Date: Mon, 23 Mar 2020 14:39:55 +0000
From: Catalin Marinas
To: Mark Rutland
Cc: Mark Brown, Szabolcs Nagy, Will Deacon, Alexander Viro, Paul Elliott,
 Peter Zijlstra, Yu-cheng Yu, Amit Kachhap, Vincenzo Frascino, Marc Zyngier,
 Eugene Syromiatnikov, "H . J . Lu", Andrew Jones, Kees Cook, Arnd Bergmann,
 Jann Horn, Richard Henderson, Kristina Martšenko, Thomas Gleixner,
 Florian Weimer, Sudakshina Das, linux-arm-kernel@lists.infradead.org,
 linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
 linux-fsdevel@vger.kernel.org, nd@arm.com
Subject: Re: [PATCH v10 00/13] arm64: Branch Target Identification support
Message-ID: <20200323143954.GC4892@mbp>
In-Reply-To: <20200323135722.GA3959@C02TD0UTHF1T.local>

On Mon, Mar 23, 2020 at 01:57:22PM +0000, Mark Rutland wrote:
> On Mon, Mar 23, 2020 at 01:24:12PM +0000, Mark Brown wrote:
> > On Mon, Mar 23, 2020 at 12:21:44PM +0000, Catalin Marinas wrote:
> > > On Fri, Mar 20, 2020 at 05:39:46PM +0000, Szabolcs Nagy wrote:
> >
> > > +int arch_elf_adjust_prot(int prot, const struct arch_elf_state *state,
> > > + bool has_interp, bool is_interp)
> > > +{
> > > + if (is_interp != has_interp)
> > > + return prot;
> > > +
> > > + if (!(state->flags & ARM64_ELF_BTI))
> > > + return prot;
> > > +
> > > + if (prot & PROT_EXEC)
> > > + prot |= PROT_BTI;
> > > +
> > > + return prot;
> > > +}
> >
> > > At a quick look, for dynamic binaries we have has_interp == true and
> > > is_interp == false. I don't know why but, either way, the above code
> > > needs a comment with some justification.
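
Review bot: The first check, `if (is_interp != has_interp) return prot;`, has no comment saying which mappings it excludes, and the condition is not self-evident. As written, PROT_BTI is only added when both flags are false or both are true, so the main executable of a dynamically linked program (has_interp true, is_interp false) comes back with prot unchanged. A short comment above the check naming that case, and stating that userspace is then expected to set PROT_BTI on those mappings, would document the ABI. arch_elf_adjust_prot() also has no header comment describing the has_interp and is_interp parameters.
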
> >
> > I don't really know for certain either, I inherited this code as is with
> > the understanding that this was all agreed with the toolchain and libc
> > people - the actual discussion that led to the decisions being made
> > happened before I was involved. My understanding is that the idea was
> > that the dynamic linker would be responsible for mapping everything in
> > dynamic applications other than itself but other than consistency I
> > don't know why. I guess it defers more decision making to userspace but
> > I'm having a hard time thinking of sensible cases where one might wish
> > to make a decision other than enabling PROT_BTI.
>
> My understanding was this had been agreed with the toolchain folk a
> while back -- anything static loaded by the kernel (i.e. a static
> executable or the dynamic linker) would get GP set. In other cases the
> linker will mess with the permissions on the pages anyhow, and needs to
> be aware of BTI in order to do the right thing, so it was better to
> leave it to userspace consistently (e.g. as that had the least risk of
> subtle changes in behaviour leading to ABI difficulties).

So this means that the interpreter will have to mprotect(PROT_BTI) the
text section of the primary executable. For subsequent libraries, it
calls mmap() explicitly anyway but not for the main executable (IIUC).

> > I'd be perfectly happy to drop the check if that makes more sense to
> > people, otherwise I can send a patch adding a comment explaining the
> > situation.
>
> I think it would be best to document the current behaviour, as it's a
> simple ABI that we can guarantee, and the dynamic linker will have to be
> aware of BTI in order to do the right thing anyhow.

That's a valid point. If we have an old dynamic linker and the kernel
enabled BTI automatically for the main executable, could things go wrong
(e.g. does the PLT need to be BTI-aware)?

--
Catalin
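
The userspace step discussed above (the interpreter re-protecting the main executable's text with PROT_BTI), as an added example that is not code from the patch series or from any real dynamic linker. `bti_range_for`, `struct bti_range` and the sample program headers are hypothetical; PROT_BTI is defined as 0x10 (the arm64 value) where the build host's headers lack it, and how the linker learns that the binary is BTI-marked is assumed to be done elsewhere.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

#ifndef PROT_BTI
#define PROT_BTI 0x10 /* arm64 value; absent from other architectures' headers */
#endif

/* Hypothetical result type: one mprotect() request; len == 0 means "leave alone". */
struct bti_range { uintptr_t start; size_t len; int prot; };

/*
 * Hypothetical dynamic-linker helper. The kernel left the main executable
 * without PROT_BTI (has_interp != is_interp in the quoted hunk), so for each
 * executable PT_LOAD segment of a BTI-marked binary the linker must call
 * mprotect(start, len, prot) itself. bias: load offset; pagesz: power of two.
 */
static struct bti_range bti_range_for(const Elf64_Phdr *ph, uintptr_t bias,
                                      size_t pagesz, int bti_marked)
{
    struct bti_range r = {0, 0, 0};
    uintptr_t mask = ~(uintptr_t)(pagesz - 1);
    if (!bti_marked || ph->p_type != PT_LOAD || !(ph->p_flags & PF_X))
        return r;

    /* mprotect() replaces the whole protection, so restate R/W/X as well. */
    r.prot = PROT_EXEC | PROT_BTI;
    if (ph->p_flags & PF_R) r.prot |= PROT_READ;
    if (ph->p_flags & PF_W) r.prot |= PROT_WRITE;

    /* Round outwards to page boundaries; mprotect() needs an aligned start. */
    r.start = (bias + ph->p_vaddr) & mask;
    r.len = ((bias + ph->p_vaddr + ph->p_memsz + pagesz - 1) & mask) - r.start;
    return r;
}

/* Constructed program headers: one text segment, one data segment. */
static const Elf64_Phdr sample_phdrs[] = {
    { .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_vaddr = 0x0640, .p_memsz = 0x1a00 },
    { .p_type = PT_LOAD, .p_flags = PF_R | PF_W, .p_vaddr = 0x12d80, .p_memsz = 0x0300 },
};

int main(void)
{
    struct bti_range r = bti_range_for(&sample_phdrs[0], 0, 4096, 1);
    printf("mprotect(%#lx, %#zx, %#x)\n", (unsigned long)r.start, r.len, (unsigned)r.prot);
    return 0;
}
```

A linker that predates BTI never issues this mprotect(), which is the case the closing question in the message is about.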