Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1500877pxk; Fri, 18 Sep 2020 14:24:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwsbsA143r0TcS6n/r+JwMvrVNnMgq+rqd9GsZyYGU4V/RaA0ZVv0xYEceNtr7T6BiXPQfj X-Received: by 2002:a17:907:72c5:: with SMTP id du5mr39534662ejc.469.1600464270797; Fri, 18 Sep 2020 14:24:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600464270; cv=none; d=google.com; s=arc-20160816; b=csi90cmb3W66A+Omy/GBXD0YmxnAjY0AsTV8ygtEr/Fnpvx9sjQv7UfePjSoFB7nIx Xl970GvIREvMDUuKduWa63J4VUMHsoALGNc2N6az9LeIT7R+F4/+WQeuJtfKp0NWg0HB Hjs1EvBdjCYQZWgh9trGNuYJASdZRSea9J3+Xf05jO1YUCI0a5CA+6AWlXZB4Da5x38O 4+MIA5mIX+9+0ts0gwY3pM28+swlvcbVDV3AmX+pBe6drEGbfQJ9+PQbiVDSbTgvwsnc zA7C/83BXLJcn9ui3q3ieoDHv1OaYkP1xak+QBsVgCCRylVzuz5bxPgYjK7e+uUeHiaL 6+Zg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=5j2OeQ+/rFXfzHuhh9VMI4eRtBkixLzXSxWShQrcuD8=; b=O1izX9IpA7XwF4GU86Yggx3DcLkhHA+84o1gb6vf6iCyyLwBZIgY9Gm13DA1gokuwb FzfEM0dQFvX4HxFG23DicP1gjor0AL+0ac/eFYvUoqOq5Zbx5dNfQ2yAORCwAxf60FTF jL9h8kAkjdHXyh/EFZZqvbfRxRTy0Bj9OfXD2QXStqmvwhKRLvF1gS3dNAUI9Giy7BW3 7S+2v/IImEjKNHUeBoC+184lG14aa/9bwXIPsxoniWkfgbrp4egRyLd3Bevr/58hP7K/ Wtv7bzNP18dj8EPp9EOAnktSa1+no5xMV2KLN7EDmRk52cDAsylrBpawvB8emLvzqsN7 TfIQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dd25si2988355ejb.177.2020.09.18.14.24.06; Fri, 18 Sep 2020 14:24:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726236AbgIRVXC (ORCPT + 99 others); Fri, 18 Sep 2020 17:23:02 -0400 Received: from jabberwock.ucw.cz ([46.255.230.98]:34998 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726118AbgIRVXC (ORCPT ); Fri, 18 Sep 2020 17:23:02 -0400 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 0590D1C0B78; Fri, 18 Sep 2020 23:22:59 +0200 (CEST) Date: Fri, 18 Sep 2020 23:22:58 +0200 From: Pavel Machek To: "Yu, Yu-cheng" Cc: Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , Weijiang Yang Subject: Re: [PATCH v12 8/8] x86: Disallow vsyscall emulation when CET is enabled Message-ID: <20200918212258.GD4304@duo.ucw.cz> References: <20200918192312.25978-1-yu-cheng.yu@intel.com> <20200918192312.25978-9-yu-cheng.yu@intel.com> <20200918210026.GC4304@duo.ucw.cz> <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NklN7DEeGtkPCoo3" Content-Disposition: inline In-Reply-To: <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --NklN7DEeGtkPCoo3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri 2020-09-18 14:21:10, Yu, Yu-cheng wrote: > On 9/18/2020 2:00 PM, Pavel Machek wrote: > > On Fri 2020-09-18 12:32:57, Dave Hansen wrote: > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > > > Emulation of the legacy vsyscall page is required by some programs > > > > built before 2013. Newer programs after 2013 don't use it. > > > > Disable vsyscall emulation when Control-flow Enforcement (CET) is > > > > enabled to enhance security. > > >=20 > > > How does this "enhance security"? > > >=20 > > > What is the connection between vsyscall emulation and CET? > >=20 > > Boom. > >=20 > > We don't break compatibility by default, and you should not tell > > people to enable CET by default if you plan to do this. >=20 > I would revise the wording if there is another version. What this patch > does is: >=20 > If an application is compiled for CET and the system supports it, then the > application cannot do vsyscall emulation. Earlier we allow the emulation, > and had a patch that fixes the shadow stack and endbr for the emulation > code. Since newer programs mostly do no do the emulation, we changed the > patch do block it when attempted. >=20 > This patch would not block any legacy applications or any applications on > older machines. Aha, makes sense, sorry for the noise. Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --NklN7DEeGtkPCoo3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCX2UlMgAKCRAw5/Bqldv6 8vVFAJ41iKxZD+QTSRHZvYWU+1CsdoJREgCcCLoiJeApvT43KAk2xvBWtw06jWU= =Yah9 -----END PGP SIGNATURE----- --NklN7DEeGtkPCoo3--