Re: [PATCH 15/29] x86: Disable IBT around firmware
From: Kees Cook
Date: Mon Feb 21 2022 - 10:55:04 EST
On February 21, 2022 2:06:15 AM PST, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>
>Could you trim replies so that I can actually find what you write?
Sorry, yes; I was on my phone where the interface is awkward.
>On Mon, Feb 21, 2022 at 12:27:20AM -0800, Kees Cook wrote:
>> Please make these both __always_inline so there no risk of them ever gaining ENDBRs and being used by ROP to disable IBT...
>
>Either that or mark them __noendbr. The below seems to work.
>
>Do we have a preference?
Ah yeah, that works for me.
A small bike shed: should __noendbr have an alias, like __never_indirect or something, so there is an arch-agnostic way to do this that actually says what it does? (yes, it's in x86-only code now, hence the bike shed...)
-Kees
--
Kees Cook