On Tue, 2023-06-13 at 16:15 +0100, Mark Brown wrote: > > I would expect the integration with stack switching and unwinding > > differs between architectures even if the core mechanism is > > similar. > > It's probably tempting to handle shadow stack placement > > differently, > > too. > > Yeah, there's likely to be some differences (though given the amount > of > discussion on the x86 implementation I'm trying to follow the > decisions > there as much as reasonable on the basis that we should hopefully > come > to the same conclusions). It seemed worth mentioning as a needless > bump, OTOH I defninitely don't see it as critical. Two things that came up as far as unifying the interface were: 1. The map_shadow_stack syscall x86 shadow stack does some optional pre-populating of the shadow stack memory. And in additional not all types of memory are supported (private anonymous only). This is partly to strengthen the security (which might be a cross-arch thing) and also partly due to x86's Write=0,Dirty=1 PTE bit combination. So a new syscall fit better. Some core-mm folks were not super keen on overloading mmap() to start doing things like writing to the memory being mapped, as well. 2. The arch_prctl() interface While enable and disable might be shared, there are some arch-specific stuff for x86 like enabling the WRSS instruction. For x86 all of the exercising of the kernel interface was in arch specific code, so unifying the kernel interface didn't save much on the user side. If there turns out to be some unification opportunities when everything is explored and decided on, we could have the option of tying x86's feature into it later. I think the map_shadow_stack syscall had the most debate. But the arch_prctl() was mostly agreed on IIRC. The debate was mostly with glibc folks and the riscv shadow stack developer. For my part, the thing I would really like to see unified as much as possible is at the app developer's interface (glibc/gcc). The idea would be to make it easy for app developers to know if their app supports shadow stack. There will probably be some differences, but it would be great if there was mostly the same behavior and a small list of differences. I'm thinking about the behavior of longjmp(), swapcontext(), etc.
