On 05.03.2025 15:48, Roger Pau Monné wrote:
> On Tue, Feb 25, 2025 at 12:37:00PM +0100, Jan Beulich wrote:
>> __init{const,data}_cf_clobber can have an effect only for pointers
>> actually populated in the respective tables. While not the case for SVM
>> right now, VMX installs a number of pointers only under certain
>> conditions. Hence the respective functions would have their ENDBR purged
>> only when those conditions are met. Invoke "pruning" functions after
>> having copied the respective tables, for them to install any "missing"
>> pointers.
>>
>> Signed-off-by: Jan Beulich <jbeul...@suse.com>
> 
> Acked-by: Roger Pau Monné <roger....@citrix.com>

Thanks.

> However I find this filling slightly ugly, and prone to be forgotten
> when further hooks are added.

Indeed. Luckily, while undesirable, that wouldn't be an outright bug.

> Would it make sense to delay enabling of IBT until after alternatives
> have been applied, and thus simply not use the cf_clobber attribute on
> functions that are patched to not be indirectly called?
> 
> We could still enable IBT before starting the APs.

I'd prefer if Andrew answered this. It looks like it might be an option,
but it also feels as if this would (if only a little) complicate logic
overall.

Jan
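
A simplified C model of the mechanism discussed in this thread, added here as an illustration; it is not code from the patch or from Xen. The table names, function names and the `endbr` flag (standing in for a function's ENDBR64 landing pad) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model: a function plus a flag standing in for its ENDBR64 landing pad. */
struct fn { const char *name; bool endbr; };
static struct fn f_run = { "run", true }, f_stop = { "stop", true },
                 f_opt = { "optional", true };

#define NHOOKS 3
struct hooks { struct fn *slot[NHOOKS]; };
static struct hooks init_table;  /* models the cf_clobber-annotated init table */
static struct hooks live_table;  /* models the copy that callers actually use */

/* Conditional setup: the third hook is installed only if the feature exists. */
static void setup(bool feature)
{
    f_run.endbr = f_stop.endbr = f_opt.endbr = true;
    init_table = (struct hooks){ { &f_run, &f_stop, feature ? &f_opt : NULL } };
    live_table = init_table;     /* copy first ... */
}

/* ... then fill the slot left empty, in the init table only. */
static void prune(void)
{
    if (!init_table.slot[2])
        init_table.slot[2] = &f_opt;
}

/* Clobber pass: only functions whose pointers are present lose their ENDBR. */
static void clobber(void)
{
    for (int i = 0; i < NHOOKS; i++)
        if (init_table.slot[i])
            init_table.slot[i]->endbr = false;
}

/* Returns how many functions still carry an ENDBR after the clobber pass. */
static int remaining_endbr(bool feature, bool do_prune)
{
    setup(feature);
    if (do_prune)
        prune();
    clobber();
    return f_run.endbr + f_stop.endbr + f_opt.endbr;
}

int main(void)
{
    printf("feature absent: %d left without pruning, %d with pruning\n",
           remaining_endbr(false, false), remaining_endbr(false, true));
    return 0;
}
```

In this model the live table keeps its empty slot after pruning, so the optional hook is still never called; only the set of functions that lose their landing pad changes.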
