On 05.03.2025 18:26, Roger Pau Monné wrote:
> On Wed, Mar 05, 2025 at 05:23:05PM +0100, Jan Beulich wrote:
>> On 05.03.2025 16:39, Roger Pau Monné wrote:
>>> On Wed, Mar 05, 2025 at 04:02:51PM +0100, Jan Beulich wrote:
>>>> On 05.03.2025 15:48, Roger Pau Monné wrote:
>>>>> On Tue, Feb 25, 2025 at 12:37:00PM +0100, Jan Beulich wrote:
>>>>>> __init{const,data}_cf_clobber can have an effect only for pointers
>>>>>> actually populated in the respective tables. While not the case for SVM
>>>>>> right now, VMX installs a number of pointers only under certain
>>>>>> conditions. Hence the respective functions would have their ENDBR purged
>>>>>> only when those conditions are met. Invoke "pruning" functions after
>>>>>> having copied the respective tables, for them to install any "missing"
>>>>>> pointers.
>>>>>>
>>>>>> Signed-off-by: Jan Beulich <jbeul...@suse.com>
>>>>>
>>>>> Acked-by: Roger Pau Monné <roger....@citrix.com>
>>>>
>>>> Thanks.
>>>>
>>>>> However I find this filling slightly ugly, and prone to be forgotten
>>>>> when further hooks are added.
>>>>
>>>> Indeed. Luckily, while undesirable, that wouldn't be an outright bug.
>>>>
>>>>> Would it make sense to delay enabling of IBT until after alternatives
>>>>> have been applied, and thus simply not use the cf_clobber attribute on
>>>>> functions that are patched to not be indirectly called?
>>
>> Hmm, wait - how would that work? cf_clobber is used on function pointer
>> tables; any function indirectly callable prior to patching still needs
>> marking with cf_check, for build-time analysis to not throw errors (with
>> the specially patched gcc that Andrew prepared with a patch of H.J.'s).
>
> Yeah, we would need something there?
>
> Maybe disable such detection around alternative_{,v}call() usages if
> possible?
>
> I assume the build-time detection is done based on call sites?
I think the build-time detection is based on places where addresses of
functions are taken. Call sites are close to impossible to re-associate
with the possible set of functions being called. If at all, that would
require the compiler to have a view of the entire image. Whereas the
warnings are issued as individual objects are being built.
Jan
> We
> would need to figure out whether the detection can be disabled for
> chunks of code.
>
> Thanks, Roger.
