Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4163952yba;
        Tue, 9 Apr 2019 12:33:18 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxQY9pgKNqz3DqcliIo2Z9faSKQFS/MGreGUCzOjV8BMrJbY7L0cNO9g9lvv+pciWY8jJ4B
X-Received: by 2002:a63:2b41:: with SMTP id r62mr34792905pgr.403.1554838398898;
        Tue, 09 Apr 2019 12:33:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554838398; cv=none;
        d=google.com; s=arc-20160816;
        b=02PyGNaS8s/43s+U54uqA4DqUOgWvWWGUc7a4yOGAhSvjGuoBQY+yNDVTkQ62KZvzD
         8aDKDWi1LjeokBCJXn9tcDT/x/lwb0Fu25+3Cag/yzKuzMiw72ggatjhchz60/kItpCG
         ZbSR0JF1oeCFdu62vtraqWcWQquIDjlSGDZnkHHmRwwTrE3/Dl/aPJwieXoKzXPozAmq
         92+EvLtGntLMOPP1YFCmPVMyJeoZrrQbtCHQybSt/2gQIRrJwAxmjx+9hcpE5rQSwhLX
         wVWGjag4kvbA5RNQUf2Cj4sQQ8VVxnQjpO2MCWYG65idRvxlqQhlHMA+PsJTEv4lac4a
         C29Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:thread-topic:thread-index
         :content-transfer-encoding:mime-version:subject:message-id:cc:to
         :from:date:dkim-signature:dkim-filter;
        bh=RIC/P5A/Z0g1MEWs57Icu43/KtRHSKBbQigvsK7pRVc=;
        b=Jk2GM1ss9NL76F2L7k6njUgXrRZQpkaYQQl04dxnyF/oV4mM0X6R4BB3XDxywIu8xM
         3eivjw4gnx6VGS4AT2atcmkZJ4EdCMPkPoBaSU88EMrhl9rhSbyYXNW/nbk/yxaT3sAE
         DfiD/oJ1jIPd+kah5JcUWbYN8HghEr5Mk+VGMDG8QjpH8XysHSyicfchSK4Wk7jC4Bl/
         exPDRLDJlEPWqOiveDn61j7S6rihspg4HV1CvLgkFbgS+0AgyN8eSIstfkQY2Mxs3JOW
         Nl4fdqXe4opgpbYN5wBA4Ehcoa+MyB8AjDH1iaEzkVFiS3DeW/p+9S+vrBMjvm3u6pdk
         9fkQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@efficios.com header.s=default header.b=YRAwfDAW;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p6si30260735pgs.407.2019.04.09.12.32.59;
        Tue, 09 Apr 2019 12:33:18 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@efficios.com header.s=default header.b=YRAwfDAW;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726535AbfDITcT (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Tue, 9 Apr 2019 15:32:19 -0400
Received: from mail.efficios.com ([167.114.142.138]:49560 "EHLO
        mail.efficios.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726415AbfDITcS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Apr 2019 15:32:18 -0400
Received: from localhost (ip6-localhost [IPv6:::1])
        by mail.efficios.com (Postfix) with ESMTP id 375841D32AE;
        Tue,  9 Apr 2019 15:32:17 -0400 (EDT)
Received: from mail.efficios.com ([IPv6:::1])
        by localhost (mail02.efficios.com [IPv6:::1]) (amavisd-new, port 10032)
        with ESMTP id b5o0xCtcQ29c; Tue,  9 Apr 2019 15:32:16 -0400 (EDT)
Received: from localhost (ip6-localhost [IPv6:::1])
        by mail.efficios.com (Postfix) with ESMTP id BB8FE1D32A6;
        Tue,  9 Apr 2019 15:32:16 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.efficios.com BB8FE1D32A6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficios.com;
        s=default; t=1554838336;
        bh=RIC/P5A/Z0g1MEWs57Icu43/KtRHSKBbQigvsK7pRVc=;
        h=Date:From:To:Message-ID:MIME-Version;
        b=YRAwfDAWQqikCdX2ZxAa9R3CP3BuevqRyv9ai3VxmHUz8MvLfpV3lGvNzNeWAtYh1
         PdzGlg7rKEimJo8AM2nh0h5sfXxkasatDCCiqE2TnEYbTpfArRhuWaNhHBKq7JWG/1
         sYKVBmipPNciCcBHCm6wFzlH65bTuPnCHey4/X3VEMy80s5cKn6wmCr9NrIv8pIasU
         wGPp4vhusidPGCMg4BS9Fc0hS/pnu2j0plRCL/594XmJA4O5L1M0339luXQKiS2BRH
         t2VFtusW05YVQGVGVLDVNpK9RRFM5b5QsRq/KGNaOCLuIXsLxeKq6qLbOzGUASQQhA
         VzxB7kUD/okSA==
X-Virus-Scanned: amavisd-new at efficios.com
Received: from mail.efficios.com ([IPv6:::1])
        by localhost (mail02.efficios.com [IPv6:::1]) (amavisd-new, port 10026)
        with ESMTP id Hebn4mgG_Tem; Tue,  9 Apr 2019 15:32:16 -0400 (EDT)
Received: from mail02.efficios.com (mail02.efficios.com [167.114.142.138])
        by mail.efficios.com (Postfix) with ESMTP id 9A4041D329E;
        Tue,  9 Apr 2019 15:32:16 -0400 (EDT)
Date:   Tue, 9 Apr 2019 15:32:16 -0400 (EDT)
From:   Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To:     Thomas Gleixner <tglx@linutronix.de>,
        Andy Lutomirski <luto@amacapital.net>,
        Peter Zijlstra <peterz@infradead.org>,
        "H. Peter Anvin" <hpa@zytor.com>, Andi Kleen <andi@firstfloor.org>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>
Cc:     libc-alpha <libc-alpha@sourceware.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Carlos O'Donell <carlos@redhat.com>, x86@kernel.org
Message-ID: <11513896.2624.1554838336494.JavaMail.zimbra@efficios.com>
Subject: rseq/x86: choosing rseq code signature
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [167.114.142.138]
X-Mailer: Zimbra 8.8.12_GA_3794 (ZimbraWebClient - FF66 (Linux)/8.8.12_GA_3794)
Thread-Index: p8pmmV5FDxK+Lim3zGdIPg86Ryyj/Q==
Thread-Topic: rseq/x86: choosing rseq code signature
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

We are about to include the code signature required prior to restartable
sequences abort handlers into glibc, which will make this ABI choice final.
We need architecture maintainer input on that signature value.

That code signature is placed before each abort handler, so the kernel can
validate that it is indeed jumping to an abort handler (and not some
arbitrary attacker-chosen code). The signature is never executed.

Currently, tools/testing/selftests/rseq/rseq-x86.h defines RSEQ_SIG
as 0x53053053, and uses it as an immediate operand to the following
instruction opcodes (as suggested by Andy Lutomirski):

x86-32:
- .byte 0x0f, 0x1f, 0x05: nopl <sig>

x86-64:
- .byte 0x0f, 0x1f, 0x05: nopl <sig>(%rip)

The current discussion thread on the glibc mailing list leads us towards
using a trap with uncommon immediate operand, which simplifies integration
with disassemblers, emulators, makes it easier to debug if the control
flow gets redirected there by mistake, and is nicer for some architecture's
speculative execution.

The main advantage of choosing a trap instruction over a no-op is to ensure the
program traps if the execution flow gets redirected to the signature by mistake
(makes it easier to debug). It's not a hard requirement, but it would be a bonus.

Are there trap instructions that take an uncommon 4-byte immediate
operand you would recommend on x86 32/64 ? Or is the current choice of
nopl confirmed to be right one ?

Here is an example of rseq signature definition template:

/*
 * TODO: document trap instruction objdump output on each sub-architecture
 * instruction sets, as well as instruction set extensions.
 */
#define RSEQ_SIG 0x########

Thanks!

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com