Support Intel IBT in SpiderMonkey JIT
Categories
(Core :: JavaScript Engine: JIT, enhancement, P3)
Tracking
()
People
(Reporter: tcampbell, Unassigned)
References
(Blocks 1 open bug)
Details
To support Indirect Branch Tracking (IBT) security feature, we need the JITs to add special marker instructions at targets of indirect jmp/call.
|
Reporter | |
Comment 1•6 years ago
|
||
On Matrix, bwidawsk points out there is a hacky attempt that someone has explored of this against ESR-68.
https://github.com/hjl-tools/gecko-dev/tree/hjl/cet/esr68
|
||
Updated•3 years ago
|
|
||
Comment 2•2 years ago
|
||
Fwiw, i dunno what's the priority of this, but OpenBSD recently enabled IBT by default for amd64 (and BTI for arm64), cf http://undeadly.org/cgi?action=article;sid=20230714121907
For the mozilla ports, it's been opted-out. The chromium port has it enabled, with patches for v8 & boringssl, per https://github.com/openbsd/ports/commit/8485e4d8db4d9325cce4db61881648dfcfce5ef1 (& https://chromium-review.googlesource.com/c/v8/v8/+/4637222 for the upstream work in v8). dav1d has also been patched to support IBT/BTI, cf https://github.com/openbsd/ports/commit/b6d45e3ac4bd376136963e892eb795a0eadf1606 among others.
so, for firefox to be IBT/BTI-enabled on hw that supports it (bug #1626950 mentioned it wasnt there yet 3 years ago, but nowadays it is..), my understanding (as a mere packager, definitely not an asm hacker) is that what's needed is:
- patches for dav1d (being upstreamed)
- support in the JIT (this bug)
- something else in nss ?
|
|
||
Comment 3•2 years ago
|
||
ted, any hope for this to be repriorized ? for now on OpenBSD firefox is built with a special flag that bypasses IBT enforcement that is our default, but that flag might not last forever.
|
|
||
Comment 4•2 years ago
|
||
:jandem, i've seen some work in bug #1749665 while blindly forward-porting the commits from https://github.com/hjl-tools/gecko-dev/commits/hjl/cet/esr68 to 121 (i really have no idea what i'm doing), any idea if that work was mostly for CET or also paves the way for IBT ?
|
|
||
Comment 5•2 years ago
|
||
hjl, what was the status of your github branch back in 2020 ? exploratory ? work in progress ?
|
||
Comment 6•2 years ago
|
||
(In reply to Landry Breuil (:gaston) from comment #4)
:jandem, i've seen some work in bug #1749665 while blindly forward-porting the commits from https://github.com/hjl-tools/gecko-dev/commits/hjl/cet/esr68 to 121 (i really have no idea what i'm doing), any idea if that work was mostly for CET or also paves the way for IBT ?
Bug 1749665 wasn't for CET, but it did make it possible for us to disable all JIT code generation for a process at runtime which let us improve the sandbox for these processes.
It probably does simplify IBT a little bit as side-effect because we used to have an indirect call there instead of the inline assembly we have today.
|
|
||
Comment 7•2 years ago
|
||
(In reply to Landry Breuil (:gaston) from comment #3)
ted, any hope for this to be repriorized ? for now on OpenBSD firefox is built with a special flag that bypasses IBT enforcement that is our default, but that flag might not last forever.
To answer this question also: we looked into it earlier this year and we think support for IBT and BTI would be nice to have. It requires finding all indirect branch targets so it's not super trivial and would be easier for someone with experience working on SpiderMonkey's JIT backend. Implementing this is currently not a priority for us, but we're happy to give feedback or pointers if someone is interested in contributing.
|
||
Comment 8•2 years ago
|
||
Redirect a needinfo that is pending on an inactive user to the triage owner.
:willyelm, since the bug has recent activity, could you have a look please?
For more information, please visit BugBot documentation.
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•