On Tue, 2025-03-18 at 10:14 -0700, Josh Poimboeuf wrote: > On Tue, Mar 18, 2025 at 03:56:36PM +0000, David Woodhouse wrote: > > But on the whole, I'm not sure the CFI check is worth it. > > > > CFI checks that the caller and callee agree about the prototype of the > > function being called. There are two main benefits of this: > > > > • to protect against attacks where function pointers are substituted > > for gadgets. > > > > • to protect against genuine bugs, where the caller and the callee > > disagree about the function arguments. > > AFAIK the first one is the main point of CFI. In the general case yes. I just don't think it matters much for relocate_kernel(). > > For the relocate_kernel() case I don't think we care much about the > > first. Without a CFI prologue, no *other* code can be tricked into > > calling relocate_kernel() > > But for FineIBT the hash is checked on the callee side. So it loses > FineIBT protection. Right now the relocate_kernel() code doesn't even have an endbr, does it? So it isn't a useful gadget? > > — and besides, it's in the kernel's data > > section and isn't executable anyway until the kexec code copies it to a > > page that *is*. > > Does the code get copied immediately before getting called, or can it be > initialized earlier during boot when kdump does its initial setup? It's initialized earlier, in machine_kexec_prepare(), and then the page is set ROX.
<<attachment: smime.p7s>>
