Subject: Re: [PATCH v1 0/4] [RFC] Implement Trampoline File Descriptor
To: David Laight, 'Pavel Machek'
Cc: 'Andy Lutomirski', Kernel Hardening, Linux API, linux-arm-kernel, Linux FS Devel, linux-integrity, LKML, LSM List, Oleg Nesterov, X86 ML
References: <20200728131050.24443-1-madvenka@linux.microsoft.com> <20200802115600.GB1162@bug>
From: "Madhavan T. Venkataraman"
Message-ID: <06e4cfc7-f1d5-5311-2e1c-603cf408c9f7@linux.microsoft.com>
Date: Mon, 3 Aug 2020 10:57:12 -0500
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/3/20 3:08 AM, David Laight wrote:
> From: Pavel Machek
>> Sent: 02 August 2020 12:56
>> Hi!
>>
>>>> This is quite clever, but now I'm wondering just how much kernel help
>>>> is really needed. In your series, the trampoline is a non-executable
>>>> page. I can think of at least two alternative approaches, and I'd
>>>> like to know the pros and cons.
>>>>
>>>> 1. Entirely userspace: a return trampoline would be something like:
>>>>
>>>> 1:
>>>> pushq %rax
>>>> pushq %rbx
>>>> pushq %rcx
>>>> ...
>>>> pushq %r15
>>>> movq %rsp, %rdi # pointer to saved regs
>>>> leaq 1b(%rip), %rsi # pointer to the trampoline itself
>>>> callq trampoline_handler # see below
>>> For nested calls (where the trampoline needs to pass the
>>> original stack frame to the nested function) I think you
>>> just need a page full of:
>>> mov $0, scratch_reg; jmp trampoline_handler
>> I believe you could do with mov %pc, scratch_reg; jmp ...
>>
>> That has the advantage of being able to share a single physical
>> page across multiple virtual pages...
> A lot of architectures don't let you copy %pc that way so you would
> have to use 'call' - but that trashes the return address cache.
> It also needs the trampoline handler to know the addresses
> of the trampolines.

Do you know which ones don't allow you to copy %pc?

Some of the architectures do not have PC-relative data references. If they do not allow you to copy the PC into a general purpose register, then there is no way to implement the statically defined trampoline that has been discussed so far.

In these cases, the trampoline has to be generated at runtime.

Thanks.

Madhavan
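The "page full of mov %pc, scratch_reg; jmp trampoline_handler" design that Pavel and David discuss above has one essential property: every stub is identical, carries no data of its own, and hands the shared handler only its own address, from which the handler must recover the closure data. The following C program, an added example that is not code from this thread or from the patch series, models exactly that: a fixed pool of stubs stamped out at compile time, a handler that maps a stub's address back to its slot, and per-stub data kept in ordinary non-executable memory, so the program never needs writable and executable memory at the same time. All names in it (tramp_fn, closure_fn, tramp_alloc, tramp_free, tramp_handler, NTRAMP, demo_lifecycle) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread or the patch series. A pool of
 * identical stubs, each of which passes only its own address to a shared
 * handler; the handler looks up the closure data that belongs to that stub.
 * All names here are hypothetical. */

typedef long (*tramp_fn)(long arg);               /* what a caller sees */
typedef long (*closure_fn)(void *ctx, long arg);  /* user callback + context */

#define NTRAMP 4

/* Per-stub closure data lives in ordinary (non-executable) memory. */
static struct closure {
    closure_fn fn;
    void *ctx;
    int in_use;
} slots[NTRAMP];

static long tramp_handler(tramp_fn self, long arg);

/* Each stub knows nothing but its own identity, like "mov %pc, scratch_reg". */
#define DEFINE_STUB(i) \
    static long tramp_##i(long arg) { return tramp_handler(tramp_##i, arg); }
DEFINE_STUB(0)
DEFINE_STUB(1)
DEFINE_STUB(2)
DEFINE_STUB(3)

static const tramp_fn stubs[NTRAMP] = { tramp_0, tramp_1, tramp_2, tramp_3 };

/* Shared handler: map the stub's address back to its slot, which is what the
 * handler in the thread must do when a stub passes %pc instead of an index. */
static long tramp_handler(tramp_fn self, long arg)
{
    for (size_t i = 0; i < NTRAMP; i++) {
        if (stubs[i] == self) {
            if (!slots[i].in_use)
                return -1;   /* freed stub: refuse instead of using stale data */
            return slots[i].fn(slots[i].ctx, arg);
        }
    }
    return -1;               /* address is not in the pool */
}

/* Bind a callback and context to a free stub; NULL when the pool is exhausted. */
tramp_fn tramp_alloc(closure_fn fn, void *ctx)
{
    for (size_t i = 0; i < NTRAMP; i++) {
        if (!slots[i].in_use) {
            slots[i].fn = fn;
            slots[i].ctx = ctx;
            slots[i].in_use = 1;
            return stubs[i];
        }
    }
    return NULL;
}

/* Release a stub; returns 1 if it was in use, 0 otherwise. */
int tramp_free(tramp_fn t)
{
    for (size_t i = 0; i < NTRAMP; i++) {
        if (stubs[i] == t && slots[i].in_use) {
            slots[i].in_use = 0;
            slots[i].fn = NULL;
            slots[i].ctx = NULL;
            return 1;
        }
    }
    return 0;
}

/* Sample closure (constructed for the example): add a captured offset. */
static long add_offset(void *ctx, long arg)
{
    return arg + *(const long *)ctx;
}

/* Walk through alloc / call / free so the whole lifecycle can be checked. */
long demo_lifecycle(void)
{
    long off = 5;
    tramp_fn t = tramp_alloc(add_offset, &off);
    long r = t ? t(10) : -1;    /* 15: the stub reaches add_offset with its ctx */
    tramp_free(t);
    return r;
}

int main(void)
{
    printf("closure call through stub returned %ld\n", demo_lifecycle());
    return 0;
}
```

The pool is fixed in size, which is the cost of the static design: a caller that needs more closures than there are stubs gets NULL rather than a freshly generated trampoline, and that is precisely the point at which an architecture without PC-relative data access, as Madhavan notes, has to fall back to generating code at runtime.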