Message-Id: <20220420004241.2093-9-joao@overdrivepizza.com>
Date: Tue, 19 Apr 2022 17:42:38 -0700
From: joao@...rdrivepizza.com
To: linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Cc: joao@...rdrivepizza.com, peterz@...radead.org, jpoimboe@...hat.com,
andrew.cooper3@...rix.com, keescook@...omium.org,
samitolvanen@...gle.com, mark.rutland@....com, hjl.tools@...il.com,
alyssa.milburn@...ux.intel.com, ndesaulniers@...gle.com,
gabriel.gomes@...ux.intel.com, rick.p.edgecombe@...el.com
Subject: [RFC PATCH 08/11] x86/ibt: Add CET_TEST module for IBT testing
From: Joao Moreira <joao@...rdrivepizza.com>
Add a kernel module that violates IBT policy on load, triggering a
control protection fault and making the enforcement visible.
Signed-off-by: Joao Moreira <joao@...rdrivepizza.com>
Tinkered-from-work-by: Alyssa Milburn <alyssa.milburn@...ux.intel.com>
---
arch/x86/Kconfig.debug | 5 +++++
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/cet_test.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 arch/x86/kernel/cet_test.c
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index d3a6f74a94bd..d2463dd912c1 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -279,3 +279,8 @@ endchoice
config FRAME_POINTER
depends on !UNWINDER_ORC && !UNWINDER_GUESS
bool
+
+config X86_CET_TEST
+ depends on m
+ depends on X86_KERNEL_IBT
+ tristate "in-kernel CET testing module"
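Review bot: The new X86_CET_TEST entry has no help text, and the commit message says loading the module triggers a control protection fault, so the prompt "in-kernel CET testing module" alone does not tell whoever enables it what to expect. Add a help section stating that the module deliberately violates IBT policy on load and is meant for testing only. The tristate line also conventionally comes before the two "depends on" lines.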
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index cb947569e9d8..a82bcd14bd40 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -149,6 +149,7 @@ obj-$(CONFIG_UNWINDER_GUESS) += unwind_guess.o
obj-$(CONFIG_AMD_MEM_ENCRYPT) += sev.o
obj-$(CONFIG_X86_KERNEL_FINEIBT) += fineibt.o
+obj-$(CONFIG_X86_CET_TEST) += cet_test.o
###
# 64 bit specific files
diff --git a/arch/x86/kernel/cet_test.c b/arch/x86/kernel/cet_test.c
new file mode 100644
index 000000000000..c48be8cbd0b5
--- /dev/null
+++ b/arch/x86/kernel/cet_test.c
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <linux/module.h>
+
+static int cet_test_init(void)
+{
+ pr_info("CET test, expect faults\n");
+
+ // FIXME: use register_die_notifier
+
+ asm volatile(
+ "lea 1f(%%rip), %%rax\n"
+ "jmp *%%rax\n"
+ "nop\n"
+ "1:\n"
+ /* no endbranch */
+ "nop\n"
+ :::"rax"
+ );
+ return 0;
+}
+
+static void cet_test_exit(void)
+{
+}
+
+module_init(cet_test_init);
+module_exit(cet_test_exit);
+
+MODULE_LICENSE("GPL v2");
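Review bot: In cet_test_init(), the path where the "jmp *%%rax" to the label without an endbranch does not fault falls straight through to "return 0" with no message, so on a kernel that is not enforcing IBT the module loads cleanly and nothing in the log says the check failed. Add a pr_err() after the asm block reporting that no fault was raised, and return an error code from that path. The open "FIXME: use register_die_notifier" should be resolved or explained in the commit message, and cet_test_init() and the empty cet_test_exit() can be marked __init and __exit.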
--
2.35.1