Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp64225imm; Thu, 7 Jun 2018 13:54:35 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJ1rLxNYhxWfq7m+NBS2m31U8rPT0Sh0rArqrsBeNPzSs0oLHU0jlPA0PVAeNXFuWqvw35G X-Received: by 2002:a65:4587:: with SMTP id o7-v6mr2822358pgq.386.1528404875670; Thu, 07 Jun 2018 13:54:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528404875; cv=none; d=google.com; s=arc-20160816; b=Snf9TvapjJiw17Bl9cZQ1HrXbC7vKJGXSUQUNL/xv0XpcHBhx+fh4iwnoFBqrmTyvv 1P2BXjsiaSdlR8gTGj4P5rqgOsnP4jE6ZkxL4J0ugxcE+faqglQ7Z+e8DqjUNxZt5WL2 ktULaPvjq4ZdHGg0ElNa7HtMC6pYb+Voug3zVAYJRSY+fRGZYIIN2YJ+P4t9cv7q6SS/ DBHsIZOi142K79utwHcw3zV/hEFopLldc6yjiN7RVoz5OUZNaz9Zy/mJWu9PU/7oARqm hl4Alt8YbDSly+O831rhdlWYe46BjJHV7rQcSvnQw51ozUrn4pXvJPCZNvrhUjZwS5qt 1sxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature:arc-authentication-results; bh=Eibr2llKxC8g0OM+65JEfpbnogU+LtOCD0CUcq4zcUs=; b=eL0Yb46N0T5kvROGNJ0EF947x3FSfognMcbKLsXt2NOMHThnOHcKv0U3u+dQajT3Af zmC8gDviUdGG9cZheZOrwB9N8LVjv5QXBYW6wJO4QtM011G0tJtoe1VBcpde9Wu2+FZb Od/0OolbXljMxdCJQq6xW4ZT2v/i7WfzFeg1ZRYkpULIeCh5/clF2X0MvumUOY80sCwM GrsaW8vELlutyX842qozJyzNQuE1GCLXxu4/uHFdZdR7QRa2b5HnFct1R1BTe9nd0PG2 /bgntObSS4gH+JXz8VHfPxi4QgIyVkQJTvdOJqEggRy6OEUdGZWhAkePhfpfPb/xoP/X uXsQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=cP6MLTon; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c24-v6si54308595plo.489.2018.06.07.13.54.21; Thu, 07 Jun 2018 13:54:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=cP6MLTon; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932471AbeFGUx6 (ORCPT + 99 others); Thu, 7 Jun 2018 16:53:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:40948 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753260AbeFGUx4 (ORCPT ); Thu, 7 Jun 2018 16:53:56 -0400 Received: from mail-wr0-f178.google.com (mail-wr0-f178.google.com [209.85.128.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 90A76208B2 for ; Thu, 7 Jun 2018 20:53:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528404835; bh=kIDoHe33oqzBtjUlSVvhJ4ihMwGu5pSiq6i65T1FsKg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=cP6MLTonwjWllFuTqgglaTDFopBrXji1V36oapxPoHSZnnQzU9agXTdPOVkUDalOq FBrn+VzNCBHds2T4Pk8UWxptDIhj3KyP8/ibsQhGRBLRYKcswxVQde8C8tLuA6wkWP nzBd7LPhd5geDvpmTwJZ4V3gzEH5+GZ5YJBcag/A= Received: by mail-wr0-f178.google.com with SMTP id h10-v6so11183584wrq.8 for ; Thu, 07 Jun 2018 13:53:55 -0700 (PDT) X-Gm-Message-State: APt69E1HH0IYSyURzy5+7I61anUBLoM6ZNzW7DIh+5FrCKuPoCmppNZ8 4cMFWgje3DxePfGb0C1xe/dGFH+zcW03ojV/MroImw== X-Received: by 2002:adf:b445:: with SMTP id v5-v6mr2780352wrd.67.1528404833918; Thu, 07 Jun 2018 13:53:53 -0700 (PDT) MIME-Version: 1.0 References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-5-yu-cheng.yu@intel.com> <3c1bdf85-0c52-39ed-a799-e26ac0e52391@redhat.com> In-Reply-To: <3c1bdf85-0c52-39ed-a799-e26ac0e52391@redhat.com> From: Andy Lutomirski Date: Thu, 7 Jun 2018 13:53:41 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 04/10] x86/cet: Handle thread shadow stack To: Florian Weimer Cc: Andrew Lutomirski , Yu-cheng Yu , LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 7, 2018 at 12:47 PM Florian Weimer wrote: > > On 06/07/2018 08:21 PM, Andy Lutomirski wrote: > > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu wrot= e: > >> > >> When fork() specifies CLONE_VM but not CLONE_VFORK, the child > >> needs a separate program stack and a separate shadow stack. > >> This patch handles allocation and freeing of the thread shadow > >> stack. > > > > Aha -- you're trying to make this automatic. I'm not convinced this > > is a good idea. The Linux kernel has a long and storied history of > > enabling new hardware features in ways that are almost entirely > > useless for userspace. > > > > Florian, do you have any thoughts on how the user/kernel interaction > > for the shadow stack should work? > > I have not looked at this in detail, have not played with the emulator, > and have not been privy to any discussions before these patches have > been posted, however =E2=80=A6 > > I believe that we want as little code in userspace for shadow stack > management as possible. One concern I have is that even with the code > we arguably need for various kinds of stack unwinding, we might have > unwittingly built a generic trampoline that leads to full CET bypass. I was imagining an API like "allocate a shadow stack for the current thread, fail if the current thread already has one, and turn on the shadow stack". glibc would call clone and then call this ABI pretty much immediately (i.e. before making any calls from which it expects to return). We definitely want strong enough user control that tools like CRIU can continue to work. I haven't looked at the SDM recently enough to remember for sure, but I'm reasonably confident that user code can learn the address of its own shadow stack. If nothing else, CRIU needs to be able to restore from a context where there's a signal on the stack and the signal frame contains a shadow stack pointer. > > I also expect that we'd only have donor mappings in userspace anyway, > and that the memory is not actually accessible from userspace if it is > used for a shadow stack. > > > My intuition would be that all > > shadow stack management should be entirely controlled by userspace -- > > newly cloned threads (with CLONE_VM) should have no shadow stack > > initially, and newly started processes should have no shadow stack > > until they ask for one. > > If the new thread doesn't have a shadow stack, we need to disable > signals around clone, and we are very likely forced to rewrite the early > thread setup in assembler, to avoid spurious calls (including calls to > thunks to get EIP on i386). I wouldn't want to do this If we can avoid > it. Just using C and hoping to get away with it doesn't sound greater, > either. And obviously there is the matter that the initial thread setup > code ends up being that universal trampoline. > Only if the trampoline works if the shadow stack is already enabled. I could very easily be convinced that automatic shadow stack setup is a good idea, but I still think we need manual control for CRIU and such.