Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp400164imm; Thu, 7 Jun 2018 21:39:12 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJvqafTSXk8PbOWOcZ7+ZxAXzt5VEOdbzkrBMBW5uC6b00f8qWIB32/KWHPVPxPOiVwdm6B X-Received: by 2002:a63:66c3:: with SMTP id a186-v6mr3821344pgc.408.1528432752491; Thu, 07 Jun 2018 21:39:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528432752; cv=none; d=google.com; s=arc-20160816; b=Ho9or7YwJKGegFfAHFHv/20GtXEk0jPi6lLtYuEMWDV1ehbl01XYCE0Rlb9qJcFA73 1qg3aJ2Zw5desuJaV9anMPc4nsDqptu4a8oKkBIXzLW9zYLSOWzoG5HoqkioMpAkmemW rcw/aPY6/ACgbaUfkradmi5PLzMg/HC/5FaRDY+keDy9ZjcL3rkx1D+BnxHYV10A5mzD jj/SA0EVKICb/iYiA5mmE8KgcPZK5UG+4rDZsp62jnRMJC6KOMPLjBoszJahm0H8J1VG KVyLFPx2wpDWX9SlIVxRl2AxAvgEhqhONZgUWrdyG75OtWpGe/50zbPMkFIwQww6IT45 btrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=9moBiWMp/6ov1JYyhI2DiqPhnAVG6KbrSPsgj4MrtqY=; b=uLnCxLbIcvHUMss6eMbIzX5Quy8ZgPuzRvxFyrBBPkKydQORoK/9JX4nGQo/PPHbLQ P8tmOVOOsitWBCM7pqDpE6wj1AF6kPA4/Ysvih2vWZap/qyCrRNGL4lcfbXILL4TKTPK dSv9/wRqa8+V/v5OtLZPhFGywebnyzEamKWpz+0H6QGYF/ouo9Dqc4+C0h0h8klGe9NG /itigjzzr3p3DsFFTRLrDZq4a0GVdqTNS6HGDAAJJaEGy0h8EAL7MhsKPW7xFuNszsXe 5JAhfqIjuS+kzMPadob1IAVoJ+UjUF0K6zRgIKju2ZMLZtHR5TeHlfar6cRkVAAMG4xV ykFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MbqOl+Dh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x135-v6si17226309pgx.424.2018.06.07.21.38.58; Thu, 07 Jun 2018 21:39:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MbqOl+Dh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751234AbeFHEiT (ORCPT + 99 others); Fri, 8 Jun 2018 00:38:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:47186 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750829AbeFHEiR (ORCPT ); Fri, 8 Jun 2018 00:38:17 -0400 Received: from mail-wm0-f52.google.com (mail-wm0-f52.google.com [74.125.82.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 533F520895 for ; Fri, 8 Jun 2018 04:38:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528432696; bh=lPdBK5FFP8eQWZExAdb9H7HnZzyQ6rQLjxpLJ8Ru4eM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=MbqOl+DhxsfXHG14X4161IAtmaMYTfYPcoKN7v/c+r1ynmH81lTCdFe/H1XAufbsK c+dxLBjYDyZEFQ299OoJufRrQaLfpZ8mxSzAX+lEJmUaGOfs4Q6XxOc7raIHXiO2BS QHz+6wzoLjVsI90+16PwMh7mU6BHRt6rWGb83CzE= Received: by mail-wm0-f52.google.com with SMTP id 69-v6so1060016wmf.3 for ; Thu, 07 Jun 2018 21:38:16 -0700 (PDT) X-Gm-Message-State: APt69E3dIm/AQnqL4NAhpCuh+8GjljfhS9L9p/CTaCnQjkXav0hJ49bq yX7rev1Lo7QPPaetGs24bT7O/2T5v9s11OwogPz46g== X-Received: by 2002:a1c:4a9d:: with SMTP id n29-v6mr314605wmi.46.1528432694803; Thu, 07 Jun 2018 21:38:14 -0700 (PDT) MIME-Version: 1.0 References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-7-yu-cheng.yu@intel.com> <1528403417.5265.35.camel@2b52.sc.intel.com> In-Reply-To: From: Andy Lutomirski Date: Thu, 7 Jun 2018 21:38:03 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack To: "H. J. Lu" Cc: Andrew Lutomirski , Yu-cheng Yu , LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 7, 2018 at 9:10 PM H.J. Lu wrote: > > On Thu, Jun 7, 2018 at 4:01 PM, Andy Lutomirski wrote: > > On Thu, Jun 7, 2018 at 3:02 PM H.J. Lu wrote: > >> > >> On Thu, Jun 7, 2018 at 2:01 PM, Andy Lutomirski wrote: > >> > On Thu, Jun 7, 2018 at 1:33 PM Yu-cheng Yu wrote: > >> >> > >> >> On Thu, 2018-06-07 at 11:48 -0700, Andy Lutomirski wrote: > >> >> > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu wrote: > >> >> > > > >> >> > > The following operations are provided. > >> >> > > > >> >> > > ARCH_CET_STATUS: > >> >> > > return the current CET status > >> >> > > > >> >> > > ARCH_CET_DISABLE: > >> >> > > disable CET features > >> >> > > > >> >> > > ARCH_CET_LOCK: > >> >> > > lock out CET features > >> >> > > > >> >> > > ARCH_CET_EXEC: > >> >> > > set CET features for exec() > >> >> > > > >> >> > > ARCH_CET_ALLOC_SHSTK: > >> >> > > allocate a new shadow stack > >> >> > > > >> >> > > ARCH_CET_PUSH_SHSTK: > >> >> > > put a return address on shadow stack > >> >> > > > >> >> > > ARCH_CET_ALLOC_SHSTK and ARCH_CET_PUSH_SHSTK are intended only for > >> >> > > the implementation of GLIBC ucontext related APIs. > >> >> > > >> >> > Please document exactly what these all do and why. I don't understand > >> >> > what purpose ARCH_CET_LOCK and ARCH_CET_EXEC serve. CET is opt in for > >> >> > each ELF program, so I think there should be no need for a magic > >> >> > override. > >> >> > >> >> CET is initially enabled if the loader has CET capability. Then the > >> >> loader decides if the application can run with CET. If the application > >> >> cannot run with CET (e.g. a dependent library does not have CET), then > >> >> the loader turns off CET before passing to the application. When the > >> >> loader is done, it locks out CET and the feature cannot be turned off > >> >> anymore until the next exec() call. > >> > > >> > Why is the lockout necessary? If user code enables CET and tries to > >> > run code that doesn't support CET, it will crash. I don't see why we > >> > need special code in the kernel to prevent a user program from calling > >> > arch_prctl() and crashing itself. There are already plenty of ways to > >> > do that :) > >> > >> On CET enabled machine, not all programs nor shared libraries are > >> CET enabled. But since ld.so is CET enabled, all programs start > >> as CET enabled. ld.so will disable CET if a program or any of its shared > >> libraries aren't CET enabled. ld.so will lock up CET once it is done CET > >> checking so that CET can't no longer be disabled afterwards. > > > > Yeah, I got that. No one has explained *why*. > > It is to prevent malicious code from disabling CET. > By the time malicious code issue its own syscalls, you've already lost the battle. I could probably be convinced that a lock-CET-on feature that applies *only* to the calling thread and is not inherited by clone() is a decent idea, but I'd want to see someone who understands the state of the art in exploit design justify it. You're also going to need to figure out how to make CRIU work if you allow locking CET on. A priori, I think we should just not provide a lock mechanism. > > (Also, shouldn't the vDSO itself be marked as supporting CET?) > > No. vDSO is loaded by kernel. vDSO in CET kernel is CET > compatible. > I think the vDSO should do its best to act like a real DSO. That means that, if the vDSO supports CET, it should advertise support for CET using the Linux ABI. Since you're going to require GCC 8 anyway, this should be a single line of code in the Makefile.