From: "H.J. Lu"
Date: Tue, 12 Jun 2018 09:05:24 -0700
Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack
To: Andy Lutomirski
Cc: Thomas Gleixner, Yu-cheng Yu, LKML, linux-doc@vger.kernel.org, Linux-MM, linux-arch, X86 ML, "H. Peter Anvin", Ingo Molnar, "Shanbhogue, Vedvyas", "Ravi V. Shankar", Dave Hansen, Jonathan Corbet, Oleg Nesterov, Arnd Bergmann, mike.kravetz@oracle.com
References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-7-yu-cheng.yu@intel.com> <1528403417.5265.35.camel@2b52.sc.intel.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Jun 12, 2018 at 9:01 AM, Andy Lutomirski wrote:
> On Tue, Jun 12, 2018 at 4:43 AM H.J. Lu wrote:
>>
>> On Tue, Jun 12, 2018 at 3:03 AM, Thomas Gleixner wrote:
>> > On Thu, 7 Jun 2018, H.J. Lu wrote:
>> >> On Thu, Jun 7, 2018 at 2:01 PM, Andy Lutomirski wrote:
>> >> > Why is the lockout necessary? If user code enables CET and tries to
>> >> > run code that doesn't support CET, it will crash. I don't see why we
>> >> > need special code in the kernel to prevent a user program from calling
>> >> > arch_prctl() and crashing itself. There are already plenty of ways to
>> >> > do that :)
>> >>
>> >> On a CET enabled machine, not all programs or shared libraries are
>> >> CET enabled. But since ld.so is CET enabled, all programs start
>> >> as CET enabled. ld.so will disable CET if a program or any of its shared
>> >> libraries aren't CET enabled. ld.so will lock up CET once it is done CET
>> >> checking so that CET can no longer be disabled afterwards.
>> >
>> > That works for stuff which loads all libraries at start time, but what
>> > happens if the program uses dlopen() later on? If CET is force locked and
>> > the library is not CET enabled, it will fail.
>>
>> That is to prevent disabling CET by dlopening a legacy shared library.
>>
>> > I don't see the point of trying to support CET by magic. It adds complexity
>> > and you'll never be able to handle all corner cases correctly. dlopen() is
>> > not even a corner case.
>>
>> That is a price we pay for security. To enable CET, especially shadow
>> stack, the program and all of the shared libraries it uses should be CET
>> enabled. Most programs can be enabled with CET by compiling them
>> with -fcf-protection.
>
> If you charge too high a price for security, people may turn it off.
> I think we're going to need a mode where a program says "I want to use
> the CET, but turn it off if I dlopen an unsupported library". There
> are programs that load binary-only plugins.

You can do

# export GLIBC_TUNABLES=glibc.tune.hwcaps=-SHSTK

which turns off shadow stack.

--
H.J.
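An added example, not part of the thread and not glibc's or the kernel's code. The check the thread turns on is whether an object was built with -fcf-protection, which the toolchain records as a GNU_PROPERTY_X86_FEATURE_1_AND property in the object's .note.gnu.property note (IBT is bit 0, SHSTK is bit 1). The parser below reads such a note with every length bounds-checked, since the bytes come from an untrusted file, and then applies the startup policy H.J. describes: shadow stack stays on only if every startup object carries SHSTK, the state is then locked, and a later dlopen() of a legacy object is refused rather than silently disabling shadow stack. The note bytes are constructed here, and `struct cet_state`, `cet_startup` and `cet_dlopen` are assumed names that model the behaviour discussed in the thread (including the unlocked "turn it off" mode Andy asks for), not glibc's real data structures or code paths.

```c
/* Added example (not code from the thread, glibc or the kernel). Parses the
 * x86-64 .note.gnu.property note that -fcf-protection emits and models the
 * ld.so policy discussed above. Sample note bytes are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0           5
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002U
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1U << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1U << 1)

#define ALIGN8(x) (((x) + 7) & ~(size_t)7)

/* ELF notes are in target byte order; x86-64 is little-endian. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the FEATURE_1_AND bits from a .note.gnu.property section, or 0 if
 * the property is absent or the note is malformed/truncated.  64-bit layout:
 * namesz, descsz, type, name "GNU\0", desc (8-aligned); each property is
 * pr_type, pr_datasz, pr_data padded to 8. */
uint32_t x86_feature_1(const uint8_t *sec, size_t len)
{
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t namesz = rd32(sec + off);
        uint32_t descsz = rd32(sec + off + 4);
        uint32_t type   = rd32(sec + off + 8);
        size_t name_off = off + 12;
        size_t desc_off = ALIGN8(name_off + namesz);
        if (namesz > len || descsz > len ||
            name_off + namesz > len || desc_off + descsz > len)
            return 0;                       /* truncated or malformed note */
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(sec + name_off, "GNU", 4) == 0) {
            size_t p = desc_off, end = desc_off + descsz;
            while (p + 8 <= end) {
                uint32_t pr_type = rd32(sec + p), pr_datasz = rd32(sec + p + 4);
                if (pr_datasz > end - (p + 8))
                    return 0;               /* property overruns the desc */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    return rd32(sec + p + 8);
                p = ALIGN8(p + 8 + pr_datasz);
            }
        }
        off = ALIGN8(desc_off + descsz);
    }
    return 0;
}

/* Constructed samples: an object built with -fcf-protection (IBT|SHSTK) and
 * one with IBT only.  A legacy object simply has no note (len == 0). */
const uint8_t note_cet[] = {
    4, 0, 0, 0,  16, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0,
    0x02, 0x00, 0x00, 0xc0,  4, 0, 0, 0,  3, 0, 0, 0,  0, 0, 0, 0 };
const uint8_t note_ibt_only[] = {
    4, 0, 0, 0,  16, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0,
    0x02, 0x00, 0x00, 0xc0,  4, 0, 0, 0,  1, 0, 0, 0,  0, 0, 0, 0 };

/* Assumed model of the loader policy in the thread, not glibc's code: start
 * with shadow stack on (ld.so is CET enabled), keep it only if every startup
 * object carries SHSTK, then lock so it cannot be disabled later. */
struct cet_state { int shstk_on; int locked; };

void cet_startup(struct cet_state *st, const uint32_t *feat, size_t n)
{
    st->shstk_on = 1;
    for (size_t i = 0; i < n; i++)
        if (!(feat[i] & GNU_PROPERTY_X86_FEATURE_1_SHSTK))
            st->shstk_on = 0;
    st->locked = 1;
}

/* dlopen() after startup: returns 1 if the load may proceed.  A legacy object
 * is refused while shadow stack is on and locked; if unlocked, the load is
 * allowed and shadow stack is turned off instead (Andy's proposed mode). */
int cet_dlopen(struct cet_state *st, uint32_t feat)
{
    if ((feat & GNU_PROPERTY_X86_FEATURE_1_SHSTK) || !st->shstk_on)
        return 1;
    if (st->locked)
        return 0;
    st->shstk_on = 0;
    return 1;
}

int main(void)
{
    uint32_t objs[] = { x86_feature_1(note_cet, sizeof note_cet),
                        x86_feature_1(note_cet, sizeof note_cet) };
    struct cet_state st;
    cet_startup(&st, objs, 2);
    printf("startup: shstk_on=%d locked=%d\n", st.shstk_on, st.locked);
    printf("dlopen of legacy object: %s\n",
           cet_dlopen(&st, x86_feature_1(NULL, 0)) ? "allowed" : "refused");
    return 0;
}
```

On a real system the same property can be inspected with `readelf -n` on the binary or library, which prints the x86 feature bits of the .note.gnu.property note; an object that lacks the note, or lacks the SHSTK bit, is the legacy case the thread is arguing about.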