Date: Tue, 9 Apr 2019 15:32:20 -0400 (EDT)
From: Mathieu Desnoyers
To: Will Deacon
Cc: libc-alpha, linux-kernel, Carlos O'Donell
Message-ID: <1050734985.2625.1554838340011.JavaMail.zimbra@efficios.com>
Subject: rseq/arm32: choosing rseq code signature

Hi Will,

We are about to include the code signature required prior to restartable sequences abort handlers into glibc, which will make this ABI choice final. We need architecture maintainer input on that signature value.

That code signature is placed before each abort handler, so the kernel can validate that it is indeed jumping to an abort handler (and not some arbitrary attacker-chosen code). The signature is never executed.

The current discussion thread on the glibc mailing list leads us towards using a trap with an uncommon immediate operand, which simplifies integration with disassemblers, emulators, makes it easier to debug if the control flow gets redirected there by mistake, and is nicer for some architectures' speculative execution.

We can have different signatures for each sub-architecture, as long as they don't have to co-exist within the same process. We can special-case with #ifdef for each sub-architecture and endianness if need be. If the architecture has instruction set extensions that can co-exist with the architecture instruction set within the same process (e.g. thumb for arm), we need to take into account to which instruction the chosen signature value would map (and possibly decide if we need to extend rseq to support many signatures).

Here is an example of rseq signature definition template:

/*
 * TODO: document trap instruction objdump output on each sub-architecture
 * instruction sets, as well as instruction set extensions.
 */
#define RSEQ_SIG 0x########

Ideally we'd need a patch on top of the Linux kernel tools/testing/selftests/rseq/rseq-arm.h file that updates the signature value, so I can then pick it up for the glibc patchset.

Thanks!

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
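
The check the mail describes, as an added example that is not part of the original message and not kernel or glibc code: a user-space simulation over a constructed byte buffer, showing that an abort target is accepted only when the word just before it matches the registered signature, and why byte order matters for the stored value. EXAMPLE_SIG, the helper names and the buffer layout are assumptions made for illustration; a 32-bit signature stored immediately before the handler is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed placeholder, NOT a real RSEQ_SIG for any architecture. */
#define EXAMPLE_SIG 0xA1B2C3D4u

/* Bit shift of byte i of a 32-bit word in the given byte order. */
static int shift_of(int i, int big_endian)
{
    return big_endian ? 24 - 8 * i : 8 * i;
}

/* Store/load a 32-bit word as it would sit in the instruction stream. */
static void put_u32(uint8_t *p, uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> shift_of(i, big_endian));
}

static uint32_t get_u32(const uint8_t *p, int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << shift_of(i, big_endian);
    return v;
}

/* Accept abort_off only if the word just before it equals the registered
 * signature. The word is read as data and compared, never executed. */
int abort_target_ok(const uint8_t *text, size_t len, size_t abort_off,
                    uint32_t registered_sig, int big_endian)
{
    if (abort_off < sizeof(uint32_t) || abort_off >= len)
        return 0; /* no room for a signature, or target out of range */
    return get_u32(text + abort_off - sizeof(uint32_t), big_endian)
           == registered_sig;
}

/* Constructed 32-byte region: signature at offset 12, handler at 16. */
int demo(size_t abort_off, int stored_be, int reader_be)
{
    uint8_t text[32];
    memset(text, 0, sizeof(text));
    put_u32(text + 12, EXAMPLE_SIG, stored_be);
    return abort_target_ok(text, sizeof(text), abort_off, EXAMPLE_SIG,
                           reader_be);
}
```

A signature emitted in one byte order and read in the other fails the comparison, which is the reason the definition may need an #ifdef per endianness.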