On Mon, Jul 14, 2025 at 12:49:19PM +0200, Peter Zijlstra wrote:
> On Mon, Jul 14, 2025 at 12:20:27PM +0200, Peter Zijlstra wrote:
> 
> > --- a/arch/x86/platform/efi/efi_stub_64.S
> > +++ b/arch/x86/platform/efi/efi_stub_64.S
> > @@ -11,6 +11,10 @@
> >  #include <asm/nospec-branch.h>
> >  
> >  SYM_FUNC_START(__efi_call)
> > +   /*
> > +    * The EFI code doesn't have any CFI, annotate away the CFI violation.
> > +    */
> > +   ANNOTATE_NOCFI_SYM
> >     pushq %rbp
> >     movq %rsp, %rbp
> >     and $~0xf, %rsp
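Review bot: The new comment at the top of __efi_call says why the annotation is needed but not what it excuses, so a reader cannot tell which instruction in this stub is the CFI violation being waived; the indirect transfer into firmware is presumably further down in __efi_call, outside this hunk. Suggest making the scope explicit, e.g. `* The EFI code doesn't have any CFI; annotate away the CFI violation on the indirect call into firmware made by this stub.`, so that the exception reads as deliberately confined to this one entry point rather than a general opt-out. __efi_call's body continues outside the hunk.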
> 
> FWIW, we should probably do something like this as well.
> 
> ---
> 
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -562,6 +562,13 @@ __noendbr u64 ibt_save(bool disable)
>  {
>       u64 msr = 0;
>  
> +     /*
> +      * Firmware code will not provide the same level of
> +      * control-flow-integriry. Taint the kernel to let the user know.
> +      */
> +     if (disable || (IS_ENABLED(CONFIG_CFI_CLANG) && cfi_mode != CFI_OFF))
> +             add_taint(TAINT_CFI, LOCKDEP_STILL_OK);

Or perhaps:

        WARN_TAINT_ONCE(disable || IS_ENABLED(CONFIG_CFI_CLANG) && cfi_mode != 
CFI_OFF),
                        TAINT_CFI, "Firmware has weaker CFI");

> +
>       if (cpu_feature_enabled(X86_FEATURE_IBT)) {
>               rdmsrq(MSR_IA32_S_CET, msr);
>               if (disable)
> --- a/include/linux/panic.h
> +++ b/include/linux/panic.h
> @@ -73,7 +73,8 @@ static inline void set_arch_panic_timeou
>  #define TAINT_RANDSTRUCT             17
>  #define TAINT_TEST                   18
>  #define TAINT_FWCTL                  19
> -#define TAINT_FLAGS_COUNT            20
> +#define TAINT_CFI                    20
> +#define TAINT_FLAGS_COUNT            21
>  #define TAINT_FLAGS_MAX                      ((1UL << TAINT_FLAGS_COUNT) - 1)
>  
>  struct taint_flag {
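Review bot: TAINT_CFI is assigned bit 20 here, but nothing in the quoted hunks adds the matching entry to the taint_flags[] table in kernel/panic.c, the table of `struct taint_flag` (whose definition starts on this hunk's last context line) that gives each bit its one-character code in /proc/sys/kernel/tainted and in oops output. If I recall correctly that table is size-checked against TAINT_FLAGS_COUNT at build time, so unless the entry is added elsewhere in the series the build will fail or the new bit will print nothing. Documentation/admin-guide/tainted-kernels.rst and tools/debugging/kernel-chktaint also enumerate the bits and need the new one, which matters here because the whole point of the flag is to tell a user that firmware ran with weaker CFI.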
