From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>,
	x86@kernel.org, joao@overdrivepizza.com, hjl.tools@gmail.com,
	andrew.cooper3@citrix.com, linux-kernel@vger.kernel.org,
	ndesaulniers@google.com, samitolvanen@google.com
Subject: Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups
Date: Wed, 9 Feb 2022 12:41:41 +0100
Message-ID: <20220209114141.GN23216@worktop.programming.kicks-ass.net>
In-Reply-To: <202202081542.F685EC23@keescook>

On Tue, Feb 08, 2022 at 03:43:27PM -0800, Kees Cook wrote:
> On Wed, Nov 24, 2021 at 11:30:37AM -0800, Josh Poimboeuf wrote:
> > On Mon, Nov 22, 2021 at 06:03:07PM +0100, Peter Zijlstra wrote:
> > > +static int validate_ibt_reloc(struct objtool_file *file, struct reloc *reloc, char **name)
> > > +{
> > > +	struct instruction *dest;
> > > +	struct section *sec;
> > > +	unsigned long off;
> > > +
> > > +	sec = reloc->sym->sec;
> > > +	off = reloc->sym->offset + reloc->addend;
> > > +
> > > +	dest = find_insn(file, sec, off);
> > > +	if (!dest)
> > > +		return 0;
> > > +
> > > +	if (name && dest->func)
> > > +		*name = dest->func->name;
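
Review bot: validate_ibt_reloc() writes *name only when dest->func is set, so for a target outside any function the caller gets back whatever it passed in; set *name = NULL on entry, or say in a comment that callers must initialise it. The if (!dest) return 0; path also accepts a relocation that does not land on a decoded instruction without saying why that case is safe to skip; a one-line comment there would help.
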
> > 
> > I think these checks can be further narrowed down by only looking for
> > X86_64_64 relocs.
> > 
> > > +	list_for_each_entry(insn, &file->endbr_list, call_node) {
> > > +		if (ibt_seal) {
> > > +			elf_write_insn(file->elf, insn->sec,
> > > +				       insn->offset, insn->len,
> > > +				       arch_nop_insn(insn->len));
> > > +		}
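
Review bot: in the endbr_list loop the result of elf_write_insn() is discarded, so a failed rewrite would go unnoticed; check it and propagate the error. The ibt_seal test does not change per iteration and can be hoisted out of the loop, and since endbr_list is walked through the call_node member, a comment on why reusing that linkage is safe would help.
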
> > 
> > Like the retpoline rewriting, I'd much rather have objtool create
> > annotations which the kernel can then read and patch itself.
> > 
> > e.g. have '.ibt.direct_call_sites' and '.ibt.unused_endbr_insns'
> > sections.
> 
> Why have the kernel do that work at every boot when it can be known at
> link time?

I have patches that write a 4 byte #UD there instead of a nop. That
would make !IBT hardware splat as well when it hits a sealed function
(and in that case actually having those extra ENDBR generated is a
bonus).

Anyway, I have some newer patches and some hardware, except it's a NUC
and working with those things is a royal pain in the arse since they
don't have serial. I finally did get XHCI debug port working, but
there's no XDBC grub support, so now I managed to boot a dead kernel and
the thing is a brick until I can be arsed to connect a keyboard and
screen to it again :-(

KVM/qemu has no IBT support merged yet, so I can't use that either.
