On Wed, Apr 24, 2013 at 04:04:53PM -0700, Andi Kleen wrote:
> Possible options:
>
> I) Disable FAR calls for ANY_CALL/RETURNS.
> This just means syscalls are not logged
> as calls. This also lowers the overhead of call logging.
> This changes semantics slightly.
> This is reasonable on Sandy Bridge and later, but would
> cause additional problems on Nehalem and Westmere with
> their additional filters.
>
> II) Simply disable any filtering for kernel space.
> This means interrupts in kernel space are reported as calls
> and on Nehalem/Westmere some indirect jumps are reported
> as calls too.
>
> III) Enumerate all the kernel entry points and check.
> Any bad call must have a kernel entry point as to.
> This seemed too fragile to maintain.
>
> IV) Enumerate all kernel code and check for these ranges.
> Quite complicated, especially with the new kernel code JITs.
> Would also allow to probe for kernel code (defeating randomized kernel).

So why not do the same as we do for userspace? Copy MAX_INSN_SIZE bytes and
trap -EFAULT. With Steven's recent NMI nesting stuff we should be able to take
the fault and do the fixup_exception() thing.

Or alternatively we could software walk the kernel pagetables.