Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp827583rwb; Tue, 4 Oct 2022 11:10:00 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5G3CsBnQrgQLb1s3rxJm8YG7XTpaM1UnKkd7Ov0gfIEV0OGcANOaFxbER1wz2CDT58/344 X-Received: by 2002:a17:907:7248:b0:78d:1cb2:41ac with SMTP id ds8-20020a170907724800b0078d1cb241acmr2935048ejc.283.1664907000586; Tue, 04 Oct 2022 11:10:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664907000; cv=none; d=google.com; s=arc-20160816; b=W+/BT+H0Ns7+nJ+viBtfgxlUgGX9k6uVpQo/a/Kf6n3GP8QDNGmuUxDmocuQlE5wdv OzigJqT8s8QEHN/aQSaNpN84p/gPF1KLkbInY+J5+8E3pmL7uz2MSY92bB2mtSPydVfl Uc22WaqQVAwqcJxjdrV3SwEv4ZXvGQpWh60P+wJM1jfSUmo3zVx+MH3UKX7NG0ZHbMoe 7hAX/bHzU9MrZrWK0sPUz36Z3LENnBNKfVjmRAjTpqe87a+4GJT0SWYCF4b603/956tT 535dkpDV+KWLyt3cKQd8MownWo+sEc/9hSPOexo72Gs2M1Ilk2zUpSclBOVKLhsYyk3z +3eQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:to:from:date:references:in-reply-to :message-id:mime-version:user-agent:feedback-id:dkim-signature; bh=CHgiTsPxDByi2IuviJGK1BnZNfruPQX+If05YZEVzVg=; b=dveCUgOt567bPVJ+OdsOaFqYosluk6h7hJMFK0DxazLU81GlaWhOH2CkUutBYR1xmi aWZk83nJC59y99drPSAGwUv/AkBTzdee7Zx354CLtIkmYaFyt9oG8oluepsAWPolmQ/d oGDCMUuuKk5wD7AcCNxYESc2vVipqlqYN4QSURJAIQX1AnhaNYp9x6hPMAHzs4jrXsvu qGidP5Ek5j7DRlk+Gf8PbbUl0eswYTSofLZtNCUT1HiMp6FbMMhXDdvaik7g3qab7piu b/gtNScOi3mSSCmMAd+nlRyk2PUj8BBk6+QBovwPr1ah5y3kMeWB7cEJ0j04ciQwZ5TR AMxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SGf0EWib; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hp4-20020a1709073e0400b00787b30fb920si13092102ejc.868.2022.10.04.11.09.35; Tue, 04 Oct 2022 11:10:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SGf0EWib; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229505AbiJDRqw (ORCPT + 99 others); Tue, 4 Oct 2022 13:46:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59424 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229889AbiJDRqt (ORCPT ); Tue, 4 Oct 2022 13:46:49 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6ED195E657; Tue, 4 Oct 2022 10:46:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 3D4C3CE105F; Tue, 4 Oct 2022 17:46:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 93DECC433B5; Tue, 4 Oct 2022 17:46:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1664905600; bh=4BSaUvrlCCPRQCV8MWBWOtBwSsI5CjjkAG/AXZX56MU=; h=In-Reply-To:References:Date:From:To:Subject:From; b=SGf0EWibQKd5xseEVZSOIQNbMlfPxpuaxGhlSm7+MiNxEPuiTTIXSqX06DQtPXxTH TkvPTmDI5gIohVbp4uQ4K1qZos6sI5CC6/3cTAIKBH0aYmpaC1CaAxNDXqeJEiFaLK YJaL1wzVqg4exvfneJ6g7810QrUBZqz7FnZ8clzzBMC+VPngZt+Jf8nqVXuq7WfgZk L/vf7N4RgAbaGPJO6EReUAwmE4xKcsQ8A0BTMynuu+nMb8z9RywnY2FCexRJLVpLrb uQOyN4qxVolohpUCuTOWhbg8OYBA0ZNYgXmSqKJUxrvPPbejbX/v6MrgjqTK5mXJ+O FFLcj6AF4iGVw== Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailauth.nyi.internal (Postfix) with ESMTP id 665E827C0054; Tue, 4 Oct 2022 13:46:38 -0400 (EDT) Received: from imap48 ([10.202.2.98]) by compute2.internal (MEProxy); Tue, 04 Oct 2022 13:46:38 -0400 X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfeeiuddguddujecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedftehn ugihucfnuhhtohhmihhrshhkihdfuceolhhuthhosehkvghrnhgvlhdrohhrgheqnecugg ftrfgrthhtvghrnheptdfhheettddvtedvtedugfeuuefhtddugedvleevleefvdetleff gfefvdekgeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homheprghnugihodhmvghsmhhtphgruhhthhhpvghrshhonhgrlhhithihqdduudeiudek heeifedvqddvieefudeiiedtkedqlhhuthhopeepkhgvrhhnvghlrdhorhhgsehlihhnuh igrdhluhhtohdruhhs X-ME-Proxy: Feedback-ID: ieff94742:Fastmail Received: by mailuser.nyi.internal (Postfix, from userid 501) id B662E31A0062; Tue, 4 Oct 2022 13:46:37 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.7.0-alpha0-1015-gaf7d526680-fm-20220929.001-gaf7d5266 Mime-Version: 1.0 Message-Id: In-Reply-To: References: <20220929222936.14584-1-rick.p.edgecombe@intel.com> <20220929222936.14584-40-rick.p.edgecombe@intel.com> Date: Tue, 04 Oct 2022 10:46:17 -0700 From: "Andy Lutomirski" To: "Rick P Edgecombe" , "Balbir Singh" , "H. Peter Anvin" , "Eugene Syromiatnikov" , "Peter Zijlstra (Intel)" , "Randy Dunlap" , "Kees Cook" , "Dave Hansen" , "Kirill A. Shutemov" , "Eranian, Stephane" , "linux-mm@kvack.org" , "Florian Weimer" , "Nadav Amit" , "Jann Horn" , "dethoma@microsoft.com" , "linux-arch@vger.kernel.org" , "kcc@google.com" , "Borislav Petkov" , "Oleg Nesterov" , "H.J. Lu" , "Weijiang Yang" , "Pavel Machek" , "Arnd Bergmann" , "Moreira, Joao" , "Thomas Gleixner" , "Mike Kravetz" , "the arch/x86 maintainers" , "linux-doc@vger.kernel.org" , "jamorris@linux.microsoft.com" , "john.allen@amd.com" , "Mike Rapoport" , "Ingo Molnar" , "Shankar, Ravi V" , "Jonathan Corbet" , "Linux Kernel Mailing List" , "Linux API" , "Cyrill Gorcunov" Subject: Re: [OPTIONAL/RFC v2 39/39] x86: Add alt shadow stack support Content-Type: text/plain X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 4, 2022, at 9:12 AM, Edgecombe, Rick P wrote: > On Mon, 2022-10-03 at 16:21 -0700, Andy Lutomirski wrote: >> On 9/29/22 15:29, Rick Edgecombe wrote: >> > To handle stack overflows, applications can register a separate >> > signal alt >> > stack to use for the stack to handle signals. To handle shadow >> > stack >> > overflows the kernel can similarly provide the ability to have an >> > alt >> > shadow stack. >> >> >> The overall SHSTK mechanism has a concept of a shadow stack that is >> valid and not in use and a shadow stack that is in use. This is >> used, >> for example, by RSTORSSP. I would like to imagine that this serves >> a >> real purpose (presumably preventing two different threads from using >> the >> same shadow stack and thus corrupting each others' state). >> >> So maybe altshstk should use exactly the same mechanism. Either >> signal >> delivery should do the atomic very-and-mark-busy routine or >> registering >> the stack as an altstack should do it. >> >> I think your patch has this maybe 1/3 implemented > > I'm not following how it breaks down into 3 parts, so hopefully I'm not > missing something. We could do a software busy bit for the token at the > end of alt shstk though. It seems like a good idea. I didn't mean there were three parts. I just wild @&! guessed the amount of code written versus needed :) > > The busy-like bit in the RSTORSSP-type token is not called out as a > busy bit, but instead defined as reserved (must be 0) in some states. > (Note, it is different than the supervisor shadow stack format). Yea, > we could just probably use it like RSTORSSP does for this operation. > > Or just invent another new token format and stay away from bits marked > reserved. Then it wouldn't have to be atomic either, since userspace > couldn't use it. But userspace *can* use it by delivering a signal. I consider the scenario where two user threads set up the same altshstk and take signals concurrently to be about as dangerous and about as likely (under accidental or malicious conditions) as two user threads doing RSTORSSP at the same time. Someone at Intel thought the latter was a big deal, so maybe we should match its behavior.