Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Dave Hansen <dave.hansen@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>
Subject: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
From: "Yu, Yu-cheng" <yu-cheng.yu@xxxxxxxxx>
Date: Tue, 15 Sep 2020 13:16:41 -0700
Cc: Dave Martin <Dave.Martin@xxxxxxx>, "H.J. Lu" <hjl.tools@xxxxxxxxx>, Florian Weimer <fweimer@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, "open list:DOCUMENTATION" <linux-doc@xxxxxxxxxxxxxxx>, Linux-MM <linux-mm@xxxxxxxxx>, linux-arch <linux-arch@xxxxxxxxxxxxxxx>, Linux API <linux-api@xxxxxxxxxxxxxxx>, Arnd Bergmann <arnd@xxxxxxxx>, Balbir Singh <bsingharora@xxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Cyrill Gorcunov <gorcunov@xxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, Eugene Syromiatnikov <esyr@xxxxxxxxxx>, Jann Horn <jannh@xxxxxxxxxx>, Jonathan Corbet <corbet@xxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Mike Kravetz <mike.kravetz@xxxxxxxxxx>, Nadav Amit <nadav.amit@xxxxxxxxx>, Oleg Nesterov <oleg@xxxxxxxxxx>, Pavel Machek <pavel@xxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Randy Dunlap <rdunlap@xxxxxxxxxxxxx>, "Ravi V. Shankar" <ravi.v.shankar@xxxxxxxxx>, Vedvyas Shanbhogue <vedvyas.shanbhogue@xxxxxxxxx>, Weijiang Yang <weijiang.yang@xxxxxxxxx>
In-reply-to: <6a04252c-da02-0217-270b-650bd3d852c7@intel.com>
References: <086c73d8-9b06-f074-e315-9964eb666db9@intel.com> <20200901102758.GY6642@arm.com> <c91bbad8-9e45-724b-4526-fe3674310c57@intel.com> <CALCETrWJQgtO_tP1pEaDYYsFgkZ=fOxhyTRE50THcxYoHyTTwg@mail.gmail.com> <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com> <46dffdfd-92f8-0f05-6164-945f217b0958@intel.com> <ed929729-4677-3d3b-6bfd-b379af9272b8@intel.com> <6e1e22a5-1b7f-2783-351e-c8ed2d4893b8@intel.com> <5979c58d-a6e3-d14d-df92-72cdeb97298d@intel.com> <ab1a3344-60f4-9b9d-81d4-e6538fdcafcf@intel.com> <08c91835-8486-9da5-a7d1-75e716fc5d36@intel.com> <a881837d-c844-30e8-a614-8b92be814ef6@intel.com> <cbec8861-8722-ec31-2c02-1cfed20255eb@intel.com> <b3379d26-d8a7-deb7-59f1-c994bb297dcb@intel.com> <a1efc4330a3beff10671949eddbba96f8cde96da.camel@intel.com> <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com> <bf2ab309-f8c4-83da-1c0a-5684e5bc5c82@intel.com> <2f137667122486a0cea3b0dbfa99d02f74870673.camel@intel.com> <6a04252c-da02-0217-270b-650bd3d852c7@intel.com>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0

On 9/15/2020 12:24 PM, Dave Hansen wrote:

On 9/15/20 12:08 PM, Yu-cheng Yu wrote:

On Mon, 2020-09-14 at 17:12 -0700, Yu, Yu-cheng wrote:

On 9/14/2020 7:50 AM, Dave Hansen wrote:

On 9/11/20 3:59 PM, Yu-cheng Yu wrote:
...

Here are the changes if we take the mprotect(PROT_SHSTK) approach.
Any comments/suggestions?

I still don't like it. :)

I'll also be much happier when there's a proper changelog to accompany
this which also spells out the alternatives any why they suck so much.

[...]

I revised it.  If this turns out needing more work/discussion, we can split it
out from the shadow stack series.


Where does that leave things?  You only get shadow stacks for
single-threaded apps which have the ELF bits set?

As long as the system supports shadow stack, any application canmmap()/mprotect() a shadow stack. A pthread can allocate a shadow stacktoo. However, only shadow stack-enabled programs can activate/use theshadow stack.

References:
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Martin
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Andy Lutomirski
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu-cheng Yu
- Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen
- Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu, Yu-cheng
- Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Yu-cheng Yu
- Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
  - From: Dave Hansen

Prev by Date: Re: [PATCH v3 02/11] xenbus: add freeze/thaw/restore callbacks support
Next by Date: [PATCH] cma: make number of CMA areas dynamic, remove CONFIG_CMA_AREAS
Previous by thread: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
Next by thread: Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
Index(es):
- Date
- Thread

[Index of Archives] [Linux ARM Kernel] [Linux ARM] [Linux Omap] [Fedora ARM] [IETF Annouce] [Bugtraq] [Linux OMAP] [Linux MIPS] [eCos] [Asterisk Internet PBX] [Linux API]