[PATCH v4 00/15] x86: Add support for Clang CFI
From: Sami Tolvanen
Date: Thu Sep 30 2021 - 14:05:38 EST
This series adds support for Clang's Control-Flow Integrity (CFI)
checking to x86_64. With CFI, the compiler injects a runtime
check before each indirect function call to ensure the target is
a valid function with the correct static type. This restricts
possible call targets and makes it more difficult for an attacker
to exploit bugs that allow the modification of stored function
pointers. For more details, see:
https://clang.llvm.org/docs/ControlFlowIntegrity.html
Note that v4 is based on tip/master. The first two patches contain
objtool support for CFI, the remaining patches change function
declarations to use opaque types, fix type mismatch issues that
confuse the compiler, and disable CFI where it can't be used.
You can also pull this series from
https://github.com/samitolvanen/linux.git x86-cfi-v4
---
Changes in v4:
- Dropped the extable patch after the code was refactored in -tip.
- Switched to __section() instead of open-coding the attribute.
- Added an explicit ifdef for filtering out CC_FLAGS_CFI in
purgatory for readability.
- Added a comment to arch_cfi_jump_reloc_offset() in objtool.
Changes in v3:
- Dropped Clang requirement to >= 13 after the missing compiler
fix was backported there.
- Added DEFINE_CFI_IMMEDIATE_RETURN_STUB to address the issue
with tp_stub_func in kernel/tracepoint.c.
- Renamed asm_func_t to asm_func_ptr.
- Changed extable handlers to use __cficanonical instead of
disabling CFI for fixup_exception.
Changes in v2:
- Dropped the first objtool patch as the warnings were fixed in
separate patches.
- Changed fix_cfi_relocs() in objtool to not rely on jump table
symbols, and to return an error if it can't find a relocation.
- Fixed a build issue with ASM_STACK_FRAME_NON_STANDARD().
- Dropped workarounds for inline assembly references to
address-taken static functions with CFI as this was fixed in
the compiler.
- Changed the C declarations of non-callable functions to use
opaque types and dropped the function_nocfi() patches.
- Changed ARCH_SUPPORTS_CFI_CLANG to depend on Clang >=14 for
the compiler fixes.
Kees Cook (1):
x86, relocs: Ignore __typeid__ relocations
Sami Tolvanen (14):
objtool: Add CONFIG_CFI_CLANG support
objtool: Add ASM_STACK_FRAME_NON_STANDARD
linkage: Add DECLARE_ASM_FUNC_SYMBOL
cfi: Add DEFINE_CFI_IMMEDIATE_RETURN_STUB
tracepoint: Exclude tp_stub_func from CFI checking
ftrace: Use an opaque type for functions not callable from C
lkdtm: Disable UNSET_SMEP with CFI
lkdtm: Use an opaque type for lkdtm_rodata_do_nothing
x86: Use an opaque type for functions not callable from C
x86/purgatory: Disable CFI
x86, module: Ignore __typeid__ relocations
x86, cpu: Use LTO for cpu.c with CFI
x86, kprobes: Fix optprobe_template_func type mismatch
x86, build: Allow CONFIG_CFI_CLANG to be selected
arch/x86/Kconfig | 1 +
arch/x86/include/asm/ftrace.h | 2 +-
arch/x86/include/asm/idtentry.h | 10 +++---
arch/x86/include/asm/page_64.h | 7 ++--
arch/x86/include/asm/paravirt_types.h | 3 +-
arch/x86/include/asm/processor.h | 2 +-
arch/x86/include/asm/proto.h | 25 ++++++-------
arch/x86/include/asm/uaccess_64.h | 9 ++---
arch/x86/kernel/alternative.c | 2 +-
arch/x86/kernel/ftrace.c | 2 +-
arch/x86/kernel/kprobes/opt.c | 4 +--
arch/x86/kernel/module.c | 4 +++
arch/x86/kernel/paravirt.c | 4 +--
arch/x86/kvm/emulate.c | 4 +--
arch/x86/kvm/kvm_emulate.h | 9 ++---
arch/x86/power/Makefile | 2 ++
arch/x86/purgatory/Makefile | 4 +++
arch/x86/tools/relocs.c | 7 ++++
arch/x86/xen/enlighten_pv.c | 6 ++--
arch/x86/xen/xen-ops.h | 10 +++---
drivers/misc/lkdtm/bugs.c | 2 +-
drivers/misc/lkdtm/lkdtm.h | 2 +-
drivers/misc/lkdtm/perms.c | 2 +-
drivers/misc/lkdtm/rodata.c | 2 +-
include/asm-generic/vmlinux.lds.h | 11 ++++++
include/linux/cfi.h | 13 +++++++
include/linux/ftrace.h | 7 ++--
include/linux/linkage.h | 13 +++++++
include/linux/objtool.h | 6 ++++
kernel/cfi.c | 24 ++++++++++++-
kernel/tracepoint.c | 5 +--
tools/include/linux/objtool.h | 6 ++++
tools/objtool/arch/x86/decode.c | 17 +++++++++
tools/objtool/elf.c | 51 +++++++++++++++++++++++++++
tools/objtool/include/objtool/arch.h | 3 ++
tools/objtool/include/objtool/elf.h | 2 +-
36 files changed, 217 insertions(+), 66 deletions(-)
base-commit: d4bfebd9ef497ee0afb498f6028a5074a6ccf307
--
2.33.0.800.g4c38ced690-goog