Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp5418983imm;
        Tue, 19 Jun 2018 10:04:35 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKfFfiHwRcIEFuBKnLb2VX/mmYShqj3RfyXm1C61BKoanke9IAfpL/S8pv/R4+QmP705rIN
X-Received: by 2002:a62:9d82:: with SMTP id a2-v6mr19030747pfk.223.1529427875696;
        Tue, 19 Jun 2018 10:04:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529427875; cv=none;
        d=google.com; s=arc-20160816;
        b=JvVEdbFC/j6epyNbxWJir21q244AvaciJudIXfvAzaOM4YwxjLtrQO0oigKNOZfTEU
         HDfit8EUp4T2IhPUl4LgsZGwpjDWd3nKXSsXrNJM88a7hj1xq0fo1k4DZZJHFEeIhd6F
         +HiI/wkFI/BRTvJYHoVCu2k7S9LPorXtY784YVB4JZHApPoMjO4zpeEJlsSL1sBjSUL/
         NuP/UC3SX+cfZeh0hBTqZBfPuq+HSBSQ1ppHPNTeNYJxfcGrZLj24VHlPTx9znlpI+L9
         qR6HxErV6WkzUADI/RyPeoqocYTo20WsLS4x6fBaJT5U76pLFRX7eLfHI57ST8DpD0gG
         lHBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :arc-authentication-results;
        bh=6xcRx9rs/z3C5VUiR5tJweOedTP9yQLtsUzhwIjr3d8=;
        b=oXiwBm5bpdwCQcvAtJVaQG9N6opJx7YfvaThhSYCFDbHF+zpJhqy3E7jhEyQ4WZIuL
         Zvl/dutZCyhWbuuwjjE1Qmt6tsKALSjP/FfYCnlJw5xVH5wWBlNQ5bxQ6NSvfVpEFMRr
         wPEQtJENvqTq/p66E88RTn1pBmXby/+E2MXTdCwXcZRXhh9QYrqFUWxr+3UGpvsdYWzV
         66BL/oNnj3eHqej958Nz6NHd2uiqB7SPSORmrmnSKfJ42228bum5VTdu/6UP+5nnlbHp
         GBKULMOHUNenYvAFs+M/cEVEg/nC5E+RgSWDQZli5K8f2iTYIff9IrgfLc/dckOnhhhU
         rMhg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k5-v6si140818plt.178.2018.06.19.10.04.19;
        Tue, 19 Jun 2018 10:04:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S967018AbeFSRDK (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Tue, 19 Jun 2018 13:03:10 -0400
Received: from mga12.intel.com ([192.55.52.136]:22922 "EHLO mga12.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S966775AbeFSRDI (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Jun 2018 13:03:08 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga007.fm.intel.com ([10.253.24.52])
  by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Jun 2018 10:03:07 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.51,243,1526367600"; 
   d="scan'208";a="48294842"
Received: from 2b52.sc.intel.com ([143.183.136.147])
  by fmsmga007.fm.intel.com with ESMTP; 19 Jun 2018 10:03:07 -0700
Message-ID: <1529427588.23068.7.camel@intel.com>
Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack
From:   Yu-cheng Yu <yu-cheng.yu@intel.com>
To:     Kees Cook <keescook@chromium.org>,
        Andy Lutomirski <luto@amacapital.net>
Cc:     Andy Lutomirski <luto@kernel.org>,
        "H. J. Lu" <hjl.tools@gmail.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        LKML <linux-kernel@vger.kernel.org>, linux-doc@vger.kernel.org,
        Linux-MM <linux-mm@kvack.org>,
        linux-arch <linux-arch@vger.kernel.org>, X86 ML <x86@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        "Shanbhogue, Vedvyas" <vedvyas.shanbhogue@intel.com>,
        "Ravi V. Shankar" <ravi.v.shankar@intel.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Oleg Nesterov <oleg@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
        mike.kravetz@oracle.com, Florian Weimer <fweimer@redhat.com>
Date:   Tue, 19 Jun 2018 09:59:48 -0700
In-Reply-To: <CAGXu5jJNgu4bW_Zthqjfpe9gLxK0zxG8QFEqqK+pJNebz6tUaw@mail.gmail.com>
References: <20180607143807.3611-1-yu-cheng.yu@intel.com>
         <20180607143807.3611-7-yu-cheng.yu@intel.com>
         <CALCETrU6axo158CiSCRRkC4GC5hib9hypC98t7LLjA3gDaacsw@mail.gmail.com>
         <1528403417.5265.35.camel@2b52.sc.intel.com>
         <CALCETrXz3WWgZwUXJsDTWvmqKUArQFuMH1xJdSLVKFpTysNWxg@mail.gmail.com>
         <CAMe9rOr49V8rqRa_KVsw61PWd+crkQvPDgPKtvowazjmsfgWWQ@mail.gmail.com>
         <alpine.DEB.2.21.1806121155450.2157@nanos.tec.linutronix.de>
         <CAMe9rOoCiXQ4iVD3j_AHGrvEXtoaVVZVs7H7fCuqNEuuR5j+2Q@mail.gmail.com>
         <CALCETrXO8R+RQPhJFk4oiA4PF77OgSS2Yro_POXQj1zvdLo61A@mail.gmail.com>
         <CAMe9rOpLxPussn7gKvn0GgbOB4f5W+DKOGipe_8NMam+Afd+RA@mail.gmail.com>
         <CALCETrWmGRkQvsUgRaj+j0CP4beKys+TT5aDR5+18nuphwr+Cw@mail.gmail.com>
         <CAMe9rOpzcCdje=bUVs+C1WrY6GuwA-8AUFVLOG325LGz7KHJxw@mail.gmail.com>
         <alpine.DEB.2.21.1806122046520.1592@nanos.tec.linutronix.de>
         <CAMe9rOrGjJf0aMnUjAP38MqvOiW3=iXGQjcUT3O=f9pE85hXaw@mail.gmail.com>
         <CALCETrVsh5t-V1Sm88LsZE_+DS0GE_bMWbcoX3SjD6GnrB08Pw@mail.gmail.com>
         <CAGXu5jK0gospOXRpN6zYiQPXOZeE=YpVAz2qu4Zc3-32v85+EQ@mail.gmail.com>
         <569B4719-6283-4575-A16E-D0A78D280F4E@amacapital.net>
         <CAGXu5jJNgu4bW_Zthqjfpe9gLxK0zxG8QFEqqK+pJNebz6tUaw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2018-06-19 at 09:44 -0700, Kees Cook wrote:
> On Tue, Jun 19, 2018 at 7:50 AM, Andy Lutomirski <luto@amacapital.net
> > wrote:
> > 
> > > 
> > > On Jun 18, 2018, at 5:52 PM, Kees Cook <keescook@chromium.org>
> > > wrote:
> > > Following Linus's request for "slow introduction" of new security
> > > features, likely the best approach is to default to "relaxed"
> > > (with a
> > > warning about down-grades), and allow distros/end-users to pick
> > > "forced" if they know their libraries are all CET-enabled.
> > I still don’t get what “relaxed” is for.  I think the right design
> > is:
> > 
> > Processes start with CET on or off depending on the ELF note, but
> > they start with CET unlocked no matter what. They can freely switch
> > CET on and off (subject to being clever enough not to crash if they
> > turn it on and then return right off the end of the shadow stack)
> > until they call ARCH_CET_LOCK.
> I'm fine with this. I'd expect modern loaders to just turn on CET and
> ARCH_CET_LOCK immediately and be done with it. :P

This is the current implementation.  If the loader has CET in its ELF
header, it is executed with CET on.  The loader will turn off CET if
the application being loaded does not support it (in the ELF header).
 The loader calls ARCH_CET_LOCK before passing to the application.  But
how do we handle dlopen?

> > 
> > Ptrace gets new APIs to turn CET on and off and to lock and unlock
> > it.  If an attacker finds a “ptrace me and turn off CET” gadget,
> > then they might as well just do “ptrace me and write shell code”
> > instead. It’s basically the same gadget. Keep in mind that the
> > actual sequence of syscalls to do this is incredibly complicated.
> Right -- if an attacker can control ptrace of the target, we're way
> past CET. The only concern I have, though, is taking advantage of
> expected ptracing. For example: browsers tend to have crash handlers
> that launch a ptracer. If ptracing disabled CET for all threads, this
> won't by safe: an attacker just gains control in two threads, crashes
> one to get the ptracer to attach, which disables CET in the other
> thread and the attacker continues ROP as normal. As long as the
> ptrace
> disabling is thread-specific, I think this will be okay.

If ptrace can turn CET on/off and it is thread-specific, do we still
need ptrace lock/unlock?

Yu-cheng