On Wed, May 11, 2022 at 11:12 AM +08, Xu Kuohai wrote:
On 5/10/2022 5:36 PM, Jakub Sitnicki wrote:
On Sun, Apr 24, 2022 at 11:40 AM -04, Xu Kuohai wrote:
[...]
@@ -281,12 +290,15 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf) * */
- if (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL))
emit(A64_BTI_C, ctx);
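Review bot: with the `IS_ENABLED(CONFIG_ARM64_BTI_KERNEL)` guard removed in this hunk, nothing in the quoted context says under which condition `A64_BTI_C` is now emitted or why the landing pad has to sit ahead of the PACIASP; a short comment above `emit(A64_BTI_C, ctx);` stating that the MOV/NOP patch site for the trampoline now precedes PACIASP, so PACIASP can no longer serve as the landing pad for the entry branch, would let a reader recover that from the code instead of from this thread.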
I'm no arm64 expert, but this looks like a fix for BTI.
Currently we never emit BTI because ARM64_BTI_KERNEL depends on ARM64_PTR_AUTH_KERNEL, while BTI must be the first instruction for the jump target [1]. Am I following correctly?
Not quite correct. When the jump target is a PACIASP instruction, no Branch Target Exception is generated, so there is no need to insert a BTI before PACIASP [2].
In order to attach a trampoline to a bpf prog, a MOV and a NOP are inserted before the PACIASP, so a BTI instruction is required to avoid a Branch Target Exception.
The reason for inserting the NOP before the PACIASP instead of after it is that no call frame is built before entering the trampoline, so there is no return address on the stack and nothing to be protected by PACIASP.
[2] https://developer.arm.com/documentation/ddi0596/2021-12/Base-Instructions/BT...
That makes sense. Thanks for the explanation!
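As an added illustration of the landing-pad rule discussed in the thread (not code from the thread or from the kernel's arm64 JIT), a small C model of the branch-target check applied to the first instruction of a prologue. The HINT encodings are architectural; MOV x9, x30 as the patch-site MOV, and treating PACIASP exactly like BTI C (ignoring the SCTLR_ELx.BT refinement), are assumptions.

```c
/* Model of the AArch64 branch-target check at the first instruction of a
 * JITed BPF prologue. HINT encodings are architectural; the prologue
 * sequences are constructed from the thread (MOV x9, x30 is an assumption). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define HINT(n)        (0xD503201Fu | ((uint32_t)(n) << 5))
#define A64_NOP        HINT(0)
#define A64_PACIASP    HINT(25)
#define A64_BTI_C      HINT(34)
#define A64_BTI_J      HINT(36)
#define A64_BTI_JC     HINT(38)
#define A64_MOV_X9_LR  0xAA1E03E9u   /* ORR x9, xzr, x30 */

enum branch { BRANCH_BLR, BRANCH_BR_X16_X17, BRANCH_BR_OTHER };

/* True if landing on insn via kind raises no Branch Target Exception.
 * PACIASP is modelled as equivalent to BTI C (SCTLR_ELx.BT clear). */
bool landing_ok(uint32_t insn, enum branch kind)
{
    switch (insn) {
    case A64_BTI_JC:
        return true;
    case A64_BTI_C:
    case A64_PACIASP:
        return kind == BRANCH_BLR || kind == BRANCH_BR_X16_X17;
    case A64_BTI_J:
        return kind != BRANCH_BLR;
    default:
        return false;   /* NOP, MOV and ordinary instructions trap */
    }
}

/* Only the first instruction matters: that is where the branch lands. */
bool entry_ok(const uint32_t *prologue, enum branch kind)
{
    return landing_ok(prologue[0], kind);
}

/* Constructed prologues: the MOV/NOP trampoline patch site inserted ahead
 * of PACIASP, and the same sequence with BTI C added in front. */
static const uint32_t prologue_patchsite[] = { A64_MOV_X9_LR, A64_NOP, A64_PACIASP };
static const uint32_t prologue_fixed[]     = { A64_BTI_C, A64_MOV_X9_LR, A64_NOP, A64_PACIASP };
int main(void)
{
    printf("MOV/NOP first: %s, BTI C first: %s\n",
           entry_ok(prologue_patchsite, BRANCH_BLR) ? "ok" : "trap",
           entry_ok(prologue_fixed, BRANCH_BLR) ? "ok" : "trap");
    return 0;
}
```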