Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D94B7C6FD19 for ; Thu, 16 Mar 2023 19:31:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230260AbjCPTbB (ORCPT ); Thu, 16 Mar 2023 15:31:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59186 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229812AbjCPTa6 (ORCPT ); Thu, 16 Mar 2023 15:30:58 -0400 Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 70E12DFB5B for ; Thu, 16 Mar 2023 12:30:52 -0700 (PDT) Received: by mail-yb1-xb35.google.com with SMTP id u32so3222129ybi.6 for ; Thu, 16 Mar 2023 12:30:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; t=1678995051; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=OQinqcAul9N1/k6Qm0xi6TTExDZScG0p56fu1+mj3E8=; b=aZUr5Hc3SSnInpRHn4QQapVy8DLcSf4/Fsji81ynnnbmxFUbqyycyen3xS68rzw2cJ csdHHzPzn1pP4Rqhq8/jlqA8dQLTAnyjBWcvBZHm6/pvneaCtKF11X0NKVPFJ6Lwuk5o 72RVceBABLTBI+tJn+l9lpq3yxow6PgeoozRTUpTU2xzCTSQilljxyWqtox7dKLQwmVh Mt7eATOZlaYVhW8nPozAkwkhKitbs3qSfS0zDDfCSHkn4bHon39z2LN2WrpJHFl7bH+u 01CLGuTfkqCSiQaPZ34ZVbtLD9fLHpC87CEEjOYCcl/1TmRK/ccg1mJnufuIL2N997aO uUJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678995051; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OQinqcAul9N1/k6Qm0xi6TTExDZScG0p56fu1+mj3E8=; b=ge9SokLDqsDziNzLk5R756CMyNRzaBhAFw9M91PvfKeu7g53k8EM6SFgpEG/HyUc53 WpojssqOWOdhVjymxYsBhuKAFpIRKDb1DC4mlCGE7ZFkY3qtx9fq+zttXhxJmjYRQy9d aLm9sZOtAKUfCR++q0RtLAn4TtTFM/2RNzXwUrbBSa94GyhA6hk+y58juhJNKptUbcca LbGCItf831ipid/APM83zz0obH8y94XXXOBjRGkgW0kJ56yX2aUQ0O1xu30eRGa3hSRb 6l/M7nmdu6c+aAFmdpJ1qpQnZ9DRSDYIO6q13FK2kOSNi1JG00Veoux+RYKI/91nYYhL vwvA== X-Gm-Message-State: AO0yUKVK3PlosKz/TMuDeE7b1ysLPqUT1gWr0J7Cb4zj9N28lCkeDqB6 UsyoqoLnfwvPc5zsW0xQZM5nnDOA31Bx50/IDuKa8Q== X-Google-Smtp-Source: AK7set8XMy0ufUxFXEARzyZfU02oLy+VwPbPQAYSeIVhzA2hlPaXVJJxn8QbOjY2tiSVxh7zXiHiE5Y10vOoOFYvORc= X-Received: by 2002:a25:f507:0:b0:b3b:6576:b22b with SMTP id a7-20020a25f507000000b00b3b6576b22bmr10524766ybe.12.1678995051579; Thu, 16 Mar 2023 12:30:51 -0700 (PDT) MIME-Version: 1.0 References: <20230227222957.24501-1-rick.p.edgecombe@intel.com> <20230227222957.24501-34-rick.p.edgecombe@intel.com> <20230309185511.GA1964069@debug.ba.rivosinc.com> In-Reply-To: From: Deepak Gupta Date: Thu, 16 Mar 2023 12:30:40 -0700 Message-ID: Subject: Re: [PATCH v7 33/41] x86/shstk: Introduce map_shadow_stack syscall To: Mike Rapoport Cc: Szabolcs Nagy , Rick Edgecombe , x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , Weijiang Yang , "Kirill A . Shutemov" , John Allen , kcc@google.com, eranian@google.com, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, nd@arm.com, al.grant@arm.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 14, 2023 at 12:19=E2=80=AFAM Mike Rapoport wr= ote: > > Hi, > > On Thu, Mar 09, 2023 at 10:55:11AM -0800, Deepak Gupta wrote: > > On Thu, Mar 02, 2023 at 05:22:07PM +0000, Szabolcs Nagy wrote: > > > The 02/27/2023 14:29, Rick Edgecombe wrote: > > > > Previously, a new PROT_SHADOW_STACK was attempted, > > > ... > > > > So rather than repurpose two existing syscalls (mmap, madvise) that= don't > > > > quite fit, just implement a new map_shadow_stack syscall to allow > > > > userspace to map and setup new shadow stacks in one step. While uco= ntext > > > > is the primary motivator, userspace may have other unforeseen reaso= ns to > > > > setup it's own shadow stacks using the WRSS instruction. Towards th= is > > > > provide a flag so that stacks can be optionally setup securely for = the > > > > common case of ucontext without enabling WRSS. Or potentially have = the > > > > kernel set up the shadow stack in some new way. > > > ... > > > > The following example demonstrates how to create a new shadow stack= with > > > > map_shadow_stack: > > > > void *shstk =3D map_shadow_stack(addr, stack_size, SHADOW_STACK_SET= _TOKEN); > > > > > > i think > > > > > > mmap(addr, size, PROT_READ, MAP_ANON|MAP_SHADOW_STACK, -1, 0); > > > > > > could do the same with less disruption to users (new syscalls > > > are harder to deal with than new flags). it would do the > > > guard page and initial token setup too (there is no flag for > > > it but could be squeezed in). > > > > Discussion on this topic in v6 > > https://lore.kernel.org/all/20230223000340.GB945966@debug.ba.rivosinc.c= om/ > > > > Again I know earlier CET patches had protection flag and somehow due to= pushback > > on mailing list, it was adopted to go for special syscall because no on= e else > > had shadow stack. > > > > Seeing a response from Szabolcs, I am assuming arm4 would also want to = follow > > using mmap to manufacture shadow stack. For reference RFC patches for r= isc-v shadow stack, > > use a new protection flag =3D PROT_SHADOWSTACK. > > https://lore.kernel.org/lkml/20230213045351.3945824-1-debug@rivosinc.co= m/ > > > > I know earlier discussion had been that we let this go and do a re-fact= or later as other > > arch support trickle in. But as I thought more on this and I think it m= ay just be > > messy from user mode point of view as well to have cognition of two dif= ferent ways of > > creating shadow stack. One would be special syscall (in current libc) a= nd another `mmap` > > (whenever future re-factor happens) > > > > If it's not too late, it would be more wise to take `mmap` > > approach rather than special `syscall` approach. > > I disagree. > > Having shadow stack flags for mmap() adds unnecessary complexity to the > core-mm, while having a dedicated syscall hides all the details in the > architecture specific code. Again reiterating it would've made sense if only x86 had a shadow stack. aarch64 announced support for guarded stack. risc-v spec is in development to support shadow stack. So there will be shadow stack related flow in these arches. > > Another reason to use a dedicated system call allows for better > extensibility if/when we'd need to update the way shadow stack VMA is > created. I see two valid points here - Shadow stack doesn't need conversion into different memory types (which is usually the case for address ranges created by mmap) So there is a static page permissions on shadow stack which is not mutable. - Future feature addition (if there is one needed) at the time of shadow stack creation It would avoid future tax on mmap I'll think more about this. > > As for the userspace convenience, it is anyway required to add special > code for creating the shadow stack and it wouldn't matter if that code > would use mmap(NEW_FLAG) or map_shadow_stack(). Yes *strictly* from userspace convenience, it doesn't matter which option. > > > > most of the mmap features need not be available (EINVAL) when > > > MAP_SHADOW_STACK is specified. > > > > > > the main drawback is running out of mmap flags so extension > > > is limited. (but the new syscall has limitations too). > > -- > Sincerely yours, > Mike.