On Tue, Feb 25, 2025 at 12:37:00PM +0100, Jan Beulich wrote:
> __init{const,data}_cf_clobber can have an effect only for pointers
> actually populated in the respective tables. While not the case for SVM
> right now, VMX installs a number of pointers only under certain
> conditions. Hence the respective functions would have their ENDBR purged
> only when those conditions are met. Invoke "pruning" functions after
> having copied the respective tables, for them to install any "missing"
> pointers.
>
> Signed-off-by: Jan Beulich <jbeul...@suse.com>
Acked-by: Roger Pau Monné <roger....@citrix.com>
However I find this filling slightly ugly, and prone to be forgotten
when further hooks are added.
Would it make sense to delay enabling of IBT until after alternatives
have been applied, and thus simply not use the cf_clobber attribute on
functions that are patched to not be indirectly called?
We could still enable IBT before starting the APs.
Thanks, Roger.
