[PATCH v8 0/9] CFI for ARM32 using LLVM

Ard Biesheuvel ardb at kernel.org
Mon Apr 29 07:54:39 PDT 2024


On Mon, 29 Apr 2024 at 15:22, Russell King (Oracle)
<linux at armlinux.org.uk> wrote:
>
> I've applied this to a separate branch, and it should be in
> linux-next by tomorrow.
>
> As mentioned today on a previous iteration of the patch series,
> I'm not all that happy with the introduction of delay-inducing
> branches to solve CFI issues especially on the early CPUs where
> a branch causes the CPU's pipeline to be flushed - thus making
> branches expensive.
>
> Can we make these branches conditional on the use of CFI?
>
> Didn't Ard mention there was a way to do this using symbol aliases?
>

Yes, but only if the prototypes are identical. Not sure why Linus
decided to keep this separate, but 9386/2 implements this for
flush_user_cache_all() vs. flush_kern_cache_all().

For coherent_user_range() vs. coherent_kern_range(), the return type
is different (void vs int).

So we could either make coherent_kern_range() return int as well, or
alternatively, we could emit the branch instructions only when CFI is
enabled (as in that case, SYM_TYPED_FUNC_START() expands to something
that prevents a fall through).

E.g.,

--- a/arch/arm/mm/cache-v4wt.S
+++ b/arch/arm/mm/cache-v4wt.S
@@ -108,7 +108,9 @@ SYM_FUNC_END(v4wt_flush_user_cache_range)
  *     - end    - virtual end address
  */
 SYM_TYPED_FUNC_START(v4wt_coherent_kern_range)
+#ifdef CONFIG_CFI_CLANG
        b       v4wt_coherent_user_range
+#endif
 SYM_FUNC_END(v4wt_coherent_kern_range)

 /*
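
Review bot: the `#ifdef CONFIG_CFI_CLANG` around `b v4wt_coherent_user_range` makes the CFI-disabled build depend on v4wt_coherent_kern_range falling straight through into v4wt_coherent_user_range, and the hunk does not show that the latter's label is the very next thing after `SYM_FUNC_END(v4wt_coherent_kern_range)`, nor that SYM_TYPED_FUNC_START()/SYM_FUNC_START() emit no padding or alignment there when CFI is off (the cover text itself says "someone should double check"). Before relying on it, verify the emitted code for the !CFI_CLANG case and put a short comment above the `#ifdef` stating that the two functions must stay adjacent and that the branch exists only because the CFI preamble otherwise breaks the fall-through; without that, a later reordering of the file or a change to the macro would silently turn the empty function into a jump into whatever happens to follow.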

AFAICT, SYM_TYPED_FUNC_START() does not prevent a fall through if
CFI_CLANG is disabled, but someone should double check.



More information about the linux-arm-kernel mailing list