Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C

[PATCH v5 00/15] x86: Add support for Clang CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
[PATCH v5 01/15] objtool: Add CONFIG_CFI_CLANG support · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 01/15] objtool: Add CONFIG_CFI_CLANG support · Kees Cook <hidden> · 2021-10-13
Re: [PATCH v5 01/15] objtool: Add CONFIG_CFI_CLANG support · Josh Poimboeuf <hidden> · 2021-10-14
Re: [PATCH v5 01/15] objtool: Add CONFIG_CFI_CLANG support · Peter Zijlstra <peterz@infradead.org> · 2021-10-14
Re: [PATCH v5 01/15] objtool: Add CONFIG_CFI_CLANG support · Sami Tolvanen <samitolvanen@google.com> · 2021-10-14
[PATCH v5 02/15] objtool: Add ASM_STACK_FRAME_NON_STANDARD · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 02/15] objtool: Add ASM_STACK_FRAME_NON_STANDARD · Kees Cook <hidden> · 2021-10-13
[PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Kees Cook <hidden> · 2021-10-13
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · "Andy Lutomirski" <luto@kernel.org> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Thomas Gleixner <hidden> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · "Andy Lutomirski" <luto@kernel.org> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · "Andy Lutomirski" <luto@kernel.org> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Thomas Gleixner <hidden> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · "Andy Lutomirski" <luto@kernel.org> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Josh Poimboeuf <hidden> · 2021-10-16
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-18
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Thomas Gleixner <hidden> · 2021-10-15
Re: [PATCH v5 03/15] linkage: Add DECLARE_NOT_CALLED_FROM_C · Josh Poimboeuf <hidden> · 2021-10-16
[PATCH v5 04/15] cfi: Add DEFINE_CFI_IMMEDIATE_RETURN_STUB · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 04/15] cfi: Add DEFINE_CFI_IMMEDIATE_RETURN_STUB · Kees Cook <hidden> · 2021-10-13
[PATCH v5 05/15] tracepoint: Exclude tp_stub_func from CFI checking · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 05/15] tracepoint: Exclude tp_stub_func from CFI checking · Kees Cook <hidden> · 2021-10-13
Re: [PATCH v5 05/15] tracepoint: Exclude tp_stub_func from CFI checking · Steven Rostedt <rostedt@goodmis.org> · 2021-10-13
[PATCH v5 06/15] ftrace: Use an opaque type for functions not callable from C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 06/15] ftrace: Use an opaque type for functions not callable from C · Kees Cook <hidden> · 2021-10-13
Re: [PATCH v5 06/15] ftrace: Use an opaque type for functions not callable from C · Steven Rostedt <rostedt@goodmis.org> · 2021-10-13
[PATCH v5 07/15] lkdtm: Disable UNSET_SMEP with CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
[PATCH v5 08/15] lkdtm: Use an opaque type for lkdtm_rodata_do_nothing · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
[PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Borislav Petkov <bp@alien8.de> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Kees Cook <hidden> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Borislav Petkov <bp@alien8.de> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Sami Tolvanen <samitolvanen@google.com> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Nick Desaulniers <hidden> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Kees Cook <hidden> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Steven Rostedt <rostedt@goodmis.org> · 2021-10-14
Re: [PATCH v5 09/15] x86: Use an opaque type for functions not callable from C · Josh Poimboeuf <hidden> · 2021-10-14
[PATCH v5 10/15] x86/purgatory: Disable CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 10/15] x86/purgatory: Disable CFI · Kees Cook <hidden> · 2021-10-13
[PATCH v5 11/15] x86, relocs: Ignore __typeid__ relocations · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
[PATCH v5 12/15] x86, module: Ignore __typeid__ relocations · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 12/15] x86, module: Ignore __typeid__ relocations · Kees Cook <hidden> · 2021-10-13
[PATCH v5 13/15] x86, cpu: Use LTO for cpu.c with CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
[PATCH v5 14/15] x86, kprobes: Fix optprobe_template_func type mismatch · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
[PATCH v5 15/15] x86, build: Allow CONFIG_CFI_CLANG to be selected · Sami Tolvanen <samitolvanen@google.com> · 2021-10-13
Re: [PATCH v5 15/15] x86, build: Allow CONFIG_CFI_CLANG to be selected · Kees Cook <hidden> · 2021-10-13
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Kees Cook <hidden> · 2021-10-13
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Alexander Lobakin <hidden> · 2021-10-19
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-19
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Alexander Lobakin <hidden> · 2021-10-21
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-26
RE: [PATCH v5 00/15] x86: Add support for Clang CFI · David Laight <hidden> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Mark Rutland <mark.rutland@arm.com> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Ard Biesheuvel <ardb@kernel.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Ard Biesheuvel <ardb@kernel.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Ard Biesheuvel <ardb@kernel.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Ard Biesheuvel <ardb@kernel.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-29
[PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-10-30
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-10-30
Re: [PATCH] static_call,x86: Robustify trampoline patching · Kees Cook <hidden> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Rasmus Villemoes <linux@rasmusvillemoes.dk> · 2021-11-15
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-10-30
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-10-30
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-10-30
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-10-31
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-01
RE: [PATCH] static_call,x86: Robustify trampoline patching · David Laight <hidden> · 2021-11-01
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-11-01
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Ard Biesheuvel <ardb@kernel.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Kees Cook <hidden> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · "Andy Lutomirski" <luto@kernel.org> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Kees Cook <hidden> · 2021-11-02
Re: [PATCH] static_call,x86: Robustify trampoline patching · Andy Lutomirski <luto@kernel.org> · 2021-11-03
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-03
RE: [PATCH] static_call,x86: Robustify trampoline patching · David Laight <hidden> · 2021-11-03
Re: [PATCH] static_call,x86: Robustify trampoline patching · Andy Lutomirski <luto@kernel.org> · 2021-11-03
Re: [PATCH] static_call,x86: Robustify trampoline patching · Peter Zijlstra <peterz@infradead.org> · 2021-11-02
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Sami Tolvanen <samitolvanen@google.com> · 2021-10-30
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Kees Cook <hidden> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Kees Cook <hidden> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-28
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Kees Cook <hidden> · 2021-10-28
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-28
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Kees Cook <hidden> · 2021-11-02
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Andy Lutomirski <luto@kernel.org> · 2021-11-01
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Peter Zijlstra <peterz@infradead.org> · 2021-10-27
RE: [PATCH v5 00/15] x86: Add support for Clang CFI · David Laight <hidden> · 2021-10-27
Re: [PATCH v5 00/15] x86: Add support for Clang CFI · Mark Rutland <mark.rutland@arm.com> · 2021-10-27
RE: [PATCH v5 00/15] x86: Add support for Clang CFI · David Laight <hidden> · 2021-10-27

From: Thomas Gleixner <hidden>
Date: 2021-10-15 22:18:09
Also in: linux-hardening, lkml

On Fri, Oct 15 2021 at 11:42, Sami Tolvanen wrote:

On Fri, Oct 15, 2021 at 10:57 AM Thomas Gleixner [off-list ref] wrote:

quoted

Not beautiful, but it gives the information which is needed and it tells
me clearly what this is about. While the above lumps everything together
whatever it is.

Sure, that makes sense. Ignoring the macro for a moment, how do you
feel about using incomplete structs for the non-C functions as Andy
suggested?

I think I agreed with that back then when he suggested it the first
time. That still allows me to do a classification:

struct asm_exception
struct asm_xen_hv_call
....

quoted

Having __bikeshedme would allow to do:

   __hardware_call
   __xenhv_call
   __inline_asm_call

or such, which clearly tells how the function should be used and it can
even be validated by tooling.

Previously you suggested adding a built-in function to the compiler:

https://lore.kernel.org/lkml/877dl0sc2m.ffs@nanos.tec.linutronix.de/ (local)

I actually did implement this in Clang, but the feature wasn't
necessary with opaque types, so I never moved forward with those
patches. A built-in also won't make the code any cleaner, which was a
concern last time.

I do agree that a function attribute would look cleaner, but it won't
stop anyone from mistakenly calling these functions from C code, which
was something Andy wanted to address at the same time. Do you still
prefer a function attribute over using an opaque type nevertheless?

For actually callable functions, by some definition of callable,
e.g. the clear_page_*() variants a proper attribute would be definitely
preferred.

That attribute should tell the compiler that the function is using the
register arguments correctly but is not suitable for direct invocation
because it clobbers registers.

So the compiler can just refuse to call such a function if used directly
without an inline asm wrapper which describes the clobbers, right?

But thinking more about clobbers. The only "annotation" of clobbers we
have today are the clobbers in the inline asm, which is fragile too.

Something like

 __attribute__ ((clobbers ("rcx", "rax")))

might be useful by itself because it allows validation of the clobbers
in the inline asm wrappers and also allows a analysis tool to look at
the ASM code and check whether the above list is correct.

Hmm?

Thanks,

        tglx

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help