From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3425F2101 for ; Wed, 4 May 2022 07:34:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=cTSIQdlg91RSK+na/NVKBd/Ax/ZBULg9Q/4Gx74hmBE=; b=DJ4sRfVFdZHqiUR1scXw9foZfl L7yKxBEJhUhm/nN8KNGznPTfuCfQS10cTZGTZncnxpQcvHtmIibXuZIf4BWhkVTwUsXutzODCujTX 9ol5m6lfkrhF1XEjyiZyaKvorG5EUGu2bSqA/FcWM5LcriPRGK2tDMPLFNt4Lz0WYO0NKcTysvqe1 ju+XiMI9AoOmYgIRswBct3J0G8rSnfT/S/lYzMGoHVAa5UY/87fStP27Br/E5nPYN5Sh2OitDpTAx CPy06b7r2hzVIO98a1HVNwlRWcw0xPwXqpEILLaa17u5ZiJGLI0PMYOMFXL3CPPGYkmCdK5kE6dIL wBOgZgjg==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by desiato.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1nm9Wd-00B171-EK; Wed, 04 May 2022 07:34:19 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 7BD913004B5; Wed, 4 May 2022 09:34:18 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 3EF7E2029A1DC; Wed, 4 May 2022 09:34:18 +0200 (CEST) Date: Wed, 4 May 2022 09:34:18 +0200 From: Peter Zijlstra To: Peter Collingbourne Cc: Sami Tolvanen , Kees Cook , Mark Rutland , Josh Poimboeuf , Will Deacon , Catalin Marinas , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , LKML , X86 ML , linux-hardening@vger.kernel.org, linux-arm-kernel , llvm@lists.linux.dev Subject: Re: [RFC PATCH 00/21] KCFI support Message-ID: References: <20220429203644.2868448-1-samitolvanen@google.com> <202204291545.47C6A97EA2@keescook> Precedence: bulk X-Mailing-List: llvm@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Tue, May 03, 2022 at 03:35:34PM -0700, Peter Collingbourne wrote: > On Mon, May 2, 2022 at 1:02 PM Peter Zijlstra wrote: > > > > On Mon, May 02, 2022 at 08:22:57AM -0700, Sami Tolvanen wrote: > > > > > > Anyway, I think I hate that __builtin, I'd *much* rather see a variable > > > > attribute or qualifier for this, such that one can mark a function > > > > pointer as not doing CFI. > > > > > > > > I simply doesn't make sense to have a builtin that operates on an > > > > expression. The whole thing is about indirect calls, IOW function > > > > pointers. > > > > > > I also thought an attribute would be more convenient, but the compiler > > > folks prefer a built-in: > > > > > > https://reviews.llvm.org/D122673 > > > > That seems to mostly worry about C++ things (overload sets, template > > specialization, name mangling) we kernel folks don't seem to much care > > about. > > > > I'll stick with saying type system makes more sense to me though. > > I'd say it's not only the C++ issues but more the "action at a > distance" that's implied by having this be part of the type system. > With this being in the function type it's hard to tell whether any > particular call will have CFI disabled, without needing to go and look > at how the function pointer is defined. Look at how we use volatile: *(volatile int *)(&foo) we don't use volatile on actual variable definitions (much), but instead cast it in at the usage site. Same can be done with this if so desired. > On the other hand, if we > explicitly mark up the calls with CFI disabled, the code becomes > easier to audit (think Rust "unsafe" blocks). I don't know any Rust. To me Rust still looks like line noise. > Does it seem any better to you to have this be marked up via the > function expression, rather than the call? The idea is that this would > always compile to a check-free function call, no matter what "func" > is: > > __builtin_kcfi_call_unchecked(func)(args) > > We already have this, to some degree, with KCFI as implemented: CFI > checks are disabled if the function expression refers to a declared > function. The builtin would allow overriding the decision to also > disable CFI checks for function expressions that use the builtin. It > also wouldn't preclude a type based system later on (the builtin would > become effectively a cast to the "unchecked" type). That's still a bit naf; you've effectively made that builtin a type-cast. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 74229C433F5 for ; Wed, 4 May 2022 07:35:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=Q4UL5OdkKmQX18PgFYcSP2MMGWFospbvh0BY5jzTH1c=; b=E1ounrjoI8343s aTwHQjihbtdS0FCx1+Ht3MUX7d7pPyNEAMqdWq0UFYEX/vR5Iv3CYyagRa8Qq5KUsIjQd3gytlYrE 4IJ72ekYlgjH3TVboQACTHm3Gfi/ZwvPD0XAAOA7Cf63ZdOJ5rwq5NSHO87E1k3W3wb5KN6j+mGtV O/cAPRDW0w8KZlWuPTPOMzwU2B9mVe9MN4msWqSdgNAeaqbp6jasP59el1uUaDomnZSZeJufRBHsy WjO/Is2oEIv1AM+WfgSuN/Z1ibIrj1AL4ESkD7ILq5j/q9gAiIDn9ONij4Sv3LBkVaTczPXdouB4J lNpJPIBfZDO5lfBTLvNg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nm9Wl-009H03-MC; Wed, 04 May 2022 07:34:27 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nm9Wj-009Gyz-Vv for linux-arm-kernel@bombadil.infradead.org; Wed, 04 May 2022 07:34:26 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=cTSIQdlg91RSK+na/NVKBd/Ax/ZBULg9Q/4Gx74hmBE=; b=DJ4sRfVFdZHqiUR1scXw9foZfl L7yKxBEJhUhm/nN8KNGznPTfuCfQS10cTZGTZncnxpQcvHtmIibXuZIf4BWhkVTwUsXutzODCujTX 9ol5m6lfkrhF1XEjyiZyaKvorG5EUGu2bSqA/FcWM5LcriPRGK2tDMPLFNt4Lz0WYO0NKcTysvqe1 ju+XiMI9AoOmYgIRswBct3J0G8rSnfT/S/lYzMGoHVAa5UY/87fStP27Br/E5nPYN5Sh2OitDpTAx CPy06b7r2hzVIO98a1HVNwlRWcw0xPwXqpEILLaa17u5ZiJGLI0PMYOMFXL3CPPGYkmCdK5kE6dIL wBOgZgjg==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by desiato.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1nm9Wd-00B171-EK; Wed, 04 May 2022 07:34:19 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 7BD913004B5; Wed, 4 May 2022 09:34:18 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 3EF7E2029A1DC; Wed, 4 May 2022 09:34:18 +0200 (CEST) Date: Wed, 4 May 2022 09:34:18 +0200 From: Peter Zijlstra To: Peter Collingbourne Cc: Sami Tolvanen , Kees Cook , Mark Rutland , Josh Poimboeuf , Will Deacon , Catalin Marinas , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , LKML , X86 ML , linux-hardening@vger.kernel.org, linux-arm-kernel , llvm@lists.linux.dev Subject: Re: [RFC PATCH 00/21] KCFI support Message-ID: References: <20220429203644.2868448-1-samitolvanen@google.com> <202204291545.47C6A97EA2@keescook> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Tue, May 03, 2022 at 03:35:34PM -0700, Peter Collingbourne wrote: > On Mon, May 2, 2022 at 1:02 PM Peter Zijlstra wrote: > > > > On Mon, May 02, 2022 at 08:22:57AM -0700, Sami Tolvanen wrote: > > > > > > Anyway, I think I hate that __builtin, I'd *much* rather see a variable > > > > attribute or qualifier for this, such that one can mark a function > > > > pointer as not doing CFI. > > > > > > > > I simply doesn't make sense to have a builtin that operates on an > > > > expression. The whole thing is about indirect calls, IOW function > > > > pointers. > > > > > > I also thought an attribute would be more convenient, but the compiler > > > folks prefer a built-in: > > > > > > https://reviews.llvm.org/D122673 > > > > That seems to mostly worry about C++ things (overload sets, template > > specialization, name mangling) we kernel folks don't seem to much care > > about. > > > > I'll stick with saying type system makes more sense to me though. > > I'd say it's not only the C++ issues but more the "action at a > distance" that's implied by having this be part of the type system. > With this being in the function type it's hard to tell whether any > particular call will have CFI disabled, without needing to go and look > at how the function pointer is defined. Look at how we use volatile: *(volatile int *)(&foo) we don't use volatile on actual variable definitions (much), but instead cast it in at the usage site. Same can be done with this if so desired. > On the other hand, if we > explicitly mark up the calls with CFI disabled, the code becomes > easier to audit (think Rust "unsafe" blocks). I don't know any Rust. To me Rust still looks like line noise. > Does it seem any better to you to have this be marked up via the > function expression, rather than the call? The idea is that this would > always compile to a check-free function call, no matter what "func" > is: > > __builtin_kcfi_call_unchecked(func)(args) > > We already have this, to some degree, with KCFI as implemented: CFI > checks are disabled if the function expression refers to a declared > function. The builtin would allow overriding the decision to also > disable CFI checks for function expressions that use the builtin. It > also wouldn't preclude a type based system later on (the builtin would > become effectively a cast to the "unchecked" type). That's still a bit naf; you've effectively made that builtin a type-cast. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel