public inbox for
 help / color / mirror / Atom feed
From: "Madhavan T. Venkataraman" <>
To: DJ Delorie <>
Subject: Re: [RFC PATCH v3 2/5] x86: Support for Static Trampolines
Date: Thu, 28 Jan 2021 20:38:49 -0600	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On 1/28/21 8:09 PM, DJ Delorie wrote:
> "Madhavan T. Venkataraman" <> writes:
>> So, the definition is like this:
>> #if !defined(GENERATE_LIBFFI_MAP) && defined(__ASSEMBLER__) \
>>     && defined(__CET__)
>> # include <cet.h>
>> # define _CET_NOTRACK notrack
>> #else
>> # define _CET_ENDBR
>> # define _CET_NOTRACK
>> #endif
>> Where we include cet.h, CET_ENDBR may still be defined either
>> as endbr64 or empty depending on __CET__ & 1 being non-zero or
>> zero, right?
>> So, would something like this work?
> I suspect you only need one trampoline template, with __CET_ENDBR in it.  Use
> .align instead of hardcoding the right number of NOPs, and other logic
> to figure out the repeat counts.  It's safe to execute endbr64 when CET
> is not enabled.

Yes. But the problem I ran into is that if libffi is compiled with old
compilers that have not yet been updated for Intel CET, the builds fail
because the assembler cannot recognize endbr64 and endbr32.

This happened in CI testing. In the previous version, I had the endbr64 in the code
like you suggested.

As for the repeat count, here is the reason.

I need to pack as many trampolines as possible in a page to conserve memory.
I can do this in one of three ways:

1. Map an anon page and copy the template multiple times into the page creating
   a code table.

   This is only possible if the security settings allow anon memory to be
   mapped with exec permissions.

2. Create a file and write the template multiple times into the file and map
   the file with executable permissions.

   Again, security settings must allow it. They do today. But allowing temp files
   to be mapped with exec permissions presents a security problem. That will
   be addressed in Linux. Microsoft has submitted a Linux Security Module
   implementation which will only allow a file to be mapped with exec
   permissions if the file is a signed file and the sign can be verified.
   Temp files will not have that.

   In our case, we are only writing a read-only buffer in the text segment into
   the temp file. So, it does not really pose a security problem in the sense
   that a hacker cannot modify anything. But the kernel does not know that.
   It may blindly prevent the mapping of a temp file with exec permissions
   because of its inability to validate the contents.

   Because of this reason, I use the temp file approach as a fallback method
   if the 3rd method below fails.
3. Create a code table like I have done and map it directly from the text
   segment. With the code table, the .align will not work because of the
   repeat of the code sequence. Hence, the nops.

I know it is not pretty. But this is my justification for that.


  reply	other threads:[~2021-01-29  2:38 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1ef5c7e1c9a6ebb140a476ba555ec955681f4fba>
2021-01-15 18:46 ` [RFC PATCH v3 0/5] Libffi " madvenka
2021-01-15 18:46   ` [RFC PATCH v3 1/5] " madvenka
2021-01-27  3:31     ` DJ Delorie
2021-01-27 21:51       ` Madhavan T. Venkataraman
2021-01-27 22:15         ` DJ Delorie
2021-01-27 22:43           ` Madhavan T. Venkataraman
2021-01-15 18:46   ` [RFC PATCH v3 2/5] x86: Support for " madvenka
2021-01-27  3:31     ` DJ Delorie
2021-01-28 21:59       ` Madhavan T. Venkataraman
2021-01-28 22:17         ` DJ Delorie
2021-01-28 23:25           ` Madhavan T. Venkataraman
2021-01-29  2:09             ` DJ Delorie
2021-01-29  2:38               ` Madhavan T. Venkataraman [this message]
2021-01-29  2:48                 ` DJ Delorie
2021-01-29  3:24                   ` Madhavan T. Venkataraman
2021-01-29  6:07                     ` DJ Delorie
2021-02-01 19:46                 ` DJ Delorie
2021-01-15 18:46   ` [RFC PATCH v3 3/5] i386: " madvenka
2021-01-15 18:46   ` [RFC PATCH v3 4/5] arm64: " madvenka
2021-01-15 18:46   ` [RFC PATCH v3 5/5] arm: " madvenka
2021-01-26 23:41   ` [RFC PATCH v3 0/5] Libffi " Anthony Green
2021-01-27 17:20     ` Madhavan T. Venkataraman
2021-01-27 18:00       ` Anthony Green
2021-01-27 19:45         ` Madhavan T. Venkataraman
2021-01-28 14:21           ` Anthony Green
2021-01-28 17:01             ` Madhavan T. Venkataraman
2021-02-05 18:20               ` Madhavan T. Venkataraman
2021-02-05 18:46                 ` Anthony Green
2021-02-05 19:38                   ` Madhavan T. Venkataraman
2021-02-07 16:09                     ` Madhavan T. Venkataraman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).