Re: [RFC PATCH v9 05/27] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2020-02-26 at 09:03 -0800, Dave Hansen wrote:
> On 2/5/20 10:19 AM, Yu-cheng Yu wrote:
> > Introduce Kconfig option: X86_INTEL_SHADOW_STACK_USER.
> > 
> > Shadow Stack (SHSTK) provides protection against function return address
> > corruption.  It is active when the kernel has this feature enabled, and
> > both the processor and the application support it.  When this feature is
> > enabled, legacy non-SHSTK applications continue to work, but without SHSTK
> > protection.
> > 
> > The user-mode SHSTK protection is only implemented for the 64-bit kernel.
> > IA32 applications are supported under the compatibility mode.
> 
> I think what you're trying to say here is that the hardware supports
> shadow stacks with 32-bit kernels.  However, this series does not
> include that support and we have no plans to add it.
> 
> Right?

Yes.

> 
> I'll let others weigh in, but I rather dislike the use of acronyms here.
>  I'd much rather see the english "shadow stack" everywhere than SHSTK.

I will change to shadow stack.

> 
> > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > index 5e8949953660..6c34b701c588 100644
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -1974,6 +1974,28 @@ config X86_INTEL_TSX_MODE_AUTO
> >  	  side channel attacks- equals the tsx=auto command line parameter.
> >  endchoice
> >  
> > +config X86_INTEL_CET
> > +	def_bool n
> > +
> > +config ARCH_HAS_SHSTK
> > +	def_bool n
> > +
> > +config X86_INTEL_SHADOW_STACK_USER
> > +	prompt "Intel Shadow Stack for user-mode"
> 
> Nit: this whole thing is to support more than a single stack.  I'd make
> this plural at least in the text: "shadow stacks".

OK.

> 
> > +	def_bool n
> > +	depends on CPU_SUP_INTEL && X86_64
> > +	select ARCH_USES_HIGH_VMA_FLAGS
> > +	select X86_INTEL_CET
> > +	select ARCH_HAS_SHSTK
> > +	---help---
> > +	  Shadow Stack (SHSTK) provides protection against program
> > +	  stack corruption.  It is active when the kernel has this
> > +	  feature enabled, and the processor and the application
> > +	  support it.  When this feature is enabled, legacy non-SHSTK
> > +	  applications continue to work, but without SHSTK protection.
> > +
> > +	  If unsure, say y.
> 
> This is missing a *lot* of information.
> 
> What matters to someone turning this on?
> 
> 1. It's a hardware feature.  This only matters if you have the right
>    hardware
> 2. It's a security hardening feature.  You dance around this, but need
>    to come out and say it.
> 3. Apps must be enabled to use it.  You get no protection "for free" on
>    old userspace.
> 4. The hardware supports user and kernel, but this option is for
>    userspace only.

I will update the help text.

Yu-cheng




[Index of Archives]     [Linux Kernel]     [Kernel Newbies]     [x86 Platform Driver]     [Netdev]     [Linux Wireless]     [Netfilter]     [Bugtraq]     [Linux Filesystems]     [Yosemite Discussion]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]

  Powered by Linux