Re: [PATCH v5 5/7] aarch64: Add AArch64 Kernel Control Flow Integrity implementation

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees@kernel.org>
To: Andrew Pinski <andrew.pinski@oss.qualcomm.com>
Cc: Qing Zhao <qing.zhao@oracle.com>,
	Andrew Pinski <pinskia@gmail.com>,
	Jakub Jelinek <jakub@redhat.com>,
	Martin Uecker <uecker@tugraz.at>,
	Richard Biener <rguenther@suse.de>,
	Joseph Myers <josmyers@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Ard Biesheuvel <ardb@kernel.org>,
	Jeff Law <jeffreyalaw@gmail.com>, Jan Hubicka <hubicka@ucw.cz>,
	Richard Earnshaw <richard.earnshaw@arm.com>,
	Richard Sandiford <richard.sandiford@arm.com>,
	Marcus Shawcroft <marcus.shawcroft@arm.com>,
	Kyrylo Tkachov <kyrylo.tkachov@arm.com>,
	Kito Cheng <kito.cheng@gmail.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Andrew Waterman <andrew@sifive.com>,
	Jim Wilson <jim.wilson.gcc@gmail.com>,
	Dan Li <ashimida.1990@gmail.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	Ramon de C Valle <rcvalle@google.com>,
	Joao Moreira <joao@overdrivepizza.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Bill Wendling <morbo@google.com>,
	"Osterlund, Sebastian" <sebastian.osterlund@intel.com>,
	"Constable, Scott D" <scott.d.constable@intel.com>,
	gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v5 5/7] aarch64: Add AArch64 Kernel Control Flow Integrity implementation
Date: Wed, 22 Oct 2025 12:39:08 -0700	[thread overview]
Message-ID: <202510221238.F35859A@keescook> (raw)
In-Reply-To: <CALvbMcAjVAW-YxLE+qcFLNXVKy0neDop0b1bi=_YfB=8JqBNDA@mail.gmail.com>

On Wed, Oct 22, 2025 at 12:27:53PM -0700, Andrew Pinski wrote:
> On Wed, Oct 22, 2025 at 12:21 PM Kees Cook <kees@kernel.org> wrote:
> >
> > On Wed, Oct 22, 2025 at 12:14:32PM -0700, Andrew Pinski wrote:
> > > On Wed, Oct 22, 2025 at 11:27 AM Kees Cook <kees@kernel.org> wrote:
> > > >
> > > > Implement AArch64-specific KCFI backend.
> > > >
> > > > - Trap debugging through ESR (Exception Syndrome Register) encoding
> > > >   in BRK instruction immediate values.
> > > >
> > > > - Scratch register allocation using w16/w17 (x16/x17) following
> > > >   AArch64 procedure call standard for intra-procedure-call registers,
> > > >   which already makes x16/x17 available through existing clobbers.
> > > >
> > > > - Incompatible with -ffixed-x16 or -ffixed-x17.
> > >
> > > Can you explain why?
> > > The documentation for `-ffixed-` says this:
> > > ```
> > > -ffixed-reg
> > > Treat the register named reg as a fixed register; generated code
> > > should never refer to it (except perhaps as a stack pointer, frame
> > > pointer or in some other fixed role).
> > > ```
> > > In this case it is a `in some other fixed role`. Or is the problem you
> > > are using the allocator to figure out which is free?
> > > In the case of indirect tail calls, x17/x16 is always used for the
> > > pointer (since r9-5291-g901e66e03e1cd8).
> > > Which is the register class TAILCALL_ADDR_REGS.
> > > I think it is compatible with doing -ffixed-x17 (or -ffixed-x16)
> > > because it is a "fixed role" at this point.
> > > Though If both are supplied GCC will fall over anyways (will file a
> > > bug about that in a few minutes).
> >
> > This was done based on feedback from the riscv patch in v2:
> > https://lore.kernel.org/linux-hardening/dbf9a593-e19d-4f53-96d0-d067868f40b5@gmail.com/
> >
> > Jeff's interpretation of -ffixed-reg seemed to imply "GCC should not touch
> > this register", which seemed sensible to me from the perspective of the
> > "generated code should never refer to it" bit. How that interacts with
> > the "except perhaps as ... some other fixed role" is totally unclear to
> > me.
> >
> > Shall I drop all of the -ffixed-reg logic for all backends?
> 
> I cannot comment on other targets; they might still want it. For
> aarch64, it does not make sense to check x16/x17 being fixed when
> using KFCI. For aarch64, I suspect the check will be a generic check
> that is not connected to KFCI for the reasons why I mentioned about.

Okay, so for aarch64 KCFI, I should drop the -ffixed-reg conflict
checking logic?

-- 
Kees Cook

next prev parent reply	other threads:[~2025-10-22 19:39 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-22 18:22 [PATCH v5 0/7] Introduce Kernel Control Flow Integrity ABI [PR107048] Kees Cook
2025-10-22 18:22 ` [PATCH v5 1/7] typeinfo: Introduce KCFI typeinfo mangling API Kees Cook
2025-10-22 18:22 ` [PATCH v5 2/7] kcfi: Add core Kernel Control Flow Integrity infrastructure Kees Cook
2025-10-22 19:36   ` Andrew Pinski
2025-10-28 15:51   ` Qing Zhao
2025-10-22 18:22 ` [PATCH v5 3/7] kcfi: Add regression test suite Kees Cook
2025-10-22 18:22 ` [PATCH v5 4/7] x86: Add x86_64 Kernel Control Flow Integrity implementation Kees Cook
2025-10-22 18:22 ` [PATCH v5 5/7] aarch64: Add AArch64 " Kees Cook
2025-10-22 19:14   ` Andrew Pinski
2025-10-22 19:21     ` Kees Cook
2025-10-22 19:27       ` Andrew Pinski
2025-10-22 19:39         ` Kees Cook [this message]
2025-10-22 19:33   ` Andrew Pinski
2025-10-22 20:05     ` Kees Cook
2025-10-22 18:22 ` [PATCH v5 6/7] arm: Add ARM 32-bit " Kees Cook
2025-10-22 18:22 ` [PATCH v5 7/7] riscv: Add RISC-V " Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202510221238.F35859A@keescook \
    --to=kees@kernel.org \
    --cc=andrew.pinski@oss.qualcomm.com \
    --cc=andrew@sifive.com \
    --cc=ardb@kernel.org \
    --cc=ashimida.1990@gmail.com \
    --cc=gcc-patches@gcc.gnu.org \
    --cc=hubicka@ucw.cz \
    --cc=jakub@redhat.com \
    --cc=jeffreyalaw@gmail.com \
    --cc=jim.wilson.gcc@gmail.com \
    --cc=joao@overdrivepizza.com \
    --cc=josmyers@redhat.com \
    --cc=kito.cheng@gmail.com \
    --cc=kyrylo.tkachov@arm.com \
    --cc=linux-hardening@vger.kernel.org \
    --cc=marcus.shawcroft@arm.com \
    --cc=morbo@google.com \
    --cc=nathan@kernel.org \
    --cc=palmer@dabbelt.com \
    --cc=peterz@infradead.org \
    --cc=pinskia@gmail.com \
    --cc=qing.zhao@oracle.com \
    --cc=rcvalle@google.com \
    --cc=rguenther@suse.de \
    --cc=richard.earnshaw@arm.com \
    --cc=richard.sandiford@arm.com \
    --cc=samitolvanen@google.com \
    --cc=scott.d.constable@intel.com \
    --cc=sebastian.osterlund@intel.com \
    --cc=uecker@tugraz.at \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.