From patchwork Thu Jun 22 14:42:21 2023
X-Patchwork-Submitter: Peter Zijlstra
X-Patchwork-Id: 111711
Message-ID: <20230622144321.494426891@infradead.org>
Date: Thu, 22 Jun 2023 16:42:21 +0200
From: Peter Zijlstra
To: x86@kernel.org, alyssa.milburn@linux.intel.com
Cc: linux-kernel@vger.kernel.org, peterz@infradead.org, samitolvanen@google.com, keescook@chromium.org, jpoimboe@kernel.org, joao@overdrivepizza.com, brgerst@gmail.com
Subject: [PATCH v2 3/6] x86/cfi: Extend ENDBR sealing to kCFI
References: <20230622144218.860926475@infradead.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Kees noted that IBT sealing could be extended to kCFI.

Fundamentally it is the list of functions that do not have their address taken and are thus never called indirectly. It doesn't matter that objtool uses IBT infrastructure to determine this list; once we have it, it can also be used to clobber kCFI hashes and seal kCFI indirect calls.

Suggested-by: Kees Cook
Signed-off-by: Peter Zijlstra (Intel) --- arch/x86/kernel/alternative.c | 44 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -778,6 +778,8 @@ void __init_or_module noinline apply_ret #ifdef CONFIG_X86_KERNEL_IBT +static void poison_cfi(void *addr); + static void __init_or_module poison_endbr(void *addr, bool warn) { u32 endbr, poison = gen_endbr_poison(); @@ -802,6 +804,9 @@ static void __init_or_module poison_endb /* * Generated by: objtool --ibt + * + * Seal the functions for indirect calls by clobbering the ENDBR instructions + * and the kCFI hash value. */ void __init_or_module noinline apply_seal_endbr(s32 *start, s32 *end) { @@ -812,7 +817,7 @@ void __init_or_module noinline apply_sea poison_endbr(addr, true); if (IS_ENABLED(CONFIG_FINEIBT)) - poison_endbr(addr - 16, false); + poison_cfi(addr - 16); } } @@ -1177,6 +1182,41 @@ static void __apply_fineibt(s32 *start_r pr_err("Something went horribly wrong trying to rewrite the CFI implementation.\n"); } +static inline void poison_hash(void *addr) +{ + *(u32 *)addr = 0; +} + +static void poison_cfi(void *addr) +{ + switch (cfi_mode) { + case CFI_FINEIBT: + /* + * __cfi_\func: + * osp nopl (%rax) + * subl $0, %r10d + * jz 1f + * ud2 + * 1: nop + */ + poison_endbr(addr, false); + poison_hash(addr + fineibt_preamble_hash); + break; + + case CFI_KCFI: + /* + * __cfi_\func: + * movl $0, %eax + * .skip 11, 0x90 + */ + poison_hash(addr + 1); + break; + + default: + break; + } +} + #else static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline, @@ -1184,6 +1224,8 @@ static void __apply_fineibt(s32 *start_r { } +static void poison_cfi(void *addr) { } + #endif void apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
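Review bot: the new comment in apply_seal_endbr() says "Seal the functions for indirect calls", which reads as the opposite of what the loop does; "Seal the functions against indirect calls by clobbering the ENDBR instruction and the kCFI hash" would state the intent, and it would be worth saying in the same comment that addr - 16 is the __cfi_ preamble, since that constant is otherwise unexplained at the call site.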
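Review bot: the call site still reads `if (IS_ENABLED(CONFIG_FINEIBT)) poison_cfi(addr - 16);` and the `#else` branch adds an empty `static void poison_cfi(void *addr) { }`, so a kernel built with IBT and kCFI but without CONFIG_FINEIBT gets its ENDBRs sealed and its kCFI hashes left intact, which is exactly the configuration the subject line says this patch now covers. If that is intentional because the switch needs cfi_mode and the patch places poison_cfi() in the same #ifdef block as __apply_fineibt(), the commit message should say so; otherwise the CFI_KCFI branch needs to be reachable without CONFIG_FINEIBT and the guard should test the kCFI configuration rather than FineIBT.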
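Review bot: poison_hash() zeroes the immediate with a plain `*(u32 *)addr = 0` and no check of what is at addr. In the CFI_KCFI case nothing verifies that addr holds a `movl $hash, %eax` before addr + 1 is overwritten, and in the CFI_FINEIBT case poison_endbr(addr, false) is deliberately called with warn=false because there may be no ENDBR at addr, yet poison_hash(addr + fineibt_preamble_hash) runs regardless of that outcome since poison_endbr() returns void. Suggest either having poison_endbr() return whether it poisoned and skipping the hash store otherwise, or reading the opcode byte first (0xb8 for `movl $imm32, %eax`) and warning on a mismatch, so a wrong offset corrupts nothing silently. Two smaller points in the same hunk: poison_cfi() is only reachable from the __init_or_module apply_seal_endbr() and is called via poison_endbr(), which is itself __init_or_module, so it should carry the same annotation; and `default: break;` silently skips sealing for any other cfi_mode value, so correctness depends on cfi_mode being settled before apply_seal_endbr() runs, which deserves a comment (or a WARN_ON_ONCE for unexpected values).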
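To make the offsets in the patch (addr - 16, addr + 1, addr + fineibt_preamble_hash) concrete, here is a user-space model of the two 16-byte __cfi_ preambles and of the sealing that poison_cfi() performs on them. This is an added example, not code from the patch or from the kernel: the instruction encodings (endbr64 = f3 0f 1e fa, the osp nopl (%rax) poison = 66 0f 1f 00, movl $imm32,%eax = b8 imm32, subl $imm32,%r10d = 41 81 ea imm32) and the resulting hash offsets (1 for kCFI, 7 for FineIBT) are my own derivation from the preamble layouts shown in the patch's comments, and the "indirect call allowed" check is a software stand-in for what the caller-side hash compare does, not the real caller sequence.

```c
/*
 * Added example (not part of the patch or of arch/x86/kernel/alternative.c):
 * model the __cfi_ preambles that poison_cfi() rewrites and show what sealing
 * does to a function that is never called indirectly.  All byte encodings and
 * offsets below are assumptions derived from the x86 encodings.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PREAMBLE_SIZE         16
#define FINEIBT_PREAMBLE_HASH 7   /* assumed: offset of imm32 in "subl $hash, %r10d" */

enum cfi_mode { CFI_OFF, CFI_KCFI, CFI_FINEIBT };

static const uint8_t ENDBR64[4]      = { 0xf3, 0x0f, 0x1e, 0xfa };
static const uint8_t ENDBR_POISON[4] = { 0x66, 0x0f, 0x1f, 0x00 }; /* osp nopl (%rax) */

/* kCFI preamble: movl $hash, %eax ; 11 x nop */
static void build_kcfi_preamble(uint8_t *p, uint32_t hash)
{
	memset(p, 0x90, PREAMBLE_SIZE);
	p[0] = 0xb8;                          /* movl $imm32, %eax */
	memcpy(p + 1, &hash, sizeof(hash));   /* host byte order; little-endian on x86 */
}

/* FineIBT preamble: endbr64 ; subl $hash, %r10d ; jz 1f ; ud2 ; 1: nop */
static void build_fineibt_preamble(uint8_t *p, uint32_t hash)
{
	memcpy(p, ENDBR64, 4);
	p[4] = 0x41; p[5] = 0x81; p[6] = 0xea;               /* subl $imm32, %r10d */
	memcpy(p + FINEIBT_PREAMBLE_HASH, &hash, sizeof(hash));
	p[11] = 0x74; p[12] = 0x02;                          /* jz +2 (skip the ud2) */
	p[13] = 0x0f; p[14] = 0x0b;                          /* ud2 */
	p[15] = 0x90;                                        /* nop */
}

/* Function image: 16-byte preamble followed by the function's own ENDBR. */
static void build_function(enum cfi_mode mode, uint8_t *img, uint32_t hash)
{
	if (mode == CFI_FINEIBT)
		build_fineibt_preamble(img, hash);
	else
		build_kcfi_preamble(img, hash);
	memcpy(img + PREAMBLE_SIZE, ENDBR64, 4);
}

/* Only rewrite a real ENDBR; returns 1 if poisoned, 0 if left untouched. */
static int poison_endbr(uint8_t *addr)
{
	if (memcmp(addr, ENDBR64, 4) != 0)
		return 0;
	memcpy(addr, ENDBR_POISON, 4);
	return 1;
}

static void poison_hash(uint8_t *addr)
{
	uint32_t zero = 0;
	memcpy(addr, &zero, sizeof(zero));
}

/* Same structure as the patch's poison_cfi(); addr is the preamble start (func - 16). */
static void poison_cfi(enum cfi_mode mode, uint8_t *addr)
{
	switch (mode) {
	case CFI_FINEIBT:
		poison_endbr(addr);
		poison_hash(addr + FINEIBT_PREAMBLE_HASH);
		break;
	case CFI_KCFI:
		poison_hash(addr + 1);
		break;
	default:
		break;
	}
}

/* One iteration of apply_seal_endbr(): addr is the function's ENDBR. */
static void seal_function(enum cfi_mode mode, uint8_t *addr)
{
	poison_endbr(addr);
	poison_cfi(mode, addr - PREAMBLE_SIZE);
}

/* The hash a caller-side check would read out of the preamble. */
static uint32_t preamble_hash(enum cfi_mode mode, const uint8_t *p)
{
	uint32_t h;
	memcpy(&h, p + (mode == CFI_FINEIBT ? FINEIBT_PREAMBLE_HASH : 1), sizeof(h));
	return h;
}

/* Software stand-in for the caller check: 1 = call proceeds, 0 = would hit ud2. */
static int indirect_call_allowed(enum cfi_mode mode, const uint8_t *p, uint32_t expected)
{
	return preamble_hash(mode, p) == expected;
}

int main(void)
{
	uint8_t img[PREAMBLE_SIZE + 4];
	enum cfi_mode modes[] = { CFI_KCFI, CFI_FINEIBT };

	for (size_t i = 0; i < 2; i++) {
		build_function(modes[i], img, 0x12345678u);
		int before = indirect_call_allowed(modes[i], img, 0x12345678u);
		seal_function(modes[i], img + PREAMBLE_SIZE);
		int after = indirect_call_allowed(modes[i], img, 0x12345678u);
		printf("mode %d: call allowed before seal=%d, after seal=%d, hash now=%#x\n",
		       modes[i], before, after, preamble_hash(modes[i], img));
	}
	return 0;
}
```

After sealing, the preamble carries hash 0 for either mode, so a caller compiled against the function's real type hash no longer matches it, and the function's ENDBR has become a non-ENDBR NOP, so a forged indirect branch to it is caught by IBT as well. In FineIBT mode the preamble's own ENDBR is poisoned too, because there the preamble is the indirect-call target.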