From: "H.J. Lu" <hjl.tools@gmail.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "dalias@libc.org" <dalias@libc.org>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
"suzuki.poulose@arm.com" <suzuki.poulose@arm.com>,
"Szabolcs.Nagy@arm.com" <Szabolcs.Nagy@arm.com>,
"musl@lists.openwall.com" <musl@lists.openwall.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
"kvmarm@lists.linux.dev" <kvmarm@lists.linux.dev>,
"corbet@lwn.net" <corbet@lwn.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
"broonie@kernel.org" <broonie@kernel.org>,
"oliver.upton@linux.dev" <oliver.upton@linux.dev>,
"palmer@dabbelt.com" <palmer@dabbelt.com>,
"debug@rivosinc.com" <debug@rivosinc.com>,
"aou@eecs.berkeley.edu" <aou@eecs.berkeley.edu>,
"shuah@kernel.org" <shuah@kernel.org>,
"arnd@arndb.de" <arnd@arndb.de>,
"maz@kernel.org" <maz@kernel.org>,
"oleg@redhat.com" <oleg@redhat.com>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"james.morse@arm.com" <james.morse@arm.com>,
"ebiederm@xmission.com" <ebiederm@xmission.com>,
"will@kernel.org" <will@kernel.org>,
"brauner@kernel.org" <brauner@kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"paul.walmsley@sifive.com" <paul.walmsley@sifive.com>,
"ardb@kernel.org" <ardb@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"thiago.bauermann@linaro.org" <thiago.bauermann@linaro.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"sorear@fastmail.com" <sorear@fastmail.com>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>
Subject: Re: [musl] Re: [PATCH v8 00/38] arm64/gcs: Provide support for GCS in userspace
Date: Wed, 21 Feb 2024 12:18:37 -0800 [thread overview]
Message-ID: <CAMe9rOoUO-D7Uoj9s3eq+w9pJBZ=iucEDpU4hqtJYtPmW5T4dQ@mail.gmail.com> (raw)
In-Reply-To: <e3a432c0fa9f5fe837e9d2fc7b36304709a34428.camel@intel.com>
On Wed, Feb 21, 2024 at 11:22 AM Edgecombe, Rick P
<rick.p.edgecombe@intel.com> wrote:
>
> On Wed, 2024-02-21 at 14:06 -0500, dalias@libc.org wrote:
> > Due to arbitrarily nestable signal frames, no, this does not suffice.
> > An interrupted operation using the lock could be arbitrarily delayed,
> > even never execute again, making any call to dlopen deadlock.
>
> Doh! Yep, it is not robust to this. The only thing that could be done
> would be a timeout in dlopen(). Which would make the whole thing just
> better than nothing.
>
> >
> > >
> >
> > It's fine to turn RDSSP into an actual emulated read of the SSP, or
> > at
> > least an emulated load of zero so that uninitialized data is not left
> > in the target register.
>
> We can't intercept RDSSP, but it becomes a NOP by default. (disclaimer
> x86-only knowledge).
>
> > If doing the latter, code working with the
> > shadow stack just needs to be prepared for the possibility that it
> > could be async-disabled, and check the return value.
> >
> > I have not looked at all the instructions that become #UD but I
> > suspect they all have reasonable trivial ways to implement a
> > "disabled" version of them that userspace can act upon reasonably.
>
> This would have to be thought through functionally and performance
> wise. I'm not opposed if can come up with a fully fleshed out plan. How
> serious are you in pursuing musl support, if we had something like
> this?
>
> HJ, any thoughts on whether glibc would use this as well?
Assuming that we are talking about permissive mode, if kernel can
suppress UD, we don't need to disable SHSTK. Glibc can enable
ARCH_SHSTK_SUPPRESS_UD instead.
> It is probably worth mentioning that from the security side (as Mark
> mentioned there is always tension in the tradeoffs on these features),
> permissive mode is seen by some as something that weakens security too
> much. Apps could call dlopen() on a known unsupported DSO before doing
> ROP. I don't know if you have any musl users with specific shadow stack
> use cases to ask about this.
--
H.J.
next prev parent reply other threads:[~2024-02-21 20:19 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org>
2024-02-20 16:36 ` Stefan O'Rear
2024-02-20 18:41 ` Edgecombe, Rick P
2024-02-20 18:57 ` Rich Felker
2024-02-20 23:30 ` Edgecombe, Rick P
2024-02-20 23:54 ` dalias
2024-02-21 0:35 ` Edgecombe, Rick P
2024-02-21 0:44 ` Mark Brown
2024-02-21 1:27 ` dalias
2024-02-21 2:11 ` Edgecombe, Rick P
2024-02-21 4:18 ` Edgecombe, Rick P
2024-02-21 13:53 ` Mark Brown
2024-02-21 14:58 ` dalias
2024-02-21 17:36 ` Mark Brown
2024-02-21 17:57 ` dalias
2024-02-21 18:12 ` Edgecombe, Rick P
2024-02-21 18:30 ` dalias
2024-02-21 18:53 ` Edgecombe, Rick P
2024-02-21 19:06 ` dalias
2024-02-21 19:22 ` Edgecombe, Rick P
2024-02-21 20:18 ` H.J. Lu [this message]
2024-02-21 20:25 ` H.J. Lu
2024-02-21 21:12 ` H.J. Lu
2024-02-21 20:18 ` dalias
2024-02-22 13:57 ` Mark Brown
2024-02-21 18:32 ` Mark Brown
2024-02-21 19:10 ` dalias
2024-03-02 14:57 ` Szabolcs Nagy
2024-03-02 15:05 ` H.J. Lu
2024-03-14 14:03 ` Mark Brown
2024-02-20 23:59 ` Stefan O'Rear
2024-02-21 0:40 ` Mark Brown
2024-02-21 4:30 ` Edgecombe, Rick P
2024-02-20 20:14 ` Mark Brown
2024-02-20 23:30 ` Edgecombe, Rick P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMe9rOoUO-D7Uoj9s3eq+w9pJBZ=iucEDpU4hqtJYtPmW5T4dQ@mail.gmail.com' \
--to=hjl.tools@gmail.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dalias@libc.org \
--cc=debug@rivosinc.com \
--cc=ebiederm@xmission.com \
--cc=fweimer@redhat.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=maz@kernel.org \
--cc=musl@lists.openwall.com \
--cc=oleg@redhat.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=rick.p.edgecombe@intel.com \
--cc=shuah@kernel.org \
--cc=sorear@fastmail.com \
--cc=suzuki.poulose@arm.com \
--cc=thiago.bauermann@linaro.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).