Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2425449pxb; Wed, 9 Feb 2022 19:09:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJwRkLMLl1lem92lVdB4uN+lpduly45VORvy8msrgD7D1kcUs/XjAg6wBDn0CfKQEnAZ9E2C X-Received: by 2002:a17:906:748c:: with SMTP id e12mr3790141ejl.242.1644462563635; Wed, 09 Feb 2022 19:09:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644462563; cv=none; d=google.com; s=arc-20160816; b=gMwDJVEsTa+f6UUusmhhCVjc4MgEtviUlFHSv0YLzqvc1iHQRcrGdu740A95fubGKs yEJEVl4+EgTBm94AKXNcKhu+iL4qTvUyJrCoVpbtTvT8xKkB9SOpRU7S3CxFQvvdIq3w lKKn1HltopfjBelBiF68vOKBK/OaZCCX6j2fojHtTbIUSqg3kr9FjSc2zO5zrW7qdeAu JPheElI5HVPrg70rkjA9ckNOTCTn03FCujLwLPfl8jWMrjXpG/N9SAmJhiBT/+UNhurp yoaQ7ct9z1JMVx8Oi1LHV2rXsanPxEhM3KEdveA6CoULhnLxtirOLqHlVfU7nFuE/4Vi //Ng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=LYtzFa4ASuB/belwk4SpigACGs97QFCNc+YA+b4+Pu8=; b=nWn9/EvjnB9BNx61N8CG5xkMPnhT1+74Ic8avzobkwYGTXMkeLLHIvyW0Xs8IiEFBz 1X+DJGvjwAxJuxiSGIF4DyhBpjOVy8xdw9IGvf4k1gOCku6xtOmYZ/7+xCXUCtc5N8z7 Bt2nuVO+QDJNZv5seDUu/cPxrxmV1zqUFi4dimBn/SYAq/Ke6QVFteyD5OiMamfFTHLZ hY3tGwquMBcXlTYGn3ne5rbGs35qBz20YpzQjvJjYKuUI26eptMq3EYGkAbu15JwlGJ+ vv951O+IVRDeQVaI2opAB5Vmkm416F1VSoTwofLTyZsXoXvc6gg6KJKhWKUE45BGRR60 Rrlg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ooyOBN7r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v3si5180895edc.280.2022.02.09.19.08.59; Wed, 09 Feb 2022 19:09:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ooyOBN7r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231738AbiBJCyO (ORCPT + 99 others); Wed, 9 Feb 2022 21:54:14 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:57582 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230136AbiBJCyK (ORCPT ); Wed, 9 Feb 2022 21:54:10 -0500 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9CBB12409C; Wed, 9 Feb 2022 18:54:12 -0800 (PST) Received: by mail-pj1-x1032.google.com with SMTP id c5-20020a17090a1d0500b001b904a7046dso5581711pjd.1; Wed, 09 Feb 2022 18:54:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LYtzFa4ASuB/belwk4SpigACGs97QFCNc+YA+b4+Pu8=; b=ooyOBN7rERkODAn/O7i91EVsu/B8py9/9Ax69BwNB/kc8twYaVRYQbpcJLPfemS8hb HkZrVDMhaV95LcunHTo0tXcqRJZORHlOHEddL00vfE0PK8esTG7SYwyfiB500tCWC5ri l6pU4DRAUF2bgKokxVocV+eyMRJSuUiaChrZncXI+PVNYsSVUld+MssdbvKffnPGzFCP /mFWpEPHIlrNEUqjbs//hj1a3I/579YtM3Jds8TxeUAfuDxW/OEsiijqam43ukxKjsH2 DVh6iBEBwC5CIYV0XcyMGIqDOrpfE98dazgVv4DXpTrUcv9pfj8LdcCQ7wiJQIrh4Oh5 3Jlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LYtzFa4ASuB/belwk4SpigACGs97QFCNc+YA+b4+Pu8=; b=uALWmATrZX74RaBe98UHtNXaO4Hi28sKD9ehr2ue7uiuMjaZ3NQA18CDPRmfozkRPB q+0wadNFhmTb3/TM7B0xzKK9+dpDvM1dYrpNeU2tg4jRqDGiCPOmOFedjqwQRR5IjxWv LOw2NYLFOcnfO8oLhRyyUP75QfWZG/ghB/uQ6bJIQgJc6GAQeLS+qUAudQmEJnKDFZTE LiM+RRRh+fGVtXxtkUk7K9tBqVG3FNPpzqZdsj80X0V4nWLFubaf0hNMyU+XT6thyJGM MDWqlXurgp/6Sve2NGtls/J+sDubocjwNa5eK2UF0Xg1pwrgeSbWcgETWOF15RCyvlOx 1obA== X-Gm-Message-State: AOAM530nZC8cGP8fB+AEg4rfvv3nPQsqbLNJGOd5A5yCHrW+XLpquTcY F0VgsjdM+eMcxlvorzJYHPUwl4a3DyCy0WezQmM= X-Received: by 2002:a17:903:2351:: with SMTP id c17mr367198plh.4.1644461651987; Wed, 09 Feb 2022 18:54:11 -0800 (PST) MIME-Version: 1.0 References: <20220130211838.8382-1-rick.p.edgecombe@intel.com> <8f96c2a6-9c03-f97a-df52-73ffc1d87957@intel.com> <357664de-b089-4617-99d1-de5098953c80@www.fastmail.com> <8e36f20723ca175db49ed3cc73e42e8aa28d2615.camel@intel.com> <9d664c91-2116-42cc-ef8d-e6d236de43d0@kernel.org> In-Reply-To: <9d664c91-2116-42cc-ef8d-e6d236de43d0@kernel.org> From: "H.J. Lu" Date: Wed, 9 Feb 2022 18:53:35 -0800 Message-ID: Subject: Re: [PATCH 00/35] Shadow stacks for userspace To: Andy Lutomirski , Felix Willgerodt Cc: "Edgecombe, Rick P" , "gorcunov@gmail.com" , "bsingharora@gmail.com" , "hpa@zytor.com" , "Syromiatnikov, Eugene" , "peterz@infradead.org" , "rdunlap@infradead.org" , "keescook@chromium.org" , "0x7f454c46@gmail.com" <0x7f454c46@gmail.com>, "dave.hansen@linux.intel.com" , "kirill.shutemov@linux.intel.com" , "Eranian, Stephane" , "linux-mm@kvack.org" , "adrian@lisas.de" , "fweimer@redhat.com" , "nadav.amit@gmail.com" , "jannh@google.com" , "avagin@gmail.com" , "linux-arch@vger.kernel.org" , "kcc@google.com" , "bp@alien8.de" , "oleg@redhat.com" , "pavel@ucw.cz" , "linux-doc@vger.kernel.org" , "arnd@arndb.de" , "Moreira, Joao" , "tglx@linutronix.de" , "mike.kravetz@oracle.com" , "x86@kernel.org" , "Yang, Weijiang" , "rppt@kernel.org" , "Dave.Martin@arm.com" , "john.allen@amd.com" , "mingo@redhat.com" , "Hansen, Dave" , "corbet@lwn.net" , "linux-kernel@vger.kernel.org" , "linux-api@vger.kernel.org" , "Shankar, Ravi V" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 9, 2022 at 6:37 PM Andy Lutomirski wrote: > > On 2/8/22 18:18, Edgecombe, Rick P wrote: > > On Tue, 2022-02-08 at 20:02 +0300, Cyrill Gorcunov wrote: > >> On Tue, Feb 08, 2022 at 08:21:20AM -0800, Andy Lutomirski wrote: > >>>>> But such a knob will immediately reduce the security value of > >>>>> the entire > >>>>> thing, and I don't have good ideas how to deal with it :( > >>>> > >>>> Probably a kind of latch in the task_struct which would trigger > >>>> off once > >>>> returt to a different address happened, thus we would be able to > >>>> jump inside > >>>> paratite code. Of course such trigger should be available under > >>>> proper > >>>> capability only. > >>> > >>> I'm not fully in touch with how parasite, etc works. Are we > >>> talking about save or restore? > >> > >> We use parasite code in question during checkpoint phase as far as I > >> remember. > >> push addr/lret trick is used to run "injected" code (code injection > >> itself is > >> done via ptrace) in compat mode at least. Dima, Andrei, I didn't look > >> into this code > >> for years already, do we still need to support compat mode at all? > >> > >>> If it's restore, what exactly does CRIU need to do? Is it just > >>> that CRIU needs to return > >>> out from its resume code into the to-be-resumed program without > >>> tripping CET? Would it > >>> be acceptable for CRIU to require that at least one shstk slot be > >>> free at save time? > >>> Or do we need a mechanism to atomically switch to a completely full > >>> shadow stack at resume? > >>> > >>> Off the top of my head, a sigreturn (or sigreturn-like mechanism) > >>> that is intended for > >>> use for altshadowstack could safely verify a token on the > >>> altshdowstack, possibly > >>> compare to something in ucontext (or not -- this isn't clearly > >>> necessary) and switch > >>> back to the previous stack. CRIU could use that too. Obviously > >>> CRIU will need a way > >>> to populate the relevant stacks, but WRUSS can be used for that, > >>> and I think this > >>> is a fundamental requirement for CRIU -- CRIU restore absolutely > >>> needs a way to write > >>> the saved shadow stack data into the shadow stack. > > > > Still wrapping my head around the CRIU save and restore steps, but > > another general approach might be to give ptrace the ability to > > temporarily pause/resume/set CET enablement and SSP for a stopped > > thread. Then injected code doesn't need to jump through any hoops or > > possibly run into road blocks. I'm not sure how much this opens things > > up if the thread has to be stopped... > > Hmm, that's maybe not insane. > > An alternative would be to add a bona fide ptrace call-a-function > mechanism. I can think of two potentially usable variants: > > 1. Straight call. PTRACE_CALL_FUNCTION(addr) just emulates CALL addr, > shadow stack push and all. > > 2. Signal-style. PTRACE_CALL_FUNCTION_SIGFRAME injects an actual signal > frame just like a real signal is being delivered with the specified > handler. There could be a variant to opt-in to also using a specified > altstack and altshadowstack. > > 2 would be more expensive but would avoid the need for much in the way > of asm magic. The injected code could be plain C (or Rust or Zig or > whatever). > > All of this only really handles save, not restore. I don't understand > restore enough to fully understand the issue. FWIW, CET enabled GDB can call a function in a CET enabled process. Adding Felix who may know more about it. -- H.J.