Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6880765ybi;
        Wed, 31 Jul 2019 23:37:01 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyXucwau1I1z/qtbpGlUiNqkwRbcVa1N6LHLCT76loecR5I7GeiuPCftyFCPa+dtzCbEzc5
X-Received: by 2002:a63:e5a:: with SMTP id 26mr113183621pgo.3.1564641420898;
        Wed, 31 Jul 2019 23:37:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1564641420; cv=none;
        d=google.com; s=arc-20160816;
        b=K1LoSrk2PqFYalnT0C9Uncb/eu8RIVxeofRdBnO3kL+zNrVhM9IXmUJMw9Cd4LfFID
         21xp5xt8G/MxSD6X0s6Zf8a896rsu8ElgRcSlcMMmH1bpSn3uwOQqAlS8R7NaZZ/Vsdn
         9Cex8cgLUxBSP8lnvJiLvQvWE7XddOSdgwatb5UWNfDF6RwZSkE+dwO2IXhO9kfDH5aa
         GmRgru+BTjwzQNX+GKeERaSHQZHSRciMEJthgtLMmDIkqjwhuknaB266bSdtsYFkel8f
         vVXjndC72upBNZyh98uK3Q/OrxKMzzuRJOJ0No2mRPyEqyUM0p+QWB66uSPifhMISuW/
         vGJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :dlp-reaction:dlp-version:dlp-product:content-language
         :accept-language:in-reply-to:references:message-id:date:thread-index
         :thread-topic:subject:cc:to:from;
        bh=7BP24UqVR4QaL2csuzYelBUyOY1OpkXGuXVZFdKXrOU=;
        b=l8gEtol2gC7uV76R0l+AFO8kUeIVvYuOvOss4dhO0cTCwj4lEfD73R6rbQQWf4oiGQ
         0ZGIk2z2Ber3smfuQQfCd8b2dMOKq5KWGBjFVkbaGoyc5EYahSg8Nsd6fww3VDof+u5N
         LtSK/pzbIMwk2AzcjBgrMXgwnmcujZFocgqe5A3A5fJ5jm+GanFHp8R3AOeJeSfX63t/
         /vcd4KHJCxy0URuyG0h12N33A42GxngsyX57jAntkhU+UVNlrD1DZGukeNqCL+3jH5DF
         uwGdA9WyF2YTKTb3d12pq/a2PI8vIB3xagD+fs5hUpqgXkyW2X4EHtIk4GGyYK269wm3
         iIOQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f18si33936996pfq.169.2019.07.31.23.36.45;
        Wed, 31 Jul 2019 23:37:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729657AbfHAGfw convert rfc822-to-8bit (ORCPT
        <rfc822;ablacktshirt@gmail.com> + 99 others);
        Thu, 1 Aug 2019 02:35:52 -0400
Received: from mga05.intel.com ([192.55.52.43]:52715 "EHLO mga05.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728884AbfHAGfw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 1 Aug 2019 02:35:52 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
  by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jul 2019 23:35:51 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,333,1559545200"; 
   d="scan'208";a="371909439"
Received: from irsmsx153.ger.corp.intel.com ([163.33.192.75])
  by fmsmga005.fm.intel.com with ESMTP; 31 Jul 2019 23:35:48 -0700
Received: from irsmsx102.ger.corp.intel.com ([169.254.2.59]) by
 IRSMSX153.ger.corp.intel.com ([169.254.9.166]) with mapi id 14.03.0439.000;
 Thu, 1 Aug 2019 07:35:47 +0100
From:   "Reshetova, Elena" <elena.reshetova@intel.com>
To:     'Kees Cook' <keescook@chromium.org>,
        'Ingo Molnar' <mingo@kernel.org>,
        'Andy Lutomirski' <luto@kernel.org>
CC:     'Theodore Ts'o' <tytso@mit.edu>,
        'David Laight' <David.Laight@aculab.com>,
        'Eric Biggers' <ebiggers3@gmail.com>,
        "'ebiggers@google.com'" <ebiggers@google.com>,
        "'herbert@gondor.apana.org.au'" <herbert@gondor.apana.org.au>,
        'Peter Zijlstra' <peterz@infradead.org>,
        'Daniel Borkmann' <daniel@iogearbox.net>,
        "'linux-kernel@vger.kernel.org'" <linux-kernel@vger.kernel.org>,
        "'jpoimboe@redhat.com'" <jpoimboe@redhat.com>,
        "'jannh@google.com'" <jannh@google.com>,
        "Perla, Enrico" <enrico.perla@intel.com>,
        "'mingo@redhat.com'" <mingo@redhat.com>,
        "'bp@alien8.de'" <bp@alien8.de>,
        "'tglx@linutronix.de'" <tglx@linutronix.de>,
        "'gregkh@linuxfoundation.org'" <gregkh@linuxfoundation.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
        'Linus Torvalds' <torvalds@linux-foundation.org>,
        'Peter Zijlstra' <a.p.zijlstra@chello.nl>
Subject: RE: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall
Thread-Topic: [PATCH] x86/entry/64: randomize kernel stack offset upon
 syscall
Thread-Index: AQHU81HQwzT9MH4dM0y/JZXnSwiYT6Y8wW2AgAAdM1CAAXexAIAANZ3ggAAW1gCAAApRgIAAMeKAgAAd+PCAAQuGgIAAYQuAgAAKhwCACsPi4IADJTwAgAAcagCAAExngIAEBbGAgACIbACAAbyQ8IAA626AgAGZfXCAAARpgIAAWpuAgAAF74CAABf/AIAAAvkAgAGZnrD///dzgIAHjbaA///31ICAAC4VAIABBxmAgAAfuaCAAA5FAIAED8OAgAAYaYCAAINWgIAAbRaAgBjvMfCAACWEgIABZK1ggACCc4CAX3oCYIAEYVlA
Date:   Thu, 1 Aug 2019 06:35:47 +0000
Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4D530F0@IRSMSX102.ger.corp.intel.com>
References: <20190509055915.GA58462@gmail.com>
 <2236FBA76BA1254E88B949DDB74E612BA4C7741F@IRSMSX102.ger.corp.intel.com>
 <20190509084352.GA96236@gmail.com>
 <CALCETrV1067Es=KEjkz=CtdoT79a2EJg4dJDae6oGDiTaubL1A@mail.gmail.com>
 <201905111703.5998DF5F@keescook> <20190512080245.GA7827@gmail.com>
 <201905120705.4F27DF3244@keescook>
 <2236FBA76BA1254E88B949DDB74E612BA4CA8DBF@IRSMSX102.ger.corp.intel.com>
 <20190528133347.GD19149@mit.edu>
 <2236FBA76BA1254E88B949DDB74E612BA4CABA56@IRSMSX102.ger.corp.intel.com>
 <201905291136.FD61FF42@keescook>
 <2236FBA76BA1254E88B949DDB74E612BA4D4BFCA@IRSMSX102.ger.corp.intel.com>
In-Reply-To: <2236FBA76BA1254E88B949DDB74E612BA4D4BFCA@IRSMSX102.ger.corp.intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [163.33.239.181]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

>> The in-stack randomization is really a very small change both code wise and
>> logic wise.
>> It does not affect real workloads and does not require enablement of other
>> features (such as GCC plugins).
>> So, I think we should really reconsider its inclusion.

>I'd agree: the code is tiny and while the benefit can't point to a
>specific issue, it does point to the general weakness of the stack
>offset being predictable which has been a core observation for many
>stack-based attacks.

>If we're going to save state between syscalls (like the 4096 random
>bytes pool), how about instead we just use a single per-CPU long mixed
>with rdtsc saved at syscall exit. That should be a reasonable balance
>between all the considerations and make it trivial for the feature to
>be a boot flag without the extra page of storage, etc.

Sounds like a viable compromise for me. 
Ingo, Andy? 

Best Regards,
Elena.