From: "H.J. Lu"
Date: Tue, 12 Jun 2018 04:43:49 -0700
Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack
To: Thomas Gleixner
Cc: Andy Lutomirski, Yu-cheng Yu, LKML, linux-doc@vger.kernel.org, Linux-MM, linux-arch, X86 ML, "H. Peter Anvin", Ingo Molnar, "Shanbhogue, Vedvyas", "Ravi V. Shankar", Dave Hansen, Jonathan Corbet, Oleg Nesterov, Arnd Bergmann, mike.kravetz@oracle.com
References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-7-yu-cheng.yu@intel.com> <1528403417.5265.35.camel@2b52.sc.intel.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Jun 12, 2018 at 3:03 AM, Thomas Gleixner wrote:
> On Thu, 7 Jun 2018, H.J. Lu wrote:
>> On Thu, Jun 7, 2018 at 2:01 PM, Andy Lutomirski wrote:
>> > Why is the lockout necessary? If user code enables CET and tries to
>> > run code that doesn't support CET, it will crash. I don't see why we
>> > need special code in the kernel to prevent a user program from calling
>> > arch_prctl() and crashing itself. There are already plenty of ways to
>> > do that :)
>>
>> On a CET enabled machine, not all programs nor shared libraries are
>> CET enabled. But since ld.so is CET enabled, all programs start
>> as CET enabled. ld.so will disable CET if a program or any of its shared
>> libraries aren't CET enabled. ld.so will lock up CET once it is done with
>> CET checking so that CET can no longer be disabled afterwards.
>
> That works for stuff which loads all libraries at start time, but what
> happens if the program uses dlopen() later on? If CET is force locked and
> the library is not CET enabled, it will fail.

That is to prevent disabling CET by dlopening a legacy shared library.

> I don't see the point of trying to support CET by magic. It adds complexity
> and you'll never be able to handle all corner cases correctly. dlopen() is
> not even a corner case.

That is a price we pay for security. To enable CET, especially shadow
stack, the program and all of the shared libraries it uses should be CET
enabled. Most programs can be enabled with CET by compiling them with
-fcf-protection.

> Occasionally stuff needs to be recompiled to utilize new mechanisms, see
> retpoline ...
>
> Thanks,
>
> tglx
>

-- 
H.J.
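The thread describes a start-up policy (every object must be CET enabled or the feature is dropped, then the decision is locked so a later dlopen() of a legacy library is refused rather than silently disabling CET) without showing what "CET enabled" is checked against. The following is an added example, not code from the thread, from glibc or from the kernel patch series: it parses the `.note.gnu.property` section that `-fcf-protection` builds emit, reads the `GNU_PROPERTY_X86_FEATURE_1_AND` entry (constants from the x86 psABI), and models the AND-across-all-objects and post-lock dlopen decisions in a few lines. The note bytes are constructed inline for the demonstration, and the function names `cet_for_process`/`dlopen_allowed` are a simplified model of the behaviour the thread describes, not ld.so's real implementation.

```python
import struct

# Constants from the ELF gABI and the x86-64 psABI (not from the thread).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1
CET_ALL = GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_property_note(feature_bits, elfclass=64):
    """Constructed sample input: the bytes of a .note.gnu.property section
    holding one GNU_PROPERTY_X86_FEATURE_1_AND entry, laid out the way the
    assembler emits it for objects built with -fcf-protection."""
    align = 8 if elfclass == 64 else 4
    name = b"GNU\0"
    pr_data = struct.pack("<I", feature_bits)
    entry = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, len(pr_data)) + pr_data
    entry += b"\0" * (_align(len(entry), align) - len(entry))
    header = struct.pack("<III", len(name), len(entry), NT_GNU_PROPERTY_TYPE_0)
    return header + name + entry


def parse_x86_feature_1_and(note, elfclass=64):
    """Walk a .note.gnu.property blob and return the X86_FEATURE_1_AND mask.
    An object whose note lacks the entry, or that has no note at all, yields
    0 and is therefore treated as not CET enabled."""
    align = 8 if elfclass == 64 else 4
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz]
        desc_off = _align(off + 12 + namesz, 4)
        desc_end = desc_off + descsz
        if desc_end > len(note):
            break  # truncated note: reject rather than read past the blob
        if ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0":
            p = desc_off
            while p + 8 <= desc_end:
                pr_type, pr_datasz = struct.unpack_from("<II", note, p)
                p += 8
                if p + pr_datasz > desc_end:
                    break  # malformed property entry
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    return struct.unpack_from("<I", note, p)[0]
                p += _align(pr_datasz, align)
        off = _align(desc_end, align)
    return 0


def cet_for_process(notes, elfclass=64):
    """Hypothetical model of the start-up policy in the thread: start with
    every CET feature enabled and keep a feature only if the executable and
    all of its shared libraries carry that bit (AND across all objects)."""
    enabled = CET_ALL
    for blob in notes:
        enabled &= parse_x86_feature_1_and(blob, elfclass)
    return enabled


def dlopen_allowed(locked_features, note, elfclass=64):
    """Once CET is locked, a dlopen() of an object lacking any locked feature
    must be refused instead of silently disabling that feature."""
    return (parse_x86_feature_1_and(note, elfclass) & locked_features) == locked_features


def describe(bits):
    return {"ibt": bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


if __name__ == "__main__":
    exe = build_property_note(CET_ALL)          # constructed: CET-enabled executable
    libc = build_property_note(CET_ALL)         # constructed: CET-enabled library
    legacy = b""                                # constructed: library with no note
    print("all objects CET enabled:", describe(cet_for_process([exe, libc])))
    print("with a legacy library:  ", describe(cet_for_process([exe, libc, legacy])))
    locked = cet_for_process([exe, libc])
    print("dlopen legacy after lock:", dlopen_allowed(locked, legacy))
```

Run directly, it shows both halves of the argument in the thread: loading a legacy library at start-up drops both IBT and shadow stack for the whole process, and once the mask has been locked the same library is refused by `dlopen_allowed` instead of being able to turn the protection off.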