On Thu, Aug 21, 2025 at 11:46:17AM -0700, Kees Cook wrote:
> On Thu, Aug 21, 2025 at 11:29:35AM +0200, Peter Zijlstra wrote:
> > On Thu, Aug 21, 2025 at 12:26:37AM -0700, Kees Cook wrote:
> > > Build and run tested on x86_64 Linux kernel with various CPU errata
> > > handling alternatives and FineIBT.

Turns out my configs were broken -- I only tested non-retpoline.

> >
> > I'm a little confused, does this force r11 to be the indirect call
> > register like clang does? The code seems to suggest it is possible it
> > uses another register.
> >
> > The current kernel FineIBT code hard assumes r11 for now.
>
> Oh, it looked like it wasn't always r11. Does clang force the call
> register to be r11? I only do that here if the call expression isn't a
> register (similar to -mindirect-branch-register). Looking at the retpoline
> implementation, I see __x86_indirect_thunk_* being generated for all the
> general registers. Hm, but in looking now I see all the hard-coded r11 use
> in the fineibt alternatives. I wonder if my boot testing is somehow not
> triggering the FineIBT alternatives patching? I will investigate more...

I've found my Kconfig problem now. Confirmed that this RFC does _not_ work
with retpoline (much less FineIBT). I will get that fixed for the next
version.

-- 
Kees Cook