On 18 March 2025 22:41:43 GMT, Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote: >On Tue, Mar 18, 2025 at 09:06:58PM +0000, David Woodhouse wrote: >> On Tue, 2025-03-18 at 10:14 -0700, Josh Poimboeuf wrote: >> > On Tue, Mar 18, 2025 at 03:56:36PM +0000, David Woodhouse wrote: >> > > For the relocate_kernel() case I don't think we care much about the >> > > first. Without a CFI prologue, no *other* code can be tricked into >> > > calling relocate_kernel() >> > >> > But for FineIBT the hash is checked on the callee side. So it loses >> > FineIBT protection. >> >> Right now the relocate_kernel() code doesn't even have an endbr, does >> it? So it isn't a useful gadget? > >In that case wouldn't IBT explode when you indirect call it? Or is IBT >getting disabled beforehand? Not sure of the details. The machine_kexec() function which is the *caller* is currently marked with the __nocfi tag which stops any software checks. I guess any hardware feature which requires an endbr to be the target of an indirect branch has to already disabled on the way down? What specifically am I looking for, to check that? Or the hardware support has just never worked with kexec, perhaps? >> > > — and besides, it's in the kernel's data >> > > section and isn't executable anyway until the kexec code copies it to a >> > > page that *is*. >> > >> > Does the code get copied immediately before getting called, or can it be >> > initialized earlier during boot when kdump does its initial setup? >> >> It's initialized earlier, in machine_kexec_prepare(), and then the page >> is set ROX. > >If that happens during boot (like for kdump init) then it'll be in text >the whole time after boot, right? In an executable page, yes.
