x86/cfi: Add 'cfi=warn' boot option

author Peter Zijlstra <peterz@infradead.org>

Mon, 24 Feb 2025 12:37:04 +0000 (13:37 +0100)

committer Ingo Molnar <mingo@kernel.org>

Wed, 26 Feb 2025 11:10:48 +0000 (12:10 +0100)
author Peter Zijlstra <peterz@infradead.org>
Mon, 24 Feb 2025 12:37:04 +0000 (13:37 +0100)
committer Ingo Molnar <mingo@kernel.org>
Wed, 26 Feb 2025 11:10:48 +0000 (12:10 +0100)
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c

index 247ee5ffbff4734bdc31fa21f1f3f56fec422e76..1142ebd3bb49cde8890498bc29ea8f6dbc0d012e 100644 (file)
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1022,6 +1022,9 @@ static __init int cfi_parse_cmdline(char *str)
                         cfi_mode = CFI_FINEIBT;
                 } else if (!strcmp(str, "norand")) {
                         cfi_rand = false;
+               } else if (!strcmp(str, "warn")) {
+                       pr_alert("CFI mismatch non-fatal!\n");
+                       cfi_warn = true;
                 } else {
                         pr_err("Ignoring unknown cfi option (%s).", str);
                 }
diff --git a/include/linux/cfi.h b/include/linux/cfi.h

index f0df518e11dd15a63aa3561355f71afe66c45e9f..1db17ecbb86c6b186d0b14c90c7285128824cac0 100644 (file)
--- a/include/linux/cfi.h
+++ b/include/linux/cfi.h
@@ -11,6 +11,8 @@
  #include <linux/module.h>
  #include <asm/cfi.h>
  
+extern bool cfi_warn;
+
  #ifndef cfi_get_offset
  static inline int cfi_get_offset(void)
  {
diff --git a/kernel/cfi.c b/kernel/cfi.c

index 08caad7767176e2c119d2443f84ab7ee61ac0463..19be7963954202dfbc5100e0eb6136ff6231e035 100644 (file)
--- a/kernel/cfi.c
+++ b/kernel/cfi.c
@@ -7,6 +7,8 @@
  
  #include <linux/cfi.h>
  
+bool cfi_warn __ro_after_init = IS_ENABLED(CONFIG_CFI_PERMISSIVE);
+
  enum bug_trap_type report_cfi_failure(struct pt_regs *regs, unsigned long addr,
                                       unsigned long *target, u32 type)
  {
@@ -17,7 +19,7 @@ enum bug_trap_type report_cfi_failure(struct pt_regs *regs, unsigned long addr,
                 pr_err("CFI failure at %pS (no target information)\n",
                        (void *)addr);
  
-       if (IS_ENABLED(CONFIG_CFI_PERMISSIVE)) {
+       if (cfi_warn) {
                 __warn(NULL, 0, (void *)addr, 0, regs, NULL);
                 return BUG_TRAP_TYPE_WARN;
         }
author	Peter Zijlstra <peterz@infradead.org>
	Mon, 24 Feb 2025 12:37:04 +0000 (13:37 +0100)
committer	Ingo Molnar <mingo@kernel.org>
	Wed, 26 Feb 2025 11:10:48 +0000 (12:10 +0100)
arch/x86/kernel/alternative.c		patch \| blob \| blame \| history
include/linux/cfi.h		patch \| blob \| blame \| history
kernel/cfi.c		patch \| blob \| blame \| history