[PATCH v3 1/1] x86/fred: Remove ENDBR64 from FRED entry points

[PATCH v3 1/1] x86/fred: Remove ENDBR64 from FRED entry points

[Xin Li (Intel)]

The FRED specification has been changed in v9.0 to state that there
is no need for FRED event handlers to begin with ENDBR64, because
in the presence of supervisor indirect branch tracking, FRED event
delivery does not enter the WAIT_FOR_ENDBRANCH state.

As a result, remove ENDBR64 from FRED entry points.

Then add ANNOTATE_NOENDBR to indicate that FRED entry points will
never be used for indirect calls to suppress an objtool warning.

This change implies that any indirect CALL/JMP to FRED entry points
causes #CP in the presence of supervisor indirect branch tracking.

Credit goes to Jennifer Miller <jmill@asu.edu> and other contributors
from Arizona State University whose research shows that placing ENDBR
at entry points has negative value thus led to this change.

Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/
Reviewed-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Xin Li (Intel) <xin@zytor.com>
Cc: Jennifer Miller <jmill@asu.edu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: stable@vger.kernel.org # v6.9+
---

Change in v3:
*) Revise the FRED spec change description to clearly indicate that it
   deviates from previous versions and is based on new research showing
   that placing ENDBR at entry points has negative value (Andrew Cooper).

Change in v2:
*) CC stable and add a fixes tag (PeterZ).
---
 arch/x86/entry/entry_64_fred.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S
index 29c5c32c16c3..907bd233c6c1 100644
--- a/arch/x86/entry/entry_64_fred.S
+++ b/arch/x86/entry/entry_64_fred.S
@@ -16,7 +16,7 @@
 
 .macro FRED_ENTER
 	UNWIND_HINT_END_OF_STACK
-	ENDBR
+	ANNOTATE_NOENDBR
 	PUSH_AND_CLEAR_REGS
 	movq	%rsp, %rdi	/* %rdi -> pt_regs */
 .endm
-- 
2.50.1

Re: [PATCH v3 1/1] x86/fred: Remove ENDBR64 from FRED entry points

[Xin Li]

On 7/15/2025 11:33 PM, Xin Li (Intel) wrote:
> The FRED specification has been changed in v9.0 to state that there
> is no need for FRED event handlers to begin with ENDBR64, because
> in the presence of supervisor indirect branch tracking, FRED event
> delivery does not enter the WAIT_FOR_ENDBRANCH state.
> 
> As a result, remove ENDBR64 from FRED entry points.
> 
> Then add ANNOTATE_NOENDBR to indicate that FRED entry points will
> never be used for indirect calls to suppress an objtool warning.
> 
> This change implies that any indirect CALL/JMP to FRED entry points
> causes #CP in the presence of supervisor indirect branch tracking.
> 
> Credit goes to Jennifer Miller <jmill@asu.edu> and other contributors
> from Arizona State University whose research shows that placing ENDBR
> at entry points has negative value thus led to this change.
> 
> Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
> Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/
> Reviewed-by: H. Peter Anvin (Intel) <hpa@zytor.com>
> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Xin Li (Intel) <xin@zytor.com>
> Cc: Jennifer Miller <jmill@asu.edu>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> Cc: H. Peter Anvin <hpa@zytor.com>
> Cc: stable@vger.kernel.org # v6.9+
> ---
> 
> Change in v3:
> *) Revise the FRED spec change description to clearly indicate that it
>     deviates from previous versions and is based on new research showing
>     that placing ENDBR at entry points has negative value (Andrew Cooper).
> 
> Change in v2:
> *) CC stable and add a fixes tag (PeterZ).
> ---
>   arch/x86/entry/entry_64_fred.S | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S
> index 29c5c32c16c3..907bd233c6c1 100644
> --- a/arch/x86/entry/entry_64_fred.S
> +++ b/arch/x86/entry/entry_64_fred.S
> @@ -16,7 +16,7 @@
>   
>   .macro FRED_ENTER
>   	UNWIND_HINT_END_OF_STACK
> -	ENDBR
> +	ANNOTATE_NOENDBR
>   	PUSH_AND_CLEAR_REGS
>   	movq	%rsp, %rdi	/* %rdi -> pt_regs */
>   .endm


Ping :)

Re: [PATCH v3 1/1] x86/fred: Remove ENDBR64 from FRED entry points

[Dave Hansen]

On 7/15/25 23:33, Xin Li (Intel) wrote:
> The FRED specification has been changed in v9.0 to state that there
> is no need for FRED event handlers to begin with ENDBR64, because
> in the presence of supervisor indirect branch tracking, FRED event
> delivery does not enter the WAIT_FOR_ENDBRANCH state.
> 
> As a result, remove ENDBR64 from FRED entry points.

So, the spec is being updated or has been updated to reflect the new
architecture, right?

Remind me, are there no FRED systems out in the wild today, so we don't
have to worry about breaking anything?

Re: [PATCH v3 1/1] x86/fred: Remove ENDBR64 from FRED entry points

[H. Peter Anvin]

On 2025-08-13 14:07, Dave Hansen wrote:
> On 7/15/25 23:33, Xin Li (Intel) wrote:
>> The FRED specification has been changed in v9.0 to state that there
>> is no need for FRED event handlers to begin with ENDBR64, because
>> in the presence of supervisor indirect branch tracking, FRED event
>> delivery does not enter the WAIT_FOR_ENDBRANCH state.
>>
>> As a result, remove ENDBR64 from FRED entry points.
> 
> So, the spec is being updated or has been updated to reflect the new
> architecture, right?
> 
> Remind me, are there no FRED systems out in the wild today, so we don't
> have to worry about breaking anything?

Correct. The FRED v9 spec contains this change.

All production hardware and late pre-production hardware will have this.

	-hpa