style(9) prefers not mixing comment styles - i.e. don't have some /* */ comments and some // comments

Should have SPDX and copyright lines

New file without copyright or license/SPDX?

If sys/systm.h is included, no need in cdefs.h or types.h

cdefs.h is not needed

kassert.h is provided by systm.h

What is the reason for two #ifdef KERNEL blocks? And why this ifdef is needed at all for kernel source file?

Same etc ...

Don't you need to check that trapped instruction is indeed UD2?

De-indent the continuation line by 4 spaces.

Why these prototypes cannot go into e.g. machine/trap.h?

If changing the comment from single-line into multi-line, follow style.

/*
 * Comment text.
 */

I suggest to remove all that #ifdef KCFI braces, there and in parsing the module ELFs. The only thing that should be left under #ifdef is the actual code that does the calculations.

I think you can reduce namespace pollution by removing sys/proc.h (and probably sys/types.h as well), and just forward-declare

struct trapframe;

before cfi_handler() declaration.

Is there any cost or problem from always annotating functions with __NOCFI?

Also, consider moving this definition to sys/cdefs.h

Can this single prototype go into some existing header? IMO it does not make sense to add new header file for single prototype.

Add these members unconditionally.

Remove this comment.

"All rights reserved." is not needed anymore.

This is actually BSD-3-Clause license. If you want BSD-2-Clause, you can refer the first part of /COPYRIGHT

"All rights reserved." is not needed anymore.

This is actually BSD-3-Clause license. If you want BSD-2-Clause, you can refer the first part of /COPYRIGHT

I discover amd64/traps.h only include x86 one and only put some #define inside.

Is it fine to move these two function declaration inside?

No, there is no cost. KCFI checks in forward egde ( The caller checks if callee is legal). So add this in caller side actually disable all check inside the caller function.

I see kcsan only has one prototype inside header too. I don't find any suitable place to put this signature. Or should we move these sanitizer into one header?

If it fine to remove the ifdef in this structure? I think it may be somehow important?

Note that this is generally unsafe and might cause nested fault. You only know that the byte at tf_rip is valid and can be accessed because attempt to execute caused #UD and not #PF. But either byte before or after it might be not mapped.
You need to check that the accesses are safe before doing them, or place an exception handler around accesses using pcb_onfault.

This still does not check for UD2. UD2 is 0x0f 0x0b, you only check the second byte.

Absolutely fine, just brace them with #ifdef _KERNEL.

Put it into e.g. sys/systm.h, which is the collection of the random things already. There is no harm from the unused prototype.

It is highly desirable that kernel binary interface was invariant WRT config options. This is why I suggested to remove the #ifdef, to have the same struct linker_file size/layout without dependency on the option.

Could you please tell me the detail on how to achieve the safe access with

place an exception handler around accesses using pcb_onfault?

Since we cannot check if the address before ud2 and after ud2 is safe to access.

Traps.h is used by .s files which cannot define structure inside. Can we put into the systm.h? Clang actually support KCFI on arm, riscv. But I only implement the x86 one.

Try D49566. I did not tested it.

systm.h is fine.

It works as usual

You should not ignore errors from safe_read().

Oops.

switching to

for (idx = 0; idx < 14; idx++)                                                                                                             
          if (safe_read(tf->tf_rip - 12 + idx, buffer + idx))
              return false;

fail the KCFI check and make kernel go through the origianl path thus panic.

I can confirm that safe_read reads something as it passes all KCFI check.

I can confirm that safe_read reads something as it passes all KCFI check "in the version that does not check the error".

Still not done

Could you, instead of hardcoding the encoding in C, find the sequence in the compiled code? I mean, produce some label that points to the CFI sequence and compare the faulted instruction with it. Then if clang or clang-asm generate something different in binary, we do not even notice.

Does is_cfi_exception() match your expectation?

ALso, KCFI already provides a .cfi.traps section that contains all CFI fault PCs, so this code mainly serves as a fast path. I don’t think LLVM will change this sequence easily, but I understand your concern. I can remove the function entirely if needed.

Ok, no need to remove the function. I suggest to add the comment in line of your response to point out the section, and the purpose of the buffer matching.

This comment should go into the #ifdef KCFI block.

Ok. Thank you!