Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1124493ybg;
        Wed, 29 Jul 2020 06:30:20 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxEZsxfU2VdBvRW+IGLoHETr+7+w8zHRjoRk7QWM1l/0p6b+wdRn7uDLHk8gOEnskNmmasP
X-Received: by 2002:a05:6402:a5b:: with SMTP id bt27mr14984924edb.120.1596029420730;
        Wed, 29 Jul 2020 06:30:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1596029420; cv=none;
        d=google.com; s=arc-20160816;
        b=k5LO+piSik8eV1YIaTWc60QoUKGR9fcFgzG4mm2dDzsRuyuGl1TYb6zqJVi9xWJacU
         KczhnBctJ6kYD0FZnWyVw2678YB3BsUA+ysWP0yWFZNovQokXEbt361U10t9OBG5Ef0j
         tMaMvX/KjrQK0/j0cjGlVDTeT248rjxJcObl5EpWfs8EX7jqziuxQU+8FOZGea16T4hN
         rbo4YSMy9HwhNQ7ybqwvHQpNy7INOAod/Y2MRAaLom5DL6+ZsSHZ2paXIfOAIWmdCeQ+
         v4tWcr+XpvZa0INZoX8IuUh/Sb7li2JT2aNQdiP/oU8v6us7QEE/b2npZfFzWZBrSSV0
         vbWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:message-id:in-reply-to:date:references:subject:cc:to
         :from:dkim-signature;
        bh=pHdy6Zb9Xi6Br1uklysJIGNGzShuC9IUN8gmmUSKfJ8=;
        b=d0/5UzcF1dh6LfZfnb1fE+KcScjls+nnpMYZzL+v7yutSwKklj8DVrjobQAA8U1BGa
         b3xc0MtZLdPenCPbpJA45/nQcXRTe4N+IqFWE4LsMs9xuFEyeMV/oOrwpnaNI9iv93Pu
         XF1G2jvJjqnMURGoUcEnHZD7VxAzUODYVe4A08GWlsz05dyZO04X+ALtN9JyDlzR8lUT
         Wp+TVhglBwXnAEDvtpc3IV5L0b5MHsSbTEj/LsacWwAf4cVWR8Zl+TcgqN9SBm225k4R
         UbnZ8Osb5GsIZFr1ZD3JiRUAdW9C+IsCkagiI3SUKPJtlO/xI1NJSp5QhJgfwzqRxH45
         KALw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aRWtLfuQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id dr16si1473364ejc.502.2020.07.29.06.29.57;
        Wed, 29 Jul 2020 06:30:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aRWtLfuQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726496AbgG2N3k (ORCPT <rfc822;dexuan.linux@gmail.com>
        + 99 others); Wed, 29 Jul 2020 09:29:40 -0400
Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:30448 "EHLO
        us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1726365AbgG2N3j (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Jul 2020 09:29:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1596029378;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=pHdy6Zb9Xi6Br1uklysJIGNGzShuC9IUN8gmmUSKfJ8=;
        b=aRWtLfuQT+4jdgoCsYV/8Kohq6UzLvVlKez2chiloW2tblAG/Uy0mBhIe2G+HlU+GcjQLU
        aLl1rhnwhQDuIxfbAid2URxFc6mkOAYtEIQZt41QiBfFG2vcAEEZa6XqjSyDAcyRINkOb2
        CJM7c7PBLWnkxot6U5aGSeB2RzQLc8Y=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-185-oUnvNmSeOLyVa6xnjYceCQ-1; Wed, 29 Jul 2020 09:29:36 -0400
X-MC-Unique: oUnvNmSeOLyVa6xnjYceCQ-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EE5481902EA0;
        Wed, 29 Jul 2020 13:29:34 +0000 (UTC)
Received: from oldenburg2.str.redhat.com (ovpn-113-29.ams2.redhat.com [10.36.113.29])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id B422869327;
        Wed, 29 Jul 2020 13:29:32 +0000 (UTC)
From:   Florian Weimer <fweimer@redhat.com>
To:     Andy Lutomirski <luto@kernel.org>
Cc:     madvenka@linux.microsoft.com,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Oleg Nesterov <oleg@redhat.com>, X86 ML <x86@kernel.org>
Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
References: <20200728131050.24443-1-madvenka@linux.microsoft.com>
        <CALCETrVy5OMuUx04-wWk9FJbSxkrT2vMfN_kANinudrDwC4Cig@mail.gmail.com>
Date:   Wed, 29 Jul 2020 15:29:31 +0200
In-Reply-To: <CALCETrVy5OMuUx04-wWk9FJbSxkrT2vMfN_kANinudrDwC4Cig@mail.gmail.com>
        (Andy Lutomirski's message of "Tue, 28 Jul 2020 10:31:59 -0700")
Message-ID: <87pn8eo3es.fsf@oldenburg2.str.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

* Andy Lutomirski:

> This is quite clever, but now I=E2=80=99m wondering just how much kernel =
help
> is really needed. In your series, the trampoline is an non-executable
> page.  I can think of at least two alternative approaches, and I'd
> like to know the pros and cons.
>
> 1. Entirely userspace: a return trampoline would be something like:
>
> 1:
> pushq %rax
> pushq %rbc
> pushq %rcx
> ...
> pushq %r15
> movq %rsp, %rdi # pointer to saved regs
> leaq 1b(%rip), %rsi # pointer to the trampoline itself
> callq trampoline_handler # see below
>
> You would fill a page with a bunch of these, possibly compacted to get
> more per page, and then you would remap as many copies as needed.

libffi does something like this for iOS, I believe.

The only thing you really need is a PC-relative indirect call, with the
target address loaded from a different page.  The trampoline handler can
do all the rest because it can identify the trampoline from the stack.
Having a closure parameter loaded into a register will speed things up,
of course.

I still hope to transition libffi to this model for most Linux targets.
It really simplifies things because you don't have to deal with cache
flushes (on both the data and code aliases for SELinux support).

But the key observation is that efficient trampolines do not need
run-time code generation at all because their code is so regular.

Thanks,
Florian