x86/cfi: Add "debug" option to "cfi=" bootparam

author Kees Cook <kees@kernel.org>

Thu, 4 Sep 2025 03:46:44 +0000 (20:46 -0700)

committer Peter Zijlstra <peterz@infradead.org>

Thu, 4 Sep 2025 19:59:08 +0000 (21:59 +0200)
author Kees Cook <kees@kernel.org>
Thu, 4 Sep 2025 03:46:44 +0000 (20:46 -0700)
committer Peter Zijlstra <peterz@infradead.org>
Thu, 4 Sep 2025 19:59:08 +0000 (21:59 +0200)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt

index 8bbffbb334ab95e6a22a4963aab9c3a7e182cf7f..c8337d0e6ba354d4283d5db375d3090ea4a13f9f 100644 (file)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -624,6 +624,7 @@
                         bhi:      Enable register poisoning to stop speculation
                                   across FineIBT. (Disabled by default.)
                         warn:     Do not enforce CFI checking: warn only.
+                       debug:    Report CFI initialization details.
  
         cgroup_disable= [KNL] Disable a particular controller or optional feature
                         Format: {name of the controller(s) or feature(s) to disable}
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c

index d8f4ac95b4dfd00c4323a07415cb50572f2e4f5d..7d4a992dadc358e178b51eeeaf3e8ba6a33b2554 100644 (file)
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1177,6 +1177,7 @@ void __init_or_module apply_seal_endbr(s32 *start, s32 *end) { }
  #endif
  
  enum cfi_mode cfi_mode __ro_after_init = __CFI_DEFAULT;
+static bool cfi_debug __ro_after_init;
  
  #ifdef CONFIG_FINEIBT_BHI
  bool cfi_bhi __ro_after_init = false;
@@ -1259,6 +1260,8 @@ static __init int cfi_parse_cmdline(char *str)
                 } else if (!strcmp(str, "off")) {
                         cfi_mode = CFI_OFF;
                         cfi_rand = false;
+               } else if (!strcmp(str, "debug")) {
+                       cfi_debug = true;
                 } else if (!strcmp(str, "kcfi")) {
                         cfi_mode = CFI_KCFI;
                 } else if (!strcmp(str, "fineibt")) {
@@ -1707,6 +1710,8 @@ static int cfi_rewrite_callers(s32 *start, s32 *end)
         return 0;
  }
  
+#define pr_cfi_debug(X...) if (cfi_debug) pr_info(X)
+
  static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
                             s32 *start_cfi, s32 *end_cfi, bool builtin)
  {
@@ -1734,6 +1739,7 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
          * rewrite them. This disables all CFI. If this succeeds but any of the
          * later stages fails, we're without CFI.
          */
+       pr_cfi_debug("CFI: disabling all indirect call checking\n");
         ret = cfi_disable_callers(start_retpoline, end_retpoline);
         if (ret)
                 goto err;
@@ -1744,14 +1750,19 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
                         cfi_bpf_hash = cfi_rehash(cfi_bpf_hash);
                         cfi_bpf_subprog_hash = cfi_rehash(cfi_bpf_subprog_hash);
                 }
+               pr_cfi_debug("CFI: cfi_seed: 0x%08x\n", cfi_seed);
  
+               pr_cfi_debug("CFI: rehashing all preambles\n");
                 ret = cfi_rand_preamble(start_cfi, end_cfi);
                 if (ret)
                         goto err;
  
+               pr_cfi_debug("CFI: rehashing all indirect calls\n");
                 ret = cfi_rand_callers(start_retpoline, end_retpoline);
                 if (ret)
                         goto err;
+       } else {
+               pr_cfi_debug("CFI: rehashing disabled\n");
         }
  
         switch (cfi_mode) {
@@ -1761,6 +1772,7 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
                 return;
  
         case CFI_KCFI:
+               pr_cfi_debug("CFI: re-enabling all indirect call checking\n");
                 ret = cfi_enable_callers(start_retpoline, end_retpoline);
                 if (ret)
                         goto err;
@@ -1771,17 +1783,20 @@ static void __apply_fineibt(s32 *start_retpoline, s32 *end_retpoline,
                 return;
  
         case CFI_FINEIBT:
+               pr_cfi_debug("CFI: adding FineIBT to all preambles\n");
                 /* place the FineIBT preamble at func()-16 */
                 ret = cfi_rewrite_preamble(start_cfi, end_cfi);
                 if (ret)
                         goto err;
  
                 /* rewrite the callers to target func()-16 */
+               pr_cfi_debug("CFI: rewriting indirect call sites to use FineIBT\n");
                 ret = cfi_rewrite_callers(start_retpoline, end_retpoline);
                 if (ret)
                         goto err;
  
                 /* now that nobody targets func()+0, remove ENDBR there */
+               pr_cfi_debug("CFI: removing old endbr insns\n");
                 cfi_rewrite_endbr(start_cfi, end_cfi);
  
                 if (builtin) {
@@ -2324,6 +2339,7 @@ void __init alternative_instructions(void)
  
         __apply_fineibt(__retpoline_sites, __retpoline_sites_end,
                         __cfi_sites, __cfi_sites_end, true);
+       cfi_debug = false;
  
         /*
          * Rewrite the retpolines, must be done before alternatives since
author	Kees Cook <kees@kernel.org>
	Thu, 4 Sep 2025 03:46:44 +0000 (20:46 -0700)
committer	Peter Zijlstra <peterz@infradead.org>
	Thu, 4 Sep 2025 19:59:08 +0000 (21:59 +0200)
Documentation/admin-guide/kernel-parameters.txt		patch \| blob \| history
arch/x86/kernel/alternative.c		patch \| blob \| history