The 03/03/2023 08:57, H.J. Lu wrote: > On Fri, Mar 3, 2023 at 8:31 AM szabolcs.nagy@xxxxxxx > <szabolcs.nagy@xxxxxxx> wrote: > > longjmp to different stack should work: it can do the same as > > setcontext/swapcontext: scan for the pivot token. then only > > longjmp out of alt shadow stack fails. (this is non-conforming > > longjmp use, but e.g. qemu relies on it.) > > Restore token may not be used with longjmp. Unlike setcontext/swapcontext, > longjmp is optional. If longjmp isn't called, there will be an extra > token on shadow > stack and RET will fail. what do you mean longjmp is optional? it can scan the target shadow stack and decide if it's the same as the current one or not and in the latter case there should be a restore token to switch to. then it can INCSSP to reach the target SSP state. qemu does setjmp, then swapcontext, then longjmp back. swapcontext can change the stack, but leaves a token behind so longjmp can switch back.
