From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f172.google.com (mail-yw1-f172.google.com [209.85.128.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D9A831361 for ; Mon, 16 May 2022 17:15:37 +0000 (UTC) Received: by mail-yw1-f172.google.com with SMTP id 00721157ae682-2fb9a85a124so157670917b3.13 for ; Mon, 16 May 2022 10:15:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=sG0LBzcw6X5gtPxGyrwzWMTlfNPOaO9928SvntnUZYb9/aTe8ETQvXR+oTGM+2Q01E FT27+UEachU8nZ1/6NE6iFT0H7w2Z3yA+Xt2mScQcVbGHTAWTIC7oC4Ow2OaFjZ9yRPC zsYacU5leVMUJP7q08JQQ5kO8v4LF8Y18NuJOV1FQrJzkb1Q6HVJDb2aR5qUZZ4fxb8L j83sHlqEvTkYQHwcihaYzN7Qej80njRn7ld+NLQm+PvbJhpZV4rhRz6XHZUrjQV7dE19 0b1Wx+2l3Noy/e5cucVImILRyz95RaT9Ba/0fxbWcc15VZWfUSGKEh7MDJ5UgWmgO8Wm Fp5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=0blsiN5N/K+qzO1eUhXUU46yN/u+igdyENahHcEJ9aG+o/P4ymQ9v+xQL8P1zLXyKN HALMY07tVP4YCmaogRW+q71N1k4zEQ8M7wm34bIiXQTw12ekwN0nXegkHXG9Ifjssjgq fl5uiffjUcfWe53mKfou3s7MID6cd5NxCxL03FVuC33ZuVyr4MIUirgsQucNByz2XTpX BNQBvBkViAj1++DeXH9E1s7nJEwG+LByb7Cy3I12WvLx8uSn211D+Yuj3OL6jL7W7RWz uDmIyKI+0cm4vcsQoGfI1/2g0yqG1o4i2tFeB8C+O/zRLaAbUS17QANGYZGSogAR3Wul CemA== X-Gm-Message-State: AOAM533vY71A1r30+b1tEZW0quBPs2voycioEdaNMjlFSAt7nIsXaf1t ZjdPJ2hZd+i9M7pF91gXggBRZOLSSJgHhQgj1S4PBg== X-Google-Smtp-Source: ABdhPJwVJxOR6miZJ4+xQc2WHDZMKppmkvrGNnjVqxWGG/tKcoV/VdOV2r77ffndCOhGZP+04/DkGyU0orcJhTS4elU= X-Received: by 2002:a0d:d747:0:b0:2ff:22b9:9281 with SMTP id z68-20020a0dd747000000b002ff22b99281mr186733ywd.305.1652721336717; Mon, 16 May 2022 10:15:36 -0700 (PDT) Precedence: bulk X-Mailing-List: llvm@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20220513202159.1550547-1-samitolvanen@google.com> <20220513202159.1550547-21-samitolvanen@google.com> In-Reply-To: From: Sami Tolvanen Date: Mon, 16 May 2022 10:15:00 -0700 Message-ID: Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG To: Peter Zijlstra Cc: linux-kernel@vger.kernel.org, Kees Cook , Josh Poimboeuf , x86@kernel.org, Catalin Marinas , Will Deacon , Mark Rutland , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev Content-Type: text/plain; charset="UTF-8" On Mon, May 16, 2022 at 2:54 AM Peter Zijlstra wrote: > > On Fri, May 13, 2022 at 01:21:58PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler injects a type preamble > > immediately before each function and a check to validate the target > > function type before indirect calls: > > > > ; type preamble > > __cfi_function: > > int3 > > int3 > > mov , %eax > > int3 > > int3 > > function: > > ... > > When I enable CFI_CLANG and X86_KERNEL_IBT I get: > > 0000000000000c80 <__cfi_io_schedule_timeout>: > c80: cc int3 > c81: cc int3 > c82: b8 b5 b1 39 b3 mov $0xb339b1b5,%eax > c87: cc int3 > c88: cc int3 > > 0000000000000c89 : > c89: f3 0f 1e fa endbr64 > > > That seems unfortunate. Would it be possible to get an additional > compiler option to suppress the endbr for all symbols that get a __cfi_ > preaamble? What's the concern with the endbr? Dropping it would currently break the CFI+IBT combination on newer hardware, no? > Also, perhaps s/CFI_CLANG/KERNEL_CFI/ or somesuch, so that GCC might > also implement this same scheme (in time)? I'm fine with renaming the config. > > ; indirect call check > > cmpl , -6(%r11) > > je .Ltmp1 > > ud2 > > .Ltmp1: > > call __x86_indirect_thunk_r11 > > The first one I try and find looks like: > > 26: 41 81 7b fa a6 96 9e 38 cmpl $0x389e96a6,-0x6(%r11) > 2e: 74 02 je 32 <__traceiter_sched_kthread_stop+0x29> > 30: 0f 0b ud2 > 32: 4c 89 f6 mov %r14,%rsi > 35: e8 00 00 00 00 call 3a <__traceiter_sched_kthread_stop+0x31> 36: R_X86_64_PLT32 __x86_indirect_thunk_r11-0x4 > > This must not be. If I'm to rewrite that lot to: > > movl $\hash, %r10d > sub $9, %r11 > call *%r11 > .nop 4 > > Then there must not be spurious instruction in between the ud2 and the > indirect call/retpoline thing. With the current compiler patch, LLVM sets up function arguments after the CFI check. if it's a problem, we can look into changing that. Sami From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D6A8CC433EF for ; Mon, 16 May 2022 17:16:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:Subject:Message-ID:Date:From: In-Reply-To:References:MIME-Version:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=MOys2XwunkxCkgxQYjx8mlPqkkXPEAFu7CvqUrdgq+U=; b=H7nnWVp/9X0lgf fxQTEb5RxypEPuKE6D/2M5rxf238ce7V+vWD/e6mfst8aCqDXfk/R3E2SRxeBtcGtykUMBYgwph7T pWidn49xcZQ1hsrF+pJxPCmmmuLU7kh+awzsAsbYD3Sn5A9L+5KsRCe9gjJIPdvUyFcehDPnfEyJa C20/A5JL53ck68ni9rN6TXYHggdLcqjJPopg6J4QdUWiuMM8mbHZmp4m39zm/uo0G0czRjbKMHyKs BjV/86Jl5fHzNlwmrzNRG06jR0x5mUEYYkqS4RnW+b+evoa3qquslASTwLQexl7q+9kbFVvXnkovb xR4B4js4k2Vrkb7zFbIA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nqeJp-009IeZ-T3; Mon, 16 May 2022 17:15:42 +0000 Received: from mail-yw1-x1130.google.com ([2607:f8b0:4864:20::1130]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nqeJm-009IdA-Kj for linux-arm-kernel@lists.infradead.org; Mon, 16 May 2022 17:15:39 +0000 Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-2ebf4b91212so160970477b3.8 for ; Mon, 16 May 2022 10:15:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=sG0LBzcw6X5gtPxGyrwzWMTlfNPOaO9928SvntnUZYb9/aTe8ETQvXR+oTGM+2Q01E FT27+UEachU8nZ1/6NE6iFT0H7w2Z3yA+Xt2mScQcVbGHTAWTIC7oC4Ow2OaFjZ9yRPC zsYacU5leVMUJP7q08JQQ5kO8v4LF8Y18NuJOV1FQrJzkb1Q6HVJDb2aR5qUZZ4fxb8L j83sHlqEvTkYQHwcihaYzN7Qej80njRn7ld+NLQm+PvbJhpZV4rhRz6XHZUrjQV7dE19 0b1Wx+2l3Noy/e5cucVImILRyz95RaT9Ba/0fxbWcc15VZWfUSGKEh7MDJ5UgWmgO8Wm Fp5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SGf6wjrvSBA9+5luKWtA8S1TB1Ho/iykZkRoevKUR/M=; b=sJbAJ7Ha2wE7CmPMKjdoaLuUMHq34xsiie55N6LJE2e2bsWY8DHGRidkEFDDs5SC4f 7NwwcKgcKh2KZ1YaQHplxQDm9K7vRAcYLw6CoaRHfv2Jm0RRMH05vT9hEro81+b4+vfE /8snUPDN+wEW/bj3i71rs1yJN0F1O9gjMJSCPgIv63dtRQJrxGJJkaFPQki8GMb6mfXy 786hGSPqAKzWG9ki+XzBapnxE0EHOeI7EJh4QxBGgjaizHDS+1kVo5eToxWhGFNU+F1A YZVqljv8UA0iuXsse2IW/GqkKcBpRONk1k3Jnk35vJES3vZFN69Tt63y0yxmB7ypw388 84Nw== X-Gm-Message-State: AOAM532Lk5mxK2dxM2IQEcZoImDnB/JjbEYG1R3c2FuEaOSvWZwuFdgm F00kvbeiB4ps9unl1ERL6L7X33i3VbCQuHPmcFbS+g== X-Google-Smtp-Source: ABdhPJwVJxOR6miZJ4+xQc2WHDZMKppmkvrGNnjVqxWGG/tKcoV/VdOV2r77ffndCOhGZP+04/DkGyU0orcJhTS4elU= X-Received: by 2002:a0d:d747:0:b0:2ff:22b9:9281 with SMTP id z68-20020a0dd747000000b002ff22b99281mr186733ywd.305.1652721336717; Mon, 16 May 2022 10:15:36 -0700 (PDT) MIME-Version: 1.0 References: <20220513202159.1550547-1-samitolvanen@google.com> <20220513202159.1550547-21-samitolvanen@google.com> In-Reply-To: From: Sami Tolvanen Date: Mon, 16 May 2022 10:15:00 -0700 Message-ID: Subject: Re: [RFC PATCH v2 20/21] x86: Add support for CONFIG_CFI_CLANG To: Peter Zijlstra Cc: linux-kernel@vger.kernel.org, Kees Cook , Josh Poimboeuf , x86@kernel.org, Catalin Marinas , Will Deacon , Mark Rutland , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220516_101538_717488_0CAB9C82 X-CRM114-Status: GOOD ( 20.48 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Mon, May 16, 2022 at 2:54 AM Peter Zijlstra wrote: > > On Fri, May 13, 2022 at 01:21:58PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler injects a type preamble > > immediately before each function and a check to validate the target > > function type before indirect calls: > > > > ; type preamble > > __cfi_function: > > int3 > > int3 > > mov , %eax > > int3 > > int3 > > function: > > ... > > When I enable CFI_CLANG and X86_KERNEL_IBT I get: > > 0000000000000c80 <__cfi_io_schedule_timeout>: > c80: cc int3 > c81: cc int3 > c82: b8 b5 b1 39 b3 mov $0xb339b1b5,%eax > c87: cc int3 > c88: cc int3 > > 0000000000000c89 : > c89: f3 0f 1e fa endbr64 > > > That seems unfortunate. Would it be possible to get an additional > compiler option to suppress the endbr for all symbols that get a __cfi_ > preaamble? What's the concern with the endbr? Dropping it would currently break the CFI+IBT combination on newer hardware, no? > Also, perhaps s/CFI_CLANG/KERNEL_CFI/ or somesuch, so that GCC might > also implement this same scheme (in time)? I'm fine with renaming the config. > > ; indirect call check > > cmpl , -6(%r11) > > je .Ltmp1 > > ud2 > > .Ltmp1: > > call __x86_indirect_thunk_r11 > > The first one I try and find looks like: > > 26: 41 81 7b fa a6 96 9e 38 cmpl $0x389e96a6,-0x6(%r11) > 2e: 74 02 je 32 <__traceiter_sched_kthread_stop+0x29> > 30: 0f 0b ud2 > 32: 4c 89 f6 mov %r14,%rsi > 35: e8 00 00 00 00 call 3a <__traceiter_sched_kthread_stop+0x31> 36: R_X86_64_PLT32 __x86_indirect_thunk_r11-0x4 > > This must not be. If I'm to rewrite that lot to: > > movl $\hash, %r10d > sub $9, %r11 > call *%r11 > .nop 4 > > Then there must not be spurious instruction in between the ud2 and the > indirect call/retpoline thing. With the current compiler patch, LLVM sets up function arguments after the CFI check. if it's a problem, we can look into changing that. Sami _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel