Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1675230pxb;
        Wed, 9 Feb 2022 01:53:44 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyXUeG8De9Wje7TxEPT1PRLmn4H/wndNfPPIvyynzRTpEIqF8Rc6IlezYrZ4cHup7qbnqNC
X-Received: by 2002:a17:902:c944:: with SMTP id i4mr1318524pla.1.1644400424099;
        Wed, 09 Feb 2022 01:53:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1644400424; cv=none;
        d=google.com; s=arc-20160816;
        b=zI74VDyEnZECWl4dVXCoECp1thI6vIJoKaYE8pTp3EZqYHFZhfCcD87FuKnJmcDaS/
         JW5bOQqNPhDqPlrboaD2uHoM20qiH7T7y6nDER1h0LDtp6adHRnO2OI6H611zy1ES4n8
         YZz7VoLXsavJkIpc/mxALZhN4E/o/UBfSGkaoWeRsg0WTK20xWJ4CdbZ561kP81UwYdQ
         5l6QqVW7ofTCC9TVXt+222AAL5UU8dDCx3XlMHkh/oxUqx/KENJLwVWscYBO9Bry7P/z
         A0mVkFxTlHz0t7RC1F5e7MQtw3RkYRnVyJguwCczTQpYcpZkncfkTsc3VXXS+7O270gK
         Gh3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:subject:cc:to:from:date:references:in-reply-to
         :message-id:mime-version:user-agent:dkim-signature;
        bh=S666cZZ3uSRg4U5QAjH6v6QRC3C5cJ9NMXdtCuxy4no=;
        b=vYPkuWmCU4t+rfD7+YP/doDefxjR79WWdLD5zNA1c7MGOyxKiZFO8mKur1s++CMp0U
         tSpGxcK5gv/Edm3IYh3NcHd2WRyMvwziR56Ln5tBkGjVmSwhSaElXcu671dgs69AHSUM
         hoPM9ytnccv8W/qpmFfOLL/VQUCMLpFdwmxm+wVIWT6mVd1pEHNAIzi6OT9gt4vd63um
         YDYiAcX5g67nt7ZsO/ZUwNxHlyFMJFyS4zncXOnwn33fmGcdHIjFCYr1KsX6Jupwbbze
         8RnduuAn9DFkBjGPO+gReQz1PLpl/XwIaHUexqYxOv6u5ofDzLsfILU34alJQ/Pm3vxJ
         5PDg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SYdXu170;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id d21si15357367pfl.97.2022.02.09.01.53.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 09 Feb 2022 01:53:44 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SYdXu170;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id C764CE03C041;
	Wed,  9 Feb 2022 01:09:44 -0800 (PST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1383045AbiBHQVw (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 99 others); Tue, 8 Feb 2022 11:21:52 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50868 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229597AbiBHQVs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Feb 2022 11:21:48 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F66BC061576
        for <linux-kernel@vger.kernel.org>; Tue,  8 Feb 2022 08:21:47 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 387F5B81C10
        for <linux-kernel@vger.kernel.org>; Tue,  8 Feb 2022 16:21:46 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C75A4C004E1;
        Tue,  8 Feb 2022 16:21:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1644337305;
        bh=cUXMYwV3FsUsTmiMnq+uhwE47soE1KcN2fh5D+proTA=;
        h=In-Reply-To:References:Date:From:To:Cc:Subject:From;
        b=SYdXu170xBHHUjtWDtgioa8Qvsdmh617pUIz2hpTg+v6xiUUBB9OVj4a8ioygzGSP
         5md+IpahrD5rW14xK8o5ixxtIgMCX9w5yp3ahVR5Xkp0ecGeXEWikrYFsV3WYAdPFa
         fWZpnU0b6YOjzCvjmMfapyOY1UFOnmLynludGChjdJwdDn/ueLf7pVoF0f3VJA+hb3
         B04vO1/hRv36Sc0EGyp5VQyCrQXaMEbYHOk6eMIm0ewlX27cUByN14msoA5tJqGFcN
         B3CWrkbNnSd4NCxzzPk6sd/ksgmuWlhv+BkH8LYcbuBfNY1FL9hJlYse+7Rpcsfbjh
         GvHiWrTP8wwMA==
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
        by mailauth.nyi.internal (Postfix) with ESMTP id 73F7B27C005A;
        Tue,  8 Feb 2022 11:21:42 -0500 (EST)
Received: from imap48 ([10.202.2.98])
  by compute5.internal (MEProxy); Tue, 08 Feb 2022 11:21:42 -0500
X-ME-Sender: <xms:lJgCYuxKfDWChEaal5BYkheUS1FMr5Zalegy-cHkFrKbX9myLqpgvg>
    <xme:lJgCYqQKwnJmO8SJ6Tg6BxGcGM0X_j92vMPhWjkCJvXd3vJ1c1jf8zqrtzIatfbl0
    wSwrozruZNxZ2_yjoU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheejgdekgecutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
    uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc
    fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedftehnugih
    ucfnuhhtohhmihhrshhkihdfuceolhhuthhosehkvghrnhgvlhdrohhrgheqnecuggftrf
    grthhtvghrnheptdfhheettddvtedvtedugfeuuefhtddugedvleevleefvdetleffgfef
    vdekgeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh
    eprghnugihodhmvghsmhhtphgruhhthhhpvghrshhonhgrlhhithihqdduudeiudekheei
    fedvqddvieefudeiiedtkedqlhhuthhopeepkhgvrhhnvghlrdhorhhgsehlihhnuhigrd
    hluhhtohdruhhs
X-ME-Proxy: <xmx:lJgCYgU4vjA3ZAA_WNzaYnPPRn3GmXWb2rbCJKp5lA5YpH3NxN07HQ>
    <xmx:lJgCYkjE0eZ1DeQ4F8MK696KnkhBc29Txd5euZvkV-rECWFeXYkQBw>
    <xmx:lJgCYgAHTVwqjBqtEu2RiC6G1dsIUiS06sRPbyV9V7iOWKDZqB1L2w>
    <xmx:lpgCYq1Dw6pfcBEJcespJI4yxf_B2SmD0TIFNqBZNzC-qjIxaolZWzGYIFo>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
        id D580121E0073; Tue,  8 Feb 2022 11:21:40 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4748-g31a5b5f50e-fm-cal2020-20220204.001-g31a5b5f5
Mime-Version: 1.0
Message-Id: <357664de-b089-4617-99d1-de5098953c80@www.fastmail.com>
In-Reply-To: <YgI37n+3JfLSNQCQ@grain>
References: <20220130211838.8382-1-rick.p.edgecombe@intel.com>
 <YgAWVSGQg8FPCeba@kernel.org> <YgDIIpCm3UITk896@lisas.de>
 <8f96c2a6-9c03-f97a-df52-73ffc1d87957@intel.com>
 <YgI1A0CtfmT7GMIp@kernel.org> <YgI37n+3JfLSNQCQ@grain>
Date:   Tue, 08 Feb 2022 08:21:20 -0800
From:   "Andy Lutomirski" <luto@kernel.org>
To:     "Cyrill Gorcunov" <gorcunov@gmail.com>,
        "Mike Rapoport" <rppt@kernel.org>
Cc:     "Dave Hansen" <dave.hansen@intel.com>,
        "Adrian Reber" <adrian@lisas.de>,
        "Rick P Edgecombe" <rick.p.edgecombe@intel.com>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>,
        "Thomas Gleixner" <tglx@linutronix.de>,
        "Ingo Molnar" <mingo@redhat.com>,
        "Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
        linux-doc@vger.kernel.org, linux-mm@kvack.org,
        linux-arch@vger.kernel.org,
        "Linux API" <linux-api@vger.kernel.org>,
        "Arnd Bergmann" <arnd@arndb.de>,
        "Balbir Singh" <bsingharora@gmail.com>,
        "Borislav Petkov" <bp@alien8.de>,
        "Dave Hansen" <dave.hansen@linux.intel.com>,
        "Eugene Syromiatnikov" <esyr@redhat.com>,
        "Florian Weimer" <fweimer@redhat.com>,
        "H.J. Lu" <hjl.tools@gmail.com>, "Jann Horn" <jannh@google.com>,
        "Jonathan Corbet" <corbet@lwn.net>,
        "Kees Cook" <keescook@chromium.org>,
        "Mike Kravetz" <mike.kravetz@oracle.com>,
        "Nadav Amit" <nadav.amit@gmail.com>,
        "Oleg Nesterov" <oleg@redhat.com>, "Pavel Machek" <pavel@ucw.cz>,
        "Peter Zijlstra (Intel)" <peterz@infradead.org>,
        "Randy Dunlap" <rdunlap@infradead.org>,
        "Shankar, Ravi V" <ravi.v.shankar@intel.com>,
        "Dave Martin" <Dave.Martin@arm.com>,
        "Weijiang Yang" <weijiang.yang@intel.com>,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
        "Moreira, Joao" <joao.moreira@intel.com>,
        "john.allen@amd.com" <john.allen@amd.com>,
        "kcc@google.com" <kcc@google.com>,
        "Eranian, Stephane" <eranian@google.com>,
        "Andrei Vagin" <avagin@gmail.com>,
        "Dmitry Safonov" <0x7f454c46@gmail.com>
Subject: Re: [PATCH 00/35] Shadow stacks for userspace
Content-Type: text/plain
X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On Tue, Feb 8, 2022, at 1:29 AM, Cyrill Gorcunov wrote:
> On Tue, Feb 08, 2022 at 11:16:51AM +0200, Mike Rapoport wrote:
>>  
>> > Any thoughts on how you would _like_ to see this resolved?
>> 
>> Ideally, CRIU will need a knob that will tell the kernel/CET machinery
>> where the next RET will jump, along the lines of
>> restore_signal_shadow_stack() AFAIU.
>> 
>> But such a knob will immediately reduce the security value of the entire
>> thing, and I don't have good ideas how to deal with it :(
>
> Probably a kind of latch in the task_struct which would trigger off once
> returt to a different address happened, thus we would be able to jump inside
> paratite code. Of course such trigger should be available under proper
> capability only.

I'm not fully in touch with how parasite, etc works.  Are we talking about save or restore?  If it's restore, what exactly does CRIU need to do?  Is it just that CRIU needs to return out from its resume code into the to-be-resumed program without tripping CET?  Would it be acceptable for CRIU to require that at least one shstk slot be free at save time?  Or do we need a mechanism to atomically switch to a completely full shadow stack at resume?

Off the top of my head, a sigreturn (or sigreturn-like mechanism) that is intended for use for altshadowstack could safely verify a token on the altshdowstack, possibly compare to something in ucontext (or not -- this isn't clearly necessary) and switch back to the previous stack.  CRIU could use that too.  Obviously CRIU will need a way to populate the relevant stacks, but WRUSS can be used for that, and I think this is a fundamental requirement for CRIU -- CRIU restore absolutely needs a way to write the saved shadow stack data into the shadow stack.

So I think the only special capability that CRIU really needs is WRUSS, and we need to wire that up anyway.