On Mon, Feb 14, 2022 at 01:24:33PM +0100, Alexander Lobakin wrote:
> > One idea I mentioned before, it may be worth exploring changing the "F"
> > in FGKASLR to "File" instead of "Function". In other words, only
> > shuffle at an object-file granularity. Then, even with duplicates, the
> > <file+function> symbol pair doesn't change in the symbol table. And as
> > a bonus, it should help FGKASLR i-cache performance, significantly.
>
> Yeah, I keep that in mind. However, this wouldn't solve the
> duplicate static function names problem, right?
> Let's say you have a static function f() in file1 and f() in file2,
> then the layout each boot can be
>
>   .text.file1        or    .text.file2
>      f()                      f()
>   .text.file2              .text.file1
>      f()                      f()
>
> and position-based search won't work anyway, right?

Right, so we'd have to abandon position-based search in favor of file+func
based search. It's not perfect because there are still a few file+func
duplicates. But it might be good enough.

We would presumably just refuse to patch a duplicate. Or we could remove
them (and enforce their continued removal with tooling-based warnings).

Another variant of this which I described here

  https://lore.kernel.org/all/20210125172124.awabevkpvq4poqxf@treble/

would be to keep it function-granular, but have kallsyms keep track of
what file each func belongs to. Then livepatch could still do the
file+func based search.

-- 
Josh
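The lookup problem discussed in the thread, as an added stand-alone model that is not kernel code and not from either participant. It assumes a kallsyms-style table whose entries also record the owning object file (which mainline kallsyms does not; that is exactly the extension proposed above), and the two "boot" tables, file names and addresses are constructed. It contrasts position-based search, whose result for f() flips between the two layouts, with file+function search, which resolves file1's f() to the same function in both layouts and refuses to resolve a file+func duplicate; the final helper is the kind of build-time check that could back the "tooling-based warning" idea.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model only (not the kernel's kallsyms or livepatch).
 * Each entry stands for a symbol record that is assumed to also carry
 * the object file it came from. All tables below are constructed.
 */
struct sym {
	const char *file;
	const char *name;
	uintptr_t addr;
};

enum { LOOKUP_OK = 0, LOOKUP_NOT_FOUND = -1, LOOKUP_AMBIGUOUS = -2 };

/* Boot A: .text.file1 was placed before .text.file2. */
static const struct sym boot_a[] = {
	{ "file1.c", "f", 0x1000 },
	{ "file1.c", "h", 0x1100 },
	{ "file2.c", "f", 0x2000 },
	{ "file3.c", "g", 0x3000 },	/* constructed file+func duplicate */
	{ "file3.c", "g", 0x3100 },
};

/* Boot B: the sections were shuffled the other way round. */
static const struct sym boot_b[] = {
	{ "file2.c", "f", 0x1000 },
	{ "file3.c", "g", 0x2000 },
	{ "file3.c", "g", 0x2100 },
	{ "file1.c", "f", 0x3000 },
	{ "file1.c", "h", 0x3100 },
};

#define NSYMS(t) (sizeof(t) / sizeof((t)[0]))

/* Position-based search: the pos-th (1-based) symbol called `name` in
 * table order. Which function that is depends on the section layout. */
int lookup_by_pos(const struct sym *tab, size_t n, const char *name,
		  unsigned pos, uintptr_t *out)
{
	unsigned seen = 0;

	for (size_t i = 0; i < n; i++) {
		if (strcmp(tab[i].name, name))
			continue;
		if (++seen == pos) {
			*out = tab[i].addr;
			return LOOKUP_OK;
		}
	}
	return LOOKUP_NOT_FOUND;
}

/* File+function search: exactly one match is required; a second match
 * means a file+func duplicate, and the caller should refuse to patch. */
int lookup_by_file_func(const struct sym *tab, size_t n, const char *file,
			const char *name, uintptr_t *out)
{
	int found = 0;
	uintptr_t addr = 0;

	for (size_t i = 0; i < n; i++) {
		if (strcmp(tab[i].file, file) || strcmp(tab[i].name, name))
			continue;
		if (found++)
			return LOOKUP_AMBIGUOUS;
		addr = tab[i].addr;
	}
	if (!found)
		return LOOKUP_NOT_FOUND;
	*out = addr;
	return LOOKUP_OK;
}

/* Reverse map, used to check which function an address really is. */
const struct sym *sym_by_addr(const struct sym *tab, size_t n, uintptr_t addr)
{
	for (size_t i = 0; i < n; i++)
		if (tab[i].addr == addr)
			return &tab[i];
	return NULL;
}

/* Build-time style check: number of (file, name) pairs seen more than once. */
size_t count_file_func_dups(const struct sym *tab, size_t n)
{
	size_t dups = 0;

	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < i; j++)
			if (!strcmp(tab[i].file, tab[j].file) &&
			    !strcmp(tab[i].name, tab[j].name)) {
				dups++;
				break;
			}
	return dups;
}

int main(void)
{
	uintptr_t a = 0, b = 0;

	lookup_by_pos(boot_a, NSYMS(boot_a), "f", 1, &a);
	lookup_by_pos(boot_b, NSYMS(boot_b), "f", 1, &b);
	printf("sympos 1 of f: boot A -> %s, boot B -> %s\n",
	       sym_by_addr(boot_a, NSYMS(boot_a), a)->file,
	       sym_by_addr(boot_b, NSYMS(boot_b), b)->file);

	lookup_by_file_func(boot_a, NSYMS(boot_a), "file1.c", "f", &a);
	lookup_by_file_func(boot_b, NSYMS(boot_b), "file1.c", "f", &b);
	printf("file1.c:f -> %#lx (boot A), %#lx (boot B)\n",
	       (unsigned long)a, (unsigned long)b);
	printf("file3.c:g -> %d (duplicate, refused)\n",
	       lookup_by_file_func(boot_a, NSYMS(boot_a), "file3.c", "g", &a));
	printf("file+func duplicates in table: %zu\n",
	       count_file_func_dups(boot_a, NSYMS(boot_a)));
	return 0;
}
```

Under boot A, position 1 of "f" is file1's f(); under boot B it is file2's, which is the failure Alexander describes. The file+func lookup returns a different address per boot but the same function, and file3.c:g is reported as ambiguous rather than silently patched.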