Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1500877pxk;
        Fri, 18 Sep 2020 14:24:31 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwsbsA143r0TcS6n/r+JwMvrVNnMgq+rqd9GsZyYGU4V/RaA0ZVv0xYEceNtr7T6BiXPQfj
X-Received: by 2002:a17:907:72c5:: with SMTP id du5mr39534662ejc.469.1600464270797;
        Fri, 18 Sep 2020 14:24:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600464270; cv=none;
        d=google.com; s=arc-20160816;
        b=csi90cmb3W66A+Omy/GBXD0YmxnAjY0AsTV8ygtEr/Fnpvx9sjQv7UfePjSoFB7nIx
         Xl970GvIREvMDUuKduWa63J4VUMHsoALGNc2N6az9LeIT7R+F4/+WQeuJtfKp0NWg0HB
         Hjs1EvBdjCYQZWgh9trGNuYJASdZRSea9J3+Xf05jO1YUCI0a5CA+6AWlXZB4Da5x38O
         4+MIA5mIX+9+0ts0gwY3pM28+swlvcbVDV3AmX+pBe6drEGbfQJ9+PQbiVDSbTgvwsnc
         zA7C/83BXLJcn9ui3q3ieoDHv1OaYkP1xak+QBsVgCCRylVzuz5bxPgYjK7e+uUeHiaL
         6+Zg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=5j2OeQ+/rFXfzHuhh9VMI4eRtBkixLzXSxWShQrcuD8=;
        b=O1izX9IpA7XwF4GU86Yggx3DcLkhHA+84o1gb6vf6iCyyLwBZIgY9Gm13DA1gokuwb
         FzfEM0dQFvX4HxFG23DicP1gjor0AL+0ac/eFYvUoqOq5Zbx5dNfQ2yAORCwAxf60FTF
         jL9h8kAkjdHXyh/EFZZqvbfRxRTy0Bj9OfXD2QXStqmvwhKRLvF1gS3dNAUI9Giy7BW3
         7S+2v/IImEjKNHUeBoC+184lG14aa/9bwXIPsxoniWkfgbrp4egRyLd3Bevr/58hP7K/
         Wtv7bzNP18dj8EPp9EOAnktSa1+no5xMV2KLN7EDmRk52cDAsylrBpawvB8emLvzqsN7
         TfIQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id dd25si2988355ejb.177.2020.09.18.14.24.06;
        Fri, 18 Sep 2020 14:24:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726236AbgIRVXC (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 99 others); Fri, 18 Sep 2020 17:23:02 -0400
Received: from jabberwock.ucw.cz ([46.255.230.98]:34998 "EHLO
        jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726118AbgIRVXC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 Sep 2020 17:23:02 -0400
Received: by jabberwock.ucw.cz (Postfix, from userid 1017)
        id 0590D1C0B78; Fri, 18 Sep 2020 23:22:59 +0200 (CEST)
Date:   Fri, 18 Sep 2020 23:22:58 +0200
From:   Pavel Machek <pavel@ucw.cz>
To:     "Yu, Yu-cheng" <yu-cheng.yu@intel.com>
Cc:     Dave Hansen <dave.hansen@intel.com>, x86@kernel.org,
        "H. Peter Anvin" <hpa@zytor.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
        linux-doc@vger.kernel.org, linux-mm@kvack.org,
        linux-arch@vger.kernel.org, linux-api@vger.kernel.org,
        Arnd Bergmann <arnd@arndb.de>,
        Andy Lutomirski <luto@kernel.org>,
        Balbir Singh <bsingharora@gmail.com>,
        Borislav Petkov <bp@alien8.de>,
        Cyrill Gorcunov <gorcunov@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Eugene Syromiatnikov <esyr@redhat.com>,
        Florian Weimer <fweimer@redhat.com>,
        "H.J. Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Mike Kravetz <mike.kravetz@oracle.com>,
        Nadav Amit <nadav.amit@gmail.com>,
        Oleg Nesterov <oleg@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        "Ravi V. Shankar" <ravi.v.shankar@intel.com>,
        Vedvyas Shanbhogue <vedvyas.shanbhogue@intel.com>,
        Dave Martin <Dave.Martin@arm.com>,
        Weijiang Yang <weijiang.yang@intel.com>
Subject: Re: [PATCH v12 8/8] x86: Disallow vsyscall emulation when CET is
 enabled
Message-ID: <20200918212258.GD4304@duo.ucw.cz>
References: <20200918192312.25978-1-yu-cheng.yu@intel.com>
 <20200918192312.25978-9-yu-cheng.yu@intel.com>
 <f02b511d-1d48-6dea-d2e6-84d58e21e6cd@intel.com>
 <20200918210026.GC4304@duo.ucw.cz>
 <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="NklN7DEeGtkPCoo3"
Content-Disposition: inline
In-Reply-To: <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--NklN7DEeGtkPCoo3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri 2020-09-18 14:21:10, Yu, Yu-cheng wrote:
> On 9/18/2020 2:00 PM, Pavel Machek wrote:
> > On Fri 2020-09-18 12:32:57, Dave Hansen wrote:
> > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > > > Emulation of the legacy vsyscall page is required by some programs
> > > > built before 2013.  Newer programs after 2013 don't use it.
> > > > Disable vsyscall emulation when Control-flow Enforcement (CET) is
> > > > enabled to enhance security.
> > >=20
> > > How does this "enhance security"?
> > >=20
> > > What is the connection between vsyscall emulation and CET?
> >=20
> > Boom.
> >=20
> > We don't break compatibility by default, and you should not tell
> > people to enable CET by default if you plan to do this.
>=20
> I would revise the wording if there is another version.  What this patch
> does is:
>=20
> If an application is compiled for CET and the system supports it, then the
> application cannot do vsyscall emulation.  Earlier we allow the emulation,
> and had a patch that fixes the shadow stack and endbr for the emulation
> code.  Since newer programs mostly do no do the emulation, we changed the
> patch do block it when attempted.
>=20
> This patch would not block any legacy applications or any applications on
> older machines.

Aha, makes sense, sorry for the noise.

Best regards,
									Pavel

--=20
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo=
g.html

--NklN7DEeGtkPCoo3
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCX2UlMgAKCRAw5/Bqldv6
8vVFAJ41iKxZD+QTSRHZvYWU+1CsdoJREgCcCLoiJeApvT43KAk2xvBWtw06jWU=
=Yah9
-----END PGP SIGNATURE-----

--NklN7DEeGtkPCoo3--