On Fri, 2023-10-27 at 12:49 +0100, Szabolcs.Nagy@xxxxxxx wrote:
> no. the lifetime is the issue: a stack in principle can outlive
> a thread and resumed even after the original thread exited.
> for that to work the shadow stack has to outlive the thread too.

Hmm, this makes me think about the tracing usages.

>
> (or the other way around: a stack can be freed before the thread
> exits, if the thread pivots away from that stack.)
>
> posix threads etc. don't allow this, but the linux syscall abi
> (clone) does allow it.
>
> i think it is reasonable to tie the shadow stack lifetime to the
> thread lifetime, but this clearly introduces a limitation on how
> the clone api can be used. such constraint on the userspace
> programming model is normally a bad decision, but given that most
> software (including all posix conforming code) is not affected,
> i think it is acceptable for an opt-in feature like shadow stack.

Do you have any updated plans to share around your earlier ideas for
token schemes that try to shoot for more compatibility or security?
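The lifetime point in the quoted text, as an added C example that is not part of the thread or of any kernel or libc code: with raw clone() the caller owns the ordinary stack mapping, so it is still mapped and readable after the task that ran on it has exited, which is exactly the property a shadow stack tied to thread lifetime would not have. No shadow stack is enabled here; the names `probe`, `child_fn` and `stack_outlives_thread` are hypothetical.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>

#ifndef CLONE_VM   /* fallback if _GNU_SOURCE took effect too late for <sched.h> */
#define CLONE_VM 0x00000100
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

#define STACK_SIZE (64 * 1024)
#define MARKER 0x5a

struct probe { uintptr_t lo, hi; int ran_on_stack; };

/* Runs on the caller-allocated stack, records that fact, leaves a marker. */
static int child_fn(void *arg)
{
    struct probe *p = arg;
    volatile char local = 0;
    uintptr_t sp = (uintptr_t)&local;          /* address inside this frame */
    p->ran_on_stack = (sp >= p->lo && sp < p->hi);
    *(volatile unsigned char *)p->lo = MARKER; /* low end of the mapping */
    return 0;
}

/* 1: the stack mapping and its contents outlived the task; -1: setup error. */
int stack_outlives_thread(void)
{
    unsigned char *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED)
        return -1;
    struct probe p = { (uintptr_t)stack, (uintptr_t)stack + STACK_SIZE, 0 };
    /* The stack grows down, so pass the top; CLONE_VM shares the address space. */
    pid_t tid = clone(child_fn, stack + STACK_SIZE, CLONE_VM | SIGCHLD, &p);
    if (tid == -1 || waitpid(tid, NULL, 0) != tid) {
        munmap(stack, STACK_SIZE);
        return -1;
    }
    /* The task is gone, but userspace still owns the mapping and its data. */
    int survived = p.ran_on_stack && stack[0] == MARKER;
    munmap(stack, STACK_SIZE);                 /* only now does the stack die */
    return survived;
}

int main(void) { printf("%d\n", stack_outlives_thread()); return 0; }
```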