Message-ID: <64f2f090-682e-17af-5ecf-e9dca4f2c76e@citrix.com>
Date: Fri, 25 Feb 2022 09:22:26 +0000
From: Andrew Cooper <Andrew.Cooper3@...rix.com>
To: Kees Cook <keescook@...omium.org>,
Peter Zijlstra <peterz@...radead.org>
CC: "x86@...nel.org" <x86@...nel.org>,
"joao@...rdrivepizza.com" <joao@...rdrivepizza.com>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"jpoimboe@...hat.com" <jpoimboe@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"ndesaulniers@...gle.com" <ndesaulniers@...gle.com>,
"samitolvanen@...gle.com" <samitolvanen@...gle.com>,
"mark.rutland@....com" <mark.rutland@....com>,
"alyssa.milburn@...el.com" <alyssa.milburn@...el.com>,
"mbenes@...e.cz" <mbenes@...e.cz>,
"rostedt@...dmis.org" <rostedt@...dmis.org>,
"mhiramat@...nel.org" <mhiramat@...nel.org>,
"alexei.starovoitov@...il.com" <alexei.starovoitov@...il.com>,
Andrew Cooper <Andrew.Cooper3@...rix.com>
Subject: Re: [PATCH v2 07/39] x86/entry: Sprinkle ENDBR dust

On 25/02/2022 00:42, Kees Cook wrote:
> On Thu, Feb 24, 2022 at 03:51:45PM +0100, Peter Zijlstra wrote:
>> The SYSCALL entry points are found through taking their respective
>> address in order to program them in the MSRs, while the exception
>> entry points are found through UNWIND_HINT_IRET_REGS.
> Stupid question: does CET consider exception and syscall entry points to
> be indirect calls? (I would expect so, but they're ever so slightly
> differently executed...)

Yes it does. What happens is that on ring transition, microcode forces
the WAIT-FOR-ENDBR state.

For IDT entries, this protects against a single stray write hijacking
control flow.

SYSCALL/SYSENTER in principle don't need to be, IMO. They're rooted in
MSRs rather than RAM, and if an attacker has hijacked the system enough
to change those, then the absence of ENDBR is not going to save you.

However, from a consistency and implementation point of view, you don't
want to be special casing how a ring transition was triggered.

~Andrew
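
A toy model of the tracker behaviour described in the message above, added here as an illustration; it is not code from the patch series or from the message. The enum and function names are hypothetical and the byte array is constructed sample data; only the ENDBR64 encoding (f3 0f 1e fa) is real.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the IBT tracker; not kernel or microcode. Names are hypothetical. */
enum ibt_state { IBT_IDLE, IBT_WAIT_FOR_ENDBR };
enum xfer { XFER_DIRECT, XFER_INDIRECT, XFER_IDT, XFER_SYSCALL };

static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* Tracker state when the first instruction at the target is fetched. */
enum ibt_state ibt_after_transfer(enum xfer how)
{
    /* Direct branches leave the tracker idle. Indirect branches and every
     * ring transition arm it, however the transition was triggered. */
    return how == XFER_DIRECT ? IBT_IDLE : IBT_WAIT_FOR_ENDBR;
}

/* 1 if execution continues at text[target], 0 if the model raises #CP. */
int ibt_landing_ok(enum xfer how, const uint8_t *text, size_t len, size_t target)
{
    if (ibt_after_transfer(how) == IBT_IDLE)
        return 1;
    if (target > len || len - target < sizeof(ENDBR64))
        return 0;   /* not enough bytes left to hold an ENDBR64 */
    return memcmp(text + target, ENDBR64, sizeof(ENDBR64)) == 0;
}

/* Constructed text section: a handler at 0x00 that starts with ENDBR64,
 * and unrelated code at 0x06 that does not. */
const uint8_t sample_text[] = {
    0xf3, 0x0f, 0x1e, 0xfa, 0x90, 0xc3,   /* 0x00: endbr64; nop; ret */
    0x90, 0x90, 0x90, 0xc3,               /* 0x06: nop; nop; nop; ret */
};

int main(void)
{
    size_t n = sizeof(sample_text);
    printf("IDT -> 0x00:     %s\n", ibt_landing_ok(XFER_IDT, sample_text, n, 0x00) ? "ok" : "#CP");
    /* The same IDT entry after a constructed stray write pointed it at 0x06. */
    printf("IDT -> 0x06:     %s\n", ibt_landing_ok(XFER_IDT, sample_text, n, 0x06) ? "ok" : "#CP");
    printf("SYSCALL -> 0x06: %s\n", ibt_landing_ok(XFER_SYSCALL, sample_text, n, 0x06) ? "ok" : "#CP");
    printf("direct -> 0x06:  %s\n", ibt_landing_ok(XFER_DIRECT, sample_text, n, 0x06) ? "ok" : "#CP");
    return 0;
}
```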