Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp3171529pxm; Mon, 28 Feb 2022 13:40:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJwXRRstZA8wd7Tj4j3ipIhhd44Vy6MLNeoeS+aaPiD30DMsaGy/kLZ6eBce+wa34wrmJI4R X-Received: by 2002:a17:907:213b:b0:6cf:9c02:8964 with SMTP id qo27-20020a170907213b00b006cf9c028964mr16514623ejb.432.1646084403858; Mon, 28 Feb 2022 13:40:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646084403; cv=none; d=google.com; s=arc-20160816; b=kZhMk4371l13Qpz7kt1ISdO5/TE+9sh7k8uqtK3SVq29l/9pgx0+SRrzA0yfIZSSzq xCfdVZcXxT55qjft5xA+DJgr7QolNZq1NG7tGZreup9eVqPxUKKE+qqc5GF7ohm1Kn2z Wrjwb3zzWr4gKSA1ySXSbyuSX5bZHMLKODN0anPSPd0Jb1av0FrkjFvjEManWw5xwlZp LQkaun40/zlpomi4PG1uKSO+vg0R9yaBNU2AvBDY1u8acOzyHHGtuARGnk6wc+9jT8dx vkZZNvmM8evYXezyTFjDoZIf8T5zGZKfWed8NNYNt/9q4d9gvlCnXPSGqVn7kZyZKYq3 9QzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=SJzxxl0HMh3MjtNxiP2mHM1MyGRnzDx8nYQoNVC/pKE=; b=Q6G6f0kzzFIqjTBVZtTvsXq0ofumFxleL0wGhTnJGYK9zyG9IGSJRWVlkvtwfHyvbg CXkn//XWHpoYNN4BehuaTnp6bd27kvSOF0m7IvtnM3EgAfZVwJR+AjPcU95PA3aPLvI1 FgB8/RZdC5QBSLK0Q8Ce3nHCKG3hpPAf/vO7f9Z5hJ9XlUwRc4KDETbN5xaMNQ++An8P lyd1hLeaIydkjREeCAGnNkcMXsNbIJC+dt+okTDxXaZKOlGVsW7TdN3Gapet36H53I3K UsXfsgxeMtuOrw1xUush/PCnfQPr8U75I7LVRrjFIOsGD2NunFmzxrKAfabxVY8rhnsL jhnQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GnBVmgo4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ca2-20020a170906a3c200b006d056071cb3si6898238ejb.504.2022.02.28.13.39.40; Mon, 28 Feb 2022 13:40:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GnBVmgo4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230228AbiB1Vb2 (ORCPT + 99 others); Mon, 28 Feb 2022 16:31:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58532 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229836AbiB1Vb1 (ORCPT ); Mon, 28 Feb 2022 16:31:27 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EB16112F156; Mon, 28 Feb 2022 13:30:47 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 793BF61178; Mon, 28 Feb 2022 21:30:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D9E4CC340F1; Mon, 28 Feb 2022 21:30:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1646083846; bh=AM6TeTTQzrvCkefOt+QPZqOwQUTdBvNLhJX5phHONLQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=GnBVmgo4+8bhttIsNW4CIKc/50E3eVPyAU3WPHvIbZFh526BGoJDDPu9euSQBUDKD Hqa0yD2zHl/5viZcYelhCVWRM+sSGX89helGbR2G+NGXJYs+5igCjCAg21SlRAQtDZ rLmwcFj0dsqhceZW4/xjGYZ2S/n/ZUup7B9zx22+H49wHPnutO4iwea5ckkuIJwsjj eXXNOQyW7txN+VuS5I09mUcPBI3iQcBIYWr/TRup9fbPGQxbfZB3wEiDs98vDtZ3Qb ucimmN+ZslCHwheAq1x9BrTHx3oXb0uPUMNIhWsbl1SNq+6FwFrtl+Y726NXn/lDXz 3V9QuTESvr1aA== Date: Mon, 28 Feb 2022 23:30:29 +0200 From: Mike Rapoport To: Andy Lutomirski Cc: Rick P Edgecombe , Cyrill Gorcunov , Balbir Singh , "H. Peter Anvin" , Eugene Syromiatnikov , "Peter Zijlstra (Intel)" , Randy Dunlap , Kees Cook , Dmitry Safonov <0x7f454c46@gmail.com>, Dave Hansen , "Kirill A. Shutemov" , "Eranian, Stephane" , "linux-mm@kvack.org" , Adrian Reber , Florian Weimer , Nadav Amit , Jann Horn , Andrei Vagin , "linux-arch@vger.kernel.org" , "kcc@google.com" , Borislav Petkov , Oleg Nesterov , "H.J. Lu" , Pavel Machek , "linux-doc@vger.kernel.org" , Arnd Bergmann , "Moreira, Joao" , Thomas Gleixner , Mike Kravetz , the arch/x86 maintainers , Weijiang Yang , Dave Martin , "john.allen@amd.com" , Ingo Molnar , Dave Hansen , Jonathan Corbet , Linux Kernel Mailing List , Linux API , "Shankar, Ravi V" Subject: Re: [PATCH 00/35] Shadow stacks for userspace Message-ID: References: <8f96c2a6-9c03-f97a-df52-73ffc1d87957@intel.com> <357664de-b089-4617-99d1-de5098953c80@www.fastmail.com> <8e36f20723ca175db49ed3cc73e42e8aa28d2615.camel@intel.com> <9d664c91-2116-42cc-ef8d-e6d236de43d0@kernel.org> <5a792e77-0072-4ded-9f89-e7fcc7f7a1d6@www.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5a792e77-0072-4ded-9f89-e7fcc7f7a1d6@www.fastmail.com> X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 28, 2022 at 12:30:41PM -0800, Andy Lutomirski wrote: > > > On Mon, Feb 28, 2022, at 12:27 PM, Mike Rapoport wrote: > > On Wed, Feb 09, 2022 at 06:37:53PM -0800, Andy Lutomirski wrote: > >> On 2/8/22 18:18, Edgecombe, Rick P wrote: > >> > On Tue, 2022-02-08 at 20:02 +0300, Cyrill Gorcunov wrote: > >> > > > > > Even with the current shadow stack interface Rick proposed, CRIU can restore > > the victim using ptrace without any additional knobs, but we loose an > > important ability to "self-cure" the victim from the parasite in case > > anything goes wrong with criu control process. > > > > Moreover, the issue with backward compatibility is not with ptrace but with > > sigreturn and it seems that criu is not its only user. > > So we need an ability for a tracer to cause the tracee to call a function > and to return successfully. Apparently a gdb branch can already do this > with shstk, and my PTRACE_CALL_FUNCTION_SIGFRAME should also do the > trick. I don't see why we need a sigretur-but-dont-verify -- we just > need this mechanism to create a frame such that sigreturn actually works. If I understand correctly, PTRACE_CALL_FUNCTION_SIGFRAME() injects a frame into the tracee and makes the tracee call sigreturn. I.e. the tracee is stopped and this is used pretty much as PTRACE_CONT or PTRACE_SYSCALL. In such case this defeats the purpose of sigreturn in CRIU because it is called asynchronously by the tracee when the tracer is about to detach or even already detached. For synchronous use-case PTRACE_SETREGSET will be enough, the rest of the sigframe can be restored by other means. And with 'criu restore' there may be even no tracer by the time sigreturn is called. > --Andy -- Sincerely yours, Mike.