Re: Linux 6.6-rc3 (DEBUG_VIRTUAL is unhappy on x86)
From: Sumit Garg
Date: Thu Oct 05 2023 - 09:58:33 EST
On Thu, 5 Oct 2023 at 06:16, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, 3 Oct 2023 at 05:06, Sumit Garg <sumit.garg@xxxxxxxxxx> wrote:
> >
> > However, on the flip side I think there are security benefits here. We
> > wouldn't like any indirect branch speculation attack to leak the trusted
> > key material contents here.
>
> No. Turning *one* indirect call static isn't a security benefit. That
> argument is just bogus.
Okay I guess there is some confusion here. I was referring to
following calls in my prior reply:
static_call(trusted_key_get_random)
static_call(trusted_key_seal)
static_call(trusted_key_unseal)
but it looks like you are only concerned about:
static_call(trusted_key_init)
static_call_cond(trusted_key_exit)
So I agree with you as I can't envision an attack which can be carried
out by trusted_key_init() and trusted_key_exit() indirect calls.
@Jarkko, if you agree then I can convert these two callbacks to use
indirect calls instead.
>
> This code needs to be fixed. No static call rewriting for call-sites
> that are just used once.
@Peter, can we have a policy enforced for module __init and __exit
functions somehow at compile time? If not then can we have it
documented somewhere to mention static call invocations aren't
supported from these functions?
-Sumit
>
> Linus