From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Pavel Machek <pavel@ucw.cz>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Michal Marek <mmarek@suse.cz>,
Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andi Kleen <andi@firstfloor.org>,
x86@kernel.org, live-patching@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 00/10] x86/asm: Compile-time asm code validation
Date: Wed, 10 Jun 2015 09:20:21 -0500
Message-ID: <20150610142021.GC25848@treble.redhat.com>
In-Reply-To: <20150610134241.GA2993@amd>

On Wed, Jun 10, 2015 at 03:42:41PM +0200, Pavel Machek wrote:
> On Wed 2015-06-10 07:06:08, Josh Poimboeuf wrote:
> > The previous version of this patch set was named "Compile-time stack
> > frame pointer validation". I changed the subject from "frame pointer
> > validation" to "asm code validation" because the focus of the patch set
> > has changed to be less frame pointer-focused and more asm-focused. I
> > also renamed the tool to asmvalidate (it was previously called
> > stackvalidate) and basically rewrote most of the code.
> >
> > The goal of asm validation is to enforce sane rules on asm code: all
> > callable asm functions must be self-contained and properly annotated.
> >
> > Some of the benefits are:
> >
> > - Frame pointers are more reliable.
> >
> > - DWARF CFI metadata can be autogenerated (coming soon).
> >
> > - The asm code becomes less like spaghetti, more like C, and easier to
> > comprehend.
> >
> >
> > The asmvalidate tool runs on every compiled .S file, and enforces the
> > following rules:
> >
> > 1. Each callable function must be annotated with the ELF STT_FUNC type.
> > This is typically done using the existing ENTRY/ENDPROC macros. If
> > asmvalidate finds a return instruction outside of a function, it
> > flags an error, since that usually indicates callable code which
> > should be annotated accordingly.
> >
> > 2. Each callable function must never leave its own bounds (i.e. with a
> > jump to outside the function) except when returning.
> >
> > 3. Each callable non-leaf function must have frame pointer logic (if
> > required by CONFIG_FRAME_POINTER or the architecture's back chain
> > rules). This should be done by the FP_SAVE/FP_RESTORE macros.
> >
> >
> > It currently only supports x86_64, but the code is generic and designed
> > for it to be easy to plug in support for other architectures.
> >
> > There are still a lot of outstanding warnings (which I'll paste as a
> > reply to this email). Once those are all cleaned up, we can change the
> > warnings to build errors and change the default to
> > CONFIG_ASM_VALIDATION=y so the asm code stays clean.
>
> You have an interesting definition of "clean".

"clean":
- reliably honors CONFIG_FRAME_POINTER
- reliably creates/generates DWARF CFI metadata
- doesn't break stack walking
- code is more readable

> The reason we sometimes have to use assembly is that it is impossible
> to write corresponding code in C, or that performance would be bad.

Agreed, but I don't see how this patch set prevents those things.

> So... fixing these may have some sense, but I doubt enforcing "you
> can't write real assembly" is a good idea.

You can certainly still write real assembly. This just creates a few
constraints. I really don't think they are very limiting.
--
Josh
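
The three rules quoted from the cover letter above, modelled in C as an added example; it is not part of the original e-mail and is not asmvalidate's code. It assumes the instructions are already decoded, treats FP_SETUP/FP_TEARDOWN as hypothetical stand-ins for what FP_SAVE/FP_RESTORE would emit, and simplifies rule 3 to "a function containing a call must contain both".

```c
#include <stdio.h>
/* Toy model of the three quoted rules over pre-decoded instructions.
 * Not asmvalidate's code; every name, address and sample is constructed. */
enum kind { OTHER, CALL, JMP, RET, FP_SETUP, FP_TEARDOWN };
enum { R1_RET_OUTSIDE_FUNC = 1, R2_JUMP_LEAVES_FUNC = 2, R3_NO_FRAME_POINTER = 4 };
struct insn { unsigned long addr; enum kind kind; unsigned long target; };
struct func { const char *name; unsigned long start, end; };	/* STT_FUNC, [start, end) */

/* Index of the function containing addr, or -1 for unannotated code. */
static int func_at(const struct func *f, int nf, unsigned long addr)
{
	for (int i = 0; i < nf; i++)
		if (addr >= f[i].start && addr < f[i].end)
			return i;
	return -1;
}

/* Returns a bitmask of the rules the instruction stream violates. */
unsigned validate(const struct insn *in, int ni, const struct func *f, int nf)
{
	unsigned bad = 0;
	for (int j = 0; j < nf; j++) {
		int calls = 0, setup = 0, teardown = 0;
		for (int i = 0; i < ni; i++) {
			if (func_at(f, nf, in[i].addr) != j)
				continue;
			if (in[i].kind == JMP && func_at(f, nf, in[i].target) != j)
				bad |= R2_JUMP_LEAVES_FUNC;	/* rule 2 */
			calls |= in[i].kind == CALL;
			setup |= in[i].kind == FP_SETUP;
			teardown |= in[i].kind == FP_TEARDOWN;
		}
		if (calls && !(setup && teardown))
			bad |= R3_NO_FRAME_POINTER;	/* rule 3: non-leaf, no frame */
	}
	for (int i = 0; i < ni; i++)
		if (in[i].kind == RET && func_at(f, nf, in[i].addr) < 0)
			bad |= R1_RET_OUTSIDE_FUNC;	/* rule 1 */
	return bad;
}

static const struct func funcs[] = { { "good", 0x00, 0x20 }, { "bad", 0x20, 0x30 } };
static const struct insn clean[] = { { 0x00, FP_SETUP, 0 }, { 0x04, CALL, 0x100 },
	{ 0x09, JMP, 0x10 }, { 0x10, FP_TEARDOWN, 0 }, { 0x14, RET, 0 } };
static const struct insn dirty[] = { { 0x20, CALL, 0x100 }, { 0x25, JMP, 0x00 },
	{ 0x2a, RET, 0 }, { 0x30, RET, 0 } };	/* 0x30 lies past the end of bad() */
int main(void)
{
	return printf("clean=%u dirty=%u\n", validate(clean, 5, funcs, 2), validate(dirty, 4, funcs, 2)) < 0;
}
```

The constructed `dirty` stream trips all three rules at once: a call with no frame setup, a jump into another function, and a return in unannotated code.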