Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp5867188ioo; Wed, 1 Jun 2022 14:28:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyxA9BXx8ihBA6Qp8FSwDvBNL5vVGda6E5j5cjaGAVk1vtJdYBDWKoIUsVXn0vs6+iKiTL3 X-Received: by 2002:aa7:8081:0:b0:518:26c4:ea42 with SMTP id v1-20020aa78081000000b0051826c4ea42mr1575619pff.7.1654118934744; Wed, 01 Jun 2022 14:28:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654118934; cv=none; d=google.com; s=arc-20160816; b=RD7VviYUikLFzG5EGhZ5h63AhkBgSsNO3E8jb5FZ2r7zXyMDZuqJsbeIRI12N1AihR dR4bgy9BcWJFd+jcgSK1074kLLHKg6xGed2r+1cRcsc9cmr0+CYQ8Ed11u1jOKwibT75 UerIXdZtB8kMLE17CfWg7j03qO5s+7pIpME7JKe/yExifF9XlFrmYLK4LlMWjnBSUqOD dBhsF2WpYVO9TdsjPAlnbA39fDJWizM4BLAkmpFRU8CenKN/3dB7w22i7+CLgQNpsgH9 k0VwZP5fqkr7NNfY3vQq+skxL0VCIJpd672gxwugqClNJAlZIKougkJqNHKp/qm95lJI j3vQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=BbUxo4yAz2zldbWEi0GluCNfOnin3cth9gUswEAqzU8=; b=KCMqCmD64VkMs1nK+NPPAkz9BxalDd24lkc67FmDkfvXjiB2dQ+1hH73OlzzWE1oZT pctwhRQDiELZKo15Gc//olEEg8Gb6/LNwR4CVqcfJA40pO0vjoNGvbCWh398uz1ZBao9 qCc3DiKjrSbAIYgp0eJU1xDdlS+vmAw/9U7v0Yu0dLuaW1/TDrP+vQalZi8D1QZQUdyT hiNuEN5fKpL4JUa/cVzNS1HftzdBnr8ORyvs6dJKLdU/pTbsviS6FO5+D46ZEkKuiOKR ZXhuR5ZL2gDjzxeBk7rL5BGVr8Qg61uPHG9/U4k443RRTZmGXisfa9O0MnBds3yuI1yJ TgcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hynBTbzO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id 6-20020a630f46000000b003fb10da6298si3585131pgp.446.2022.06.01.14.28.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 Jun 2022 14:28:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hynBTbzO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D3F4330D936; Wed, 1 Jun 2022 13:18:44 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346763AbiEaSAu (ORCPT + 99 others); Tue, 31 May 2022 14:00:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50294 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237702AbiEaSAr (ORCPT ); Tue, 31 May 2022 14:00:47 -0400 Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B6AF38AE68; Tue, 31 May 2022 11:00:46 -0700 (PDT) Received: by mail-pg1-x531.google.com with SMTP id f4so13507422pgf.4; Tue, 31 May 2022 11:00:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BbUxo4yAz2zldbWEi0GluCNfOnin3cth9gUswEAqzU8=; b=hynBTbzO9rYY0qHxLkPOCSAV7PkFkMuKMQVwaYDYARYuWnM9o4kW+6rxRIYdspG+DS J/rTMUxu4nnsZKopHh7CclvjRd+Z/b82662SEdMCD65Cd39uYVAGCiz7JRhBmcVVzQPI QDeGJ+IBQiVFYn6Kzx7UMnvT4azS4kAVvyImB+arcqQ6/pihcplCHDY3QyiTllbucoFN s+tofLkTZcKnWf2Wl+ZXzM76fOuLvkSS7kcLWWcadnYm+2q0cNkQYAh+4VhLz/wHaBTx Ih6Bha6yH+VQl9q2yp7SlKX2ZvfKv5svKSOuMRR/wSv5RH2t4xvwUmZLACrz2ZwjXtqJ w9IQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BbUxo4yAz2zldbWEi0GluCNfOnin3cth9gUswEAqzU8=; b=OxTvBpXQK2b2q4lqUFeCZ3BUEs8VOTMJm1+29sMYqcy7iZOSehVvrWfI3cdNrlkGFO VwW7rXoGVR7e2QvVHtTx6zPqpp4JWRPkH4XDWT1R/5+aUVaKj61oLnCV8bgz2Uyg6LYx s+LAlLrvU8XfxixokoxOwQHcEzFwCyxw7LmDHBRymJZ/ACm2JML6Sewd5vgIruEzsVhZ bwFujBGYwMZltKXhj0c38s+uy+CC4/3gHRhGijXjXVdFrSAlsIblzo+Qi7aKvxCf/zMp apV4kqnP+3jPxBVy7cbZCtheVfdSduTsIvl4+y2yieKW0/90QhOFYcJ3WdFiVHUmqUp3 SlHg== X-Gm-Message-State: AOAM5302ifVDr+/pa46HJf4xUH4JALRZsvWkn6QJ2Cxcpf1MJEA1crSk /XsBOdDsyeKmFXXmNfZnhLAEM9JQ2Xx+psXId8U= X-Received: by 2002:a63:2ad6:0:b0:3f9:d9fa:2713 with SMTP id q205-20020a632ad6000000b003f9d9fa2713mr44235809pgq.512.1654020046159; Tue, 31 May 2022 11:00:46 -0700 (PDT) MIME-Version: 1.0 References: <05df964f-552e-402e-981c-a8bea11c555c@www.fastmail.com> <40a3500c-835a-60b0-15bf-40c6622ad013@kernel.org> <7c637f729e14f03d0df744568800fc986542e33d.camel@intel.com> In-Reply-To: <7c637f729e14f03d0df744568800fc986542e33d.camel@intel.com> From: "H.J. Lu" Date: Tue, 31 May 2022 11:00:10 -0700 Message-ID: Subject: Re: [PATCH 00/35] Shadow stacks for userspace To: "Edgecombe, Rick P" Cc: "rppt@kernel.org" , "bsingharora@gmail.com" , "hpa@zytor.com" , "Syromiatnikov, Eugene" , "peterz@infradead.org" , "rdunlap@infradead.org" , "keescook@chromium.org" , "0x7f454c46@gmail.com" <0x7f454c46@gmail.com>, "Eranian, Stephane" , "kirill.shutemov@linux.intel.com" , "dave.hansen@linux.intel.com" , "linux-mm@kvack.org" , "adrian@lisas.de" , "fweimer@redhat.com" , "nadav.amit@gmail.com" , "jannh@google.com" , "avagin@gmail.com" , "kcc@google.com" , "linux-arch@vger.kernel.org" , "pavel@ucw.cz" , "oleg@redhat.com" , "bp@alien8.de" , "Lutomirski, Andy" , "Yang, Weijiang" , "arnd@arndb.de" , "Moreira, Joao" , "tglx@linutronix.de" , "x86@kernel.org" , "mike.kravetz@oracle.com" , "linux-doc@vger.kernel.org" , "john.allen@amd.com" , "dave.martin@arm.com" , "mingo@redhat.com" , "Hansen, Dave" , "corbet@lwn.net" , "linux-kernel@vger.kernel.org" , "gorcunov@gmail.com" , "Shankar, Ravi V" , "linux-api@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 31, 2022 at 10:34 AM Edgecombe, Rick P wrote: > > On Tue, 2022-05-31 at 19:36 +0300, Mike Rapoport wrote: > > > WRSS is a feature where you would usually want to lock it as > > > disabled, > > > but WRSS cannot be enabled if shadow stack is not enabled. Locking > > > shadow stack and WRSS off together doesn't have any security > > > benefits > > > in theory. so I'm thinking glibc doesn't need to do this. The > > > kernel > > > could even refuse to lock WRSS without shadow stack being enabled. > > > Could we avoid the extra ptrace functionality then? > > > > What I see for is that a program can support shadow stack, glibc > > enables > > shadow stack, does not enable WRSS and than calls > > > > arch_prctl(ARCH_X86_FEATURE_LOCK, > > LINUX_X86_FEATURE_SHSTK | LINUX_X86_FEATURE_WRSS); > > I see the logic is glibc will lock SHSTK|IBT if either is enabled in > the elf header. I guess that is why I didn't see the locking happening > for me, because my manual enablement test doesn't have either set in > the header. > > It can't see where that glibc knows about WRSS though... > > The glibc logic seems wrong to me also, because shadow stack or IBT > could be force-disabled via glibc tunables. I don't see why the elf > header bit should exclusively control the feature locking. Or why both > should be locked if only one is in the header. glibc locks SHSTK and IBT only if they are enabled at run-time. It doesn't enable/disable/lock WRSS at the moment. If WRSS can be enabled via arch_prctl at any time, we can't lock it. If WRSS should be locked early, how should it be enabled in application? Also can WRSS be enabled from a dlopened object? > > > > so that WRSS cannot be re-enabled. > > > > For the programs that do not support shadow stack, both SHSTK and > > WRSS are > > disabled, but still there is the same call to > > arch_prctl(ARCH_X86_FEATURE_LOCK, ...) and then neither shadow stack > > nor > > WRSS can be enabled. > > > > My original plan was to run CRIU with no shadow stack, enable shadow > > stack > > and WRSS in the restored tasks using arch_prct() and after the shadow > > stack > > contents is restored disable WRSS. > > > > Obviously, this didn't work with glibc I have :) > > Were you disabling shadow stack via glibc tunnable? Or was the elf > header marked for IBT? If it was a plain old binary, the code looks to > me like it should not lock any features. > > > > > On the bright side, having a ptrace call to unlock shadow stack and > > wrss > > allows running CRIU itself with shadow stack. > > > > Yea, having something working is really great. My only hesitancy is > that, per a discussion on the LAM patchset, we are going to make this > enabling API CET only (same semantics for though). I suppose the > locking API arch_prctl() could still be support other arch features, > but it might be a second CET only regset. It's not the end of the > world. > > I guess the other consideration is tieing CRIU to glibc peculiarities. > Like even if we fix glibc, then CRIU may not work with some other libc > or app that force disables for some weird reason. Is it supposed to be > libc-agnostic? > -- H.J.