[bpf-next v8 0/5] emit ENDBR/BTI instructions for indirect jump targets

Xu Kuohai xukuohai at huaweicloud.com
Mon Mar 9 23:25:50 PDT 2026


On 3/9/2026 11:00 PM, Alexis Lothoré wrote:
> Hi Xu,
> 
> On Mon Mar 9, 2026 at 3:00 PM CET, Xu Kuohai wrote:
>> On architectures with CFI protection enabled that require landing pad
>> instructions at indirect jump targets, such as x86 with CET/IBT enabled
>> and arm64 with BTI enabled, the kernel panics when an indirect jump lands on
>> a target without a landing pad. Therefore, the JIT must emit landing pad
>> instructions for indirect jump targets.
>>
>> The verifier already recognizes which instructions are indirect jump
>> targets during the verification phase. So we can store this information
>> in env->insn_aux_data and pass it to the JIT as a new parameter, so the JIT
>> knows which instructions are indirect jump targets.
>>
>> During JIT, constants blinding is performed. It rewrites the private copy
>> of instructions for the JITed program, but it does not adjust the global
>> env->insn_aux_data array. As a result, after constants blinding, the
>> instruction indexes used by JIT may no longer match the indexes in
>> env->insn_aux_data, so the JIT cannot look up env->insn_aux_data directly.
>>
>> To avoid this mismatch, and considering that all existing arch-specific JITs
>> already implement constants blinding with largely duplicated code, move
>> constants blinding from JIT to generic code, before copying instructions
>> for each subprog.
> 
> Could you please add me in CC for any future revision?
>

Sure, will do.

> Thanks,
> 
> Alexis
> 
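The index mismatch described in the quoted cover letter, shown as an added example that is not the kernel's code or the series' code: a toy verifier flags indirect jump targets, a toy blinding pass expands each immediate-carrying instruction into two (the kernel's real blinding, opcodes and `insn_aux_data` layout are assumed away), and the toy JIT emits a landing pad before every flagged instruction. With the pre-blinding flag array the pad lands on the wrong instruction; with an index-adjusted copy every target is covered.

```c
#include <string.h>
enum op { MOV_IMM, XOR_IMM, JMP_INDIRECT, EXIT, LANDING_PAD };
struct insn { enum op op; int imm; };  /* JMP_INDIRECT imm = target insn index */
enum { MAXN = 32 };
/* Verifier-like pass: flag every instruction an indirect jump can land on. */
static void mark_targets(const struct insn *p, int n, int *aux) {
    memset(aux, 0, MAXN * sizeof *aux);
    for (int i = 0; i < n; i++) if (p[i].op == JMP_INDIRECT) aux[p[i].imm] = 1;
}
/* Toy constant blinding: MOV_IMM imm -> MOV_IMM imm^rnd; XOR_IMM rnd, so the
 * raw immediate never lands in the image. map[i] = new index of old insn i. */
static int blind(const struct insn *p, int n, struct insn *out, int *map, int rnd) {
    int j = 0;
    for (int i = 0; i < n; i++) {
        map[i] = j;
        if (p[i].op != MOV_IMM) { out[j++] = p[i]; continue; }
        out[j++] = (struct insn){ MOV_IMM, p[i].imm ^ rnd };
        out[j++] = (struct insn){ XOR_IMM, rnd };
    }
    return j;
}
/* JIT stage: emit a landing pad (ENDBR/BTI stand-in) before each flagged insn. */
static int jit(const struct insn *p, int n, const int *aux, struct insn *out) {
    int k = 0;
    for (int i = 0; i < n; i++) {
        if (aux[i]) out[k++] = (struct insn){ LANDING_PAD, 0 };
        out[k++] = p[i];
    }
    return k;
}
/* Count real targets (truth[] indexed by blinded insn) not preceded by a pad. */
static int missing_pads(const struct insn *img, int n, const int *truth) {
    int miss = 0, padded = 0;
    for (int k = 0, j = 0; k < n; k++) {
        if (img[k].op == LANDING_PAD) { padded = 1; continue; }
        if (truth[j++] && !padded) miss++;
        padded = 0;
    }
    return miss;
}
/* Constructed program: insn 3 is an indirect jump target. Returns how many
 * targets are left unprotected when the JIT uses stale vs. remapped aux data. */
int unprotected_targets(int remap_aux) {
    const struct insn prog[] = { {MOV_IMM, 0x1234}, {JMP_INDIRECT, 3}, {EXIT, 0},
                                 {MOV_IMM, 7}, {EXIT, 0} };
    int n = 5, aux[MAXN], map[MAXN], truth[MAXN] = {0}; struct insn blinded[MAXN], img[MAXN];
    mark_targets(prog, n, aux);
    int nb = blind(prog, n, blinded, map, 0x5a5a);
    for (int i = 0; i < n; i++) truth[map[i]] = aux[i];  /* index-adjusted copy */
    return missing_pads(img, jit(blinded, nb, remap_aux ? truth : aux, img), truth);
}
```

`unprotected_targets(0)` reports one target without a pad (the pad was emitted in front of the wrong instruction), `unprotected_targets(1)` reports none.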