Commit 865dad20 authored by Linus Torvalds's avatar Linus Torvalds
Pull kcfi updates from Kees Cook:
 "This replaces the prior support for Clang's standard Control Flow
  Integrity (CFI) instrumentation, which has required a lot of special
  conditions (e.g. LTO) and work-arounds.

  The new implementation ("Kernel CFI") is specific to C, directly
  designed for the Linux kernel, and takes advantage of architectural
  features like x86's IBT. This series retains arm64 support and adds
  x86 support.

  GCC support is expected in the future[1], and additional "generic"
  architectural support is expected soon[2].

  Summary:

   - treewide: Remove old CFI support details

   - arm64: Replace Clang CFI support with Clang KCFI support

   - x86: Introduce Clang KCFI support"

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048 [1]
Link: https://github.com/samitolvanen/llvm-project/commits/kcfi_generic [2]

* tag 'kcfi-v6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (22 commits)
  x86: Add support for CONFIG_CFI_CLANG
  x86/purgatory: Disable CFI
  x86: Add types to indirectly called assembly functions
  x86/tools/relocs: Ignore __kcfi_typeid_ relocations
  kallsyms: Drop CONFIG_CFI_CLANG workarounds
  objtool: Disable CFI warnings
  objtool: Preserve special st_shndx indexes in elf_update_symbol
  treewide: Drop __cficanonical
  treewide: Drop WARN_ON_FUNCTION_MISMATCH
  treewide: Drop function_nocfi
  init: Drop __nocfi from __init
  arm64: Drop unneeded __nocfi attributes
  arm64: Add CFI error handling
  arm64: Add types to indirect called assembly functions
  psci: Fix the function type for psci_initcall_t
  lkdtm: Emit an indirect call for CFI tests
  cfi: Add type helper macros
  cfi: Switch to -fsanitize=kcfi
  cfi: Drop __CFI_ADDRESSABLE
  cfi: Remove CONFIG_CFI_CLANG_SHADOW
  ...
parents 12ed00ba 3c516f89
+1 −12
@@ -1001,18 +1001,7 @@ export CC_FLAGS_LTO
endif

ifdef CONFIG_CFI_CLANG
CC_FLAGS_CFI	:= -fsanitize=cfi \
		   -fsanitize-cfi-cross-dso \
		   -fno-sanitize-cfi-canonical-jump-tables \
		   -fno-sanitize-trap=cfi \
		   -fno-sanitize-blacklist

ifdef CONFIG_CFI_PERMISSIVE
CC_FLAGS_CFI	+= -fsanitize-recover=cfi
endif

# If LTO flags are filtered out, we must also filter out CFI.
CC_FLAGS_LTO	+= $(CC_FLAGS_CFI)
CC_FLAGS_CFI	:= -fsanitize=kcfi
KBUILD_CFLAGS	+= $(CC_FLAGS_CFI)
export CC_FLAGS_CFI
endif
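Review bot: The new `CC_FLAGS_CFI := -fsanitize=kcfi` block drops the CONFIG_CFI_PERMISSIVE branch without saying where permissive mode is now handled, although the Kconfig symbol survives in the second file of this commit. The old comment about filtering CFI together with LTO is gone too, so a short note above the assignment would save the next reader a search, e.g. `# KCFI does not depend on LTO; Makefiles that must build uninstrumented code (e.g. purgatory) filter CC_FLAGS_CFI out themselves. CFI_PERMISSIVE is handled at runtime by the trap handler, not by a compiler flag.` — the runtime-handling part is inferred from the series and should be confirmed. The `ifdef CONFIG_CFI_CLANG` block lies fully inside the hunk, but the enclosing LTO section starts above it.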
+5 −13
@@ -744,11 +744,13 @@ config ARCH_SUPPORTS_CFI_CLANG
	  An architecture should select this option if it can support Clang's
	  Control-Flow Integrity (CFI) checking.

config ARCH_USES_CFI_TRAPS
	bool

config CFI_CLANG
	bool "Use Clang's Control Flow Integrity (CFI)"
	depends on LTO_CLANG && ARCH_SUPPORTS_CFI_CLANG
	depends on CLANG_VERSION >= 140000
	select KALLSYMS
	depends on ARCH_SUPPORTS_CFI_CLANG
	depends on $(cc-option,-fsanitize=kcfi)
	help
	  This option enables Clang’s forward-edge Control Flow Integrity
	  (CFI) checking, where the compiler injects a runtime check to each
@@ -760,16 +762,6 @@ config CFI_CLANG

	    https://clang.llvm.org/docs/ControlFlowIntegrity.html

config CFI_CLANG_SHADOW
	bool "Use CFI shadow to speed up cross-module checks"
	default y
	depends on CFI_CLANG && MODULES
	help
	  If you select this option, the kernel builds a fast look-up table of
	  CFI check functions in loaded modules to reduce performance overhead.

	  If unsure, say Y.

config CFI_PERMISSIVE
	bool "Use CFI in permissive mode"
	depends on CFI_CLANG
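Review bot: The new `config ARCH_USES_CFI_TRAPS` symbol in the first hunk has no help text or comment, so an architecture maintainer cannot tell from this file what selecting it commits them to. The neighbouring ARCH_SUPPORTS_CFI_CLANG carries a two-line explanation; a matching one here, e.g. `help` followed by `An architecture should select this option if CFI failures are reported as traps that its trap handler decodes, rather than by a call into a check function.`, would keep the two consistent — the trap-handler wording is inferred from the series ("arm64: Add CFI error handling") and should be confirmed. Dropping `depends on LTO_CLANG` and the CLANG_VERSION check in favour of `$(cc-option,-fsanitize=kcfi)` also makes the option available to any compiler that accepts the flag, which looks intended but deserves a sentence in the CFI_CLANG help text.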
+3 −2
@@ -6,6 +6,7 @@
 */

#include <linux/linkage.h>
#include <linux/cfi_types.h>
#include <asm/assembler.h>

	SHASH		.req	v0
@@ -350,11 +351,11 @@ CPU_LE( rev64 T1.16b, T1.16b )
	 * void pmull_ghash_update(int blocks, u64 dg[], const char *src,
	 *			   struct ghash_key const *k, const char *head)
	 */
SYM_FUNC_START(pmull_ghash_update_p64)
SYM_TYPED_FUNC_START(pmull_ghash_update_p64)
	__pmull_ghash	p64
SYM_FUNC_END(pmull_ghash_update_p64)

SYM_FUNC_START(pmull_ghash_update_p8)
SYM_TYPED_FUNC_START(pmull_ghash_update_p8)
	__pmull_ghash	p8
SYM_FUNC_END(pmull_ghash_update_p8)

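Review bot: Switching `pmull_ghash_update_p64` and `pmull_ghash_update_p8` to `SYM_TYPED_FUNC_START` makes their KCFI type tag part of the ABI, but nothing at the labels says which C prototype the tag must agree with; the comment above (`void pmull_ghash_update(int blocks, u64 dg[], ...)`) names a generic function, not the two symbols. A one-line note at each `SYM_TYPED_FUNC_START`, e.g. `/* Indirectly called; KCFI type must match the pmull_ghash_update prototype above. */`, would make a future signature change fail review instead of trapping at runtime. The same applies to `sm3_ce_transform` in the next file, whose prototype comment begins above its hunk. Presumably the type id is resolved against the C declaration the caller sees; if so, the comment should say so explicitly.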
+2 −1
@@ -6,6 +6,7 @@
 */

#include <linux/linkage.h>
#include <linux/cfi_types.h>
#include <asm/assembler.h>

	.irp		b, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
@@ -73,7 +74,7 @@
	 *                       int blocks)
	 */
	.text
SYM_FUNC_START(sm3_ce_transform)
SYM_TYPED_FUNC_START(sm3_ce_transform)
	/* load state */
	ld1		{v8.4s-v9.4s}, [x0]
	rev64		v8.4s, v8.4s
+6 −0
@@ -17,6 +17,7 @@
 * 0x401: for compile time BRK instruction
 * 0x800: kernel-mode BUG() and WARN() traps
 * 0x9xx: tag-based KASAN trap (allowed values 0x900 - 0x9ff)
 * 0x8xxx: Control-Flow Integrity traps
 */
#define KPROBES_BRK_IMM			0x004
#define UPROBES_BRK_IMM			0x005
@@ -28,4 +29,9 @@
#define KASAN_BRK_IMM			0x900
#define KASAN_BRK_MASK			0x0ff

#define CFI_BRK_IMM_TARGET		GENMASK(4, 0)
#define CFI_BRK_IMM_TYPE		GENMASK(9, 5)
#define CFI_BRK_IMM_BASE		0x8000
#define CFI_BRK_IMM_MASK		(CFI_BRK_IMM_TARGET | CFI_BRK_IMM_TYPE)

#endif
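Review bot: The comment added in the first hunk (`0x8xxx: Control-Flow Integrity traps`) is looser than its neighbours: with `CFI_BRK_IMM_BASE` 0x8000 and `CFI_BRK_IMM_MASK` covering bits [9:0], the reachable immediates are 0x8000–0x83ff, so the KASAN-style form ` * 0x8xxx: Control-Flow Integrity traps (allowed values 0x8000 - 0x83ff)` would be precise. The two GENMASK fields also deserve a comment saying what they carry — presumably the index of the register holding the target address in [4:0] and of the one holding the expected type in [9:5], which should be confirmed against the arm64 trap handler added in this series.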