[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250902081915.GK3245006@noisy.programming.kicks-ass.net>
Date: Tue, 2 Sep 2025 10:19:15 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>
Cc: kees@...nel.org, alyssa.milburn@...el.com, scott.d.constable@...el.com,
joao@...rdrivepizza.com, andrew.cooper3@...rix.com,
samitolvanen@...gle.com, nathan@...nel.org,
alexei.starovoitov@...il.com, mhiramat@...nel.org, ojeda@...nel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86,ibt: Use UDB instead of 0xEA
Because this is all somewhat magical code, and this change is a little
on the large side, it as been suggested I 'upgrade' the Changelog some.
On Mon, Sep 01, 2025 at 09:13:07PM +0200, Peter Zijlstra wrote:
>
> A while ago [0] FineIBT started using the 0xEA instruction to raise #UD.
> All existing parts will generate #UD in 64bit mode on that instruction.
>
> However; Intel/AMD have not blessed using this instruction, it is on
> their 'reserved' opcode list for future use.
>
> Peter Anvin worked the committees and got use of 0xD6 blessed, it
> shall be called UDB (per the next SDM or so), and it being a single
> byte instruction is easy to slip into a single byte immediate -- as
> is done by this very patch.
>
> Reworking the FineIBT code to use UDB wasn't entirely trivial. Notably
> the FineIBT-BHI1 case ran out of bytes. In order to condense the
> encoding some it was required to move the hash register from R10D to
> EAX (thanks hpa!).
>
> Per the x86_64 ABI, RAX is used to pass the number of vector registers
> for vararg function calls -- something that should not happen in the
> kernel. More so, the kernel is built with -mskip-rax-setup, which
> should leave RAX completely unused, allowing its re-use.
[ For BPF; while the bpf2bpf tail-call uses RAX in its calling
convention, that does not use CFI and is unaffected. Only the
'regular' C->BPF transition is covered by CFI. ]
The ENDBR poison value is changed from 'OSP NOP3' to 'NOPL -42(%RAX)',
this is basically NOP4 but with UDB as its immediate. As such it is
still a non-standard NOP value unique to prior ENDBR sites, but now
also provides UDB.
Per Agner Fog's optimization guide, Jcc is assumed not-taken. That is,
the expected path should be the fallthrough case for improved
throughput.
Since the preamble now relies on the ENDBR poison to provide UDB, the
code is changed to write the poison right along with the initial
preamble -- this is possible because the ITS mitigation already
disabled IBT over rewriting the CFI scheme.
The scheme in detail:
Preamble:
FineIBT FineIBT-BHI1 FineIBT-BHI
__cfi_\func: __cfi_\func: __cfi_\func:
endbr endbr endbr
subl $0x12345678, %eax subl $0x12345678, %eax subl $0x12345678, %eax
jcc.d32,np \func+3 cmovne %rax, %rdi cs cs call __bhi_args_N
jcc.d8,np \func+3
\func: \func: \func:
nopl -42(%rax) nopl -42(%rax) nopl -42(%rax)
Notably there are 7 bytes available after the SUBL; this enables the
BHI-1 case to fit without the nasty overlapping case it had
previously. The !BHI case uses Jcc.d32 to consume all 7 bytes without
the need for an additional NOP, while the BHI case uses CS padding to
align the CALL with the end of the preamble such that it returns to
\func+0.
Caller:
FineIBT Paranoid-FineIBT
fineibt_caller: fineibt_caller:
mov $0x12345678, %eax mov $0x12345678, %eax
lea -10(%r11), %r11 cmp -0x11(%r11), %eax
nop5 cs lea -0x10(%r11), %r11
retpoline: retpoline:
cs call __x86_indirect_thunk_r11 jne fineibt_caller+0xd
call *%r11
nop
Notably this is before apply_retpolines() which will fix up the
retpoline call -- since all parts with IBT also have eIBRS (lets
ignore ITS). Typically the retpoline site is rewritten (when still
intact) into:
call *r11
nop3
> [0] 06926c6cdb95 ("x86/ibt: Optimize the FineIBT instruction sequence")
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
And now I'm going to have to do a patch that makes apply_retpoline()
do CS padding instead of NOP padding for CALL...
Powered by blists - more mailing lists