On Wed, Apr 22, 2020 at 06:39:47PM +0100, Will Deacon wrote: > On Mon, Apr 20, 2020 at 02:18:30PM -0700, Sami Tolvanen wrote: > > On Mon, Apr 20, 2020 at 06:17:28PM +0100, Will Deacon wrote: > > > > + * The shadow call stack is aligned to SCS_SIZE, and grows > > > > + * upwards, so we can mask out the low bits to extract the base > > > > + * when the task is not running. > > > > + */ > > > > + return (void *)((unsigned long)task_scs(tsk) & ~(SCS_SIZE - 1)); > > > > > > Could we avoid forcing this alignment it we stored the SCS pointer as a > > > (base,offset) pair instead? That might be friendlier on the allocations > > > later on. > > > > The idea is to avoid storing the current task's shadow stack address in > > memory, which is why I would rather not store the base address either. > > What I mean is that, instead of storing the current shadow stack pointer, > we instead store a base and an offset. We can still clear the base, as you > do with the pointer today, and I don't see that the offset is useful to > an attacker on its own. I see what you mean. However, even if we store the base address + the offset, we still need aligned allocation if we want to clear the address. This would basically just move __scs_base() logic to cpu_switch_to() / scs_save(). > But more generally, is it really worthwhile to do this clearing at all? Can > you (or Kees?) provide some justification for it, please? We don't do it > for anything else, e.g. the pointer authentication keys, so something > feels amiss here. Like Kees pointed out, this makes it slightly harder to locate the current task's shadow stack pointer. I realize there are other useful targets in thread_info, but we would rather not make this any easier than necessary. Is your primary concern here the cost of doing this, or just that it doesn't sufficiently improve security? Sami