Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1777490pxb; Wed, 9 Feb 2022 04:23:55 -0800 (PST) X-Google-Smtp-Source: ABdhPJxgc0+Vbr04/7cuuY7mIDPhURGHH4ZoUCHYpaXUVV6aj4LWhL2f2SJ9sDsBh7WtlURfHmp1 X-Received: by 2002:a05:6a00:14c9:: with SMTP id w9mr2060043pfu.69.1644409435247; Wed, 09 Feb 2022 04:23:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644409435; cv=none; d=google.com; s=arc-20160816; b=UxuDN7PVArk6wA6JTElVpboy/6tsTnpvJEHo4xO1ulpZvCCEeiBjM2ulqJYlUPJ774 wPhFHyNCWSQ0fySOjy1IHZlsRwiFD+d2+rtJvINvuCxm78im5hA8drRUnV2wD0EjLFPg 7sZ661+QWjdzcoxzHVFfdjvtQSpRY5c1kySL5W8bXkZZmbz/1quuVxJ9dlt7T4aCUr2g 7XnbmG2BJHRZ5PLnlmTNE0Dp1/uZx3GeL05wALzo3jKxQBNI6ObSrlotcjM3eVl3XxqX ugmYi61aRPp8WKVy0diyJKndAnfzXDYUdachzwGwrGamtAL3YYd390vk4s+BeSAIYIQk oDhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=XgQXN1SYmmzASB1i9Af7yOjhlRXurMYlRe3/93fExF8=; b=IfWFoIDFYl3v4NTm67h5tY56b4xuiCHnFQI2piovnJuMZkfYBKUazoitbbSDOXSvGP DSN6qhix0X0OxRC7gJkdg6Pg+RQ+Ffel+Bp/ogW8F4E9nxWGYOYVJPp9xUuTGSwuowUb fgTNpH42bnnRxuitumKSJkFKZDxEj3tw3wizF1jiY5oT3Rz1ciVtoXVT2tgvLvO4amN8 Yak1IxoyOjp8bLT6yj7p3n+XuNqera0Tzb3Zg3301dHA5sIBk250TT3trldCq9ysCis8 QgkWCDeNTMFlzESm0sck7N/BVVQ8WvaugJ7oLPP05AplZVgsHaVqlhzRwem7fUqFRjp7 47kw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=o8kvTb2T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 128si5396259pgc.166.2022.02.09.04.23.41; Wed, 09 Feb 2022 04:23:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=o8kvTb2T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231526AbiBIL4c (ORCPT + 99 others); Wed, 9 Feb 2022 06:56:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57548 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231597AbiBILz0 (ORCPT ); Wed, 9 Feb 2022 06:55:26 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 887D9C0045A9; Wed, 9 Feb 2022 02:54:10 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1527B612E7; Wed, 9 Feb 2022 10:54:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5F355C340EE; Wed, 9 Feb 2022 10:53:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1644404049; bh=8nfXi2bAkBkxKe4ZmVJ1McrLUR/vS+aiNoKC3c4V54c=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=o8kvTb2TMbpq1whYqOyKIm1hlJzLi/Q/a7JoUpj/jGssXx7Qt2YZfBNYkEkw/hZXE oSInBQ5nuOk5Os7WPqk0FsmT5MYuYpJeH1AwVx9/sNxYghplvePkYAHWRcNnd3okRc M9krUM2hOFkqKwv1q7AvLokp6kWPbgxm4oByhL31KH+6gGAD8NURHSZGlgRPeJ34wR oKsYkioVYxJpiwc0Ji4Sp/jM+78yoZTEYYk3XHfiYOqzRm+ha7Fh2SpXMJsyh6VB8N ivZdoNTpo9Vm+5jKSaeoJXseiJK/X0ch6HI7SG9uzqs2raWQmeBW+yzpszfgW8m8ad YPv9Vixyl0Iow== Date: Wed, 9 Feb 2022 12:53:51 +0200 From: Mike Rapoport To: "Edgecombe, Rick P" Cc: "Lutomirski, Andy" , "gorcunov@gmail.com" , "bsingharora@gmail.com" , "hpa@zytor.com" , "Syromiatnikov, Eugene" , "peterz@infradead.org" , "rdunlap@infradead.org" , "keescook@chromium.org" , "0x7f454c46@gmail.com" <0x7f454c46@gmail.com>, "dave.hansen@linux.intel.com" , "kirill.shutemov@linux.intel.com" , "Eranian, Stephane" , "linux-mm@kvack.org" , "adrian@lisas.de" , "fweimer@redhat.com" , "nadav.amit@gmail.com" , "jannh@google.com" , "avagin@gmail.com" , "linux-arch@vger.kernel.org" , "kcc@google.com" , "bp@alien8.de" , "oleg@redhat.com" , "hjl.tools@gmail.com" , "pavel@ucw.cz" , "linux-doc@vger.kernel.org" , "arnd@arndb.de" , "Moreira, Joao" , "tglx@linutronix.de" , "mike.kravetz@oracle.com" , "x86@kernel.org" , "Yang, Weijiang" , "Dave.Martin@arm.com" , "john.allen@amd.com" , "mingo@redhat.com" , "Hansen, Dave" , "corbet@lwn.net" , "linux-kernel@vger.kernel.org" , "linux-api@vger.kernel.org" , "Shankar, Ravi V" Subject: Re: [PATCH 00/35] Shadow stacks for userspace Message-ID: References: <20220130211838.8382-1-rick.p.edgecombe@intel.com> <8f96c2a6-9c03-f97a-df52-73ffc1d87957@intel.com> <357664de-b089-4617-99d1-de5098953c80@www.fastmail.com> <8e36f20723ca175db49ed3cc73e42e8aa28d2615.camel@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8e36f20723ca175db49ed3cc73e42e8aa28d2615.camel@intel.com> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Rick, On Wed, Feb 09, 2022 at 02:18:42AM +0000, Edgecombe, Rick P wrote: > On Tue, 2022-02-08 at 20:02 +0300, Cyrill Gorcunov wrote: > > On Tue, Feb 08, 2022 at 08:21:20AM -0800, Andy Lutomirski wrote: > > > > > But such a knob will immediately reduce the security value of > > > > > the entire > > > > > thing, and I don't have good ideas how to deal with it :( > > > > > > > > Probably a kind of latch in the task_struct which would trigger > > > > off once > > > > returt to a different address happened, thus we would be able to > > > > jump inside > > > > paratite code. Of course such trigger should be available under > > > > proper > > > > capability only. > > > > > > I'm not fully in touch with how parasite, etc works. Are we > > > talking about save or restore? > > > > We use parasite code in question during checkpoint phase as far as I > > remember. > > push addr/lret trick is used to run "injected" code (code injection > > itself is > > done via ptrace) in compat mode at least. Dima, Andrei, I didn't look > > into this code > > for years already, do we still need to support compat mode at all? > > > > > If it's restore, what exactly does CRIU need to do? Is it just > > > that CRIU needs to return > > > out from its resume code into the to-be-resumed program without > > > tripping CET? Would it > > > be acceptable for CRIU to require that at least one shstk slot be > > > free at save time? > > > Or do we need a mechanism to atomically switch to a completely full > > > shadow stack at resume? > > > > > > Off the top of my head, a sigreturn (or sigreturn-like mechanism) > > > that is intended for > > > use for altshadowstack could safely verify a token on the > > > altshdowstack, possibly > > > compare to something in ucontext (or not -- this isn't clearly > > > necessary) and switch > > > back to the previous stack. CRIU could use that too. Obviously > > > CRIU will need a way > > > to populate the relevant stacks, but WRUSS can be used for that, > > > and I think this > > > is a fundamental requirement for CRIU -- CRIU restore absolutely > > > needs a way to write > > > the saved shadow stack data into the shadow stack. > > Still wrapping my head around the CRIU save and restore steps, but > another general approach might be to give ptrace the ability to > temporarily pause/resume/set CET enablement and SSP for a stopped > thread. Then injected code doesn't need to jump through any hoops or > possibly run into road blocks. I'm not sure how much this opens things > up if the thread has to be stopped... IIRC, criu dump does something like this: * Stop the process being dumped (victim) with ptrace * Inject parasite code and data into the victim, again with ptrace. Among other things the parasite data contains a sigreturn frame with saved victim state. * Resume the victim process, which will run parasite code now. * When parasite finishes it uses that frame to sigreturn to normal victim execution So, my feeling is that for dump side WRUSS should be enough. > Cyrill, could it fit into the CRIU pause and resume flow? What action > causes the final resuming of execution of the restored process for > checkpointing and for restore? Wondering if we could somehow make CET > re-enable exactly then. > > And I guess this also needs a way to create shadow stack allocations at > a specific address to match where they were in the dumped process. That > is missing in this series. Yes, criu restore will need to recreate shadow stack mappings. Currently, we recreate the restored process (target) address space based on /proc/pid/maps and /proc/pid/smaps. CRIU preserves the virtual addresses and VMA flags. The relevant steps of restore process can be summarised as: * Clone() the target process tree * Recreate VMAs with the needed size and flags, but not necessarily at the correct place yet * Partially populate memory data from the saved images * Move VMAs to their exact addresses * Complete restoring the data * Create a frame for sigreturn and jump to the target. Here, the stack used after sigreturn contains the data that was captured during dump and it entirely different from what shadow stack will contain. There are several points when the target threads are stopped, so pausing/resuming CET may help. > > > So I think the only special capability that CRIU really needs is > > > WRUSS, and > > > we need to wire that up anyway. > > > > Thanks for these notes, Andy! I can't provide any sane answer here > > since didn't > > read tech spec for this feature yet :-) > > > > -- Sincerely yours, Mike.