Message-ID: <20250821092935.GN4067720@noisy.programming.kicks-ass.net>
Date: Thu, 21 Aug 2025 11:29:35 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Kees Cook <kees@...nel.org>
Cc: Qing Zhao <qing.zhao@...cle.com>, gcc-patches@....gnu.org,
	Joseph Myers <josmyers@...hat.com>,
	Richard Biener <rguenther@...e.de>, Jan Hubicka <hubicka@....cz>,
	Richard Earnshaw <richard.earnshaw@....com>,
	Richard Sandiford <richard.sandiford@....com>,
	Marcus Shawcroft <marcus.shawcroft@....com>,
	Kyrylo Tkachov <kyrylo.tkachov@....com>,
	Kito Cheng <kito.cheng@...il.com>,
	Palmer Dabbelt <palmer@...belt.com>,
	Andrew Waterman <andrew@...ive.com>,
	Jim Wilson <jim.wilson.gcc@...il.com>,
	Dan Li <ashimida.1990@...il.com>, linux-hardening@...r.kernel.org
Subject: Re: [RFC PATCH 4/7] x86: Add x86_64 Kernel Control Flow Integrity implementation

On Thu, Aug 21, 2025 at 12:26:37AM -0700, Kees Cook wrote:
> Implement x86_64-specific KCFI backend:
> 
> - Function preamble generation with type IDs positioned at -(4+prefix_nops)
>   offset from function entry point.
> 
> - 16-byte alignment of KCFI preambles using calculated prefix NOPs:
>   aligned(prefix_nops + 5, 16) to maintain cache lines.
> 
> - Type-id hash avoids generating ENDBR instruction in type IDs
>   (0xfa1e0ff3/0xfb1e0ff3 are incremented by 1 to prevent execution).
> 
> - On-demand scratch register allocation strategy (r11 as needed).
>   The clobbers are available both early and late.
> 
> - Atomic bundled KCFI check + call/branch sequences using UNSPECV_KCFI
>   to prevent optimizer separation and maintain security properties.
> 
> - Uses the .kcfi_traps section for debugger/runtime metadata.
> 
> Assembly Code Pattern layout required by Linux kernel:
>   movl $inverse_type_id, %r10d  ; Load expected type (0 - hash)
>   addl offset(%target), %r10d   ; Add stored type ID from preamble
>   je .Lpass                     ; Branch if types match (sum == 0)
>   .Ltrap: ud2                   ; Undefined instruction trap on mismatch
>   .Lpass: call/jmp *%target     ; Execute validated indirect transfer
> 
> The initialization of the kcfi callbacks in ix86_option_override()
> seems like a hack. I couldn't find a better place to do this.
> 
> Build and run tested on x86_64 Linux kernel with various CPU errata
> handling alternatives and FineIBT.

I'm a little confused: does this force r11 to be the indirect call
register like clang does? The code seems to suggest it is possible it
uses another register.

The current kernel FineIBT code hard assumes r11 for now.
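A constructed model of the preamble layout and check sequence quoted above, added here as an illustration and not code from the GCC patch or the kernel. It assumes a `movl $type_id, %eax` (5-byte) preamble followed by one-byte NOPs, prefix_nops = 11 so that 5 + 11 is 16-byte aligned, and a little-endian host; the function and variable names are mine.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define ENDBR64_IMM 0xfa1e0ff3u  /* bytes f3 0f 1e fa read as a little-endian imm32 */
#define ENDBR32_IMM 0xfb1e0ff3u  /* bytes f3 0f 1e fb */

/* Avoid a type-ID immediate that decodes as ENDBR (the +1 rule from the patch). */
uint32_t kcfi_fixup_type_id(uint32_t hash)
{
    if (hash == ENDBR64_IMM || hash == ENDBR32_IMM)
        return hash + 1;
    return hash;
}

/* Emit: movl $type_id, %eax (b8 imm32), then prefix_nops one-byte NOPs, then
 * the function entry. Returns the entry offset, so the imm32 sits at
 * entry - (4 + prefix_nops). Assumed layout, constructed for this example. */
size_t kcfi_emit_preamble(uint8_t *buf, uint32_t type_id, unsigned prefix_nops)
{
    buf[0] = 0xb8;                        /* movl imm32, %eax */
    memcpy(buf + 1, &type_id, 4);         /* little-endian host assumed */
    memset(buf + 5, 0x90, prefix_nops);   /* nop padding before the entry */
    return 5 + prefix_nops;
}

/* Emulate the caller-side sequence:
 *   movl $(0 - expected), %r10d
 *   addl -(4+prefix_nops)(%target), %r10d
 *   je .Lpass ; .Ltrap: ud2
 * Returns true when the indirect transfer would reach .Lpass. */
bool kcfi_check(const uint8_t *target, unsigned prefix_nops, uint32_t expected)
{
    uint32_t r10 = 0u - expected;                      /* inverse type id */
    uint32_t stored;
    memcpy(&stored, target - (4 + prefix_nops), 4);    /* imm32 from preamble */
    r10 += stored;                                     /* wraps like addl */
    return r10 == 0;                                   /* ZF set -> je .Lpass */
}

int main(void)
{
    uint8_t img[32];                                   /* constructed function image */
    uint32_t id = kcfi_fixup_type_id(0x12345678u);
    size_t entry = kcfi_emit_preamble(img, id, 11);    /* 5 + 11 = 16-byte preamble */
    printf("match: %d, mismatch: %d\n",
           kcfi_check(img + entry, 11, id), kcfi_check(img + entry, 11, id + 1));
    return 0;
}
```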
