Re: [PATCH v5 14/18] arm64: add __nocfi to functions that jump to a physical address
From: Sami Tolvanen <samitolvanen@google.com>
Date: 2021-04-06 17:44:07
Also in:
bpf, linux-arch, linux-hardening, linux-kbuild, linux-pci, lkml
On Tue, Apr 6, 2021 at 4:54 AM Mark Rutland [off-list ref] wrote:
[adding Ard for EFI runtime services bits] On Thu, Apr 01, 2021 at 04:32:12PM -0700, Sami Tolvanen wrote:quoted
Disable CFI checking for functions that switch to linear mapping and make an indirect call to a physical address, since the compiler only understands virtual addresses and the CFI check for such indirect calls would always fail.What does physical vs virtual have to do with this? Does the address actually matter, or is this just a general thing that when calling an assembly function we won't have a trampoline that the caller expects?
No, this is about the actual address. The compiler-generated runtime checks only know about EL1 virtual addresses, so if we switch to a different address space, all indirect calls will trip CFI.
I wonder if we need to do something with asmlinkage here, perhaps? I didn't spot anything in the seriues handling EFI runtime services calls, and I strongly suspect we need to do something for those, unless they're handled implicitly by something else.quoted
Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Reviewed-by: Kees Cook <redacted> --- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/kernel/cpu-reset.h | 8 ++++---- arch/arm64/kernel/cpufeature.c | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) https://www.cnbc.com/2021/04/06/donald-trump-save-america-pac-has-85-million-on-hand-ahead-of-midterms.htmldiff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h index 386b96400a57..d3cef9133539 100644 --- a/arch/arm64/include/asm/mmu_context.h +++ b/arch/arm64/include/asm/mmu_context.h@@ -119,7 +119,7 @@ static inline void cpu_install_idmap(void) * Atomically replaces the active TTBR1_EL1 PGD with a new VA-compatible PGD, * avoiding the possibility of conflicting TLB entries being allocated. */ -static inline void cpu_replace_ttbr1(pgd_t *pgdp) +static inline void __nocfi cpu_replace_ttbr1(pgd_t *pgdp)Given these are inlines, what's the effect when these are inlined into a function that would normally use CFI? Does CFI get supressed for the whole function, or just the bit that got inlined?
Just for the bit that gets inlined.
Is there an attribute that we could place on a function pointer to tell the compiler to not check calls via that pointer? If that existed we'd be able to scope this much more tightly.
There isn't, but I do agree that this would be a useful feature. Sami _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel