[PATCH v3 00/10] x86/ibt: FineIBT-BHI

Peter Zijlstra posted 10 patches 9 months, 4 weeks ago
There is a newer version of this series
[PATCH v3 00/10] x86/ibt: FineIBT-BHI
Posted by Peter Zijlstra 9 months, 4 weeks ago
Hi all!

Having landed much of the previous series in tip/x86/core, I was hoping for an
easy time landing the final two patches.. alas.

This whole FineIBT SYSCALL pivot thing showed up, which got me to develop the
paranoid FineIBT variant. And because testing I added a cfi=warn knob, and then
I migrated bhi to an option etc..

Then just as I was to post this stuff, Scott out-nerds me with a whole new
instruction sequence. Which got me to rework the entire pile once again, and
it is now another 10 patches again :/

Anyway, be warned, Scott loves overlapping instructions.

This is tested with:

  cfi=fineibt,warn
  cfi=fineibt,warn,paranoid
  cfi=fineibt,warn,bhi
  cfi=fineibt,warn,paranoid,bhi
  cfi=fineibt,paranoid,bhi

Also note that LKDTM's CFI_FORWARD_PROTO test will do a double splat for
paranoid in warn/permissive mode, since both the caller and callee hash check
will fail.

Also available at:

  git://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/fineibt-bhi2

Previous version at:

  https://lkml.kernel.org/r/20250207121529.222723073@infradead.org

Paranoid discussion at:

  https://lkml.kernel.org/r/20250215210729.GA25168@noisy.programming.kicks-ass.net

---
 Makefile                      |   3 +
 arch/x86/Kconfig              |   8 +
 arch/x86/include/asm/bug.h    |   3 +
 arch/x86/include/asm/cfi.h    |  19 ++-
 arch/x86/include/asm/ibt.h    |   4 +
 arch/x86/kernel/alternative.c | 363 +++++++++++++++++++++++++++++++++++++-----
 arch/x86/kernel/cfi.c         |  18 ++-
 arch/x86/kernel/traps.c       |  46 +++++-
 arch/x86/lib/Makefile         |   3 +-
 arch/x86/lib/bhi.S            | 146 +++++++++++++++++
 arch/x86/net/bpf_jit_comp.c   |  30 ++--
 11 files changed, 579 insertions(+), 64 deletions(-)
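The cover letter's note about the LKDTM CFI_FORWARD_PROTO "double splat" hinges on what the paranoid variant adds: with plain FineIBT only the callee's prologue compares the prototype hash the caller supplied, while the paranoid variant has the call site also compare the hash embedded at the target before transferring control, so one mismatched call produces two reports when the kernel is in warn (permissive) mode. The program below is an added userspace model of that logic written for this page; it is not code from the patch series, and it does not reproduce the real instruction sequences, register use, or the compiler's type hash. The hash function (FNV-1a over a prototype string), the `cfi_policy` knobs named after the cfi= options in the cover letter, and the idea of passing the caller's hash as a plain argument are all simplifications assumed for illustration.

```c
/*
 * Added illustration, not kernel code: a userspace model of a
 * FineIBT-style prototype-hash check at an indirect call, with the
 * "paranoid" (caller-side) check and "warn" (permissive) mode modelled
 * after the cfi= options listed in the cover letter. Hash values and
 * instruction sequences of the real kernel are deliberately not reproduced.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy knobs mirroring cfi=...,paranoid and cfi=...,warn (assumed model). */
struct cfi_policy {
    int paranoid;   /* caller also verifies the hash embedded at the target */
    int warn;       /* permissive: report and continue instead of aborting */
};

/* Running count of reported violations (one "splat" per report). */
static unsigned long cfi_violations;

/* FNV-1a over the prototype string: a stand-in for the compiler's type hash. */
static uint32_t cfi_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++) {
        h ^= (unsigned char)*proto;
        h *= 16777619u;
    }
    return h;
}

/* A function as the checker sees it: the hash its prologue carries, plus code. */
struct cfi_func {
    uint32_t hash;
    const char *name;
    void (*fn)(void);
};

static void cfi_report(const struct cfi_policy *p, const char *where,
                       uint32_t expected, uint32_t got)
{
    cfi_violations++;
    fprintf(stderr, "CFI failure at %s: expected %08x, got %08x\n",
            where, expected, got);
    if (!p->warn)
        abort();  /* enforcing mode: the real kernel would trap here */
}

/* Callee-side check, as done by the target's prologue. The caller's hash is
 * passed as an argument here; the real implementation uses a register. */
static void cfi_callee_check(const struct cfi_policy *p,
                             const struct cfi_func *callee, uint32_t caller_hash)
{
    if (caller_hash != callee->hash)
        cfi_report(p, callee->name, callee->hash, caller_hash);
}

/* One indirect call through a CFI-checked call site. Returns how many
 * violations this single call reported. */
static unsigned long cfi_indirect_call(const struct cfi_policy *p,
                                       const char *expected_proto,
                                       const struct cfi_func *target)
{
    unsigned long before = cfi_violations;
    uint32_t h = cfi_hash(expected_proto);

    /* Paranoid: the call site reads the hash embedded at the target and
     * compares it before transferring control. */
    if (p->paranoid && target->hash != h)
        cfi_report(p, "caller", h, target->hash);

    /* Control transfer: the callee prologue checks the same hash again. */
    cfi_callee_check(p, target, h);
    target->fn();   /* only reached in warn mode, or when the hashes match */
    return cfi_violations - before;
}

static void real_target(void) { }

/* Model of LKDTM's CFI_FORWARD_PROTO: the call site expects one prototype,
 * the target was compiled with another (prototype strings are constructed). */
static unsigned long lkdtm_forward_proto(int paranoid, int warn)
{
    struct cfi_policy p = { .paranoid = paranoid, .warn = warn };
    struct cfi_func target = {
        .hash = cfi_hash("void (*)(int)"),
        .name = "real_target", .fn = real_target,
    };
    return cfi_indirect_call(&p, "void (*)(void)", &target);
}

/* A well-typed call: no report in either variant. */
static unsigned long matched_call(int paranoid)
{
    struct cfi_policy p = { .paranoid = paranoid, .warn = 1 };
    struct cfi_func target = {
        .hash = cfi_hash("void (*)(void)"),
        .name = "real_target", .fn = real_target,
    };
    return cfi_indirect_call(&p, "void (*)(void)", &target);
}

int main(void)
{
    printf("matched, paranoid:        %lu splat(s)\n", matched_call(1));
    printf("forward-proto, warn:      %lu splat(s)\n", lkdtm_forward_proto(0, 1));
    printf("forward-proto, warn+para: %lu splat(s)\n", lkdtm_forward_proto(1, 1));
    return 0;
}
```

Run with `cfi=fineibt,warn` semantics (paranoid off) the mismatched call reports once, from the callee; with `warn,paranoid` it reports twice, once from the call site and once from the callee, which is the double splat the cover letter describes. Without warn the first report aborts, so the enforcing variants never get as far as a second check.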
Re: [PATCH v3 00/10] x86/ibt: FineIBT-BHI
Posted by Peter Zijlstra 9 months, 4 weeks ago
On Wed, Feb 19, 2025 at 05:21:07PM +0100, Peter Zijlstra wrote:
> Hi all!
> 
> Having landed much of the previous series in tip/x86/core, I was hoping for an
> easy time landing the final two patches.. alas.
> 
> This whole FineIBT SYSCALL pivot thing showed up, which got me to develop the
> paranoid FineIBT variant. And because testing I added a cfi=warn knob, and then
> I migrated bhi to an option etc..
> 
> Then just as I was to post this stuff, Scott out-nerds me with a whole new
> instruction sequence. Which got me to rework the entire pile once again, and
> it is now another 10 patches again :/
> 
> Anyway, be warned, Scott loves overlapping instructions.
> 
> This is tested with:
> 
>   cfi=fineibt,warn
>   cfi=fineibt,warn,paranoid
>   cfi=fineibt,warn,bhi
>   cfi=fineibt,warn,paranoid,bhi
>   cfi=fineibt,paranoid,bhi
> 
> Also note that LKDTM's CFI_FORWARD_PROTO test will do a double splat for
> paranoid in warn/permissive mode, since both the caller and callee hash check
> will fail.
> 
> Also available at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/fineibt-bhi2

I've updated this tree with the latest version of the patches.

Notably, Kees, I've not taken your Reviewed-by tag for patches that saw
significant rework -- even when in response to your own feedback :)

(ud_type propagation is now gone)

I'll repost in a few days, to give people a chance to catch up.
Re: [PATCH v3 00/10] x86/ibt: FineIBT-BHI
Posted by Kees Cook 9 months, 4 weeks ago
On Wed, Feb 19, 2025 at 05:21:07PM +0100, Peter Zijlstra wrote:
> Also note that LKDTM's CFI_FORWARD_PROTO test will do a double splat for
> paranoid in warn/permissive mode, since both the caller and callee hash check
> will fail.

Hah! I will declare that as Working As Intended, though I guess it is a
bit noisy. But given permissive is mainly a debugging feature, I think
this is fine.

-- 
Kees Cook