Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack
To: Kees Cook, Andy Lutomirski
Cc: "H. J. Lu", Thomas Gleixner, Yu-cheng Yu, LKML, linux-doc@vger.kernel.org, Linux-MM, linux-arch, X86 ML, "H. Peter Anvin", Ingo Molnar, "Shanbhogue, Vedvyas", "Ravi V. Shankar", Dave Hansen, Jonathan Corbet, Oleg Nesterov, Arnd Bergmann, mike.kravetz@oracle.com
References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <1528403417.5265.35.camel@2b52.sc.intel.com>
From: Florian Weimer
Date: Tue, 19 Jun 2018 08:40:53 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On 06/19/2018 02:52 AM, Kees Cook wrote:
> Adding Florian to CC, but if something gets CET enabled, it really
> shouldn't have a way to turn it off. If there's a way to turn it off,
> all the ROP research will suddenly turn to exactly one gadget before
> doing the rest of the ROP: turning off CET. Right now ROP is: use
> stack-pivot gadget, do everything else. Allowing CET to turn off will
> just add one step: use CET-off gadget, use stack-pivot gadget, do
> everything else. :P
>
> Following Linus's request for "slow introduction" of new security
> features, likely the best approach is to default to "relaxed" (with a
> warning about down-grades), and allow distros/end-users to pick
> "forced" if they know their libraries are all CET-enabled.

The dynamic linker can tell beforehand (before executing any user code)
whether a process image supports CET. So there doesn't have to be
anything gradual about it per se to preserve backwards compatibility.

The idea to turn off CET probably comes from the desire to support
dlopen. I'm not sure if this is really necessary because the complexity
is rather nasty. (We currently do something similar for executable
stacks.) I'd rather have a switch to turn off the feature upon process
start. Things like NSS and PAM modules need to be recompiled early. (I
hope that everything that goes directly to the network via custom
protocols or hardware such as smartcards is proxied via daemons these
days.)

Thanks,
Florian
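
An added example, not code from this thread, from glibc or from the kernel patch set: the reply does not say how the dynamic linker can tell beforehand whether a process image supports CET. This code assumes the x86-64 ELF marker, the `GNU_PROPERTY_X86_FEATURE_1_AND` property in `.note.gnu.property`, and ANDs it across every object of the image. `struct image`, `note_cet_bits`, `process_cet_bits` and the sample bytes are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0         5
#define GNU_PROPERTY_X86_FEATURE_1_AND 0xc0000002u
#define FEATURE_1_IBT   0x1u /* indirect branch tracking */
#define FEATURE_1_SHSTK 0x2u /* shadow stack */
#define ALIGN8(x) (((size_t)(x) + 7) & ~(size_t)7)

struct image { const uint8_t *note; size_t len; }; /* note == NULL: unmarked */

/* Little-endian host assumed, as on x86-64. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Feature bits from one ELF64 .note.gnu.property blob; 0 if absent or truncated. */
uint32_t note_cet_bits(const uint8_t *n, size_t len)
{
    for (size_t off = 0; off + 12 <= len; ) {
        uint32_t namesz = rd32(n + off), descsz = rd32(n + off + 4);
        size_t desc = off + ALIGN8(12 + (size_t)namesz), end;
        if (desc > len || descsz > len - desc) return 0;
        end = desc + descsz;
        if (rd32(n + off + 8) == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(n + off + 12, "GNU", 4) == 0)
            for (size_t p = desc; p + 8 <= end; ) {
                uint32_t type = rd32(n + p), sz = rd32(n + p + 4);
                if (sz > end - p - 8) return 0;
                if (type == GNU_PROPERTY_X86_FEATURE_1_AND && sz == 4)
                    return rd32(n + p + 8);
                p += 8 + ALIGN8(sz);
            }
        off = ALIGN8(end);
    }
    return 0;
}

/* Loader's view: a feature stays on only if every object is marked for it. */
uint32_t process_cet_bits(const struct image *img, size_t count)
{
    uint32_t bits = count ? (FEATURE_1_IBT | FEATURE_1_SHSTK) : 0;
    for (size_t i = 0; i < count; i++)
        bits &= img[i].note ? note_cet_bits(img[i].note, img[i].len) : 0;
    return bits;
}

/* Constructed sample note: FEATURE_1_AND = IBT | SHSTK. */
static const uint8_t NOTE_CET[32] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    2,0,0,0xc0, 4,0,0,0, 3,0,0,0, 0,0,0,0 };
```

One unmarked library in the list clears both bits for the whole process, which is why NSS and PAM modules matter for the rollout discussed above.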