On Mon, Feb 07 2022 at 17:31, Andy Lutomirski wrote:
> So this leaves altshadowstack. If we want to allow userspace to handle
> a shstk overflow, I think we need altshadowstack. And I can easily
> imagine signal handling in a coroutine or user-threading evironment (Go?
> UMCG or whatever it's called?) wanting this. As noted, this obnoxious
> Andy person didn't like putting any shstk-related extensions in the FPU
> state.
>
> For better or for worse, altshadowstack is (I think) fundamentally a new
> API. No amount of ucontext magic is going to materialize an entire
> shadow stack out of nowhere when someone calls sigaltstack(). So the
> questions are: should we support altshadowstack from day one and, if so,
> what should it look like?
I think we should support them from day one.
> So I don't have a complete or even almost complete design in mind, but I
> think we do need to make a conscious decision either to design this
> right or to skip it for v1.
Skipping it might create a fundamental design fail situation as it might
require changes to the shadow stack signal handling in general which
becomes a nightmare once a non-altstack API is exposed.
> As for CRIU, I don't think anyone really expects a new kernel, running
> new userspace that takes advantage of features in the new kernel, to
> work with old CRIU.
Yes, CRIU needs updates, but what ensures that CRIU managed user space
does not use SHSTK if CRIU is not updated yet?
> Upgrading to a SHSTK kernel should still allow using CRIU with
> non-SHSTK userspace, but I don't see how it's possible for CRIU to
> handle SHSTK without updates. We should certainly do our best to make
> CRIU's life easy, though.
Handling CRIU with SHSTK enabled has to be part of the overall design
otherwise we'll either end up with horrible hacks or with a requirement
to change the V1 UAPI....
Thanks,
tglx
