[RFC PATCH v2 00/21] KCFI support

Sami Tolvanen posted 21 patches 1 week, 3 days ago
[RFC PATCH v2 00/21] KCFI support
Posted by Sami Tolvanen 1 week, 3 days ago
KCFI is a proposed forward-edge control-flow integrity scheme for
Clang, which is more suitable for kernel use than the existing CFI
scheme used by CONFIG_CFI_CLANG. KCFI doesn't require LTO, doesn't
alter function references to point to a jump table, and won't break
function address equality. The latest LLVM patch is here:

  https://reviews.llvm.org/D119296

This RFC series replaces the current arm64 CFI implementation with
KCFI and adds support for x86_64.

KCFI requires assembly functions that are indirectly called from C
code to be annotated with type identifiers. As type information is
only available in C, the compiler emits expected type identifiers into
the symbol table, so they can be referenced from assembly without
having to hardcode type hashes. Patch 7 adds helper macros for
annotating functions, and patches 9 and 17 add annotations.

In case of a type mismatch, KCFI always traps. To support error
handling, the compiler generates a .kcfi_traps section for x86_64,
which contains the locations of each trap, and for arm64, encodes
the necessary register information to the ESR. Patches 10 and 20 add
arch-specific error handlers.

To test this series, you'll need to compile your own Clang toolchain
with the patches linked above. You can also find the complete source
tree here:

  https://github.com/samitolvanen/llvm-project/commits/kcfi-rfc-v2

This series is also available in GitHub:

  https://github.com/samitolvanen/linux/commits/kcfi-rfc-v2

Sami Tolvanen (21):
  efi/libstub: Filter out CC_FLAGS_CFI
  arm64/vdso: Filter out CC_FLAGS_CFI
  kallsyms: Ignore __kcfi_typeid_
  cfi: Remove CONFIG_CFI_CLANG_SHADOW
  cfi: Drop __CFI_ADDRESSABLE
  cfi: Switch to -fsanitize=kcfi
  cfi: Add type helper macros
  psci: Fix the function type for psci_initcall_t
  arm64: Add types to indirect called assembly functions
  arm64: Add CFI error handling
  arm64: Drop unneeded __nocfi attributes
  treewide: Drop function_nocfi
  treewide: Drop WARN_ON_FUNCTION_MISMATCH
  treewide: Drop __cficanonical
  objtool: Don't warn about __cfi_ preambles falling through
  x86/tools/relocs: Ignore __kcfi_typeid_ relocations
  x86: Add types to indirectly called assembly functions
  x86/purgatory: Disable CFI
  x86/vdso: Disable CFI
  x86: Add support for CONFIG_CFI_CLANG
  init: Drop __nocfi from __init

 Makefile                                  |  13 +-
 arch/Kconfig                              |  21 +-
 arch/arm64/crypto/ghash-ce-core.S         |   5 +-
 arch/arm64/crypto/sm3-ce-core.S           |   3 +-
 arch/arm64/include/asm/brk-imm.h          |   6 +
 arch/arm64/include/asm/compiler.h         |  16 -
 arch/arm64/include/asm/ftrace.h           |   2 +-
 arch/arm64/include/asm/mmu_context.h      |   4 +-
 arch/arm64/kernel/acpi_parking_protocol.c |   2 +-
 arch/arm64/kernel/alternative.c           |   2 +-
 arch/arm64/kernel/cpu-reset.S             |   5 +-
 arch/arm64/kernel/cpufeature.c            |   4 +-
 arch/arm64/kernel/ftrace.c                |   2 +-
 arch/arm64/kernel/machine_kexec.c         |   2 +-
 arch/arm64/kernel/psci.c                  |   2 +-
 arch/arm64/kernel/smp_spin_table.c        |   2 +-
 arch/arm64/kernel/traps.c                 |  46 ++-
 arch/arm64/kernel/vdso/Makefile           |   3 +-
 arch/arm64/mm/proc.S                      |   5 +-
 arch/x86/Kconfig                          |   2 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S  |   5 +-
 arch/x86/entry/vdso/Makefile              |   3 +-
 arch/x86/include/asm/linkage.h            |  12 +
 arch/x86/kernel/traps.c                   |  60 +++-
 arch/x86/lib/memcpy_64.S                  |   3 +-
 arch/x86/purgatory/Makefile               |   4 +
 arch/x86/tools/relocs.c                   |   1 +
 drivers/firmware/efi/libstub/Makefile     |   2 +
 drivers/firmware/psci/psci.c              |   6 +-
 drivers/misc/lkdtm/usercopy.c             |   2 +-
 include/asm-generic/bug.h                 |  16 -
 include/asm-generic/vmlinux.lds.h         |  37 +--
 include/linux/cfi.h                       |  65 ++--
 include/linux/cfi_types.h                 |  57 ++++
 include/linux/compiler-clang.h            |   6 +-
 include/linux/compiler.h                  |  16 +-
 include/linux/compiler_types.h            |   4 -
 include/linux/init.h                      |   6 +-
 include/linux/module.h                    |  10 +-
 include/linux/pci.h                       |   4 +-
 kernel/cfi.c                              | 343 ++++------------------
 kernel/kthread.c                          |   3 +-
 kernel/module.c                           |  49 +---
 kernel/workqueue.c                        |   2 +-
 scripts/kallsyms.c                        |   1 +
 scripts/module.lds.S                      |  23 +-
 tools/objtool/check.c                     |   4 +
 47 files changed, 357 insertions(+), 534 deletions(-)
 create mode 100644 include/linux/cfi_types.h

-- 
2.36.0.550.gb090851708-goog
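A simplified model of the check the cover letter describes, added here as an illustration and not code from the series, from Clang or from the kernel: every function carries a 32-bit type identifier in a preamble ahead of its entry, and each indirect call site compares the identifier found at the target against the one it expects for the callee's prototype, trapping on mismatch. The `struct kcfi_func` layout, the FNV-1a toy hash and the function names are assumptions made for this example; the real compiler derives the identifier from the function type, emits it in the `__cfi_` preamble and, for assembly callees, exports it as a `__kcfi_typeid_` symbol so the annotation does not have to spell out a hash.

```c
/* Toy model of a KCFI indirect-call check (added example, not the series'
 * code).  The preamble is modelled as a struct holding the type identifier
 * next to the entry point; a real preamble sits in the bytes before the
 * function and the compiler generates the comparison at every call site. */
#include <stdint.h>
#include <stdio.h>

typedef void (*generic_fn)(void);

/* Models the __cfi_<name> preamble plus the entry it precedes (assumption). */
struct kcfi_func {
    uint32_t   type_id;
    generic_fn entry;
};

/* Toy stand-in for the compiler's type hash: FNV-1a over the prototype text. */
uint32_t kcfi_type_id(const char *prototype)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)prototype; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Two callees of different types (assumed names). */
static int  double_it(int x)  { return 2 * x; }
static void touch(void *p)    { (void)p; }

/* Simulated call site for a callee of type `int (int)`.  Returns 0 after a
 * well-typed call, or -1 where real KCFI would execute the trap instruction
 * (arm64 encodes the registers in the ESR, x86_64 records the location in
 * .kcfi_traps, so the arch handler can report which call failed). */
int kcfi_indirect_call_int(const struct kcfi_func *target, int arg, int *out)
{
    if (target->type_id != kcfi_type_id("int (int)"))
        return -1;                     /* type mismatch: trap, callee not run */
    *out = ((int (*)(int))target->entry)(arg);
    return 0;
}

/* Returns 1 when a matching call succeeds and a type-confused one is refused. */
int demo(void)
{
    struct kcfi_func good = { kcfi_type_id("int (int)"),     (generic_fn)double_it };
    struct kcfi_func bad  = { kcfi_type_id("void (void *)"), (generic_fn)touch };
    int out = 0;
    int rc_good = kcfi_indirect_call_int(&good, 21, &out);   /* 0, out == 42 */
    int rc_bad  = kcfi_indirect_call_int(&bad, 21, &out);    /* -1, out untouched */
    return rc_good == 0 && out == 42 && rc_bad == -1;
}

int main(void)
{
    printf("kcfi model %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The point of the second call is what KCFI buys over a plain function pointer: a pointer that has been redirected to a function of another type never reaches that function's entry, because the identifier in front of it does not match the one baked into the call site.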
Re: [RFC PATCH v2 00/21] KCFI support
Posted by Peter Zijlstra 6 days, 21 hours ago
On Fri, May 13, 2022 at 01:21:38PM -0700, Sami Tolvanen wrote:
> KCFI is a proposed forward-edge control-flow integrity scheme for
> Clang, which is more suitable for kernel use than the existing CFI
> scheme used by CONFIG_CFI_CLANG. KCFI doesn't require LTO, doesn't
> alter function references to point to a jump table, and won't break
> function address equality. The latest LLVM patch is here:
> 
>   https://reviews.llvm.org/D119296
> 
> This RFC series replaces the current arm64 CFI implementation with
> KCFI and adds support for x86_64.

You have some weird behaviour vs weak functions (I so hate those)...

100: 0000000000000980     9 FUNC    LOCAL  DEFAULT    2 __cfi_free_initmem
233: 0000000000000989    35 FUNC    WEAK   DEFAULT    2 free_initmem

With the result that on the final link:

   179: 00000000000009b0     9 FUNC    LOCAL  DEFAULT    1 __cfi_free_initmem
  8689: 00000000000007f0     9 FUNC    LOCAL  DEFAULT   65 __cfi_free_initmem
173283: 00000000000007f9   198 FUNC    GLOBAL DEFAULT   65 free_initmem

This is getting me objtool issues (I'll fix them) but perhaps it's
something you can do something about as well.
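The symbol-table output above shows the pattern to look for: after the weak `free_initmem` is replaced at link time, its `__cfi_free_initmem` preamble in section 1 survives with no function behind it, and the name now appears twice. As an added example (not the series' code, nor objtool's), the checker below reads `readelf -s` style lines and reports preambles that are not immediately followed, in the same section, by a `FUNC` of the name they are prefixed for, plus names that carry more than one preamble. The sample input embeds Peter's three final-link lines together with a constructed healthy pair (`__cfi_example_fn`/`example_fn`) for contrast; the parsing layout and the "attached means value + size is the function's start" heuristic are assumptions of this example.

```c
/* Added example: flag orphaned or duplicated __cfi_ preambles in readelf -s
 * style symbol listings.  Not part of the KCFI series or of objtool. */
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 64

struct sym {
    unsigned long value, size;
    char type[8], bind[8], shndx[8];
    char name[64];
};

/* Parse lines like "  8689: 00000000000007f0  9 FUNC LOCAL DEFAULT 65 name". */
static int parse_symtab(const char *text, struct sym *out, int max)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        int num;
        char vis[8];
        struct sym *s = &out[n];
        if (sscanf(buf, " %d: %lx %lu %7s %7s %7s %7s %63s", &num, &s->value,
                   &s->size, s->type, s->bind, vis, s->shndx, s->name) == 8)
            n++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

/* A preamble is attached when a FUNC named <fn> starts exactly at
 * preamble.value + preamble.size in the same section (heuristic, assumed). */
static int preamble_attached(const struct sym *syms, int n, const struct sym *pre)
{
    const char *fn = pre->name + strlen("__cfi_");
    for (int i = 0; i < n; i++)
        if (strcmp(syms[i].type, "FUNC") == 0 && strcmp(syms[i].name, fn) == 0 &&
            strcmp(syms[i].shndx, pre->shndx) == 0 &&
            syms[i].value == pre->value + pre->size)
            return 1;
    return 0;
}

/* Number of __cfi_ preambles with no function of that name directly behind them. */
int count_orphan_preambles(const char *text)
{
    struct sym syms[MAX_SYMS];
    int n = parse_symtab(text, syms, MAX_SYMS), orphans = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(syms[i].name, "__cfi_", 6) != 0)
            continue;
        if (!preamble_attached(syms, n, &syms[i])) {
            printf("orphaned preamble %s at 0x%lx (section %s)\n",
                   syms[i].name, syms[i].value, syms[i].shndx);
            orphans++;
        }
    }
    return orphans;
}

/* Number of distinct __cfi_ names that occur more than once. */
int count_duplicate_preambles(const char *text)
{
    struct sym syms[MAX_SYMS];
    int n = parse_symtab(text, syms, MAX_SYMS), dups = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(syms[i].name, "__cfi_", 6) != 0)
            continue;
        int seen_before = 0, copies = 0;
        for (int j = 0; j < n; j++) {
            if (strcmp(syms[j].name, syms[i].name) != 0)
                continue;
            if (j < i) seen_before = 1;
            copies++;
        }
        if (!seen_before && copies > 1) {
            printf("%d preambles named %s\n", copies, syms[i].name);
            dups++;
        }
    }
    return dups;
}

/* Constructed sample: Peter's three lines plus one healthy, made-up pair. */
const char *sample_symtab =
    "   179: 00000000000009b0     9 FUNC    LOCAL  DEFAULT    1 __cfi_free_initmem\n"
    "  8689: 00000000000007f0     9 FUNC    LOCAL  DEFAULT   65 __cfi_free_initmem\n"
    "173283: 00000000000007f9   198 FUNC    GLOBAL DEFAULT   65 free_initmem\n"
    "  9001: 0000000000001000     9 FUNC    LOCAL  DEFAULT   65 __cfi_example_fn\n"
    "  9002: 0000000000001009    40 FUNC    GLOBAL DEFAULT   65 example_fn\n";

int main(void)
{
    int orphans = count_orphan_preambles(sample_symtab);   /* 1 */
    int dups = count_duplicate_preambles(sample_symtab);   /* 1 */
    return (orphans == 1 && dups == 1) ? 0 : 1;
}
```

Run against real output with `readelf -sW vmlinux` piped into a file, the section 1 preamble at 0x9b0 is the one reported: its size-9 span ends at 0x9b9 and nothing named `free_initmem` starts there, while the section 65 copy at 0x7f0 is attached to the GLOBAL `free_initmem` at 0x7f9. A leftover preamble like this is harmless to the CFI check itself (no call site will match its address) but is exactly the kind of dangling `__cfi_` symbol that confuses tools walking the preambles.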
Re: [RFC PATCH v2 00/21] KCFI support
Posted by Sami Tolvanen 6 days, 9 hours ago
On Tue, May 17, 2022 at 1:58 AM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Fri, May 13, 2022 at 01:21:38PM -0700, Sami Tolvanen wrote:
> > KCFI is a proposed forward-edge control-flow integrity scheme for
> > Clang, which is more suitable for kernel use than the existing CFI
> > scheme used by CONFIG_CFI_CLANG. KCFI doesn't require LTO, doesn't
> > alter function references to point to a jump table, and won't break
> > function address equality. The latest LLVM patch is here:
> >
> >   https://reviews.llvm.org/D119296
> >
> > This RFC series replaces the current arm64 CFI implementation with
> > KCFI and adds support for x86_64.
>
> You have some weird behaviour vs weak functions (I so hate those)...
>
> 100: 0000000000000980     9 FUNC    LOCAL  DEFAULT    2 __cfi_free_initmem
> 233: 0000000000000989    35 FUNC    WEAK   DEFAULT    2 free_initmem
>
> With the result that on the final link:
>
>    179: 00000000000009b0     9 FUNC    LOCAL  DEFAULT    1 __cfi_free_initmem
>   8689: 00000000000007f0     9 FUNC    LOCAL  DEFAULT   65 __cfi_free_initmem
> 173283: 00000000000007f9   198 FUNC    GLOBAL DEFAULT   65 free_initmem
>
> This is getting me objtool issues (I'll fix them) but perhaps it's
> something you can do something about as well.

Good catch, I'll fix this.

Sami