15 22:45 ` Joao Moreira
2022-02-16 0:57 ` Andrew Cooper
2022-03-02 3:06 ` Peter Collingbourne
2022-03-02 3:32 ` Joao Moreira
2022-06-08 17:53 ` Fāng-ruì Sòng
2022-06-09 0:05 ` Sami Tolvanen
2021-11-23 7:58 ` [RFC][PATCH 0/6] x86: Kernel IBT beginnings Christoph Hellwig
2021-11-23 9:02 ` Peter Zijlstra
2022-02-08 23:48 ` Kees Cook
2022-02-09 0:09 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABCJKuciRBnz4JxBDJC=+kuJn4pU2uBkWPBov7-VL2o2j0F4SA@mail.gmail.com' \
--to=samitolvanen@google.com \
--cc=andrew.cooper3@citrix.com \
--cc=hjl.tools@gmail.com \
--cc=joao@overdrivepizza.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=ndesaulniers@google.com \
--cc=peterz@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.