Re: [PATCH v3 16/16] objtool: Validate kCFI calls
From: Peter Zijlstra
Date: Mon Jul 14 2025 - 06:54:50 EST
On Mon, Jul 14, 2025 at 12:20:27PM +0200, Peter Zijlstra wrote:
> --- a/arch/x86/platform/efi/efi_stub_64.S
> +++ b/arch/x86/platform/efi/efi_stub_64.S
> @@ -11,6 +11,10 @@
> #include <asm/nospec-branch.h>
>
> SYM_FUNC_START(__efi_call)
> + /*
> + * The EFI code doesn't have any CFI, annotate away the CFI violation.
> + */
> + ANNOTATE_NOCFI_SYM
> pushq %rbp
> movq %rsp, %rbp
> and $~0xf, %rsp
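Review bot: The comment above `ANNOTATE_NOCFI_SYM` says only that EFI has no CFI, not what the annotation suppresses; since it exempts the indirect call into firmware from the kCFI validation this series adds, the justification for the whitelist belongs next to it. Something like `/* The indirect call into the EFI runtime services targets firmware that is not built with kCFI (presumably no type hash to check), so objtool cannot validate it; suppress the warning for this symbol only. */` records why the exemption is safe and when it should be revisited. The body of __efi_call continues past the hunk.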
FWIW, we should probably do something like this as well.
---
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -562,6 +562,13 @@ __noendbr u64 ibt_save(bool disable)
{
u64 msr = 0;
+ /*
+ * Firmware code will not provide the same level of
+ * control-flow-integriry. Taint the kernel to let the user know.
+ */
+ if (disable || (IS_ENABLED(CONFIG_CFI_CLANG) && cfi_mode != CFI_OFF))
+ add_taint(TAINT_CFI, LOCKDEP_STILL_OK);
+
if (cpu_feature_enabled(X86_FEATURE_IBT)) {
rdmsrq(MSR_IA32_S_CET, msr);
if (disable)
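Review bot: The `disable` half of the new condition taints on every ibt_save(true) call even when the CPU has no IBT, because the `cpu_feature_enabled(X86_FEATURE_IBT)` check only comes afterwards; on a kernel with neither IBT nor kCFI nothing is being weakened by the firmware call, so the taint would mislead. Gating it as `if ((disable && cpu_feature_enabled(X86_FEATURE_IBT)) || (IS_ENABLED(CONFIG_CFI_CLANG) && cfi_mode != CFI_OFF))` taints only when a CFI mechanism is actually in effect and being bypassed. `cfi_mode` also has to be declared for common.c (presumably via asm/cfi.h) so the non-CFI_CLANG build still compiles. The comment misspells integrity (`control-flow-integriry`). ibt_save's body continues past the hunk.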
--- a/include/linux/panic.h
+++ b/include/linux/panic.h
@@ -73,7 +73,8 @@ static inline void set_arch_panic_timeou
#define TAINT_RANDSTRUCT 17
#define TAINT_TEST 18
#define TAINT_FWCTL 19
-#define TAINT_FLAGS_COUNT 20
+#define TAINT_CFI 20
+#define TAINT_FLAGS_COUNT 21
#define TAINT_FLAGS_MAX ((1UL << TAINT_FLAGS_COUNT) - 1)
struct taint_flag {
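Review bot: Adding `TAINT_CFI 20` and bumping `TAINT_FLAGS_COUNT` to 21 needs a matching entry in the `taint_flags[]` table in kernel/panic.c, which supplies the letter shown by print_tainted() and decoded from /proc/sys/kernel/tainted, and nothing in the posted hunks adds one; unless it is added elsewhere in the series, the missing entry will either trip the table-size build check in panic.c or leave a zero-filled slot with no printable taint letter. The new flag should also be described in Documentation/admin-guide/tainted-kernels.rst and tools/debugging/kernel-chktaint so users can tell from a taint string that firmware was entered without the kernel's CFI/IBT coverage. The context line `struct taint_flag {` opens a definition that continues past the hunk.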