On Mon, Jan 22, 2024 at 12:21:47PM +0100, Jan Beulich wrote: > On 22.01.2024 12:02, Roger Pau Monne wrote: > > The minimal function size requirements for an x86 livepatch are either 5 > > bytes > > (for jmp) or 9 bytes (for endbr + jmp), and always 4 bytes on Arm. Ensure > > that > > distance between functions entry points is always at least of the minimal > > required size for livepatch instruction replacement to be successful. > > > > Add an additional align directive to the linker script, in order to ensure > > that > > the next section placed after the .text.* (per-function sections) is also > > aligned to the required boundary, so that the distance of the last function > > entry point with the next symbol is also of minimal size. > > > > Note that it's possible for the compiler to end up using a higher function > > alignment regardless of the passed value, so this change just make sure that > > the minimum required for livepatch to work is present. Different compilers > > handle the option differently, as clang will ignore -falign-functions value > > if it's smaller than the one that would be set by the optimization level, > > while > > gcc seems to always honor the function alignment passed in > > -falign-functions. > > In order to cope with this behavior and avoid that setting -falign-functions > > results in an alignment inferior to what the optimization level would have > > selected force x86 release builds to use a function alignment of 16 bytes. > > Nit: A comma after "selected" may help readability. > > > --- a/xen/Kconfig > > +++ b/xen/Kconfig > > @@ -37,6 +37,27 @@ config CC_HAS_VISIBILITY_ATTRIBUTE > > config CC_SPLIT_SECTIONS > > bool > > > > +# Set function alignment. > > +# > > +# Allow setting on a boolean basis, and then convert such selection to an > > +# integer for the build system and code to consume more easily. > > +# > > +# Requires clang >= 7.0.0 > > +config CC_HAS_FUNCTION_ALIGNMENT > > + def_bool $(cc-option,-falign-functions) > > Nit: Maybe better have a blank line here? > > > +config FUNCTION_ALIGNMENT_4B > > + bool > > +config FUNCTION_ALIGNMENT_8B > > + bool > > +config FUNCTION_ALIGNMENT_16B > > + bool > > +config FUNCTION_ALIGNMENT > > + int > > + depends on CC_HAS_FUNCTION_ALIGNMENT > > + default 16 if FUNCTION_ALIGNMENT_16B > > + default 8 if FUNCTION_ALIGNMENT_8B > > + default 4 if FUNCTION_ALIGNMENT_4B > > + > > source "arch/$(SRCARCH)/Kconfig" > > > > config DEFCONFIG_LIST > >[...] > > --- a/xen/arch/x86/xen.lds.S > > +++ b/xen/arch/x86/xen.lds.S > > @@ -99,6 +99,10 @@ SECTIONS > > *(.text) > > #ifdef CONFIG_CC_SPLIT_SECTIONS > > *(.text.*) > > +#endif > > +#ifdef CONFIG_FUNCTION_ALIGNMENT > > + /* Ensure enough distance with the next placed section. */ > > + . = ALIGN(CONFIG_FUNCTION_ALIGNMENT); > > #endif > > *(.text.__x86_indirect_thunk_*) > > I continue to fail to see how an alignment directive can guarantee minimum > distance. In the worst case such a directive inserts nothing at all.
I'm confused, you did provide a RB for this in v4: https://lore.kernel.org/xen-devel/4cad003f-dda0-4e22-a770-5a5ff56f4...@suse.com/ Which is basically the same code with a few comments and wording adjustments. > IOW > at the very least there's a non-spelled-out assumption here about the last > item in the earlier section having suitable alignment and thus, if small > in size, being suitably padded. Please bear with me, but I'm afraid I don't understand your concerns. For livepatch build tools (which is the only consumer of such alignments) we already have the requirement that a function in order to be suitable for being live patched must reside in it's own section. We do want to aim for functions (even assembly ones) to live in their own sections in order to be live patched, and to be properly aligned. However it's also fine for functions to use a different (smaller) alignment, the livepatch build tools will detect this and use the alignment reported. While we want to get to a point where everything that we care to patch lives in it's own section, and is properly padded to ensure minimal required space, I don't see why the proposed approach here should be blocked, as it's a step in the right direction of achieving the goal. Granted, there's still assembly code that won't be suitably padded, but the livepatch build tools won't assume it to be padded. After your series to enable assembly annotations we can also make sure the assembly annotated functions live in separate sections and are suitably aligned. > Personally I don't think merely spelling > out such a requirement would help - it would end up being a trap for > someone to fall into. > I'm further curious why .text.__x86_indirect_thunk_* is left past the > inserted alignment. While pretty unlikely, isn't it in principle possible > for the thunks there to also need patching? Aren't we instead requiring > then that assembly functions (and thunks) all be suitably aligned as well? Those are defined in assembly, so requires CONFIG_FUNCTION_ALIGNMENT to also be applied to the function entry points in assembly files. Thanks, Roger.
