Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2449982pxk; Mon, 14 Sep 2020 13:46:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy5BJuMR+qYr6uv19ZGFIae5hyUC9z0ZxWmtLDqvCPL4gLwSqtBoJvhhNjqBLplO3NIkrxn X-Received: by 2002:a17:906:2747:: with SMTP id a7mr16328493ejd.301.1600116389548; Mon, 14 Sep 2020 13:46:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600116389; cv=none; d=google.com; s=arc-20160816; b=q8Cw3ifQX98q4zfGw5H+eP/JEjInhYtzHMPyVYdI24q/R0nGIKBMyWk1cd3T6Yaqib Byz1QdxfoPHGasywhZb7ysWOe9fuKaYoXoCfRIzr7d9048zI/rje1nuhsVbJUdC2ScRN Of+H29bpyuMEZtolYZp+K1jpo81rts7DH8R/3ObXMfbWnFlTUI7ks51SIFc/1RgoU20u pcNpYj/yUJX5uJpTcfMsX/B9TrHTbW0Mvg7tdaGNdQ671MGmxbTgR9lCYmW71pE/E7eX pXVRlAMMaS4eZ2fj78SAODjrLEJmiz6yP1VblRMvB8CwoGhhSTdY1fwgnl6uFBBfyfIw NNWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:ironport-sdr:ironport-sdr; bh=PhbuA9IOO1WwZPKlJxwMuFpI8K+WBtrvF9kqgFx1SQA=; b=ZqVfFSAYqp1d1N/7Mj/8rXRbz3n1nOhKCKbdBBqk45hZdt+zIaZiVaEONdhcJQ6TPN 2QzDGIP0lbIkdeBNugR5UagYOz/eBI6pe0UJIwEw3tsSVPWFnLQK9IDRrr/5ohcyu9rB FROClBkYIVqa8PVT8DS4HYbn2h6NU/vPUoaWoUPcmETBoMkXTR3GhR+kYvXafNhry+Sj tFT+xRbMiwPHhl7E4Bp8Ek4Ujk0eX159P7PcmhvvubkZJIHBa6gWABk3YLKC7KKw2zPQ PI4njL4oz271MXL3/avVtMc+VRUwTGpHMhllwC8BLEc/8MmRczmjpKUKqbgulysIzuVB 2U2g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p7si7777682edq.28.2020.09.14.13.46.06; Mon, 14 Sep 2020 13:46:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726013AbgINUo4 (ORCPT + 99 others); Mon, 14 Sep 2020 16:44:56 -0400 Received: from mga18.intel.com ([134.134.136.126]:37837 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725984AbgINUoz (ORCPT ); Mon, 14 Sep 2020 16:44:55 -0400 IronPort-SDR: 6nrcm9dSy+DO/jvdZmLKmHnbZys6BAG4RBu3iA68hckXf0bv8JIsargF5GyFyh7NcAW2OqeA4U NbxM7z0VeD1w== X-IronPort-AV: E=McAfee;i="6000,8403,9744"; a="146898430" X-IronPort-AV: E=Sophos;i="5.76,427,1592895600"; d="scan'208";a="146898430" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 13:44:54 -0700 IronPort-SDR: AkVfmk+B+R2AS1BdaSnCKau8ZPqZEqz9QQUtghb9wnE8lfT5XErlNWR4JSyOEhO3efMA9qoWq9 vHE3455/G5aw== X-IronPort-AV: E=Sophos;i="5.76,427,1592895600"; d="scan'208";a="506491218" Received: from yyu32-mobl1.amr.corp.intel.com (HELO [10.212.244.74]) ([10.212.244.74]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Sep 2020 13:44:51 -0700 Subject: Re: [NEEDS-REVIEW] Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack To: Andy Lutomirski , Dave Hansen Cc: Dave Martin , "H.J. Lu" , Florian Weimer , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , LKML , "open list:DOCUMENTATION" , Linux-MM , linux-arch , Linux API , Arnd Bergmann , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Weijiang Yang References: <086c73d8-9b06-f074-e315-9964eb666db9@intel.com> <4f2dfefc-b55e-bf73-f254-7d95f9c67e5c@intel.com> <20200901102758.GY6642@arm.com> <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com> <46dffdfd-92f8-0f05-6164-945f217b0958@intel.com> <6e1e22a5-1b7f-2783-351e-c8ed2d4893b8@intel.com> <5979c58d-a6e3-d14d-df92-72cdeb97298d@intel.com> <08c91835-8486-9da5-a7d1-75e716fc5d36@intel.com> <41aa5e8f-ad88-2934-6d10-6a78fcbe019b@intel.com> From: "Yu, Yu-cheng" Message-ID: <2d86fa40-3676-62b1-1571-90074ca65971@intel.com> Date: Mon, 14 Sep 2020 13:44:50 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 9/14/2020 11:31 AM, Andy Lutomirski wrote: >> On Sep 14, 2020, at 7:50 AM, Dave Hansen wrote: >> >> On 9/11/20 3:59 PM, Yu-cheng Yu wrote: >> ... >>> Here are the changes if we take the mprotect(PROT_SHSTK) approach. >>> Any comments/suggestions? >> >> I still don't like it. :) >> >> I'll also be much happier when there's a proper changelog to accompany >> this which also spells out the alternatives any why they suck so much. >> > > Let’s take a step back here. Ignoring the precise API, what exactly is > a shadow stack from the perspective of a Linux user program? > > The simplest answer is that it’s just memory that happens to have > certain protections. This enables all kinds of shenanigans. A > program could map a memfd twice, once as shadow stack and once as > non-shadow-stack, and change its control flow. Similarly, a program > could mprotect its shadow stack, modify it, and mprotect it back. In What if we do the following: - If the mapping has VM_SHARED, it cannot be turned to shadow stack. Shadow stack cannot be shared anyway. - Only allow an anonymous mapping to be converted to shadow stack, but not the other way. > some threat models, though could be seen as a WRSS bypass. (Although > if an attacker can coerce a process to call mprotect(), the game is > likely mostly over anyway.) > > But we could be more restrictive, or perhaps we could allow user code > to opt into more restrictions. For example, we could have shadow > stacks be special memory that cannot be written from usermode by any > means other than ptrace() and friends, WRSS, and actual shadow stack > usage. > > What is the goal? There primary goal is to allocate/mmap a shadow stack from user space. > > No matter what we do, the effects of calling vfork() are going to be a > bit odd with SHSTK enabled. I suppose we could disallow this, but > that seems likely to cause its own issues. > Do you mean vfork() has issues with call/return? That is taken care of in GLIBC. Or do you mean it has issues with mprotect(PROT_SHSTK)?