On Wed, May 11, 2022 at 11:12 AM +08, Xu Kuohai wrote:
> On 5/10/2022 5:36 PM, Jakub Sitnicki wrote:
>> On Sun, Apr 24, 2022 at 11:40 AM -04, Xu Kuohai wrote:

[...]

>>> @@ -281,12 +290,15 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf)
>>>  *
>>>  */
>>>
>>> +	if (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL))
>>> +		emit(A64_BTI_C, ctx);
>>
>> I'm no arm64 expert, but this looks like a fix for BTI.
>>
>> Currently we never emit BTI because ARM64_BTI_KERNEL depends on
>> ARM64_PTR_AUTH_KERNEL, while BTI must be the first instruction for the
>> jump target [1]. Am I following correctly?
>>
>> [1] https://lwn.net/Articles/804982/
>>
>
> Not quite correct. When the jump target is a PACIASP instruction, no
> Branch Target Exception is generated, so there is no need to insert a
> BTI before PACIASP [2].
>
> In order to attach trampoline to bpf prog, a MOV and NOP are inserted
> before the PACIASP, so BTI instruction is required to avoid Branch
> Target Exception.
>
> The reason for inserting NOP before PACIASP instead of after PACIASP is
> that no call frame is built before entering trampoline, so there is no
> return address on the stack and nothing to be protected by PACIASP.
>
> [2]
> https://developer.arm.com/documentation/ddi0596/2021-12/Base-Instructions/BTI--Branch-Target-Identification-?lang=en

That makes sense. Thanks for the explanation!
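Review bot: the two added lines in the build_prologue() hunk are correct only if the BTI_C lands as the very first instruction of the prologue, ahead of the MOV and NOP the thread says are now placed before PACIASP; the hunk context does not show the surrounding emits, so please confirm that ordering in the full diff, and since the reasoning is subtle (BTI is unnecessary when PACIASP is itself the landing pad, but becomes mandatory once MOV/NOP precede it), it would help to carry that rationale into the comment block just above the `if (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL))` check rather than leaving it only in the mailing-list discussion.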