From: Kees Cook <kees@kernel.org>
To: jvoisin <julien.voisin@dustri.org>
Cc: ast@kernel.org, bp@alien8.de, dave.hansen@linux.intel.com,
hpa@zytor.com, jgross@suse.com, jpoimboe@kernel.org,
leitao@debian.org, linux-hardening@vger.kernel.org,
linux-kernel@vger.kernel.org, mingo@redhat.com,
nathan@kernel.org, peterz@infradead.org, samitolvanen@google.com,
tglx@linutronix.de, x86@kernel.org
Subject: Re: [PATCH] x86/alternatives: Make FineIBT mode Kconfig selectable
Date: Mon, 29 Jul 2024 17:41:34 -0700 [thread overview]
Message-ID: <202407291720.1E1B193A@keescook> (raw)
In-Reply-To: <c875722b-0434-41fe-b375-cc685498c444@dustri.org>
On Mon, Jul 29, 2024 at 02:35:02PM +0200, jvoisin wrote:
> > Since FineIBT performs checking at the destination, it is weaker against
> > attacks that can construct arbitrary executable memory contents. As such,
> > some system builders want to run with FineIBT disabled by default. Allow
> > the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
> > newly introduced CONFIG_CFI_AUTO_DEFAULT.
>
> I'm confused as why you think that KCFI is stronger/better than FineIBT.
Sure, can I try to explain this more.
> The latter is compatible with execute-only memory,
Yes, and since Linux doesn't have kernel execute-only memory (and likely
won't for some time), it doesn't make sense to use FineIBT over KCFI for
that reason.
> makes use of hardware support,
Hm? KCFI does too. IBT is still enabled with KCFI (when the hardware
supports it).
> doesn't need LTO,
KCFI doesn't need LTO either.
> is faster,
What? Measured how? I feel like you're thinking about the old Clang CFI,
not the modern KCFI implementation.
> … moreover, I don't see why an
> attacker able to "construct arbitrary executable memory contents"
> wouldn't be able to bypass KCFI as well,
To bypass KCFI, the attacker additionally needs a targeted memory
exposure to get the correct function hash that they must include before
the malicious function they construct. With FineIBT, no such exposure is
needed.
> since its threat model
> (https://github.com/kcfi/docs/blob/master/kCFI_whitepaper.pdf)
> explicitly says "We assume an OS that fully implements the W^X policy
> [56,58,106] preventing direct code injection in kernel space."
I mean, a whitepaper's threat model is nice and all, but this just isn't
the reality. Linux certainly tries to maintain W^X, but there are bugs
and things like BPF, which can be manipulated to gain attacker-controlled
executable code injected into the kernel address space. (e.g. BPF will
flip a writable region from RW to RX, so W^X is maintained spatially but
not temporally.)
So without execute-only memory, some deployments prefer to not weaken
the CFI implementation to allow for hash checking bypasses. Once X-O
exists, FineIBT is a slam-dunk over KCFI. :)
-Kees
--
Kees Cook
prev parent reply other threads:[~2024-07-30 0:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-01 0:02 [PATCH] x86/alternatives: Make FineIBT mode Kconfig selectable Kees Cook
2024-05-01 16:33 ` Nathan Chancellor
2024-05-01 20:13 ` Kees Cook
2024-05-01 20:18 ` Sami Tolvanen
2024-07-29 12:35 ` jvoisin
2024-07-30 0:41 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202407291720.1E1B193A@keescook \
--to=kees@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=jpoimboe@kernel.org \
--cc=julien.voisin@dustri.org \
--cc=leitao@debian.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nathan@kernel.org \
--cc=peterz@infradead.org \
--cc=samitolvanen@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox