From: Kees Cook <kees@kernel.org>
To: Andrew Pinski <andrew.pinski@oss.qualcomm.com>
Cc: Qing Zhao <qing.zhao@oracle.com>, Uros Bizjak <ubizjak@gmail.com>,
	Joseph Myers <josmyers@redhat.com>,
	Richard Biener <rguenther@suse.de>,
	Jeff Law <jeffreyalaw@gmail.com>,
	Andrew Pinski <pinskia@gmail.com>,
	Jakub Jelinek <jakub@redhat.com>,
	Martin Uecker <uecker@tugraz.at>,
	Peter Zijlstra <peterz@infradead.org>,
	Ard Biesheuvel <ardb@kernel.org>, Jan Hubicka <hubicka@ucw.cz>,
	Richard Earnshaw <richard.earnshaw@arm.com>,
	Richard Sandiford <richard.sandiford@arm.com>,
	Marcus Shawcroft <marcus.shawcroft@arm.com>,
	Kyrylo Tkachov <kyrylo.tkachov@arm.com>,
	Kito Cheng <kito.cheng@gmail.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Andrew Waterman <andrew@sifive.com>,
	Jim Wilson <jim.wilson.gcc@gmail.com>,
	Dan Li <ashimida.1990@gmail.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	Ramon de C Valle <rcvalle@google.com>,
	Joao Moreira <joao@overdrivepizza.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Bill Wendling <morbo@google.com>,
	"Osterlund, Sebastian" <sebastian.osterlund@intel.com>,
	"Constable, Scott D" <scott.d.constable@intel.com>,
	gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 5/7] aarch64: Add AArch64 Kernel Control Flow Integrity implementation
Date: Thu, 20 Nov 2025 16:18:33 -0800
Message-ID: <202511201606.079192C85@keescook>
In-Reply-To: <CALvbMcBmEi8bv2dAo2nj=6hTQSaH_-ym2VbAkx__j6XQ+w6eeA@mail.gmail.com>

On Thu, Nov 20, 2025 at 03:10:41PM -0800, Andrew Pinski wrote:
> On Thu, Nov 20, 2025 at 2:57 PM Andrew Pinski
> <andrew.pinski@oss.qualcomm.com> wrote:
> > Also I am still trying to figure out and understand the interaction
> > between x16 and x17 in some cases.
> > Because I thought indirect calls/jumps will be using x16/x17 for those
> > to support BTI.
> 
> Oh yes:
> (define_register_constraint "Ucr"
>     "aarch64_harden_sls_blr_p () ? STUB_REGS : GENERAL_REGS"
>   "@internal Registers to be used for an indirect call.
>    This is usually the general registers, but when we are hardening against
>    Straight Line Speculation we disallow x16, x17, and x30 so we can use
>    indirection stubs.  These indirection stubs cannot use the above registers
>    since they will be reached by a BL that may have to go through a linker
>    veneer.")
> 
> But you don't change Ucr so in theory x16/x17 could be used for call_value_insn.
> (I can't get that one using x16/x17 right now).
> 
> Oh and sibcall_insn uses Ucs which is defined as:
> (define_register_constraint "Ucs" "TAILCALL_ADDR_REGS"
>   "@internal Registers suitable for an indirect tail call")
> TAILCALL_ADDR_REGS is a register class which just contains x16/x17.

Hm, I will need to study this more closely. I wonder if both kcfi and sls
hardening end up being self-contained users of the scratch registers? I'll
double check that my kernel test builds have SLS hardening enabled. (And
I'll likely need to add some aarch64-specific sibcall tests with/without
SLS hardening to see the resulting asm.)

> I don't see a testcase for indirect sibcall either.
> 
> ```
> typedef void (*fptr)(void);
> void f(fptr a)
> {
>   a();
> }
> ```
> Is a testcase for the indirect sibcall case.

I did include basic tests for a variety of sibcalls in the patch that
added the general tests; see gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
(though I named it "tail calls"), and the fptr test includes an argument
(the comment is x86-specific, but it should be a valid test for all archs):

+/* Indirect call through function pointer parameter.  */
+int test_param_indirect_call(func_ptr_t handler, int x) {
+    /* This is an indirect call that should be converted to tail call:
+       Without -fno-optimize-sibling-calls should become "jmp *%rdi"
+       With -fno-optimize-sibling-calls should be "call *%rdi"  */
+    return handler(x);
+}
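Review bot: the comment in this hunk hard-codes x86 mnemonics and a register name (`jmp *%rdi`, `call *%rdi`) while the file sits in the target-independent gcc.dg/kcfi directory and is expected to serve all the architectures in the series. Suggest wording the expectation neutrally ("should become an indirect tail jump" / "should remain an indirect call") and, if the emitted instruction is to be verified, putting the mnemonics in target-guarded scan-assembler directives rather than in a comment that will be wrong for aarch64, arm and riscv readers of the same test.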

-Kees

-- 
Kees Cook
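The thread above contrasts the register constraints used by call_value_insn (Ucr) and sibcall_insn (Ucs) and asks for a no-argument indirect sibcall test. The following is an added example, not code from the KCFI patch series or the GCC testsuite: it collects, in one file, the four C call shapes that by my reading land on the four aarch64 indirect-call patterns (call_insn, call_value_insn, sibcall_insn, sibcall_value_insn), so that compiling it with and without SLS hardening shows which register carries the target address in each case. The callee names, the counter, and the flag spelling `-fsanitize=kcfi` are assumptions of this example; `-mharden-sls=blr` is the existing aarch64 option behind aarch64_harden_sls_blr_p().

```c
/* Added example (not code from the KCFI patch series): C call shapes that,
   by my reading of the thread, land on the four aarch64 indirect-call
   patterns it names (call_insn, call_value_insn, sibcall_insn,
   sibcall_value_insn).  Compile with an aarch64 GCC carrying the series,
   e.g. "-O2 -S -fsanitize=kcfi" (flag spelling assumed) with and without
   "-mharden-sls=blr", and compare which register holds the target address. */
#include <stdio.h>

typedef void (*void_fptr_t)(void);
typedef int (*int_fptr_t)(int);

/* Constructed callees; the counter makes the void callee observable. */
static int counter;
static void bump(void) { counter++; }
static int add_one(int x) { return x + 1; }

/* Indirect tail call with no return value: the case raised in the thread
   (sibcall_insn, constraint Ucs, i.e. TAILCALL_ADDR_REGS = x16/x17). */
void call_void_tail(void_fptr_t a)
{
    a();
}

/* Indirect tail call returning the callee's value: the same shape as
   test_param_indirect_call in kcfi-tail-calls.c (sibcall_value_insn). */
int call_value_tail(int_fptr_t handler, int x)
{
    return handler(x);
}

/* Not a tail call: the result is used after the callee returns, so the
   frame must survive and a plain call_value_insn (constraint Ucr) is used. */
int call_value_no_tail(int_fptr_t handler, int x)
{
    int r = handler(x);
    return r * 2;
}

/* Not a tail call and no value from the callee (call_insn): the function
   reads global state after the call, so it cannot become a sibcall. */
int call_void_no_tail(void_fptr_t a)
{
    a();
    return counter;
}

int main(void)
{
    call_void_tail(bump);                                              /* counter: 1 */
    printf("tail value: %d\n", call_value_tail(add_one, 41));          /* 42 */
    printf("no-tail value: %d\n", call_value_no_tail(add_one, 20));    /* 42 */
    printf("counter after void call: %d\n", call_void_no_tail(bump));  /* 2 */
    return 0;
}
```

Adding `-fno-optimize-sibling-calls`, as the quoted test comment describes, turns the two tail-call functions back into ordinary indirect calls, so the same file also shows the Ucr-constrained forms for the sibcall shapes.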
