| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202510221238.F35859A@keescook> Date: Wed, 22 Oct 2025 12:39:08 -0700 From: Kees Cook <kees@...nel.org> To: Andrew Pinski <andrew.pinski@....qualcomm.com> Cc: Qing Zhao <qing.zhao@...cle.com>, Andrew Pinski <pinskia@...il.com>, Jakub Jelinek <jakub@...hat.com>, Martin Uecker <uecker@...raz.at>, Richard Biener <rguenther@...e.de>, Joseph Myers <josmyers@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Ard Biesheuvel <ardb@...nel.org>, Jeff Law <jeffreyalaw@...il.com>, Jan Hubicka <hubicka@....cz>, Richard Earnshaw <richard.earnshaw@....com>, Richard Sandiford <richard.sandiford@....com>, Marcus Shawcroft <marcus.shawcroft@....com>, Kyrylo Tkachov <kyrylo.tkachov@....com>, Kito Cheng <kito.cheng@...il.com>, Palmer Dabbelt <palmer@...belt.com>, Andrew Waterman <andrew@...ive.com>, Jim Wilson <jim.wilson.gcc@...il.com>, Dan Li <ashimida.1990@...il.com>, Sami Tolvanen <samitolvanen@...gle.com>, Ramon de C Valle <rcvalle@...gle.com>, Joao Moreira <joao@...rdrivepizza.com>, Nathan Chancellor <nathan@...nel.org>, Bill Wendling <morbo@...gle.com>, "Osterlund, Sebastian" <sebastian.osterlund@...el.com>, "Constable, Scott D" <scott.d.constable@...el.com>, gcc-patches@....gnu.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH v5 5/7] aarch64: Add AArch64 Kernel Control Flow Integrity implementation On Wed, Oct 22, 2025 at 12:27:53PM -0700, Andrew Pinski wrote: > On Wed, Oct 22, 2025 at 12:21 PM Kees Cook <kees@...nel.org> wrote: > > > > On Wed, Oct 22, 2025 at 12:14:32PM -0700, Andrew Pinski wrote: > > > On Wed, Oct 22, 2025 at 11:27 AM Kees Cook <kees@...nel.org> wrote: > > > > > > > > Implement AArch64-specific KCFI backend. > > > > > > > > - Trap debugging through ESR (Exception Syndrome Register) encoding > > > > in BRK instruction immediate values. > > > > > > > > - Scratch register allocation using w16/w17 (x16/x17) following > > > > AArch64 procedure call standard for intra-procedure-call registers, > > > > which already makes x16/x17 available through existing clobbers. > > > > > > > > - Incompatible with -ffixed-x16 or -ffixed-x17. > > > > > > Can you explain why? > > > The documentation for `-ffixed-` says this: > > > ``` > > > -ffixed-reg > > > Treat the register named reg as a fixed register; generated code > > > should never refer to it (except perhaps as a stack pointer, frame > > > pointer or in some other fixed role). > > > ``` > > > In this case it is a `in some other fixed role`. Or is the problem you > > > are using the allocator to figure out which is free? > > > In the case of indirect tail calls, x17/x16 is always used for the > > > pointer (since r9-5291-g901e66e03e1cd8). > > > Which is the register class TAILCALL_ADDR_REGS. > > > I think it is compatible with doing -ffixed-x17 (or -ffixed-x16) > > > because it is a "fixed role" at this point. > > > Though If both are supplied GCC will fall over anyways (will file a > > > bug about that in a few minutes). > > > > This was done based on feedback from the riscv patch in v2: > > https://lore.kernel.org/linux-hardening/dbf9a593-e19d-4f53-96d0-d067868f40b5@gmail.com/ > > > > Jeff's interpretation of -ffixed-reg seemed to imply "GCC should not touch > > this register", which seemed sensible to me from the perspective of the > > "generated code should never refer to it" bit. How that interacts with > > the "except perhaps as ... some other fixed role" is totally unclear to > > me. > > > > Shall I drop all of the -ffixed-reg logic for all backends? > > I cannot comment on other targets; they might still want it. For > aarch64, it does not make sense to check x16/x17 being fixed when > using KFCI. For aarch64, I suspect the check will be a generic check > that is not connected to KFCI for the reasons why I mentioned about. Okay, so for aarch64 KCFI, I should drop the -ffixed-reg conflict checking logic? -- Kees Cook
Powered by blists - more mailing lists