lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250902081915.GK3245006@noisy.programming.kicks-ass.net>
Date: Tue, 2 Sep 2025 10:19:15 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>
Cc: kees@...nel.org, alyssa.milburn@...el.com, scott.d.constable@...el.com,
	joao@...rdrivepizza.com, andrew.cooper3@...rix.com,
	samitolvanen@...gle.com, nathan@...nel.org,
	alexei.starovoitov@...il.com, mhiramat@...nel.org, ojeda@...nel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86,ibt: Use UDB instead of 0xEA


Because this is all somewhat magical code, and this change is a little
on the large side, it as been suggested I 'upgrade' the Changelog some.

On Mon, Sep 01, 2025 at 09:13:07PM +0200, Peter Zijlstra wrote:
> 
> A while ago [0] FineIBT started using the 0xEA instruction to raise #UD.
> All existing parts will generate #UD in 64bit mode on that instruction.
> 
> However; Intel/AMD have not blessed using this instruction, it is on
> their 'reserved' opcode list for future use.
> 
> Peter Anvin worked the committees and got use of 0xD6 blessed, it
> shall be called UDB (per the next SDM or so), and it being a single
> byte instruction is easy to slip into a single byte immediate -- as
> is done by this very patch.
> 
> Reworking the FineIBT code to use UDB wasn't entirely trivial. Notably
> the FineIBT-BHI1 case ran out of bytes. In order to condense the
> encoding some it was required to move the hash register from R10D to
> EAX (thanks hpa!).
> 
> Per the x86_64 ABI, RAX is used to pass the number of vector registers
> for vararg function calls -- something that should not happen in the
> kernel. More so, the kernel is built with -mskip-rax-setup, which
> should leave RAX completely unused, allowing its re-use.

 [ For BPF; while the bpf2bpf tail-call uses RAX in its calling
   convention, that does not use CFI and is unaffected. Only the
   'regular' C->BPF transition is covered by CFI. ]

The ENDBR poison value is changed from 'OSP NOP3' to 'NOPL -42(%RAX)',
this is basically NOP4 but with UDB as its immediate. As such it is
still a non-standard NOP value unique to prior ENDBR sites, but now
also provides UDB.

Per Agner Fog's optimization guide, Jcc is assumed not-taken. That is,
the expected path should be the fallthrough case for improved
throughput.

Since the preamble now relies on the ENDBR poison to provide UDB, the
code is changed to write the poison right along with the initial
preamble -- this is possible because the ITS mitigation already
disabled IBT over rewriting the CFI scheme.

The scheme in detail:

Preamble:

  FineIBT                       FineIBT-BHI1                    FineIBT-BHI

  __cfi_\func:                  __cfi_\func:                    __cfi_\func:
    endbr                         endbr                           endbr
    subl       $0x12345678, %eax  subl      $0x12345678, %eax     subl       $0x12345678, %eax
    jcc.d32,np \func+3            cmovne    %rax, %rdi            cs cs call __bhi_args_N
                                  jcc.d8,np \func+3
  \func:                        \func:                          \func:
    nopl       -42(%rax)          nopl      -42(%rax)             nopl       -42(%rax)

Notably there are 7 bytes available after the SUBL; this enables the
BHI-1 case to fit without the nasty overlapping case it had
previously. The !BHI case uses Jcc.d32 to consume all 7 bytes without
the need for an additional NOP, while the BHI case uses CS padding to
align the CALL with the end of the preamble such that it returns to
\func+0.

Caller:

  FineIBT                               Paranoid-FineIBT

  fineibt_caller:                       fineibt_caller:
    mov     $0x12345678, %eax             mov    $0x12345678, %eax
    lea     -10(%r11), %r11               cmp    -0x11(%r11), %eax
    nop5                                  cs lea -0x10(%r11), %r11
  retpoline:                            retpoline:
    cs call __x86_indirect_thunk_r11      jne    fineibt_caller+0xd
                                          call   *%r11
                                          nop

Notably this is before apply_retpolines() which will fix up the
retpoline call -- since all parts with IBT also have eIBRS (lets
ignore ITS). Typically the retpoline site is rewritten (when still
intact) into:

    call *r11
    nop3

> [0] 06926c6cdb95 ("x86/ibt: Optimize the FineIBT instruction sequence")
> 
> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>

And now I'm going to have to do a patch that makes apply_retpoline()
do CS padding instead of NOP padding for CALL...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ