Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2374117pxk;
        Mon, 14 Sep 2020 11:32:34 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyJ+FTEmIUnbphlvc5oQhauB2cBG9bqlFUqJkDxtKqqJJ13g73DSvRFXy5LXY/0D0W5ys5G
X-Received: by 2002:a17:906:cc99:: with SMTP id oq25mr4070193ejb.292.1600108354691;
        Mon, 14 Sep 2020 11:32:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600108354; cv=none;
        d=google.com; s=arc-20160816;
        b=eLX+hihJK+310lwsaUZSP29unhTAw/AqbtKjE0nfYEWNwgaPtFBBVj0iELbXkg0Zbo
         pOiR6yFqd9GPKJQ1Rp6MbCA3/twbKJqP9T8ndmW4zhKH7cx+NVWezGHz421w9gzrzMGH
         2Htaw13isjf6ppRHl3CDK8uDv8avMFb0xpseOzCRrOA5QAl75jpkix9P9fus495vJo5d
         s/kAnoCaahj0EAE72sh6/TIqe5mJtHKZnfy5znMhbaG/lKsikrYlwSXzicQ5h2ltgwnk
         O4E73z06+WkafLAu3f0xKfPXR/N0ord7Po2zBSfv2HapsF0uFNbNYTXeiDgDI53PFRtX
         /xdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=luKAhDUKqv3hT98OAF9Z4kBy2g6qPGxzl1pHpmzU/JI=;
        b=k12f4pXTG1XCMfkkcQlQ+lCmPglZBCRaA3UE4Gi0gYtW9HsOzIUv5n7fnXHIHX8Xbe
         t7MVJpTeZC5TI/aWeB33aYHzW59B8HuwXCrxnaF7lOFcFwaiLm7cvwnY2vVQ0PN2ouTh
         ZYza6ZKzuv55y0LEWcjX8ODh9H5QN5gveKteot4vDqyO1jUqvp8cgNsWKPONyCVhSMcv
         HFs95jqrYoSL5OOWLeW8d1cbD5vK03Z353yCbmQxWC/QwoP84fQj4/wTmUYimMjI5Wxv
         8DOi46IYDS5MsVttY6ibrZayxXJXFFfItXrlCSMrJraj6oFOjOcANuNVneE5jTDvlMaD
         gEUA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=D4P7AEng;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bu5si7919843ejb.750.2020.09.14.11.32.11;
        Mon, 14 Sep 2020 11:32:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=D4P7AEng;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726046AbgINSbj (ORCPT <rfc822;ketanpantkp@gmail.com>
        + 99 others); Mon, 14 Sep 2020 14:31:39 -0400
Received: from mail.kernel.org ([198.145.29.99]:50046 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726019AbgINSbP (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Sep 2020 14:31:15 -0400
Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 720A82193E
        for <linux-kernel@vger.kernel.org>; Mon, 14 Sep 2020 18:31:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1600108274;
        bh=TWMzqZoZNralDEd5I14l94VOUCKWS0bUz/b6Q4OWmsg=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=D4P7AEngB+S1f31yQcalYo1zCNFyveknGKD9Hj70JfD4ABuAiXlotcEedmXFm7ic5
         hyF+FdjUZ/Pv8vmvFKWoUUv8UKd7aD5CEBujLlrbWQz6oxj49Y/+V5ZJ8vRVNdjlUU
         Hf9ohxCwkyBAIRMBxwyvi8S9wNjMHJEHhe3JffZo=
Received: by mail-wr1-f47.google.com with SMTP id x14so638986wrl.12
        for <linux-kernel@vger.kernel.org>; Mon, 14 Sep 2020 11:31:14 -0700 (PDT)
X-Gm-Message-State: AOAM5302FwML59CUw14sf00HRad7Bd5z3jzceN9Kc9QdChNOJqeCdybE
        Q/m8LXG5j4iVp7Vui/JqdDfPW4oaGsl8MAR4vgkpjA==
X-Received: by 2002:a5d:5111:: with SMTP id s17mr17179124wrt.70.1600108272961;
 Mon, 14 Sep 2020 11:31:12 -0700 (PDT)
MIME-Version: 1.0
References: <086c73d8-9b06-f074-e315-9964eb666db9@intel.com>
 <CALCETrVeNA0Kt2rW0CRCVo1JE0CKaBxu9KrJiyqUA8LPraY=7g@mail.gmail.com>
 <0e9996bc-4c1b-cc99-9616-c721b546f857@intel.com> <4f2dfefc-b55e-bf73-f254-7d95f9c67e5c@intel.com>
 <CAMe9rOqt9kbqERC8U1+K-LiDyNYuuuz3TX++DChrRJwr5ajt6Q@mail.gmail.com>
 <20200901102758.GY6642@arm.com> <c91bbad8-9e45-724b-4526-fe3674310c57@intel.com>
 <CALCETrWJQgtO_tP1pEaDYYsFgkZ=fOxhyTRE50THcxYoHyTTwg@mail.gmail.com>
 <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com> <46dffdfd-92f8-0f05-6164-945f217b0958@intel.com>
 <ed929729-4677-3d3b-6bfd-b379af9272b8@intel.com> <6e1e22a5-1b7f-2783-351e-c8ed2d4893b8@intel.com>
 <5979c58d-a6e3-d14d-df92-72cdeb97298d@intel.com> <ab1a3344-60f4-9b9d-81d4-e6538fdcafcf@intel.com>
 <08c91835-8486-9da5-a7d1-75e716fc5d36@intel.com> <a881837d-c844-30e8-a614-8b92be814ef6@intel.com>
 <cbec8861-8722-ec31-2c02-1cfed20255eb@intel.com> <b3379d26-d8a7-deb7-59f1-c994bb297dcb@intel.com>
 <a1efc4330a3beff10671949eddbba96f8cde96da.camel@intel.com> <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com>
In-Reply-To: <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Mon, 14 Sep 2020 11:31:01 -0700
X-Gmail-Original-Message-ID: <CALCETrX5qJAZBe9sHL6+HFvre-bbo+us1==q9KHNCyRrzaUsjw@mail.gmail.com>
Message-ID: <CALCETrX5qJAZBe9sHL6+HFvre-bbo+us1==q9KHNCyRrzaUsjw@mail.gmail.com>
Subject: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add
 arch_prctl functions for shadow stack
To:     Dave Hansen <dave.hansen@intel.com>
Cc:     Yu-cheng Yu <yu-cheng.yu@intel.com>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Martin <Dave.Martin@arm.com>,
        "H.J. Lu" <hjl.tools@gmail.com>,
        Florian Weimer <fweimer@redhat.com>, X86 ML <x86@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Balbir Singh <bsingharora@gmail.com>,
        Borislav Petkov <bp@alien8.de>,
        Cyrill Gorcunov <gorcunov@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Eugene Syromiatnikov <esyr@redhat.com>,
        Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Mike Kravetz <mike.kravetz@oracle.com>,
        Nadav Amit <nadav.amit@gmail.com>,
        Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
        Peter Zijlstra <peterz@infradead.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        "Ravi V. Shankar" <ravi.v.shankar@intel.com>,
        Vedvyas Shanbhogue <vedvyas.shanbhogue@intel.com>,
        Weijiang Yang <weijiang.yang@intel.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Sep 14, 2020, at 7:50 AM, Dave Hansen <dave.hansen@intel.com> wrote:
>
> =EF=BB=BFOn 9/11/20 3:59 PM, Yu-cheng Yu wrote:
> ...
>> Here are the changes if we take the mprotect(PROT_SHSTK) approach.
>> Any comments/suggestions?
>
> I still don't like it. :)
>
> I'll also be much happier when there's a proper changelog to accompany
> this which also spells out the alternatives any why they suck so much.
>

Let=E2=80=99s take a step back here. Ignoring the precise API, what exactly=
 is
a shadow stack from the perspective of a Linux user program?

The simplest answer is that it=E2=80=99s just memory that happens to have
certain protections.  This enables all kinds of shenanigans.  A
program could map a memfd twice, once as shadow stack and once as
non-shadow-stack, and change its control flow.  Similarly, a program
could mprotect its shadow stack, modify it, and mprotect it back.  In
some threat models, though could be seen as a WRSS bypass.  (Although
if an attacker can coerce a process to call mprotect(), the game is
likely mostly over anyway.)

But we could be more restrictive, or perhaps we could allow user code
to opt into more restrictions.  For example, we could have shadow
stacks be special memory that cannot be written from usermode by any
means other than ptrace() and friends, WRSS, and actual shadow stack
usage.

What is the goal?

No matter what we do, the effects of calling vfork() are going to be a
bit odd with SHSTK enabled.  I suppose we could disallow this, but
that seems likely to cause its own issues.