On Mon, Feb 13, 2023 at 2:17 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Mon, Feb 13, 2023 at 12:49 PM Nick Desaulniers
> <ndesaulniers@xxxxxxxxxx> wrote:
> >
> > I haven't looked at the series in question, but note that this compile
> > time warning is meant to help us catch Control Flow Integrity runtime
> > violations, which may result in a panic.

Here's the tracking issue for the other warnings of this type in the kernel; nearly all the warnings are in one driver:

https://github.com/ClangBuiltLinux/linux/issues/1724

> It's a transition from kernel to bpf prog.
> If CFI trips on it it will trip on all transitions.
> All calls from kernel into bpf are more or less the same.
> Not sure what it means for other archs, but on x86 JIT emits 'endbr'
> insn to make IBT/CFI happy.

While IBT allows indirect calls to any function that starts with endbr, CFI is more fine-grained and requires the function pointer type to match the function type, which further limits possible call targets. To actually enforce this, the compiler emits a type hash prefix for each function, and a check before each indirect call to ensure the call target has the expected prefix. The commit message here has an example of the code the compiler generates:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c516f89e17e56b4738f05588e51267e295b5e63

As calling a JIT compiled function would obviously trip CFI, indirect call checking is currently disabled in BPF dispatcher functions (using the __nocfi attribute). However, BPF trampolines still have the same problem, I believe.

I wouldn't mind coming up with a solution for CFI+BPF JIT compatibility, but I haven't had much time to look into this. Basically, in places where we currently emit an endbr instruction, we should also emit a type hash prefix.

Generating type prefixes for functions called through a dispatcher shouldn't be that hard because the function type is always the same, but figuring out the correct type for indirect calls that don't go through a dispatcher might not be entirely trivial, although I'm sure the BPF verifier/compiler must have this information. FineIBT also complicates matters a bit here as the actual prefix format differs from the basic KCFI prefix.

I'm not sure if Peter or Joao have had time to look at this, but I would be happy to hear any suggestions you might have.

Sami
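Added example, not code from this thread or from the kernel: a user-space C model of the KCFI scheme described in the message above. Real KCFI stores the type hash in the bytes before the function entry and the compiler emits the compare inline; here the prefix lives in a struct and the check is a function, the FNV-1a hash and all names are assumptions, and the model shows why a JIT'd program with no prefix fails the check and how emitting the prefix where the JIT emits endbr would satisfy it.

```c
#include <stdint.h>
#include <stdio.h>
typedef int (*handler_t)(int);

/* Stand-in for the compiler's hash of the mangled function type (FNV-1a here,
 * an assumption; Clang's real KCFI hash is derived differently). */
static uint32_t kcfi_type_hash(const char *type) {
    uint32_t h = 2166136261u;
    for (; *type; type++) { h ^= (unsigned char)*type; h *= 16777619u; }
    return h;
}
/* Models a function entry: the prefix word placed before the code
 * (0 = none, as for JIT-generated code today) and the code itself. */
struct kcfi_entry { uint32_t prefix; handler_t code; };

static int double_it(int x) { return 2 * x; }
static int jit_prog(int x) { return x + 100; } /* stands in for a JIT'd BPF program */

static struct kcfi_entry compiler_emit(handler_t fn, const char *type) {
    struct kcfi_entry e = { kcfi_type_hash(type), fn }; /* compiler adds prefix */
    return e;
}
static struct kcfi_entry jit_emit(handler_t fn) {
    struct kcfi_entry e = { 0, fn }; /* JIT today: endbr only, no type prefix */
    return e;
}
/* The proposed fix: emit the type prefix where the JIT emits endbr. */
static void jit_emit_type_prefix(struct kcfi_entry *e, const char *type) {
    e->prefix = kcfi_type_hash(type);
}
/* The check the compiler inserts before an indirect call through a handler_t:
 * compare the target's prefix with the hash of the pointer's own type.
 * Returns 0 and leaves *out untouched on a mismatch (the kernel would trap). */
static int kcfi_indirect_call(const struct kcfi_entry *t, int arg, int *out) {
    if (t->prefix != kcfi_type_hash("int(int)"))
        return 0;
    *out = t->code(arg);
    return 1;
}

int main(void) {
    struct kcfi_entry fn = compiler_emit(double_it, "int(int)");
    struct kcfi_entry bpf = jit_emit(jit_prog);
    int out = 0;
    printf("compiled fn: %s\n", kcfi_indirect_call(&fn, 21, &out) ? "ok" : "CFI failure");
    printf("JIT'd prog : %s\n", kcfi_indirect_call(&bpf, 1, &out) ? "ok" : "CFI failure");
    jit_emit_type_prefix(&bpf, "int(int)");
    printf("with prefix: %s\n", kcfi_indirect_call(&bpf, 1, &out) ? "ok" : "CFI failure");
    return 0;
}
```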