Re: [PATCH] x86/alternatives: Make FineIBT mode Kconfig selectable

From: Kees Cook
Date: Mon Jul 29 2024 - 20:41:43 EST

Next message: Song Liu: "[PATCH 0/3] Fix kallsyms with CONFIG_LTO_CLANG"
Previous message: kernel test robot: "[tip:irq/core 23/30] drivers/irqchip/irq-armada-370-xp.c:263:44: error: 'd' undeclared"
In reply to: jvoisin: "Re: [PATCH] x86/alternatives: Make FineIBT mode Kconfig selectable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 29, 2024 at 02:35:02PM +0200, jvoisin wrote:
> > Since FineIBT performs checking at the destination, it is weaker against
> > attacks that can construct arbitrary executable memory contents. As such,
> > some system builders want to run with FineIBT disabled by default. Allow
> > the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
> > newly introduced CONFIG_CFI_AUTO_DEFAULT.
>
> I'm confused as why you think that KCFI is stronger/better than FineIBT.

Sure, can I try to explain this more.

> The latter is compatible with execute-only memory,

Yes, and since Linux doesn't have kernel execute-only memory (and likely
won't for some time), it doesn't make sense to use FineIBT over KCFI for
that reason.

> makes use of hardware support,

Hm? KCFI does too. IBT is still enabled with KCFI (when the hardware
supports it).

> doesn't need LTO,

KCFI doesn't need LTO either.

> is faster,

What? Measured how? I feel like you're thinking about the old Clang CFI,
not the modern KCFI implementation.

> … moreover, I don't see why an
> attacker able to "construct arbitrary executable memory contents"
> wouldn't be able to bypass KCFI as well,

To bypass KCFI, the attacker additionally needs a targeted memory
exposure to get the correct function hash that they must include before
the malicious function they construct. With FineIBT, no such exposure is
needed.

> since its threat model
> (https://github.com/kcfi/docs/blob/master/kCFI_whitepaper.pdf)
> explicitly says "We assume an OS that fully implements the W^X policy
> [56,58,106] preventing direct code injection in kernel space."

I mean, a whitepaper's threat model is nice and all, but this just isn't
the reality. Linux certainly tries to maintain W^X, but there are bugs
and things like BPF, which can be manipulated to gain attacker-controlled
executable code injected into the kernel address space. (e.g. BPF will
flip a writable region from RW to RX, so W^X is maintained spatially but
not temporally.)

So without execute-only memory, some deployments prefer to not weaken
the CFI implementation to allow for hash checking bypasses. Once X-O
exists, FineIBT is a slam-dunk over KCFI. :)

-Kees

--
Kees Cook

Next message: Song Liu: "[PATCH 0/3] Fix kallsyms with CONFIG_LTO_CLANG"
Previous message: kernel test robot: "[tip:irq/core 23/30] drivers/irqchip/irq-armada-370-xp.c:263:44: error: 'd' undeclared"
In reply to: jvoisin: "Re: [PATCH] x86/alternatives: Make FineIBT mode Kconfig selectable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]