From: Mark Rutland <mark.rutland@arm.com>
To: Quentin Perret <qperret@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
James Morse <james.morse@arm.com>, Will Deacon <will@kernel.org>,
Frederic Weisbecker <frederic@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Sami Tolvanen <samitolvanen@google.com>,
Andy Lutomirski <luto@kernel.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>
Subject: Re: [PATCH v6 2/2] arm64: implement support for static call trampolines
Date: Wed, 10 Nov 2021 11:09:40 +0000 [thread overview]
Message-ID: <YYuoawC2CpornRSG@FVFF77S0Q05N> (raw)
In-Reply-To: <YYrFvXg12eANs0gz@google.com>
Hi,
On Tue, Nov 09, 2021 at 07:02:21PM +0000, Quentin Perret wrote:
> On Tuesday 09 Nov 2021 at 19:09:21 (+0100), Ard Biesheuvel wrote:
> > Android relies heavily on tracepoints for vendor hooks, and given the
> > performance impact of CFI on indirect calls, there has been interest
> > in enabling static calls to replace them.
Hhmm.... what exactly is a "vendor hook" in this context, and what is it doing
with a tracepoint? From an upstream perspective that sounds somewhat fishy
usage.
> > Quentin, anything to add here?
>
> Yes, Android should definitely benefit from static calls.
>
> Modules attaching to tracepoints cause a measurable overhead w/ CFI as
> the jump target is a bit harder to verify if it is not in-kernel.
Where does that additional overhead come from when the target is not in-kernel?
I hope that I am wrong in understanding that __cfi_slowpath_diag() means we're
always doing an out-of-line check when calling into a module?
If that were the case, that would seem to be a much more general problem with
the current clang CFI scheme, and my fear here is that we're adding fragility
and complexity in specific plces to work around general problems with the CFI
scheme.
Thanks,
Mark.
> But sadly that's a common pattern for GKI. The current 'workaround' in
> Android has been to just plain disable CFI around all tracepoints in the
> kernel, which is a bit sad from a security PoV. But there was really no other
> option at the time, and we needed the performance back. Static calls would be
> a far superior solution as they would avoid much of the CFI overhead, and are
> not vulnerable in the CFI sense (that is, the branch target can't be easily
> overridden with a random OOB write from a dodgy driver). So yes, we'd really
> like to have those please :)
>
> Thanks,
> Quentin
next prev parent reply other threads:[~2021-11-10 11:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-05 14:59 [PATCH v6 0/2] static call support for arm64 Ard Biesheuvel
2021-11-05 14:59 ` [PATCH v6 1/2] static_call: use non-function types to refer to the trampolines Ard Biesheuvel
2021-11-08 10:08 ` Peter Zijlstra
2021-11-05 14:59 ` [PATCH v6 2/2] arm64: implement support for static call trampolines Ard Biesheuvel
2021-11-08 10:23 ` Peter Zijlstra
2021-11-08 11:29 ` Ard Biesheuvel
2021-11-08 11:52 ` Peter Zijlstra
2021-11-09 17:55 ` Mark Rutland
2021-11-09 18:09 ` Ard Biesheuvel
2021-11-09 19:02 ` Quentin Perret
2021-11-10 11:09 ` Mark Rutland [this message]
2021-11-10 12:05 ` Quentin Perret
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YYuoawC2CpornRSG@FVFF77S0Q05N \
--to=mark.rutland@arm.com \
--cc=ardb@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=frederic@kernel.org \
--cc=james.morse@arm.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=qperret@google.com \
--cc=rostedt@goodmis.org \
--cc=samitolvanen@google.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).