All of lore.kernel.org
 help / color / mirror / Atom feed
From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Sami Tolvanen <samitolvanen@google.com>
Cc: X86 ML <x86@kernel.org>, Kees Cook <keescook@chromium.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Sedat Dilek <sedat.dilek@gmail.com>,
	linux-hardening@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>,
	llvm@lists.linux.dev
Subject: Re: [PATCH v4 00/15] x86: Add support for Clang CFI
Date: Tue, 5 Oct 2021 19:42:54 -0700	[thread overview]
Message-ID: <20211006024254.l3mrl2zrdvzpskmd@treble> (raw)
In-Reply-To: <CABCJKucbbFKHRnisu_yLiHkTfcm9Z+haP0CBNg-pLeO6iFxivg@mail.gmail.com>

On Tue, Oct 05, 2021 at 02:52:46PM -0700, Sami Tolvanen wrote:
> On Tue, Oct 5, 2021 at 1:37 PM Josh Poimboeuf <jpoimboe@redhat.com> wrote:
> >
> > On Thu, Sep 30, 2021 at 11:05:16AM -0700, Sami Tolvanen wrote:
> > > This series adds support for Clang's Control-Flow Integrity (CFI)
> > > checking to x86_64. With CFI, the compiler injects a runtime
> > > check before each indirect function call to ensure the target is
> > > a valid function with the correct static type. This restricts
> > > possible call targets and makes it more difficult for an attacker
> > > to exploit bugs that allow the modification of stored function
> > > pointers. For more details, see:
> > >
> > >   https://clang.llvm.org/docs/ControlFlowIntegrity.html
> > >
> > > Note that v4 is based on tip/master. The first two patches contain
> > > objtool support for CFI, the remaining patches change function
> > > declarations to use opaque types, fix type mismatch issues that
> > > confuse the compiler, and disable CFI where it can't be used.
> > >
> > > You can also pull this series from
> > >
> > >   https://github.com/samitolvanen/linux.git x86-cfi-v4
> >
> > Does this work for indirect calls made from alternatives?
> 
> It works in the sense that indirect calls made from alternatives won't
> trip CFI. The compiler doesn't instrument inline assembly.
> 
> > I'm also wondering whether this works on CONFIG_RETPOLINE systems which
> > disable retpolines at runtime, combined with Peter's patch to use
> > objtool to replace retpoline thunk calls with indirect branches:
> >
> >   9bc0bb50727c ("objtool/x86: Rewrite retpoline thunk calls")
> >
> > Since presumably objtool runs after the CFI stuff is inserted.
> 
> The indirect call checking is before the retpoline thunk call, so
> replacing the call with an indirect call isn't a problem.

Ah right.  I managed to forget how this worked and was thinking this
intercepted the indirect call rather than the function pointer.

-- 
Josh


      reply	other threads:[~2021-10-06  2:43 UTC|newest]

Thread overview: 74+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-30 18:05 [PATCH v4 00/15] x86: Add support for Clang CFI Sami Tolvanen
2021-09-30 18:05 ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 01/15] objtool: Add CONFIG_CFI_CLANG support Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:40   ` Nick Desaulniers
2021-09-30 18:40     ` Nick Desaulniers
2021-10-06  3:36   ` Josh Poimboeuf
2021-10-06 16:18     ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 02/15] objtool: Add ASM_STACK_FRAME_NON_STANDARD Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-10-06  3:37   ` Josh Poimboeuf
2021-09-30 18:05 ` [PATCH v4 03/15] linkage: Add DECLARE_ASM_FUNC_SYMBOL Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 04/15] cfi: Add DEFINE_CFI_IMMEDIATE_RETURN_STUB Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:50   ` Nick Desaulniers
2021-09-30 18:50     ` Nick Desaulniers
2021-10-01 20:07     ` Sami Tolvanen
2021-10-01 20:07       ` Sami Tolvanen
2021-10-04 13:50   ` Peter Zijlstra
2021-10-04 19:10     ` Sami Tolvanen
2021-10-05  6:59       ` Peter Zijlstra
2021-10-05 20:29         ` Sami Tolvanen
2021-10-05 20:56           ` Peter Zijlstra
2021-10-05 21:53             ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 05/15] tracepoint: Exclude tp_stub_func from CFI checking Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:50   ` Nick Desaulniers
2021-09-30 18:50     ` Nick Desaulniers
2021-10-01 20:08     ` Sami Tolvanen
2021-10-01 20:08       ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 06/15] ftrace: Use an opaque type for functions not callable from C Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-10-06  3:29   ` Josh Poimboeuf
2021-10-06 13:02     ` Steven Rostedt
2021-10-06 13:54       ` Josh Poimboeuf
2021-10-06 14:16         ` Steven Rostedt
2021-10-06 16:31       ` Sami Tolvanen
2021-10-06 16:58         ` Steven Rostedt
2021-10-06 17:45           ` Sami Tolvanen
2021-10-06 20:43             ` Josh Poimboeuf
2021-10-06 21:10               ` Steven Rostedt
2021-10-06 21:23                 ` Josh Poimboeuf
2021-10-06 23:14                   ` Sami Tolvanen
2021-10-07  0:56                     ` Steven Rostedt
2021-09-30 18:05 ` [PATCH v4 07/15] lkdtm: Disable UNSET_SMEP with CFI Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 08/15] lkdtm: Use an opaque type for lkdtm_rodata_do_nothing Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 09/15] x86: Use an opaque type for functions not callable from C Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 10/15] x86/purgatory: Disable CFI Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 19:05   ` Nick Desaulniers
2021-09-30 19:05     ` Nick Desaulniers
2021-09-30 18:05 ` [PATCH v4 11/15] x86, relocs: Ignore __typeid__ relocations Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-10-06  3:31   ` Josh Poimboeuf
2021-10-06 16:17     ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 12/15] x86, module: " Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 13/15] x86, cpu: Use LTO for cpu.c with CFI Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 14/15] x86, kprobes: Fix optprobe_template_func type mismatch Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:05 ` [PATCH v4 15/15] x86, build: Allow CONFIG_CFI_CLANG to be selected Sami Tolvanen
2021-09-30 18:05   ` Sami Tolvanen
2021-09-30 18:38 ` [PATCH v4 00/15] x86: Add support for Clang CFI Nick Desaulniers
2021-09-30 18:38   ` Nick Desaulniers
2021-10-01 20:55   ` Sedat Dilek
2021-10-01 20:55     ` Sedat Dilek
2021-10-05 20:36 ` Josh Poimboeuf
2021-10-05 21:52   ` Sami Tolvanen
2021-10-06  2:42     ` Josh Poimboeuf [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211006024254.l3mrl2zrdvzpskmd@treble \
    --to=jpoimboe@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=peterz@infradead.org \
    --cc=samitolvanen@google.com \
    --cc=sedat.dilek@gmail.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.