From: Kees Cook <kees@kernel.org>
To: Andrew Pinski <andrew.pinski@oss.qualcomm.com>
Cc: Qing Zhao <qing.zhao@oracle.com>, Uros Bizjak <ubizjak@gmail.com>,
	Joseph Myers <josmyers@redhat.com>,
	Richard Biener <rguenther@suse.de>,
	Jeff Law <jeffreyalaw@gmail.com>,
	Andrew Pinski <pinskia@gmail.com>,
	Jakub Jelinek <jakub@redhat.com>,
	Martin Uecker <uecker@tugraz.at>,
	Peter Zijlstra <peterz@infradead.org>,
	Ard Biesheuvel <ardb@kernel.org>, Jan Hubicka <hubicka@ucw.cz>,
	Richard Earnshaw <richard.earnshaw@arm.com>,
	Richard Sandiford <richard.sandiford@arm.com>,
	Marcus Shawcroft <marcus.shawcroft@arm.com>,
	Kyrylo Tkachov <kyrylo.tkachov@arm.com>,
	Kito Cheng <kito.cheng@gmail.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Andrew Waterman <andrew@sifive.com>,
	Jim Wilson <jim.wilson.gcc@gmail.com>,
	Dan Li <ashimida.1990@gmail.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	Ramon de C Valle <rcvalle@google.com>,
	Joao Moreira <joao@overdrivepizza.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Bill Wendling <morbo@google.com>,
	"Osterlund, Sebastian" <sebastian.osterlund@intel.com>,
	"Constable, Scott D" <scott.d.constable@intel.com>,
	gcc-patches@gcc.gnu.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 5/7] aarch64: Add AArch64 Kernel Control Flow Integrity implementation
Date: Thu, 20 Nov 2025 16:18:33 -0800
Message-ID: <202511201606.079192C85@keescook>
In-Reply-To: <CALvbMcBmEi8bv2dAo2nj=6hTQSaH_-ym2VbAkx__j6XQ+w6eeA@mail.gmail.com>

On Thu, Nov 20, 2025 at 03:10:41PM -0800, Andrew Pinski wrote:
> On Thu, Nov 20, 2025 at 2:57 PM Andrew Pinski
> <andrew.pinski@oss.qualcomm.com> wrote:
> > Also I am still trying to figure out and understand the interaction
> > between x16 and x17 in some cases.
> > Because I thought indirect calls/jumps will be using x16/x17 for those
> > to support BTI.
> 
> Oh yes:
> (define_register_constraint "Ucr"
>     "aarch64_harden_sls_blr_p () ? STUB_REGS : GENERAL_REGS"
>   "@internal Registers to be used for an indirect call.
>    This is usually the general registers, but when we are hardening against
>    Straight Line Speculation we disallow x16, x17, and x30 so we can use
>    indirection stubs.  These indirection stubs cannot use the above registers
>    since they will be reached by a BL that may have to go through a linker
>    veneer.")
> 
> But you don't change Ucr so in theory x16/x17 could be used for call_value_insn.
> (I can't get that one using x16/x17 right now).
> 
> Oh and sibcall_insn uses Ucs which is defined as:
> (define_register_constraint "Ucs" "TAILCALL_ADDR_REGS"
>   "@internal Registers suitable for an indirect tail call")
> TAILCALL_ADDR_REGS is a register class which just contains x16/x17.

Hm, I will need to study this more closely. I wonder if both kcfi and sls
hardening end up being self-contained users of the scratch registers? I'll
double check that my kernel test builds have SLS hardening enabled. (And
I'll likely need to add some aarch64-specific sibcall tests with/without
SLS hardening to see the resulting asm.)

> I don't see a testcase for indirect sibcall either.
> 
> ```
> typedef void (*fptr)(void);
> void f(fptr a)
> {
>   a();
> }
> ```
> Is a testcase for the indirect sibcall case.

I did include basic tests for a variety of sibcalls in the patch that
added the general tests; see gcc/testsuite/gcc.dg/kcfi/kcfi-tail-calls.c
(though I named it "tail calls"), and the fptr test includes an argument
(the comment is x86-specific, but it should be a valid test for all archs):

+/* Indirect call through function pointer parameter.  */
+int test_param_indirect_call(func_ptr_t handler, int x) {
+    /* This is an indirect call that should be converted to tail call:
+       Without -fno-optimize-sibling-calls should become "jmp *%rdi"
+       With -fno-optimize-sibling-calls should be "call *%rdi"  */
+    return handler(x);
+}
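Review bot: the comment in test_param_indirect_call names x86 operands (`jmp *%rdi` / `call *%rdi`) in a test that lives under the target-independent gcc.dg/kcfi/ directory; on aarch64 the same call becomes an indirect branch through a register, and with SLS hardening the Ucs constraint quoted above limits a tail-call address register to x16/x17. Suggest rewording the comment to describe the expected shape generically ("indirect jump through the register holding handler" vs "indirect call") and pairing this test with an aarch64-specific one under gcc.target/aarch64 compiled with and without -mharden-sls=blr, so the interaction between the KCFI check sequence and the stub registers is actually covered.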

-Kees

-- 
Kees Cook
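As an added illustration, not a file from the patch series or the GCC testsuite, the indirect-call shapes the thread discusses (the no-argument sibcall Andrew gave, the argument-passing one Kees cited, plus a variadic target) collected in one stand-alone C file. The callee and wrapper names are made up for the example; compiling it once plainly and once with -mharden-sls=blr on an aarch64 toolchain is one way to compare which register ends up carrying the tail-call target.

```c
/* Constructed example: indirect-call shapes that are sibling-call (tail-call)
   candidates and therefore exercise the KCFI check-then-branch path.
   Not code from the GCC KCFI patches.  For assembly inspection, e.g.:
     aarch64-linux-gnu-gcc -O2 -S kcfi_sibcall_demo.c
     aarch64-linux-gnu-gcc -O2 -mharden-sls=blr -S kcfi_sibcall_demo.c
   Wrappers are noinline so the indirect call survives at -O2. */
#include <stdarg.h>

typedef void (*fptr)(void);          /* no-arg shape from the thread */
typedef int (*func_ptr_t)(int);      /* arg-passing shape from the thread */
typedef int (*vfunc_ptr_t)(int, ...);/* variadic target (added here) */

static int counter;                  /* side-effect sink so void calls are observable */

static void bump(void) { counter += 1; }

static int twice(int x) { return 2 * x; }

/* Sum of the n variadic ints following the count. */
static int sum_va(int n, ...) {
    va_list ap;
    int total = 0;
    va_start(ap, n);
    for (int i = 0; i < n; i++)
        total += va_arg(ap, int);
    va_end(ap);
    return total;
}

/* No arguments, no return value: the whole body is the indirect sibcall. */
__attribute__((noinline)) void call_noarg(fptr a) {
    a();
}

/* Argument forwarded unchanged: still a sibcall candidate, the target register
   must not clobber the outgoing argument register. */
__attribute__((noinline)) int call_with_arg(func_ptr_t handler, int x) {
    return handler(x);
}

/* Variadic callee: same indirect branch, but the variadic calling convention
   differs, so it is worth inspecting separately. */
__attribute__((noinline)) int call_variadic(vfunc_ptr_t handler, int n) {
    return handler(n, 1, 2, 3);
}

/* Drives all three shapes and folds the results into one checkable value:
   two bumps (2000) + twice(21) (420) + sum_va(3, 1,2,3) (6) = 2426. */
int run_demo(void) {
    counter = 0;
    call_noarg(bump);
    call_noarg(bump);
    int r = call_with_arg(twice, 21);
    int s = call_variadic(sum_va, 3);
    return counter * 1000 + r * 10 + s;
}

int main(void) {
    return run_demo() == 2426 ? 0 : 1;
}
```

For faithful assembly, put the wrappers and the callers in separate translation units (or build with -fno-ipa-cp); the noinline attribute alone keeps the call indirect but does not stop interprocedural constant propagation from specialising a wrapper for a known target.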
