Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1675230pxb; Wed, 9 Feb 2022 01:53:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJyXUeG8De9Wje7TxEPT1PRLmn4H/wndNfPPIvyynzRTpEIqF8Rc6IlezYrZ4cHup7qbnqNC X-Received: by 2002:a17:902:c944:: with SMTP id i4mr1318524pla.1.1644400424099; Wed, 09 Feb 2022 01:53:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644400424; cv=none; d=google.com; s=arc-20160816; b=zI74VDyEnZECWl4dVXCoECp1thI6vIJoKaYE8pTp3EZqYHFZhfCcD87FuKnJmcDaS/ JW5bOQqNPhDqPlrboaD2uHoM20qiH7T7y6nDER1h0LDtp6adHRnO2OI6H611zy1ES4n8 YZz7VoLXsavJkIpc/mxALZhN4E/o/UBfSGkaoWeRsg0WTK20xWJ4CdbZ561kP81UwYdQ 5l6QqVW7ofTCC9TVXt+222AAL5UU8dDCx3XlMHkh/oxUqx/KENJLwVWscYBO9Bry7P/z A0mVkFxTlHz0t7RC1F5e7MQtw3RkYRnVyJguwCczTQpYcpZkncfkTsc3VXXS+7O270gK Gh3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:cc:to:from:date:references:in-reply-to :message-id:mime-version:user-agent:dkim-signature; bh=S666cZZ3uSRg4U5QAjH6v6QRC3C5cJ9NMXdtCuxy4no=; b=vYPkuWmCU4t+rfD7+YP/doDefxjR79WWdLD5zNA1c7MGOyxKiZFO8mKur1s++CMp0U tSpGxcK5gv/Edm3IYh3NcHd2WRyMvwziR56Ln5tBkGjVmSwhSaElXcu671dgs69AHSUM hoPM9ytnccv8W/qpmFfOLL/VQUCMLpFdwmxm+wVIWT6mVd1pEHNAIzi6OT9gt4vd63um YDYiAcX5g67nt7ZsO/ZUwNxHlyFMJFyS4zncXOnwn33fmGcdHIjFCYr1KsX6Jupwbbze 8RnduuAn9DFkBjGPO+gReQz1PLpl/XwIaHUexqYxOv6u5ofDzLsfILU34alJQ/Pm3vxJ 5PDg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SYdXu170; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id d21si15357367pfl.97.2022.02.09.01.53.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Feb 2022 01:53:44 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SYdXu170; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C764CE03C041; Wed, 9 Feb 2022 01:09:44 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1383045AbiBHQVw (ORCPT + 99 others); Tue, 8 Feb 2022 11:21:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229597AbiBHQVs (ORCPT ); Tue, 8 Feb 2022 11:21:48 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F66BC061576 for ; Tue, 8 Feb 2022 08:21:47 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 387F5B81C10 for ; Tue, 8 Feb 2022 16:21:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C75A4C004E1; Tue, 8 Feb 2022 16:21:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1644337305; bh=cUXMYwV3FsUsTmiMnq+uhwE47soE1KcN2fh5D+proTA=; h=In-Reply-To:References:Date:From:To:Cc:Subject:From; b=SYdXu170xBHHUjtWDtgioa8Qvsdmh617pUIz2hpTg+v6xiUUBB9OVj4a8ioygzGSP 5md+IpahrD5rW14xK8o5ixxtIgMCX9w5yp3ahVR5Xkp0ecGeXEWikrYFsV3WYAdPFa fWZpnU0b6YOjzCvjmMfapyOY1UFOnmLynludGChjdJwdDn/ueLf7pVoF0f3VJA+hb3 B04vO1/hRv36Sc0EGyp5VQyCrQXaMEbYHOk6eMIm0ewlX27cUByN14msoA5tJqGFcN B3CWrkbNnSd4NCxzzPk6sd/ksgmuWlhv+BkH8LYcbuBfNY1FL9hJlYse+7Rpcsfbjh GvHiWrTP8wwMA== Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailauth.nyi.internal (Postfix) with ESMTP id 73F7B27C005A; Tue, 8 Feb 2022 11:21:42 -0500 (EST) Received: from imap48 ([10.202.2.98]) by compute5.internal (MEProxy); Tue, 08 Feb 2022 11:21:42 -0500 X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheejgdekgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedftehnugih ucfnuhhtohhmihhrshhkihdfuceolhhuthhosehkvghrnhgvlhdrohhrgheqnecuggftrf grthhtvghrnheptdfhheettddvtedvtedugfeuuefhtddugedvleevleefvdetleffgfef vdekgeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh eprghnugihodhmvghsmhhtphgruhhthhhpvghrshhonhgrlhhithihqdduudeiudekheei fedvqddvieefudeiiedtkedqlhhuthhopeepkhgvrhhnvghlrdhorhhgsehlihhnuhigrd hluhhtohdruhhs X-ME-Proxy: Received: by mailuser.nyi.internal (Postfix, from userid 501) id D580121E0073; Tue, 8 Feb 2022 11:21:40 -0500 (EST) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.5.0-alpha0-4748-g31a5b5f50e-fm-cal2020-20220204.001-g31a5b5f5 Mime-Version: 1.0 Message-Id: <357664de-b089-4617-99d1-de5098953c80@www.fastmail.com> In-Reply-To: References: <20220130211838.8382-1-rick.p.edgecombe@intel.com> <8f96c2a6-9c03-f97a-df52-73ffc1d87957@intel.com> Date: Tue, 08 Feb 2022 08:21:20 -0800 From: "Andy Lutomirski" To: "Cyrill Gorcunov" , "Mike Rapoport" Cc: "Dave Hansen" , "Adrian Reber" , "Rick P Edgecombe" , "the arch/x86 maintainers" , "H. Peter Anvin" , "Thomas Gleixner" , "Ingo Molnar" , "Linux Kernel Mailing List" , linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, "Linux API" , "Arnd Bergmann" , "Balbir Singh" , "Borislav Petkov" , "Dave Hansen" , "Eugene Syromiatnikov" , "Florian Weimer" , "H.J. Lu" , "Jann Horn" , "Jonathan Corbet" , "Kees Cook" , "Mike Kravetz" , "Nadav Amit" , "Oleg Nesterov" , "Pavel Machek" , "Peter Zijlstra (Intel)" , "Randy Dunlap" , "Shankar, Ravi V" , "Dave Martin" , "Weijiang Yang" , "Kirill A. Shutemov" , "Moreira, Joao" , "john.allen@amd.com" , "kcc@google.com" , "Eranian, Stephane" , "Andrei Vagin" , "Dmitry Safonov" <0x7f454c46@gmail.com> Subject: Re: [PATCH 00/35] Shadow stacks for userspace Content-Type: text/plain X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 8, 2022, at 1:29 AM, Cyrill Gorcunov wrote: > On Tue, Feb 08, 2022 at 11:16:51AM +0200, Mike Rapoport wrote: >> >> > Any thoughts on how you would _like_ to see this resolved? >> >> Ideally, CRIU will need a knob that will tell the kernel/CET machinery >> where the next RET will jump, along the lines of >> restore_signal_shadow_stack() AFAIU. >> >> But such a knob will immediately reduce the security value of the entire >> thing, and I don't have good ideas how to deal with it :( > > Probably a kind of latch in the task_struct which would trigger off once > returt to a different address happened, thus we would be able to jump inside > paratite code. Of course such trigger should be available under proper > capability only. I'm not fully in touch with how parasite, etc works. Are we talking about save or restore? If it's restore, what exactly does CRIU need to do? Is it just that CRIU needs to return out from its resume code into the to-be-resumed program without tripping CET? Would it be acceptable for CRIU to require that at least one shstk slot be free at save time? Or do we need a mechanism to atomically switch to a completely full shadow stack at resume? Off the top of my head, a sigreturn (or sigreturn-like mechanism) that is intended for use for altshadowstack could safely verify a token on the altshdowstack, possibly compare to something in ucontext (or not -- this isn't clearly necessary) and switch back to the previous stack. CRIU could use that too. Obviously CRIU will need a way to populate the relevant stacks, but WRUSS can be used for that, and I think this is a fundamental requirement for CRIU -- CRIU restore absolutely needs a way to write the saved shadow stack data into the shadow stack. So I think the only special capability that CRIU really needs is WRUSS, and we need to wire that up anyway.