Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2528559imm; Thu, 7 Jun 2018 12:10:28 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJ+ZoP8QxfjZOXC8fwGeGYAE5fNl84kYtFOTq3ZOCF08yUcCEC82X3joTk2FNgCMq+q28Eq X-Received: by 2002:a17:902:369:: with SMTP id 96-v6mr3305561pld.64.1528398628877; Thu, 07 Jun 2018 12:10:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528398628; cv=none; d=google.com; s=arc-20160816; b=XBdjKccZBfUq8u/ffHPy8IyZ21H3hh5+8r/daXl4QGkLGDXtcm+MgMRQ0vdCTKJ7T8 JVvw7KQMbMZjp24j1kqr7DkbCvm46y2SR803eXy8Cyz/MkI0RP/BYoEdxthH77hkVFs3 MTPl4lU5kixF0BMAgAantPLoQiSAoa4WSD2VGGQtq+aE0JSfHfWjEOk7yQRqb/dLcDkz 1NQnKNI6bHON1Ver8y23NXlDJyAYZEQrB9jdra+zRRMPVbbu79mrjQpPZXHVnd9oxTgV 5DothD9Vd/p7857keAuelV8hGJHhT0xcXm1t/x/ZrUAz+Rs2M36ZF4Bff3rrJYYcXl9L EgAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=qzqWiQT2oZrLDjIikNpqBRWvckKwqrDY4IJVKk11ZOE=; b=ZSJOsGyoqj8eAOr32/ffki0SOO6ir0F20eS5bt8k9iLebXBKu9j1Xb6gPenmlTDtnX nmf1GFJT6QE5cvSun4WRTF1QTlWGQeQe48ue+x5totVnnvpyiM/oR3K2JOTn/HvDV2aF hkXym/pNLDPveFbKWQBR2h/e5r02Tsm2wX1Cz739wqWf4LWEfMBefOEAOpS9LeK8AyYT WrvPIC+x8cEc6/LpE1jycmZVkajGAjqSAI8vlMuf+1SvivIXSYuX/7pUuFcB8IEdhRP8 6iuL8O35jQXUOcecYZzvzMXwFgIj6gm1QURs/NzOWXyJObvXYaVwXEgMCLvLmk9NCViL f+2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BgYT53Bo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c12-v6si17410619pll.75.2018.06.07.12.10.14; Thu, 07 Jun 2018 12:10:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BgYT53Bo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935698AbeFGSWJ (ORCPT + 99 others); Thu, 7 Jun 2018 14:22:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:60242 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933152AbeFGSWG (ORCPT ); Thu, 7 Jun 2018 14:22:06 -0400 Received: from mail-wm0-f44.google.com (mail-wm0-f44.google.com [74.125.82.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 53182208B0 for ; Thu, 7 Jun 2018 18:22:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528395725; bh=87KrFrL2yob3soM7BqH5pKZFRV5AMt3+eqpsu7DlzDQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=BgYT53BoDnbqFh64eh3IkOS2jor5WmSJe2V+MRYuPccpvEs4yvb8e2aUodAq5ru1/ kh7MAIAF+e+jcw6/MUzu5zmjqbWjVx9HtdqM3vRRcV33sQsNrK5S3gBtVrlLZPgCBX REc83hyVBOE5kU2byaJ8Eb7ANw2mmbBRMCRiG/6c= Received: by mail-wm0-f44.google.com with SMTP id x6-v6so19628123wmc.3 for ; Thu, 07 Jun 2018 11:22:05 -0700 (PDT) X-Gm-Message-State: APt69E0kFjAz5fkUOqP59c+/zmFSE1/hcEuBxQ7qWLJj3/mObevFuSEa XBJfLlFjeA0R0J1hn8A4Y4GIhM0ohVIiyX0AKdDrfQ== X-Received: by 2002:a1c:34c9:: with SMTP id b192-v6mr2478788wma.21.1528395723668; Thu, 07 Jun 2018 11:22:03 -0700 (PDT) MIME-Version: 1.0 References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-5-yu-cheng.yu@intel.com> In-Reply-To: <20180607143807.3611-5-yu-cheng.yu@intel.com> From: Andy Lutomirski Date: Thu, 7 Jun 2018 11:21:51 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 04/10] x86/cet: Handle thread shadow stack To: Yu-cheng Yu , Florian Weimer Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu wrote: > > When fork() specifies CLONE_VM but not CLONE_VFORK, the child > needs a separate program stack and a separate shadow stack. > This patch handles allocation and freeing of the thread shadow > stack. Aha -- you're trying to make this automatic. I'm not convinced this is a good idea. The Linux kernel has a long and storied history of enabling new hardware features in ways that are almost entirely useless for userspace. Florian, do you have any thoughts on how the user/kernel interaction for the shadow stack should work? My intuition would be that all shadow stack management should be entirely controlled by userspace -- newly cloned threads (with CLONE_VM) should have no shadow stack initially, and newly started processes should have no shadow stack until they ask for one. If it would be needed for optimization, there could some indication in an ELF binary that it is requesting an initial shadow stack. But maybe some kind of automation like this patch does is actually reasonable. --Andy