Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp151706ybh; Mon, 9 Mar 2020 18:21:51 -0700 (PDT) X-Google-Smtp-Source: ADFU+vsc6kFMPSNrY4IoG6cWriwIDaR6L47x4YHSS5lIyUSV34Iu6328zQWN2Kl8lBalZFD0ZLZi X-Received: by 2002:a05:6830:104a:: with SMTP id b10mr15329137otp.63.1583803311393; Mon, 09 Mar 2020 18:21:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583803311; cv=none; d=google.com; s=arc-20160816; b=DPKcMv/YurcbZZiilyy0an8qw+0MM5UDvO3aYAfVRbtHlpRMWdJ/GlaxWuqwRWt25P /0V031UR6+vDwrIn5V/JqQ2dPX5LGdhO3ZHLKusKWBqekLy3FAxIlY4PjBqzq/gs3S4i U9P7t0gbwTXCmUkgyzxYhGskq/z5P8gIQh2ex/qm4vkH1jWJp4JQa7lOV0RrTLTH+xPN KVIP37CXIWvaX+tPGNU9Wr86D4ipzFybZzatKLhY+A0M6XoWifGqGnoE5ZmV9J6cq5lo bVBehMg7jK2UNwp67OH04BKXPX+7IIizVzM7RH+813VSUpaXsUArF7OMGYlNtcn0Lz7A wR0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id:date:cc :in-reply-to:from:subject:mime-version:content-transfer-encoding :dkim-signature; bh=mrUxxgNRy+5E4bEZVXAZNOiHka9AVVm3vCKbU9l6fA4=; b=rphBEi5pr9z+2RQu15MBJGHbi4/mDezNz25RzKnB+nU8PyxSfx+2BmjuTgY+/JsGiy H50fuceTCJ49NIwOODbeR8z4YEJ1gWcbqA2I3lG+T3bUKiqHp4Wt+UW8ab3/MaaY4oti fCT/trM3XlKjai6aDrBdeGhwGk53i88eGaGegD49AF+JbBbd7LOMomNssNjIIcg+ypti +aSOd9elrKjFS79fn5cUGw7em0gvv6flRxbW+SpxhdIYlkOtzFmXZM7KVRVROgpXP/G5 hXQbPDUxnyeKKL4ZfcPZHphojVClWF6CpGR2XGUtcq3O9adg/7z2bTmdQ3XWM5qMVFCg w2mw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b="g/iv7CpG"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j68si7091051otj.56.2020.03.09.18.21.38; Mon, 09 Mar 2020 18:21:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b="g/iv7CpG"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726368AbgCJBVF (ORCPT + 99 others); Mon, 9 Mar 2020 21:21:05 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:32797 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726202AbgCJBVF (ORCPT ); Mon, 9 Mar 2020 21:21:05 -0400 Received: by mail-pl1-f195.google.com with SMTP id ay11so4743870plb.0 for ; Mon, 09 Mar 2020 18:21:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:mime-version:subject:from:in-reply-to:cc :date:message-id:references:to; bh=mrUxxgNRy+5E4bEZVXAZNOiHka9AVVm3vCKbU9l6fA4=; b=g/iv7CpG8/DiYA4NA/mKsrAq67vf66xkLwrtr0OnzjXecbrlOk01TyaasjqzOJ/cy6 jkjE+yfOHqhIEodGUnCwDH2I67yhqD/opVoCRpcoVgu+agPVZLyJsNAcnfduPxpLnSIY FWAJ7VcA1vbAbasZjJHBV3szxpyaw/IjVhpRpaZZAzmlolgnoqTrx5PFTbyFCLsWL/hh e+FHgrtXApyn35w6Vpk1Rs7+FEhw6F26iHRoXV7X8YTvuouFOniMH3ge0MiWbLs+nVG7 4yVzA5v9uxjBTgJSNciJkl25N5hFus4/aSfLvMtEJHuvytjNWQXk1EtEGjXwJI8TsJ8b Lf5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:cc:date:message-id:references:to; bh=mrUxxgNRy+5E4bEZVXAZNOiHka9AVVm3vCKbU9l6fA4=; b=NmJvOuTUqQaWSCX80MuW6wnnBI2gzADQdeAf1tdnMK65a+XrDmQGA3i4RASh7zn9Xc z6WrdKtl6EK8z5osWsiBEdqiNbaUTASws5u2ZfD8AvWJXMMf/YsNPEg6FSfJ2n1uoCZZ wVsn7jXFvRmXXq40lZQP4fQAS6sx2PuoYLrAGabMQte8aD6dpqQ/HkzZCo7U3NUj0Lci T+5xKkeNjx9U/S4efhpUaoAVBILaneHUXkBBBiJZFK+HRpqPlEArUjo/1ZBGas3ejtoj yn/HZ+Ziq6QMpoG2TjEq6UzrAR4sb0ZODgnYUWimD/5d5q0Mm0z1+4DghFh2uN9WmChA F1CQ== X-Gm-Message-State: ANhLgQ3Tv1fwkVbhuG8PGiemGiHjdslM6ScrPDULVqnG6RSWz7SvA2KG GJG7d0gkp7adI8jJLY83lD4wBg== X-Received: by 2002:a17:902:8a8f:: with SMTP id p15mr14339433plo.45.1583803264156; Mon, 09 Mar 2020 18:21:04 -0700 (PDT) Received: from ?IPv6:2600:1010:b047:6b2c:4878:83f4:4223:51c6? ([2600:1010:b047:6b2c:4878:83f4:4223:51c6]) by smtp.gmail.com with ESMTPSA id 17sm14250924pfu.166.2020.03.09.18.21.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 09 Mar 2020 18:21:03 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (1.0) Subject: Re: [RFC PATCH v9 01/27] Documentation/x86: Add CET description From: Andy Lutomirski In-Reply-To: Cc: Dave Hansen , Yu-cheng Yu , the arch/x86 maintainers , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , x86-patch-review@intel.com Date: Mon, 9 Mar 2020 18:21:01 -0700 Message-Id: References: To: "H.J. Lu" X-Mailer: iPhone Mail (17D50) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I am baffled by this discussion. >> On Mar 9, 2020, at 5:09 PM, H.J. Lu wrote: >>=20 >> =EF=BB=BFOn Mon, Mar 9, 2020 at 4:59 PM Andy Lutomirski wrote: >=20 >>>> . >> This could presumably have been fixed by having libpcre or sljit >> disable IBT before calling into JIT code or by running the JIT code in >> another thread. In the other direction, a non-CET libpcre build could >> build IBT-capable JITted code and enable JIT (by syscall if we allow >> that or by creating a thread?) when calling it. And IBT has this >=20 > This is not how thread in user space works. void create_cet_thread(void (*func)(), unsigned int cet_flags); I could implement this using clone() if the kernel provides the requisite su= pport. Sure, creating threads behind libc=E2=80=99s back like this is perilo= us, but it can be done. >=20 >> fancy legacy bitmap to allow non-instrumented code to run with IBT on, >> although SHSTK doesn't have hardware support for a similar feature. >=20 > All these changes are called CET enabing. What does that mean? If program A loads library B, and library B very caref= ully loads CET-mismatched code, program A may be blissfully unaware. >=20 >> So, sure, the glibc-linked ELF ecosystem needs some degree of CET >> coordination, but it is absolutely not the case that a process MUST >> have all CET or no CET. Let's please support the complicated cases in >> the kernel and the ABI too. If glibc wants to make it annoying to do >> complicated things, so be it. People work behind glibc's back all the >> time. >=20 > CET is no different from NX in this regard. NX is in the page tables, and CET, mostly, is not. Also, we seriously flubb= ed READ_IMPLIES_EXEC and made it affect far more mappings than ever should h= ave been affected. If a legacy program (non-NX-aware) loads a newer library, and the library op= ens a device node and mmaps it PROT_READ, it gets RX. This is not a good de= sign. In fact, it=E2=80=99s actively problematic. Let us please not take Linux=E2=80=99s NX legacy support as an example of go= od design.=