Re: [PATCH 45/48] x86/Kconfig: Enable CONFIG_PREFIX_SYMBOLS for FineIBT

[Peter Zijlstra <peterz@infradead.org>]

On Thu, Apr 23, 2026 at 08:38:02PM -0700, Josh Poimboeuf wrote:

> I discovered it's not just FineIBT, it's basically any CALL_PADDING+CFI,
> like so:

Indeed. This looks good, thanks!

> From: Josh Poimboeuf <jpoimboe@kernel.org>
> Subject: [PATCH] objtool: Grow __cfi_* symbols for all kCFI+CALL_PADDING
> 
> For all CONFIG_CFI+CONFIG_CALL_PADDING configs, the __cfi_ symbols only
> cover the 5-byte kCFI type hash.  After that there also N bytes of NOP
> padding between the hash and the function entry which aren't associated
> with any symbol.
> 
> The NOPs can be replaced with actual code at runtime.  Without a symbol,
> unwinders and tooling have no way of knowing where those bytes belong.
> 
> Grow the existing __cfi_* symbols to fill that gap.
> 
> Also, CONFIG_PREFIX_SYMBOLS has no reason to exist: CONFIG_CALL_PADDING
> is what causes the compiler to emit NOP padding before function entry
> (via -fpatchable-function-entry), so it's the right condition for
> creating prefix symbols.
> 
> Remove CONFIG_PREFIX_SYMBOLS, as it's no longer needed.  Simplify the
> LONGEST_SYM_KUNIT_TEST dependency accordingly.
> 
> Update the --cfi and --prefix usage strings to reflect their current
> scope.
> 
> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
> ---
>  arch/x86/Kconfig                    |  4 ----
>  lib/Kconfig.debug                   |  2 +-
>  scripts/Makefile.lib                |  5 ++++-
>  tools/objtool/builtin-check.c       |  9 +++++++--
>  tools/objtool/check.c               | 13 ++++++++++++-
>  tools/objtool/elf.c                 | 20 ++++++++++++++++++++
>  tools/objtool/include/objtool/elf.h |  1 +
>  7 files changed, 45 insertions(+), 9 deletions(-)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index f3f7cb01d69d..3eb3c48d764a 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2437,10 +2437,6 @@ config CALL_THUNKS
>  	def_bool n
>  	select CALL_PADDING
>  
> -config PREFIX_SYMBOLS
> -	def_bool y
> -	depends on CALL_PADDING && !CFI
> -
>  menuconfig CPU_MITIGATIONS
>  	bool "Mitigations for CPU vulnerabilities"
>  	default y
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index 77c3774c1c49..8b41720069b3 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -3059,7 +3059,7 @@ config FORTIFY_KUNIT_TEST
>  config LONGEST_SYM_KUNIT_TEST
>  	tristate "Test the longest symbol possible" if !KUNIT_ALL_TESTS
>  	depends on KUNIT && KPROBES
> -	depends on !PREFIX_SYMBOLS && !CFI && !GCOV_KERNEL
> +	depends on !CALL_PADDING && !GCOV_KERNEL
>  	default KUNIT_ALL_TESTS
>  	help
>  	  Tests the longest symbol possible
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 0718e39cedda..562d89f051f0 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -187,7 +187,10 @@ objtool-args-$(CONFIG_HAVE_JUMP_LABEL_HACK)		+= --hacks=jump_label
>  objtool-args-$(CONFIG_HAVE_NOINSTR_HACK)		+= --hacks=noinstr
>  objtool-args-$(CONFIG_MITIGATION_CALL_DEPTH_TRACKING)	+= --hacks=skylake
>  objtool-args-$(CONFIG_X86_KERNEL_IBT)			+= --ibt
> -objtool-args-$(CONFIG_FINEIBT)				+= --cfi
> +objtool-args-$(CONFIG_CALL_PADDING)			+= --prefix=$(CONFIG_FUNCTION_PADDING_BYTES)
> +ifdef CONFIG_CFI
> +objtool-args-$(CONFIG_CALL_PADDING)			+= --cfi
> +endif
>  objtool-args-$(CONFIG_FTRACE_MCOUNT_USE_OBJTOOL)	+= --mcount
>  ifdef CONFIG_FTRACE_MCOUNT_USE_OBJTOOL
>  objtool-args-$(CONFIG_HAVE_OBJTOOL_NOP_MCOUNT)		+= --mnop
> diff --git a/tools/objtool/builtin-check.c b/tools/objtool/builtin-check.c
> index ec7f10a5ef19..254ceb6b0e2c 100644
> --- a/tools/objtool/builtin-check.c
> +++ b/tools/objtool/builtin-check.c
> @@ -73,7 +73,6 @@ static int parse_hacks(const struct option *opt, const char *str, int unset)
>  
>  static const struct option check_options[] = {
>  	OPT_GROUP("Actions:"),
> -	OPT_BOOLEAN(0,		 "cfi", &opts.cfi, "annotate kernel control flow integrity (kCFI) function preambles"),
>  	OPT_STRING_OPTARG('d',	 "disas", &opts.disas, "function-pattern", "disassemble functions", "*"),
>  	OPT_CALLBACK_OPTARG('h', "hacks", NULL, NULL, "jump_label,noinstr,skylake", "patch toolchain bugs/limitations", parse_hacks),
>  	OPT_BOOLEAN('i',	 "ibt", &opts.ibt, "validate and annotate IBT"),
> @@ -84,7 +83,7 @@ static const struct option check_options[] = {
>  	OPT_BOOLEAN('r',	 "retpoline", &opts.retpoline, "validate and annotate retpoline usage"),
>  	OPT_BOOLEAN(0,		 "rethunk", &opts.rethunk, "validate and annotate rethunk usage"),
>  	OPT_BOOLEAN(0,		 "unret", &opts.unret, "validate entry unret placement"),
> -	OPT_INTEGER(0,		 "prefix", &opts.prefix, "generate prefix symbols"),
> +	OPT_INTEGER(0,		 "prefix", &opts.prefix, "generate or grow prefix symbols for N-byte function padding"),
>  	OPT_BOOLEAN('l',	 "sls", &opts.sls, "validate straight-line-speculation mitigations"),
>  	OPT_BOOLEAN('s',	 "stackval", &opts.stackval, "validate frame pointer rules"),
>  	OPT_BOOLEAN('t',	 "static-call", &opts.static_call, "annotate static calls"),
> @@ -92,6 +91,7 @@ static const struct option check_options[] = {
>  	OPT_CALLBACK_OPTARG(0,	 "dump", NULL, NULL, "orc", "dump metadata", parse_dump),
>  
>  	OPT_GROUP("Options:"),
> +	OPT_BOOLEAN(0,		 "cfi", &opts.cfi, "annotate and grow kCFI preamble symbols (use with --prefix)"),
>  	OPT_BOOLEAN(0,		 "backtrace", &opts.backtrace, "unwind on error"),
>  	OPT_BOOLEAN(0,		 "backup", &opts.backup, "create backup (.orig) file on warning/error"),
>  	OPT_BOOLEAN(0,		 "dry-run", &opts.dryrun, "don't write modifications"),
> @@ -163,6 +163,11 @@ static bool opts_valid(void)
>  		return false;
>  	}
>  
> +	if (opts.cfi && !opts.prefix) {
> +		ERROR("--cfi requires --prefix");
> +		return false;
> +	}
> +
>  	if (opts.disas			||
>  	    opts.hack_jump_label	||
>  	    opts.hack_noinstr		||
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index 410061aeed26..fb24fd284e09 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -923,6 +923,17 @@ static int create_cfi_sections(struct objtool_file *file)
>  			return -1;
>  
>  		idx++;
> +
> +		/*
> +		 * Grow the __cfi_ symbol to fill the NOP gap between the
> +		 * 'mov <hash>, %rax' and the start of the function.
> +		 */
> +		if (sym->len == 5) {
> +			sym->len += opts.prefix;
> +			sym->sym.st_size = sym->len;
> +			if (elf_write_symbol(file->elf, sym))
> +				return -1;
> +		}
>  	}
>  
>  	return 0;
> @@ -4927,7 +4938,7 @@ int check(struct objtool_file *file)
>  			goto out;
>  	}
>  
> -	if (opts.prefix) {
> +	if (opts.prefix && !opts.cfi) {
>  		ret = create_prefix_symbols(file);
>  		if (ret)
>  			goto out;
> diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
> index 2ca1151de815..ede87dd9644c 100644
> --- a/tools/objtool/elf.c
> +++ b/tools/objtool/elf.c
> @@ -983,6 +983,26 @@ struct symbol *elf_create_symbol(struct elf *elf, const char *name,
>  	return sym;
>  }
>  
> +int elf_write_symbol(struct elf *elf, struct symbol *sym)
> +{
> +	struct section *symtab, *symtab_shndx;
> +
> +	symtab = find_section_by_name(elf, ".symtab");
> +	if (!symtab) {
> +		ERROR("no .symtab");
> +		return -1;
> +	}
> +
> +	symtab_shndx = find_section_by_name(elf, ".symtab_shndx");
> +
> +	if (elf_update_symbol(elf, symtab, symtab_shndx, sym))
> +		return -1;
> +
> +	mark_sec_changed(elf, symtab, true);
> +
> +	return 0;
> +}
> +
>  struct symbol *elf_create_section_symbol(struct elf *elf, struct section *sec)
>  {
>  	struct symbol *sym = calloc(1, sizeof(*sym));
> diff --git a/tools/objtool/include/objtool/elf.h b/tools/objtool/include/objtool/elf.h
> index 0fd1a9b563e9..4c8a67a68063 100644
> --- a/tools/objtool/include/objtool/elf.h
> +++ b/tools/objtool/include/objtool/elf.h
> @@ -199,6 +199,7 @@ struct reloc *elf_init_reloc_data_sym(struct elf *elf, struct section *sec,
>  				      struct symbol *sym,
>  				      s64 addend);
>  
> +int elf_write_symbol(struct elf *elf, struct symbol *sym);
>  int elf_write_insn(struct elf *elf, struct section *sec, unsigned long offset,
>  		   unsigned int len, const char *insn);
>  
> -- 
> 2.53.0
>