lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <7jpwi6r564hdpw2n7b75o6oqvtjdx3wpmq43e5khhwa2lh3yij@cis5aamxquol>
Date: Wed, 19 Mar 2025 08:47:43 -0700
From: Josh Poimboeuf <jpoimboe@...nel.org>
To: David Woodhouse <dwmw2@...radead.org>
Cc: kexec@...ts.infradead.org, Thomas Gleixner <tglx@...utronix.de>, 
	Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H . Peter Anvin" <hpa@...or.com>, 
	"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>, Kai Huang <kai.huang@...el.com>, 
	Nikolay Borisov <nik.borisov@...e.com>, linux-kernel@...r.kernel.org, Simon Horman <horms@...nel.org>, 
	Dave Young <dyoung@...hat.com>, Peter Zijlstra <peterz@...radead.org>, bsz@...zon.de
Subject: Re: [PATCH v7 8/8] [DO NOT MERGE] x86/kexec: Add CFI type
 information to relocate_kernel()

On Wed, Mar 19, 2025 at 01:04:20PM +0000, David Woodhouse wrote:
> On 18 March 2025 22:41:43 GMT, Josh Poimboeuf <jpoimboe@...nel.org> wrote:
> >On Tue, Mar 18, 2025 at 09:06:58PM +0000, David Woodhouse wrote:
> >> On Tue, 2025-03-18 at 10:14 -0700, Josh Poimboeuf wrote:
> >> > On Tue, Mar 18, 2025 at 03:56:36PM +0000, David Woodhouse wrote:
> >> > > For the relocate_kernel() case I don't think we care much about the
> >> > > first. Without a CFI prologue, no *other* code can be tricked into
> >> > > calling relocate_kernel()
> >> > 
> >> > But for FineIBT the hash is checked on the callee side.  So it loses
> >> > FineIBT protection.
> >> 
> >> Right now the relocate_kernel() code doesn't even have an endbr, does
> >> it? So it isn't a useful gadget?
> >
> >In that case wouldn't IBT explode when you indirect call it?  Or is IBT
> >getting disabled beforehand?
> 
> Not sure of the details. The machine_kexec() function which is the
> *caller* is currently marked with the __nocfi tag which stops any
> software checks. I guess any hardware feature which requires an endbr
> to be the target of an indirect branch has to already disabled on the
> way down? What specifically am I looking for, to check that? Or the
> hardware support has just never worked with kexec, perhaps?

Looking at machine_kexec(), it calls cet_disable() before the indirect
call.  So yeah, it seems fine for relocate_kernel() to not have a CFI
prologue or ENDBR.

-- 
Josh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ