On Fri, Aug 16, 2024 at 11:51:57AM +0100, Mark Brown wrote: > On Fri, Aug 16, 2024 at 09:44:46AM +0100, Catalin Marinas wrote: > > We could, in theory, consume this token in the parent before the child > > mm is created. The downside is that if a parent forks multiple > > processes using the same shadow stack, it will have to set the token > > each time. I'd be fine with this, that's really only for the mostly > > theoretical case where one doesn't use CLONE_VM and still want a > > separate stack and shadow stack. > > I originally implemented things that way but people did complain about > the !CLONE_VM case, which does TBH seem reasonable. Note that the > parent won't as standard be able to set the token again - since the > shadow stack is not writable to userspace by default it'd instead need > to allocate a whole new shadow stack for each child. Ah, good point. > I change back to parsing the token in the parent but I don't want to end > up in a cycle of bouncing between the two implementations depending on > who's reviewed the most recent version. You and others spent a lot more time looking at shadow stacks than me. I'm not necessarily asking to change stuff but rather understand the choices made. -- Catalin
