From: Mark Brown <broonie@kernel.org>
To: Stefan O'Rear <sorear@fastmail.com>
Cc: Rick P Edgecombe <rick.p.edgecombe@intel.com>,
Rich Felker <dalias@libc.org>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Szabolcs Nagy <Szabolcs.Nagy@arm.com>,
"musl@lists.openwall.com" <musl@lists.openwall.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Jonathan Corbet <corbet@lwn.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"kvmarm@lists.linux.dev" <kvmarm@lists.linux.dev>,
Oliver Upton <oliver.upton@linux.dev>,
Palmer Dabbelt <palmer@dabbelt.com>, debug <debug@rivosinc.com>,
Albert Ou <aou@eecs.berkeley.edu>,
"shuah@kernel.org" <shuah@kernel.org>,
Arnd Bergmann <arnd@arndb.de>, Marc Zyngier <maz@kernel.org>,
"oleg@redhat.com" <oleg@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
Kees Cook <keescook@chromium.org>,
James Morse <james.morse@arm.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Will Deacon <will@kernel.org>,
Christian Brauner <brauner@kernel.org>,
Thiago Jung Bauermann <thiago.bauermann@linaro.org>,
"H.J. Lu" <hjl.tools@gmail.com>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
Paul Walmsley <paul.walmsley@sifive.com>,
Ard Biesheuvel <ardb@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>
Subject: Re: [musl] Re: [PATCH v8 00/38] arm64/gcs: Provide support for GCS in userspace
Date: Wed, 21 Feb 2024 00:40:16 +0000 [thread overview]
Message-ID: <4be8dc73-4873-44e5-8ef6-62e55d5023a7@sirena.org.uk> (raw)
In-Reply-To: <063acc75-ea1d-4dd3-aecb-e5c8884005db@app.fastmail.com>
[-- Attachment #1: Type: text/plain, Size: 2676 bytes --]
On Tue, Feb 20, 2024 at 06:59:58PM -0500, Stefan O'Rear wrote:
> On Tue, Feb 20, 2024, at 6:30 PM, Edgecombe, Rick P wrote:
> > Maybe I'm misunderstanding. I thought the proposal included allowing
> > shadow stack access to convert normal address ranges to shadow stack,
> > and normal writes to convert shadow stack to normal.
> Ideally for riscv only writes would cause conversion, an incssp underflow
> which performs shadow stack reads would be able to fault early.
> For arm, since a syscall is needed anyway to set up the token in a new
> shadow stack region, it would make sense for conversion from non-shadow
> to shadow usage to never be automatic.
Well, we only need the token to pivot in userspace so we could
*potentially* work something out as part of the conversion process.
It's not filling me with enthusiasm though, and I've certainly not
actually thought it through yet.
> > I agree though that the late allocation failures are not great. Mark is
> > working on clone3 support which should allow moving the shadow stack
> > allocation to happen in userspace with the normal stack. Even for riscv
> > though, doesn't it need to update a new register in stack switching?
> > BTW, x86 shadow stack has a mode where the shadow stack is writable
> > with a special instruction (WRSS). It enables the SSP to be set
> > arbitrarily by writing restore tokens. We discussed this as an option
> > to make the existing longjmp() and signal stuff work more transparently
> > for glibc.
We have this feature on arm64 too, plus a separately controllable push
instruction (though that's less useful here).
> > BTW, when I talk about "not supporting" I don't mean the app should
> > crash. I mean it should instead run normally, just without shadow stack
> > enabled. Not sure if that was clear. Since shadow stack is not
> > essential for an application to function, it is only security hardening
> > on top.
> I appreciate that. How far can we go in that direction? If we can
> automatically disable shadow stacks on any call to makecontext, sigaltstack,
> or pthread_attr_setstack without causing other threads to crash if they were
> in the middle of shadow stack maintenance we can probably simplify this
> proposal, although I need to think more about what's possible.
Aside from concerns about disabling over all the threads in the process
(which should be solvable if annoying) this would be incompatible with
policies which prevent disabling of shadow stacks, and it feels like it
might end up being a gadget people could use which will concern some
people. There's a tension here between compatibility and the security
applications of these features.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2024-02-21 0:43 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org>
2024-02-20 16:36 ` Stefan O'Rear
2024-02-20 18:41 ` Edgecombe, Rick P
2024-02-20 18:57 ` Rich Felker
2024-02-20 23:30 ` Edgecombe, Rick P
2024-02-20 23:54 ` dalias
2024-02-21 0:35 ` Edgecombe, Rick P
2024-02-21 0:44 ` Mark Brown
2024-02-21 1:27 ` dalias
2024-02-21 2:11 ` Edgecombe, Rick P
2024-02-21 4:18 ` Edgecombe, Rick P
2024-02-21 13:53 ` Mark Brown
2024-02-21 14:58 ` dalias
2024-02-21 17:36 ` Mark Brown
2024-02-21 17:57 ` dalias
2024-02-21 18:12 ` Edgecombe, Rick P
2024-02-21 18:30 ` dalias
2024-02-21 18:53 ` Edgecombe, Rick P
2024-02-21 19:06 ` dalias
2024-02-21 19:22 ` Edgecombe, Rick P
2024-02-21 20:18 ` H.J. Lu
2024-02-21 20:25 ` H.J. Lu
2024-02-21 21:12 ` H.J. Lu
2024-02-21 20:18 ` dalias
2024-02-22 13:57 ` Mark Brown
2024-02-21 18:32 ` Mark Brown
2024-02-21 19:10 ` dalias
2024-03-02 14:57 ` Szabolcs Nagy
2024-03-02 15:05 ` H.J. Lu
2024-03-14 14:03 ` Mark Brown
2024-02-20 23:59 ` Stefan O'Rear
2024-02-21 0:40 ` Mark Brown [this message]
2024-02-21 4:30 ` Edgecombe, Rick P
2024-02-20 20:14 ` Mark Brown
2024-02-20 23:30 ` Edgecombe, Rick P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4be8dc73-4873-44e5-8ef6-62e55d5023a7@sirena.org.uk \
--to=broonie@kernel.org \
--cc=Szabolcs.Nagy@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dalias@libc.org \
--cc=debug@rivosinc.com \
--cc=ebiederm@xmission.com \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=maz@kernel.org \
--cc=musl@lists.openwall.com \
--cc=oleg@redhat.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=rick.p.edgecombe@intel.com \
--cc=shuah@kernel.org \
--cc=sorear@fastmail.com \
--cc=suzuki.poulose@arm.com \
--cc=thiago.bauermann@linaro.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).