On 9/18/2020 2:00 PM, Pavel Machek wrote:
On Fri 2020-09-18 12:32:57, Dave Hansen wrote:
On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
Emulation of the legacy vsyscall page is required by some programs
built before 2013. Newer programs after 2013 don't use it.
Disable vsyscall emulation when Control-flow Enforcement (CET) is
enabled to enhance security.
How does this "enhance security"?
What is the connection between vsyscall emulation and CET?
Boom.
We don't break compatibility by default, and you should not tell
people to enable CET by default if you plan to do this.
I would revise the wording if there is another version. What this patch
does is:
If an application is compiled for CET and the system supports it, then
the application cannot do vsyscall emulation. Earlier we allow the
emulation, and had a patch that fixes the shadow stack and endbr for the
emulation code. Since newer programs mostly do no do the emulation, we
changed the patch do block it when attempted.
This patch would not block any legacy applications or any applications
on older machines.
Yu-cheng