On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> wrote:
>
> When fork() specifies CLONE_VM but not CLONE_VFORK, the child
> needs a separate program stack and a separate shadow stack.
> This patch handles allocation and freeing of the thread shadow
> stack.

Aha -- you're trying to make this automatic. I'm not convinced this is a good idea. The Linux kernel has a long and storied history of enabling new hardware features in ways that are almost entirely useless for userspace.

Florian, do you have any thoughts on how the user/kernel interaction for the shadow stack should work?

My intuition would be that all shadow stack management should be entirely controlled by userspace -- newly cloned threads (with CLONE_VM) should have no shadow stack initially, and newly started processes should have no shadow stack until they ask for one. If it would be needed for optimization, there could be some indication in an ELF binary that it is requesting an initial shadow stack.

But maybe some kind of automation like this patch does is actually reasonable.

--Andy