On Thu, Oct 06, 2022 at 12:38:06AM +0000, Edgecombe, Rick P wrote: > On Mon, 2022-10-03 at 21:37 -0700, Kees Cook wrote: > > On Mon, Oct 03, 2022 at 04:00:36PM -0700, Andy Lutomirski wrote: > > > On 10/3/22 15:28, Kees Cook wrote: > > > > On Thu, Sep 29, 2022 at 03:29:26PM -0700, Rick Edgecombe wrote: > > > > > For the current shadow stack implementation, shadow stacks > > > > > contents easily > > > > > be arbitrarily provisioned with data. > > > > > > > > I can't parse this sentence. > > > > > > > > > This property helps apps protect > > > > > themselves better, but also restricts any potential apps that > > > > > may want to > > > > > do exotic things at the expense of a little security. > > > > > > > > Is anything using this right now? Wouldn't thing be safer without > > > > WRSS? > > > > (Why can't we skip this patch?) > > > > > > > > > > So that people don't write programs that need either (shstk off) or > > > (shstk > > > on and WRSS on) and crash or otherwise fail on kernels that support > > > shstk > > > but don't support WRSS, perhaps? > > > > Right, yes. I meant more "what programs currently need WRSS to > > operate > > under shstk? (And what is it that they are doing that needs it?)" > > > > All is see currently is compiler self-tests and emulators using it? > > > https://codesearch.debian.net/search?q=%5Cb%28wrss%7CWRSS%29%5Cb&literal=0&perpkg=1 > > Most apps that weren't just automatically compiled haven't had > implementation effort yet. (of course glibc has had a bunch) I hope we > would see more of that when we finally get it upstream. So I think a > better question is, how many apps will need WRSS when they go to enable > shadow stack. I'm thinking the answer must be some and it could be nice > to catch them when they first investigate enabling it. > > But yes, except for Mike's CRIU branch, there aren't any programs that > use it today, and we could drop it for a first implementation. I don't > see it as something that would only make things less safe though. It > just lets apps that can't easily work within the stricter shadow stack > environment, at least get access to a weaker but still beneficial one. > > Kees, did you catch that it can be locked off while enabling shadow > stack? Yup, saw that! Looks good. Thanks. :) -- Kees Cook
