From: Sami Tolvanen <samitolvanen@google.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
alyssa.milburn@intel.com, scott.d.constable@intel.com,
joao@overdrivepizza.com, andrew.cooper3@citrix.com,
jpoimboe@kernel.org, jose.marchesi@oracle.com,
hjl.tools@gmail.com, ndesaulniers@google.com, nathan@kernel.org,
ojeda@kernel.org, kees@kernel.org, alexei.starovoitov@gmail.com,
mhiramat@kernel.org
Subject: Re: [PATCH 00/11] x86/ibt: FineIBT-BHI
Date: Thu, 13 Feb 2025 19:12:02 +0000 [thread overview]
Message-ID: <20250213191202.GA3105334@google.com> (raw)
In-Reply-To: <20250213114547.GB30841@noisy.programming.kicks-ass.net>
On Thu, Feb 13, 2025 at 12:45:47PM +0100, Peter Zijlstra wrote:
> On Thu, Feb 13, 2025 at 11:48:02AM +0100, Peter Zijlstra wrote:
>
> > > One thing I realized is that CONFIG_CFI_PERMISSIVE doesn't actually do
> > > anything when FineIBT is used since we lose track of CFI trap
> > > locations. I'm not sure if that's worth fixing, but perhaps we could
> > > disable FineIBT when permissive mode is enabled to avoid confusion?
> >
> > Hmm, yeah, that's one thing I keep forgetting about. Let me try and fix
> > it and see how ugly it gets before offering an opinion :-)
>
> Completely untested and on top of this series minus the last two patches
> -- basically what I just pushed into:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/core
>
> WDYT?
>
> ---
>
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index e285933506e9..1fec1e445a25 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -1410,6 +1410,36 @@ static void poison_cfi(void *addr)
> }
> }
>
> +bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type)
> +{
> + /*
> + * FineIBT preamble:
> + *
> + * __cfi_foo:
> + * endbr64
> + * subl $0x12345678, %r10d
> + * jz 1f
> + * ud2
> + * 1: nop
> + * foo:
> + *
> + * regs->ip points to the UD2 instruction.
> + */
> + unsigned long addr = regs->ip - (4+7+2);
> + u32 hash;
> +
> + if (!is_endbr((void *)addr)) {
> +Efault:
> + return false;
> + }
> +
> + *target = addr + fineibt_preamble_size;
> +
> + __get_kernel_nofault(&hash, *(u32 *)(addr + fineibt_preamble_hash), u32, Efault);
You have an extra * here, should be just (u32 *).
> + *type = (u32)regs->r10 + hash;
> + return true;
> +}
> +
> #else
>
> static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
> @@ -1421,6 +1451,11 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
> static void poison_cfi(void *addr) { }
> #endif
>
> +bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type)
> +{
> + return false;
> +}
> +
> #endif
>
> void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
> diff --git a/arch/x86/kernel/cfi.c b/arch/x86/kernel/cfi.c
> index e6bf78fac146..4c682076c656 100644
> --- a/arch/x86/kernel/cfi.c
> +++ b/arch/x86/kernel/cfi.c
> @@ -61,6 +61,8 @@ static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
> return true;
> }
>
> +extern bool decode_fineibt_insn(struct pt_regs *regs, unsigned long *target, u32 *type);
> +
> /*
> * Checks if a ud2 trap is because of a CFI failure, and handles the trap
> * if needed. Returns a bug_trap_type value similarly to report_bug.
> @@ -70,11 +72,25 @@ enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
> unsigned long target;
> u32 type;
>
> - if (!is_cfi_trap(regs->ip))
> - return BUG_TRAP_TYPE_NONE;
> + switch (cfi_mode) {
> + case CFI_KCFI:
> + if (!is_cfi_trap(regs->ip))
> + return BUG_TRAP_TYPE_NONE;
> +
> + if (!decode_cfi_insn(regs, &target, &type))
> + return report_cfi_failure_noaddr(regs, regs->ip);
> +
> + break;
>
> - if (!decode_cfi_insn(regs, &target, &type))
> - return report_cfi_failure_noaddr(regs, regs->ip);
> + case CFI_FINEIBT:
> + if (!decode_fineibt_insn(regs, &target, &type))
> + return BUG_TRAP_TYPE_NONE;
> +
> + break;
> +
> + default:
> + return BUG_TRAP_TYPE_NONE;
> + }
>
> return report_cfi_failure(regs, regs->ip, &target, type);
> }
Otherwise, LGTM.
One minor issue is that since the trap is in the preamble, we don't
get caller information in the warning message:
[ 19.080184] CFI failure at __cfi_lkdtm_increment_int+0xd/0x10
(target: lkdtm_increment_int+0x0/0x20; expected type: 0x7e0c52a5)
But this is followed by a call trace, so it's not really necessary
either. With the __get_kernel_nofault argument fixed:
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Sami
next prev parent reply other threads:[~2025-02-13 19:12 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-07 12:15 [PATCH 00/11] x86/ibt: FineIBT-BHI Peter Zijlstra
2025-02-07 12:15 ` [PATCH 01/11] objtool: Move dodgy linker warn to verbose Peter Zijlstra
2025-02-07 12:15 ` [PATCH 02/11] x86/ibt: Clean up is_endbr() Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 03/11] x86,kcfi: Fix EXPORT_SYMBOL vs kCFI Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 04/11] x86/cfi: Clean up linkage Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 05/11] x86/boot: Mark start_secondary() with __noendbr Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 06/11] x86/alternative: Simplify callthunk patching Peter Zijlstra
2025-02-07 17:23 ` Josh Poimboeuf
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 07/11] x86/traps: Cleanup and robustify decode_bug() Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 08/11] x86/ibt: Clean up poison_endbr() Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 09/11] x86/early_printk: Harden early_serial Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2025-02-07 12:15 ` [PATCH 10/11] x86: BHI stubs Peter Zijlstra
2025-02-07 12:15 ` [PATCH 11/11] x86/fineibt: Add FineIBT+BHI mitigation Peter Zijlstra
2025-02-14 18:02 ` Kees Cook
2025-02-15 10:40 ` Peter Zijlstra
2025-02-10 18:29 ` [PATCH 00/11] x86/ibt: FineIBT-BHI Sami Tolvanen
2025-02-13 10:48 ` Peter Zijlstra
2025-02-13 11:45 ` Peter Zijlstra
2025-02-13 19:12 ` Sami Tolvanen [this message]
2025-02-14 9:26 ` Peter Zijlstra
2025-02-15 10:56 ` [tip: x86/core] x86/ibt: Handle FineIBT in handle_cfi_failure() tip-bot2 for Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250213191202.GA3105334@google.com \
--to=samitolvanen@google.com \
--cc=alexei.starovoitov@gmail.com \
--cc=alyssa.milburn@intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=hjl.tools@gmail.com \
--cc=joao@overdrivepizza.com \
--cc=jose.marchesi@oracle.com \
--cc=jpoimboe@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=scott.d.constable@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox