lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2f7f899cb75b79b08b0662ff4d2cb877@overdrivepizza.com>
Date:   Mon, 18 Jul 2022 15:47:29 -0700
From:   Joao Moreira <joao@...rdrivepizza.com>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        "Torvalds, Linus" <torvalds@...ux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        the arch/x86 maintainers <x86@...nel.org>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Josh Poimboeuf <jpoimboe@...nel.org>,
        "Cooper, Andrew" <andrew.cooper3@...rix.com>,
        Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
        Johannes Wikner <kwikner@...z.ch>,
        Alyssa Milburn <alyssa.milburn@...ux.intel.com>,
        Jann Horn <jannh@...gle.com>, "H.J. Lu" <hjl.tools@...il.com>,
        "Moreira, Joao" <joao.moreira@...el.com>,
        "Nuzman, Joseph" <joseph.nuzman@...el.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        "Gross, Jurgen" <jgross@...e.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>, samitolvanen@...gle.com
Subject: Re: [patch 00/38] x86/retbleed: Call depth tracking mitigation

On 2022-07-18 15:22, Thomas Gleixner wrote:
> On Mon, Jul 18 2022 at 23:18, Peter Zijlstra wrote:
>> On Mon, Jul 18, 2022 at 10:44:14PM +0200, Thomas Gleixner wrote:
>>> And we need input from the Clang folks because their CFI work also 
>>> puts
>>> stuff in front of the function entry, which nicely collides.
>> 
>> Right, I need to go look at the latest kCFI patches, that sorta got
>> side-tracked for working on all the retbleed muck :/
>> 
>> Basically kCFI wants to preface every (indirect callable) function 
>> with:
>> 
>> __cfi_\func:
>> 	int3
>>         movl $0x12345678, %rax
>>         int3
>>         int3
>> \func:
>>         endbr
>> \func_direct:
>> 
>> Ofc, we can still put the whole:
>> 
>> 	sarq	$5, PER_CPU_VAR(__x86_call_depth);
>> 	jmp	\func_direct
>> 
>> thing in front of that. But it does somewhat destroy the version I had
>> that only needs the 10 bytes padding for the sarq.
> 
> Right, because it needs the jump. I was just chatting with Jaoa about
> that over IRC.
> 
> The jump slow things down. Jaoa has ideas and will reply soonish.

So, IIRC, kCFI will do something like this to validate call targets 
based on the hash as described on Peter's e-mail:

func_whatever:
	...
	cmpl $0x\hash, -6(%rax)
	je 1f
	ud2
1:
	call *%rax
	...

Thus the hash will be 6 bytes before the function entry point. Then we 
can get the compiler to emit a padding area before the __cfi_\func 
snippet and, during boot, if the CPU needs the call depth tracking 
mitigation, we:
- move the __cfi_func into the padding area
- patch the call depth tracking snippet ahead of it (overwriting the old 
__cfi_\func:)
- fix the cmpl offset in the caller

func_whatever:
	...
	cmpl $0x\hash, -FIXED_OFFSET(%rax)
	je 1f
	ud2
1:
	call *%rax
	...

This approach is very similar to what we discussed in the past for 
replacing kCFI with FineIBT if CET is available. Also, it would prevent 
the need for any jump and would keep the additional padding area in 10 
bytes.

Tks,
Joao


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ