Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp5555776imm; Tue, 12 Jun 2018 09:32:52 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLaP1KdJHaYydvPHkEHTBhz9Ub4Cw+TpVq+pXE3Rf1DBfQW2xUfk4xYPag13/RrCwJAjw1b X-Received: by 2002:a62:c16:: with SMTP id u22-v6mr1100453pfi.177.1528821172252; Tue, 12 Jun 2018 09:32:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528821172; cv=none; d=google.com; s=arc-20160816; b=Yf9EP9F6lCdYgERd4PZX3Y126v5d91fLkinmsknvcj9r6tTmAlQMRDcGjaV28Rq5RY djNabCeXfHIfOd1q1DGELkWEGVnN6jTwJHw178t79w1QqAYWsYcobx1VGR6IFaQXiZw6 BREQp6Fmn1YPFshL6DRZe+ucS1wbxama7sckn8z9FGgjpJehGPKS4NNvAYOfdtjTQ/E/ 9II2aNSLef7sMI60/WmpR4x9kN5wGaEff+x8O3wZVXpHfN7CHAiBfHvidCxC5lj4WrNz y8kvh4XnK4P79SOR6cudxZkwI9f7VcJJ/clcSGzcm1E5bqTCsptpmxLoOrzjsoM86KRl vaSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=wxcZtKpbpK8q3OM4rY0mQ4aD3dZKlC5QPR2Hbjq36ZE=; b=h1TG6smwPwf2rw+wbHsfVfhnDUezW5I2+y5+B0hEzYzBhJsJziVax7QZXX7QiTpPCO 0JwoxsYqTRrxDUXTLljypRxGdgnoTkQbqpdpKcT0D/HTaqut5ANjAps9Oy20+mEq+2y0 2lUWoZy9BTs6JqoumQqw8aEC4OTFrQpb4yQS+YvgNKOy4uhXVuipOIbVJpt7NdaE0ZiK VbgQc3Uivr0THkZHX8zhWUq0KenZfgxQ3O4k0QpaasVjAuHauMtKNQrS6eaOwtXqIfeZ 2h3EhNfJbnFzzkRQywsnNhAygBwSHV2lXG2yWaqLTQueOJKfvia9RgVsB3Ze/8UpZwwa fO3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=sG8YSDcy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x24-v6si498452pln.22.2018.06.12.09.32.37; Tue, 12 Jun 2018 09:32:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=sG8YSDcy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934747AbeFLQbn (ORCPT + 99 others); Tue, 12 Jun 2018 12:31:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:51590 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933640AbeFLQbl (ORCPT ); Tue, 12 Jun 2018 12:31:41 -0400 Received: from mail-wm0-f47.google.com (mail-wm0-f47.google.com [74.125.82.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 76956208BA for ; Tue, 12 Jun 2018 16:31:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528821100; bh=XEIlOvbbDQXqm/v1NOApDSTHjmyoqmcoPR8PlYxjRUU=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=sG8YSDcyBVhPHJkW8zk+n/AC15dWjLRY96+mYlXCw5weX3oYZ5ANjes8dTZXQlwWU w1Hobd7W7X10laXcC5CQv/jrTn+fpsah7jNDGEK6AFLMOvhrRTNrH3td0lUxHkrV2y jTMaj90bOPL4JllpHrZboyei7504ltK0SiLjoStw= Received: by mail-wm0-f47.google.com with SMTP id p126-v6so141019wmb.2 for ; Tue, 12 Jun 2018 09:31:40 -0700 (PDT) X-Gm-Message-State: APt69E2j5/BniKYEsMD6IlHnawrjQbebExRKifnld8ZQVkxwZNULqVLQ M7IrOZNnrtvBUrS53G2T7iRH0GOktouk55wp1fCjFw== X-Received: by 2002:a1c:f902:: with SMTP id x2-v6mr702631wmh.116.1528821098859; Tue, 12 Jun 2018 09:31:38 -0700 (PDT) MIME-Version: 1.0 References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <1528815820.8271.16.camel@2b52.sc.intel.com> <1528820489.9324.14.camel@2b52.sc.intel.com> In-Reply-To: <1528820489.9324.14.camel@2b52.sc.intel.com> From: Andy Lutomirski Date: Tue, 12 Jun 2018 09:31:26 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) To: Yu-cheng Yu Cc: Andrew Lutomirski , bsingharora@gmail.com, LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 12, 2018 at 9:24 AM Yu-cheng Yu wrote: > > On Tue, 2018-06-12 at 09:00 -0700, Andy Lutomirski wrote: > > On Tue, Jun 12, 2018 at 8:06 AM Yu-cheng Yu wrote: > > > > > > On Tue, 2018-06-12 at 20:56 +1000, Balbir Singh wrote: > > > > > > > > On 08/06/18 00:37, Yu-cheng Yu wrote: > > > > > This series introduces CET - Shadow stack > > > > > > > > > > At the high level, shadow stack is: > > > > > > > > > > Allocated from a task's address space with vm_flags VM_SHSTK; > > > > > Its PTEs must be read-only and dirty; > > > > > Fixed sized, but the default size can be changed by sys admin. > > > > > > > > > > For a forked child, the shadow stack is duplicated when the next > > > > > shadow stack access takes place. > > > > > > > > > > For a pthread child, a new shadow stack is allocated. > > > > > > > > > > The signal handler uses the same shadow stack as the main program. > > > > > > > > > > > > > Even with sigaltstack()? > > > > > > > > > > > > Balbir Singh. > > > > > > Yes. > > > > > > > I think we're going to need some provision to add an alternate signal > > stack to handle the case where the shadow stack overflows. > > The shadow stack stores only return addresses; its consumption will not > exceed a percentage of (program stack size + sigaltstack size) before > those overflow. When that happens, there is usually very little we can > do. So we set a default shadow stack size that supports certain nested > calls and allow sys admin to adjust it. > Of course there's something you can do: add a sigaltstack-like stack switching mechanism. Have a reserve shadow stack and, when a signal is delivered (possibly guarded by other conditions like "did the shadow stack overflow"), switch to a new shadow stack and maybe write a special token to the new shadow stack that says "signal delivery jumped here and will restore to the previous shadow stack and such-and-such address on return". Also, I have a couple of other questions after reading the documentation some more: 1. Why on Earth does INCSSP only take an 8-bit number of frames to skip? It seems to me that code that calls setjmp() and then calls longjmp() while nested more than 256 function call levels will crash. 2. The mnemonic RSTORSSP makes no sense to me. RSTORSSP is a stack *switch* operation not a stack *restore* operation, unless I'm seriously misunderstanding. 3. Is there anything resembling clear documentation of the format of the shadow stack? That is, what types of values might be found on the shadow stack and what do they all mean? 4. Usually Intel doesn't submit upstream Linux patches for ISA extensions until the ISA is documented for real. CET does not appear to be documented for real. Could Intel kindly release something that at least claims to be authoritative documentation? --Andy