Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp5617861imm; Tue, 12 Jun 2018 10:28:59 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLKhkuGVArysOHp9GiWPVbhixH/F0KKts+4a+9idm0H5MmC5aSlAHUqd09bHrH8o3IW7fz4 X-Received: by 2002:a17:902:24c7:: with SMTP id l7-v6mr1434316plg.170.1528824539769; Tue, 12 Jun 2018 10:28:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528824539; cv=none; d=google.com; s=arc-20160816; b=zgAEFrvOXXvBDBbCymdsBm54w9/470kEGUCIbTLzR2LhS4p3IzymZDs/Q2qArgKAT8 jdToDP38vGentKl9DAjN2NRA0he2lf2fUlrrY6nsagPr8kGUkBUULXXzJll+esYaXqbL TkPAFIHjEGk7e8XGnn1AiZrGsafgNMZG58vHyNBnTbHjraPAn/V7yRqFevxd2J8fJDKn jCtFAcLJ5RfRXYe3wJitykYh2KWqezBfkjr4nYeha+aT4ppvjZLgvoHZ2R9Lcl7jDRm3 bcdPvXCZgZyfjYdmPkyPgenwyl9Ddm7gE6gotTlQfrB6HbgKnODOgchG/o2dFehRsAmb yvhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :arc-authentication-results; bh=h6DhKaCgt4DqNGbvY657wqFXLcSieycbNU+PAhocWgw=; b=d0zriidM+aWs67ZV9fmLqEcdlPk/Pbp1QMH1IPJE7A3XsDh7R2Et1zDLow2v0xMLDZ 0HsgJcKxgAiymzG3NWAKopChC1d2rCNTGWM+CW8Db1NtqERLYx7oMMrDMhvDFWMkpH3g A8stc4I+VBbRUtlXIy5M3XL5723FzvuVrbBMSX9QKrUAnhnkeF3BQX/t8xWK7ssoHs3d 0O/vqnYu34FE7gv1M3YlHl82GrTBd1hfIKNwIsaPYhepLplQG1+mvnlnkkXn3S6dfgxp 8o9GDiibx2fZDZvRfFOD1WWV8R9dOVP1J0hvk4Aq+cE0/+eXajndOuBMehid27ex0HR9 CAOQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 5-v6si634986pfd.73.2018.06.12.10.28.45; Tue, 12 Jun 2018 10:28:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933700AbeFLR1v (ORCPT + 99 others); Tue, 12 Jun 2018 13:27:51 -0400 Received: from mga14.intel.com ([192.55.52.115]:4939 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932976AbeFLR1s (ORCPT ); Tue, 12 Jun 2018 13:27:48 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Jun 2018 10:27:48 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,215,1526367600"; d="scan'208";a="47197170" Received: from 2b52.sc.intel.com (HELO [143.183.136.147]) ([143.183.136.147]) by fmsmga008.fm.intel.com with ESMTP; 12 Jun 2018 10:27:48 -0700 Message-ID: <1528824280.9447.30.camel@2b52.sc.intel.com> Subject: Re: [PATCH 00/10] Control Flow Enforcement - Part (3) From: Yu-cheng Yu To: Andy Lutomirski Cc: bsingharora@gmail.com, LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Date: Tue, 12 Jun 2018 10:24:40 -0700 In-Reply-To: References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <1528815820.8271.16.camel@2b52.sc.intel.com> <1528820489.9324.14.camel@2b52.sc.intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2018-06-12 at 09:31 -0700, Andy Lutomirski wrote: > On Tue, Jun 12, 2018 at 9:24 AM Yu-cheng Yu wrote: > > > > On Tue, 2018-06-12 at 09:00 -0700, Andy Lutomirski wrote: > > > On Tue, Jun 12, 2018 at 8:06 AM Yu-cheng Yu wrote: > > > > > > > > On Tue, 2018-06-12 at 20:56 +1000, Balbir Singh wrote: > > > > > > > > > > On 08/06/18 00:37, Yu-cheng Yu wrote: > > > > > > This series introduces CET - Shadow stack > > > > > > > > > > > > At the high level, shadow stack is: > > > > > > > > > > > > Allocated from a task's address space with vm_flags VM_SHSTK; > > > > > > Its PTEs must be read-only and dirty; > > > > > > Fixed sized, but the default size can be changed by sys admin. > > > > > > > > > > > > For a forked child, the shadow stack is duplicated when the next > > > > > > shadow stack access takes place. > > > > > > > > > > > > For a pthread child, a new shadow stack is allocated. > > > > > > > > > > > > The signal handler uses the same shadow stack as the main program. > > > > > > > > > > > > > > > > Even with sigaltstack()? > > > > > > > > > > > > > > > Balbir Singh. > > > > > > > > Yes. > > > > > > > > > > I think we're going to need some provision to add an alternate signal > > > stack to handle the case where the shadow stack overflows. > > > > The shadow stack stores only return addresses; its consumption will not > > exceed a percentage of (program stack size + sigaltstack size) before > > those overflow. When that happens, there is usually very little we can > > do. So we set a default shadow stack size that supports certain nested > > calls and allow sys admin to adjust it. > > > > Of course there's something you can do: add a sigaltstack-like stack > switching mechanism. Have a reserve shadow stack and, when a signal > is delivered (possibly guarded by other conditions like "did the > shadow stack overflow"), switch to a new shadow stack and maybe write > a special token to the new shadow stack that says "signal delivery > jumped here and will restore to the previous shadow stack and > such-and-such address on return". If (shstk size == (stack size + sigaltstack size)), then shstk will not overflow before program stack overflows and sigaltstack also overflows. Let me think about this. > Also, I have a couple of other questions after reading the > documentation some more: > > 1. Why on Earth does INCSSP only take an 8-bit number of frames to > skip? It seems to me that code that calls setjmp() and then calls > longjmp() while nested more than 256 function call levels will crash. GLIBC takes care of more than 256 functions calls. > 2. The mnemonic RSTORSSP makes no sense to me. RSTORSSP is a stack > *switch* operation not a stack *restore* operation, unless I'm > seriously misunderstanding. The intention is to switch shadow stacks with tokens. RSTORSSP restores to a previous shadow stack address from a restore token. > 3. Is there anything resembling clear documentation of the format of > the shadow stack? That is, what types of values might be found on the > shadow stack and what do they all mean? Only return addresses and restore tokens can be on a user-mode shadow stack. The restore token has the incoming shadow stack address plus one bit indicating 64/32-bit mode. I will put this into Documentation/x86/intel_cet.txt. > > 4. Usually Intel doesn't submit upstream Linux patches for ISA > extensions until the ISA is documented for real. CET does not appear > to be documented for real. Could Intel kindly release something that > at least claims to be authoritative documentation? > > --Andy