Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp5990622yba; Thu, 11 Apr 2019 09:43:35 -0700 (PDT) X-Google-Smtp-Source: APXvYqzSC98NTORVIMsSxmmxz3r9pvWBLj/ytE7DrdQKmczzOaI7P/cFWkd+Nrxu7Vv6sNNASF7m X-Received: by 2002:a63:5405:: with SMTP id i5mr47529195pgb.212.1555001015364; Thu, 11 Apr 2019 09:43:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555001015; cv=none; d=google.com; s=arc-20160816; b=Kgy18nI2KzhxaAypz7cYpg+q9BAZoc/fvUGK05ZNH/w4/tYFnIdUOsXE17hsCoZfYY q8YVWcKGA9RF3f+XHsQMBtJjlVeL4VP9zD2Lb6DWFGPVq/cpiCCAa/iOcIC+dB8VcTvw 8z12ungcJfj9tXkewKaZGRZAlBi2IrA0sTjaaFonaralzhM2nI3YvoxSawitln3p74Hu YIEJohvVS6bZCdadVHmS6yY+WWW0RsPbK5qM2Y0c1hyxBOdAvcgWp/zpH7MOrnUaGlpm LmpUY/A8JtJxV2QDzh0bGXEwhZj1B1q0qaH1dbA+fmqnsVp4IRxb7RxA66yN5Y6GX7K2 sykQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=XlgvkxTcmIbByeaXpYuikR+VTk+dj8OBtuqLYmz2SxI=; b=kr3uymb1sQXS02UGSMcUPGWqs58ual982jsTUaMjLE8o8n5NfvNvTokEh9sj7zZhFc CqjgXxheZkfd4syaeduPjRLqpFPTkTqD3s59fcXRgquNwBgTn8myWZ9C5P2HHTP3jVUF pdzWTgtLOXgvLXv/Yv3zLsxFGn48EaBRKzU++iZNDLc8UAhLRwpR1sp+b/XOFCJHthGS kktMQQ+Mo+3VTFurkhAJ+/8E71jmfcjRXzwX+dClyE64w+wgSfRkbw7PtHCfMRp8Yg4O SY4pGi5Ia8u731iHvbS69AhcSC6MSm8QhbJSLtv+XU6UTOfhil+MtE9rUadWrvpXIBwp GNRQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s9si23046743pfa.282.2019.04.11.09.43.18; Thu, 11 Apr 2019 09:43:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726644AbfDKQmY (ORCPT + 99 others); Thu, 11 Apr 2019 12:42:24 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:46124 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726106AbfDKQmX (ORCPT ); Thu, 11 Apr 2019 12:42:23 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4AA02374; Thu, 11 Apr 2019 09:42:23 -0700 (PDT) Received: from fuggles.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 115063F59C; Thu, 11 Apr 2019 09:42:21 -0700 (PDT) Date: Thu, 11 Apr 2019 17:42:19 +0100 From: Will Deacon To: Mathieu Desnoyers Cc: libc-alpha , linux-kernel , carlos , peter.maydell@linaro.org, richard.earnshaw@arm.com Subject: Re: rseq/arm32: choosing rseq code signature Message-ID: <20190411164219.GE29081@fuggles.cambridge.arm.com> References: <1050734985.2625.1554838340011.JavaMail.zimbra@efficios.com> <1933578130.3292.1554928159928.JavaMail.zimbra@efficios.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1933578130.3292.1554928159928.JavaMail.zimbra@efficios.com> User-Agent: Mutt/1.11.1+86 (6f28e57d73f2) () Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mathieu, On Wed, Apr 10, 2019 at 04:29:19PM -0400, Mathieu Desnoyers wrote: > ----- On Apr 9, 2019, at 3:32 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote: > > We are about to include the code signature required prior to restartable > > sequences abort handlers into glibc, which will make this ABI choice final. > > We need architecture maintainer input on that signature value. > > > > That code signature is placed before each abort handler, so the kernel can > > validate that it is indeed jumping to an abort handler (and not some > > arbitrary attacker-chosen code). The signature is never executed. > > > > The current discussion thread on the glibc mailing list leads us towards > > using a trap with uncommon immediate operand, which simplifies integration > > with disassemblers, emulators, makes it easier to debug if the control > > flow gets redirected there by mistake, and is nicer for some architecture's > > speculative execution. > > > > We can have different signatures for each sub-architecture, as long as they > > don't have to co-exist within the same process. We can special-case with > > #ifdef for each sub-architecture and endianness if need be. If the architecture > > has instruction set extensions that can co-exist with the architecture > > instruction set within the same process (e.g. thumb for arm), we need to take > > into account to which instruction the chosen signature value would map (and > > possibly decide if we need to extend rseq to support many signatures). > > > > Here is an example of rseq signature definition template: > > > > /* > > * TODO: document trap instruction objdump output on each sub-architecture > > * instruction sets, as well as instruction set extensions. > > */ > > #define RSEQ_SIG 0x######## > > > > Ideally we'd need a patch on top of the Linux kernel > > tools/testing/selftests/rseq/rseq-arm.h file that updates > > the signature value, so I can then pick it up for the glibc > > patchset. > > Would the following diff work for you ? If so, can I get your > acked-by ? I had a quick chat with Richard and Peter (CC'd), since they're much more familiar with the A32 instruction set than I am and also have a better view of what might already be in use. Peter suggests that anything of the form 0xe7fxdefx should trap in both A32 and T32, although it does assemble to UDF; B in T16. I'm not sure we should get too obsessed with trying to encode a signature that universally decodes to a trap. Whatever you choose, it would be worth checking that it doesn't clash with other allocations such as software breakpoints in GDB. Will > diff --git a/tools/testing/selftests/rseq/rseq-arm.h b/tools/testing/selftests/rseq/rseq-arm.h > index 5f262c54364f..1f261ad2ac1b 100644 > --- a/tools/testing/selftests/rseq/rseq-arm.h > +++ b/tools/testing/selftests/rseq/rseq-arm.h > @@ -5,7 +5,17 @@ > * (C) Copyright 2016-2018 - Mathieu Desnoyers > */ > > -#define RSEQ_SIG 0x53053053 > +/* > + * RSEQ_SIG uses the udf A32 instruction with an uncommon immediate operand > + * value 0x5305. This traps if user-space reaches this instruction by mistake, > + * and the uncommon operand ensures the kernel does not move the instruction > + * pointer to attacker-controlled code on rseq abort. > + * > + * The instruction pattern is: > + * > + * e7f530f5 udf #21253 ; 0x5305 > + */ > +#define RSEQ_SIG 0xe7f530f5 > > #define rseq_smp_mb() __asm__ __volatile__ ("dmb" ::: "memory", "cc") > #define rseq_smp_rmb() __asm__ __volatile__ ("dmb" ::: "memory", "cc") > @@ -78,7 +88,8 @@ do { \ > __rseq_str(table_label) ":\n\t" \ > ".word " __rseq_str(version) ", " __rseq_str(flags) "\n\t" \ > ".word " __rseq_str(start_ip) ", 0x0, " __rseq_str(post_commit_offset) ", 0x0, " __rseq_str(abort_ip) ", 0x0\n\t" \ > - ".word " __rseq_str(RSEQ_SIG) "\n\t" \ > + ".arm\n\t" \ > + ".inst " __rseq_str(RSEQ_SIG) "\n\t" \ > __rseq_str(label) ":\n\t" \ > teardown \ > "b %l[" __rseq_str(abort_label) "]\n\t"