On Fri, Apr 26, 2019 at 09:49:56AM +0200, Peter Zijlstra wrote:
> On Fri, Apr 26, 2019 at 12:45:49AM +0300, Mike Rapoport wrote:
> > The initial SCI implementation allows access to any kernel data, but it
> > limits access to the code in the following way:
> > * calls and jumps to known code symbols without offset are allowed
> > * calls and jumps into a known symbol with offset are allowed only if that
> >   symbol was already accessed and the offset is in the next page
> > * all other code accesses are blocked
>
> So if you have a large function and an in-function jump skips a page
> you're toast.

Right :(

> Why not employ the instruction decoder we have and unconditionally allow
> all direct JMP/CALL but verify indirect JMP/CALL and RET?

Apparently I didn't dig deep enough to find the instruction decoder :)
Surely I can use it.

> Anyway, I'm fearing the overhead of this one, this cannot be fast.

Well, I think that the verification itself is not what will slow things
down the most. IMHO, the major overhead is coming from the cr3 switch.

-- 
Sincerely yours,
Mike.
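The two policies discussed in this exchange, modelled as an added example. This is not code from the SCI patch set or from the instruction decoder; it is a user-space toy that replays the quoted rules against a constructed symbol table. The phrase "the offset is in the next page" is taken here to mean the page after the last page of that symbol that was already allowed (my reading, stated in the comments); what Peter's variant should verify for indirect JMP/CALL and RET is not spelled out in the thread, so the checks in `sci_allow_v2` are assumptions, and the transfer kind that a real implementation would obtain from the decoder is passed in by the caller. The symbols, addresses and page size are made up.

```c
/*
 * Toy model of the code-access policies discussed in the thread. Added
 * example, not code from the SCI patch set. Symbol table and addresses
 * are constructed; the page-window reading of the rule is an assumption.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define NO_PAGE ((uintptr_t)-1)

struct ksym {
	const char *name;
	uintptr_t start;
	size_t size;
	uintptr_t last_page;	/* page of the last allowed access, NO_PAGE if none yet */
};

/* constructed symbol table: one large function spanning four pages, one small one */
static struct ksym syms[] = {
	{ "big_func",   0xffffffff81000000UL, 4 * PAGE_SIZE, NO_PAGE },
	{ "small_func", 0xffffffff81004000UL, 0x200,         NO_PAGE },
};
#define NSYMS (sizeof(syms) / sizeof(syms[0]))

static void sci_reset(void)
{
	for (size_t i = 0; i < NSYMS; i++)
		syms[i].last_page = NO_PAGE;
}

static struct ksym *ksym_lookup(uintptr_t addr)
{
	for (size_t i = 0; i < NSYMS; i++)
		if (addr >= syms[i].start && addr < syms[i].start + syms[i].size)
			return &syms[i];
	return NULL;
}

/* Policy 1: the three rules quoted from the initial SCI description. */
static bool sci_allow_v1(uintptr_t target)
{
	struct ksym *s = ksym_lookup(target);
	uintptr_t page = target >> PAGE_SHIFT;

	if (!s)
		return false;			/* not inside any known symbol: blocked */
	if (target == s->start) {		/* symbol entry without offset: allowed */
		s->last_page = page;
		return true;
	}
	if (s->last_page == NO_PAGE)		/* offset into a symbol never accessed */
		return false;
	if (page == s->last_page || page == s->last_page + 1) {	/* same or next page */
		s->last_page = page;
		return true;
	}
	return false;				/* jump skipped at least one page: blocked */
}

/*
 * Policy 2: Peter's suggestion. The transfer kind would come from the
 * instruction decoder; here the caller supplies it. The checks applied to
 * indirect transfers and RET are an assumption, not from the thread.
 */
enum xfer { XFER_DIRECT, XFER_INDIRECT, XFER_RET };

static bool sci_allow_v2(enum xfer kind, uintptr_t target)
{
	struct ksym *s = ksym_lookup(target);

	switch (kind) {
	case XFER_DIRECT:
		return true;			/* direct JMP/CALL: allowed unconditionally */
	case XFER_INDIRECT:
		return s && target == s->start;	/* indirect JMP/CALL: symbol entry only (assumed) */
	case XFER_RET:
		return s != NULL;		/* RET: anywhere inside a known symbol (assumed) */
	}
	return false;
}

int main(void)
{
	uintptr_t entry = syms[0].start;
	uintptr_t far = entry + 2 * PAGE_SIZE + 0x40;	/* in-function jump that skips a page */

	sci_reset();
	printf("v1 entry:     %s\n", sci_allow_v1(entry) ? "allowed" : "blocked");
	printf("v1 skip page: %s\n", sci_allow_v1(far) ? "allowed" : "blocked");
	printf("v2 skip page: %s\n", sci_allow_v2(XFER_DIRECT, far) ? "allowed" : "blocked");
	return 0;
}
```

Running it shows the case Peter describes: after `big_func` is entered, a direct jump two pages further into the same function is blocked by the page-window rule, while the decoder-based policy lets any direct transfer through and spends its checks on indirect transfers and returns only.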