| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrXv5vYxV+R4xAiKXMgHYeeDE5y4_Oj8Jx6pFiFq5+tXOQ@mail.gmail.com>
Date: Fri, 5 Oct 2018 11:00:58 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Josh Poimboeuf <jpoimboe@...hat.com>
Cc: Andrew Lutomirski <luto@...nel.org>,
"Jason A. Donenfeld" <Jason@...c4.com>,
LKML <linux-kernel@...r.kernel.org>,
Eric Biggers <ebiggers@...nel.org>,
Samuel Neves <sneves@....uc.pt>, Arnd Bergmann <arnd@...db.de>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Paul Mackerras <paulus@...ba.org>,
Michael Ellerman <mpe@...erman.id.au>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Kees Cook <keescook@...omium.org>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Greg KH <gregkh@...uxfoundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Richard Weinberger <richard@....at>,
Peter Zijlstra <peterz@...radead.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>
Subject: Re: [RFC PATCH 0/9] patchable function pointers for pluggable crypto routines
On Fri, Oct 5, 2018 at 10:28 AM Ard Biesheuvel
<ard.biesheuvel@...aro.org> wrote:
>
> On 5 October 2018 at 19:26, Andy Lutomirski <luto@...nel.org> wrote:
> > On Fri, Oct 5, 2018 at 10:15 AM Ard Biesheuvel
> > <ard.biesheuvel@...aro.org> wrote:
> >>
> >> On 5 October 2018 at 15:37, Jason A. Donenfeld <Jason@...c4.com> wrote:
> >> ...
> >> > Therefore, I think this patch goes in exactly the wrong direction. I
> >> > mean, if you want to introduce dynamic patching as a means for making
> >> > the crypto API's dynamic dispatch stuff not as slow in a post-spectre
> >> > world, sure, go for it; that may very well be a good idea. But
> >> > presenting it as an alternative to Zinc very widely misses the point and
> >> > serves to prolong a series of bad design choices, which are now able to
> >> > be rectified by putting energy into Zinc instead.
> >> >
> >>
> >> This series has nothing to do with dynamic dispatch: the call sites
> >> call crypto functions using ordinary function calls (although my
> >> example uses CRC-T10DIF), and these calls are redirected via what is
> >> essentially a PLT entry, so that we can supsersede those routines at
> >> runtime.
> >
> > If you really want to do it PLT-style, then just do:
> >
> > extern void whatever_func(args);
> >
> > Call it like:
> > whatever_func(args here);
> >
> > And rig up something to emit asm like:
> >
> > GLOBAL(whatever_func)
> > jmpq default_whatever_func
> > ENDPROC(whatever_func)
> >
> > Architectures without support can instead do:
> >
> > void whatever_func(args)
> > {
> > READ_ONCE(patchable_function_struct_for_whatever_func->ptr)(args);
> > }
> >
> > and patch the asm function for basic support. It will be slower than
> > necessary, but maybe the relocation trick could be used on top of this
> > to redirect the call to whatever_func directly to the target for
> > architectures that want to squeeze out the last bit of performance.
> > This might actually be the best of all worlds: easy implementation on
> > all architectures, no inline asm, and the totally non-magical version
> > works with okay performance.
> >
> > (Is this what your code is doing? I admit I didn't follow all the way
> > through all the macros.)
>
> Basically
Adding Josh Poimboeuf.
Here's a sketch of how this could work for better performance. For a
static call "foo" that returns void and takes no arguments, the
generic implementation does something like this:
extern void foo(void);
struct static_call {
void (*target)(void);
/* arch-specific part containing an array of struct static_call_site */
};
void foo(void)
{
READ_ONCE(__static_call_foo->target)();
}
Arch code overrides it to:
GLOBAL(foo)
jmpq *__static_call_foo(%rip)
ENDPROC(foo)
and some extra asm to emit a static_call_site object saying that the
address "foo" is a jmp/call instruction where the operand is at offset
1 into the instruction. (Or whatever the offset is.)
The patch code is like:
void set_static_call(struct static_call *call, void *target)
{
/* take a spinlock? */
WRITE_ONCE(call->target, target);
arch_set_static_call(call, target);
}
and the arch code patches the call site if needed.
On x86, an even better implementation would have objtool make a bunch
of additional static_call_site objects for each call to foo, and
arch_set_static_call() would update all of them, too. Using
text_poke_bp() if needed, and "if needed" can maybe be clever and
check the alignment of the instruction. I admit that I never actually
remember the full rules for atomically patching an instruction on x86
SMP. (Hmm. This will be really epically slow. Maybe we don't care.
Or we could finally optimize text_poke, etc to take a list of pokes to
do and do them as a batch. But that's not a prerequisite for the rest
of this.)
What do you all think?
Powered by blists - more mailing lists