On Fri, Feb 28, 2025 at 05:53:07PM +0800, Menglong Dong wrote:

> I tested it a little by enabling CFI_CLANG and the extra 5-bytes
> padding. It works fine, as mostly CFI_CLANG use
> CONFIG_FUNCTION_PADDING_BYTES to find the tags. I'll
> do more testing on CFI_CLANG to make sure everything goes
> well.

I don't think you understand; please read:

  arch/x86/kernel/alternative.c:__apply_fineibt()

and all the code involved with patching FineIBT. I think you'll find it
very broken if you change anything here.

Can you post an actual function preamble from a kernel with
CONFIG_FINEIBT=y with your changes on?

Ex.

$ objdump -wdr build/kernel/futex/core.o

Disassembly of section .text:

0000000000000000 <__cfi_futex_hash>:
   0:   b9 93 0c f9 ad          mov    $0xadf90c93,%ecx

0000000000000005 <.Ltmp0>:
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   90                      nop
   9:   90                      nop
   a:   90                      nop
   b:   90                      nop
   c:   90                      nop
   d:   90                      nop
   e:   90                      nop
   f:   90                      nop

0000000000000010 <futex_hash>:
  10:   f3 0f 1e fa             endbr64
  14:   e8 00 00 00 00          call   19 <futex_hash+0x9>      15: R_X86_64_PLT32      __fentry__-0x4
  19:   8b 47 10                mov    0x10(%rdi),%eax

Any change to the layout here *WILL* break the FineIBT code.

If you want to test, make sure your build has FINEIBT=y and boot on an
Intel CPU that has CET-IBT (alderlake and later).
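
An added example, not part of the original message: a Python script that checks `objdump -wdr` text against the preamble layout shown in the listing above (a 5-byte `mov $hash,%ecx` at the `__cfi_` symbol, nop padding, then `endbr64` at the function symbol). The 16-byte preamble length is an assumption taken from that listing, the names `listing`, `parse` and `check_preambles` are hypothetical, and the sample text is constructed.

```python
import re

PREAMBLE_LEN = 16  # assumption: 5-byte mov + 11 nops, as in the quoted listing
ENDBR64 = bytes.fromhex("f30f1efa")

def listing(nops):
    """Constructed `objdump -wdr` text modelled on the message's listing."""
    fn = 5 + nops  # offset of the function symbol
    out = ["0000000000000000 <__cfi_futex_hash>:",
           "   0:\tb9 93 0c f9 ad       \tmov    $0xadf90c93,%ecx",
           "0000000000000005 <.Ltmp0>:"]
    out += [f"   {a:x}:\t90                   \tnop" for a in range(5, fn)]
    out += [f"{fn:016x} <futex_hash>:",
            f"  {fn:x}:\tf3 0f 1e fa          \tendbr64",
            f"  {fn + 4:x}:\te8 00 00 00 00       \tcall   {fn + 9:x} <futex_hash+0x9>"
            f"\t{fn + 5:x}: R_X86_64_PLT32\t__fentry__-0x4"]
    return "\n".join(out)

def parse(text):
    """Return ({symbol: address}, {address: byte}) for one disassembled section."""
    syms, mem = {}, {}
    for line in text.splitlines():
        cols = line.split("\t")
        sym = re.match(r"^([0-9a-f]+) <(.+)>:$", line)
        insn = re.match(r"^\s*([0-9a-f]+):$", cols[0])
        if sym:
            syms[sym.group(2)] = int(sym.group(1), 16)
        elif insn and len(cols) > 1:
            base = int(insn.group(1), 16)
            mem.update((base + k, b) for k, b in enumerate(bytes.fromhex(cols[1])))
    return syms, mem

def check_preambles(text):
    """Map each function that has a __cfi_ symbol to (hash, [layout problems])."""
    syms, mem = parse(text)
    report = {}
    for name, start in syms.items():
        func = name.removeprefix("__cfi_")
        if func == name or func not in syms:
            continue
        end = syms[func]
        pre = bytes(mem.get(a, 0) for a in range(start, end))
        body = bytes(mem.get(a, 0) for a in range(end, end + 4))
        checks = [(len(pre) == PREAMBLE_LEN, f"preamble is {len(pre)} bytes, not {PREAMBLE_LEN}"),
                  (pre[:1] == b"\xb9", "no mov $imm32,%ecx at the __cfi_ symbol"),
                  (not pre[5:].strip(b"\x90"), "non-nop bytes after the hash"),
                  (body == ENDBR64, "function does not start with endbr64")]
        report[func] = (int.from_bytes(pre[1:5], "little"), [m for ok, m in checks if not ok])
    return report
```

`check_preambles(listing(11))` reproduces the quoted layout and reports no problems; feeding it real `objdump -wdr` output from a build with a changed padding size shows at a glance whether the preamble still has the shape in the listing.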