From: Peter Zijlstra <peterz@infradead.org>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: x86@kernel.org, Kees Cook <keescook@chromium.org>,
Sami Tolvanen <samitolvanen@google.com>,
Joao Moreira <joao@overdrivepizza.com>,
linux-kernel@vger.kernel.org, Mark Rutland <mark.rutland@arm.com>,
Josh Poimboeuf <jpoimboe@redhat.com>
Subject: Re: [PATCH] x86/ibt: Implement FineIBT
Date: Sat, 22 Oct 2022 17:03:45 +0200
Message-ID: <Y1QGUXSc43rInacJ@hirez.programming.kicks-ass.net>
In-Reply-To: <20221021230859.gysp5v3yzfqz4xgb@treble>

On Fri, Oct 21, 2022 at 04:08:59PM -0700, Josh Poimboeuf wrote:
> On Tue, Oct 18, 2022 at 03:35:50PM +0200, Peter Zijlstra wrote:
> > +#ifdef CONFIG_FINEIBT
> > +/*
> > + * kCFI FineIBT
> > + *
> > + * __cfi_\func: __cfi_\func:
> > + * movl $0x12345678,%eax endbr64 // 4
> > + * nop subl $0x12345678,%r10d // 7
> > + * nop jz 1f // 2
> > + * nop ud2 // 2
> > + * nop 1: nop // 1
> > + * nop
> > + * nop
> > + * nop
> > + * nop
> > + * nop
> > + * nop
> > + * nop
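
Review bot: The diagram annotates byte counts only in the FineIBT column on the right (4 + 7 + 2 + 2 + 1 = 16); the kCFI column on the left has none, so the reader has to work out that the 5-byte movl plus the eleven nops shown fill the same 16 bytes. Annotating the left column the same way would make the equal-size requirement explicit. The visible part of the comment also does not say what %r10d is expected to hold on entry to the subl, which is the value the jz/ud2 check depends on; one line stating where that value comes from would make the comment self-contained.
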
>
> All the "CFI" naming everywhere is very unfortunate. We already have
> "call frame information" in both the toolchain and objtool.
>
> The feature is called "kCFI" anyway, can Clang call the symbols
> '__kcfi_*'?

I think the compiler patch is already merged in clang, not sure that's
still an option, Sami?

> > +++ b/tools/objtool/builtin-check.c
> > @@ -79,6 +79,7 @@ const struct option check_options[] = {
> > OPT_BOOLEAN('s', "stackval", &opts.stackval, "validate frame pointer rules"),
> > OPT_BOOLEAN('t', "static-call", &opts.static_call, "annotate static calls"),
> > OPT_BOOLEAN('u', "uaccess", &opts.uaccess, "validate uaccess rules for SMAP"),
> > + OPT_BOOLEAN(0 , "cfi", &opts.cfi, "generate cfi_sites"),
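
Review bot: The help string "generate cfi_sites" on the new "cfi" option names an output instead of describing what objtool does, unlike the neighbouring "validate ..." and "annotate ..." strings, and it drops the leading dot of the ".cfi_sites" section name that create_cfi_sections() looks up. A string that says which preambles are being annotated and spells the section as .cfi_sites would match the other entries; the bare option name "cfi" is also ambiguous and could be made more specific in the same change.
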
>
> "annotate kernel control flow integrity (kCFI) function preambles" ?

Sure.

> > +++ b/tools/objtool/check.c
> > @@ -861,6 +861,62 @@ static int create_ibt_endbr_seal_section
> > return 0;
> > }
> >
> > +static int create_cfi_sections(struct objtool_file *file)
> > +{
> > + struct section *sec, *s;
> > + struct symbol *sym;
> > + unsigned int *loc;
> > + int idx;
> > +
> > + sec = find_section_by_name(file->elf, ".cfi_sites");
> > + if (sec) {
> > + INIT_LIST_HEAD(&file->call_list);
> > + WARN("file already has .cfi_sites section, skipping");
> > + return 0;
> > + }
> > +
> > + idx = 0;
> > + for_each_sec(file, s) {
> > + if (!s->text)
> > + continue;
> > +
> > + list_for_each_entry(sym, &s->symbol_list, list) {
> > + if (strncmp(sym->name, "__cfi_", 6))
> > + continue;
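
Review bot: In the early-return branch for an existing .cfi_sites section, INIT_LIST_HEAD(&file->call_list) resets a list that nothing in the lines shown uses; the function walks each section's symbol_list, so this looks like a leftover from a sibling create_*_sections() helper and can be dropped, or it needs a comment saying why call_list must be cleared here. Separately, strncmp(sym->name, "__cfi_", 6) hard-codes the prefix length; deriving it from the literal (for example with strlen() on a named constant) keeps the two from drifting apart if the prefix is ever renamed.
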
>
> Also make sure it's STT_FUNC.

OK.