Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp10106566rwd; Wed, 21 Jun 2023 16:45:43 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6KRYRbDrFJoZq0+mLPFIesRnvdcoM3vdXHgAU82ZPCDDsADUd03fZHupKOw/JqAhK1ei2j X-Received: by 2002:a17:90a:f83:b0:25b:f66c:35a9 with SMTP id 3-20020a17090a0f8300b0025bf66c35a9mr14482015pjz.48.1687391143510; Wed, 21 Jun 2023 16:45:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687391143; cv=none; d=google.com; s=arc-20160816; b=aCwFzwcH0dWfOeRnVU5UZDKTPrYA6q6s8Ltc4wb8KF1a+mTh42nuMjqItdViS6Thoc NEH+wGZTdrM1+ngAJLQ4O/rVTPfuR6sPQeBpOQl+bpmU4DfoEmbXrSfp1jiT53bk9pht kS6bxYJBegf2cpTulB0ZBmbke9NCLYX6M1YqxWBkdzXRuz4r19gfUthwoF3otcTV7wuP 4MaM0Fyqh65KctfFP77qHIThtUilCeOgGud1J/gp2yPMJec5unFJi/qf3W8b6AfJ/WoM PBiSQChrAq1oP9NjTbFt/hjhZboOV/S95bgpxDph0Yhdr5RGJ6wg19SFfxfoshfp52pq o6XA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=6XDtB2HXrkctzeKU+qZH+wPpskqfD4hoPJ8GizdXePk=; b=ztv2ihNy+KITitv6+DKyzSkdwJYP2DINGebCnUCHvmDE+zJcPsWXqcqWLSXX4FCkDo GB/5kG+0PIuhlL6ayw7RCwCBIoBFxhWH6NC6eT65xh35+Mvt1ONLe2YQWUY4/BhfMt4o 4risuY8/3IeMmsi0gi4f2SA8FAXF+BzfH34RxYq1BvIE9FS/D+A23YxT2iF/iKUd4xOz aLZqMXBboSwuOd0Xhzfv4Smrub4UkpL8gm+zK5c7LSLZ7JhhhssGIrTMZD9KqDJ8dqWK sAOcoCbpnJI/MakJHWF7O3QLOJdpBDXVZzweVqO8DKvif4ZzMSbaUs/ZGpIOGZ0Fs+AI FEww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=hN+GOsPk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x5-20020a17090abc8500b0025546028cbesi5238466pjr.31.2023.06.21.16.45.31; Wed, 21 Jun 2023 16:45:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=hN+GOsPk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230166AbjFUXGB (ORCPT + 99 others); Wed, 21 Jun 2023 19:06:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229602AbjFUXGA (ORCPT ); Wed, 21 Jun 2023 19:06:00 -0400 Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E865D1988; Wed, 21 Jun 2023 16:05:58 -0700 (PDT) Received: by mail-qk1-x72e.google.com with SMTP id af79cd13be357-763d86856fdso88822885a.3; Wed, 21 Jun 2023 16:05:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687388758; x=1689980758; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=6XDtB2HXrkctzeKU+qZH+wPpskqfD4hoPJ8GizdXePk=; b=hN+GOsPk2ssjB6RukkBFAN0V6IKJuYAybWWSoSooirwqwFIszSIi1jqg22yAlKuhOh mGCy043EKVyyJzo8Jn+sFY6EXX0yu59Qouh2gm5aJDSexy026ZZ9oZGuOVtPvB3Yx4gq zVpWfXUNQrEotUyZZILRQg18m7NYz6/Rie2NVO24Rss1uoxlnI+H9XtkbdQGd5F7t9Im Prm1POz9pLrSIDpkvwN1Ce3yM77W57zbLhwaV/AO4xP7U73vIhZzWkANihfQwtAopnSD 2tZHGp7KCuLdkXzPiVAtJtMK7p1NJ82CCzaCKP7TxaHG8yWro2rWBvd9MYXbIYD506Nh 5/6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687388758; x=1689980758; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6XDtB2HXrkctzeKU+qZH+wPpskqfD4hoPJ8GizdXePk=; b=aEQVqbDoZZwAj/pgju74eh93W/dwDeuqTG+KOfVRadmQuaeinJzDVEDi0ltR6Qs/Zl Eq0KvY0J+rPxdPM9wRMrTu4ljc/Ea7rp3c6oYiwbySdC3ManAMmTplvTLAzofzW9q0AW MIVEVLq2MvxM5qsVzcWF1H5qBzunZnEky4Jtw2JXCoKJSNZdo5q5Rv2fKREzxKnbWoAL keTrsv8PUVdkmuqPFI3ngOzPPTmxx319SiTheoY7HfZ3ztp1RsZsgRn7EulDLvLZNc6M OeG42lhdiO2TNc1EQPDgfcSFaEverY949JrC5aZHjqCIOrMpH3k5YoT9lAPdYl2KAhZd s0sA== X-Gm-Message-State: AC+VfDxpBRSNHI/A2iTHaiaskb0JSv6XIpCwGglFbfb00pP01yvgZMPy Pu/LTHxMVs1FhbhWMqohEcn2NruXKDXZHpgNECQ= X-Received: by 2002:a05:620a:3f49:b0:763:9560:c830 with SMTP id ty9-20020a05620a3f4900b007639560c830mr9544641qkn.11.1687388757753; Wed, 21 Jun 2023 16:05:57 -0700 (PDT) MIME-Version: 1.0 References: <1f04fa59-6ca9-4f18-b138-6c33e164b6c2@sirena.org.uk> <49eabafa97032dec8ace7361bccae72c6ecf3860.camel@intel.com> <64837d2af3ae39bafd025b3141a04f04f4323205.camel@intel.com> <5794e4024a01e9c25f0951a7386cac69310dbd0f.camel@intel.com> <5ae619e03ab5bd3189e606e844648f66bfc03b8f.camel@intel.com> In-Reply-To: <5ae619e03ab5bd3189e606e844648f66bfc03b8f.camel@intel.com> From: "H.J. Lu" Date: Wed, 21 Jun 2023 16:05:21 -0700 Message-ID: Subject: Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description To: "Edgecombe, Rick P" Cc: "broonie@kernel.org" , "szabolcs.nagy@arm.com" , "Xu, Pengfei" , "tglx@linutronix.de" , "linux-arch@vger.kernel.org" , "kcc@google.com" , "Lutomirski, Andy" , "nadav.amit@gmail.com" , "kirill.shutemov@linux.intel.com" , "david@redhat.com" , "Schimpe, Christina" , "linux-doc@vger.kernel.org" , "peterz@infradead.org" , "corbet@lwn.net" , "nd@arm.com" , "dethoma@microsoft.com" , "jannh@google.com" , "linux-kernel@vger.kernel.org" , "debug@rivosinc.com" , "pavel@ucw.cz" , "bp@alien8.de" , "mike.kravetz@oracle.com" , "linux-api@vger.kernel.org" , "rppt@kernel.org" , "jamorris@linux.microsoft.com" , "arnd@arndb.de" , "john.allen@amd.com" , "rdunlap@infradead.org" , "bsingharora@gmail.com" , "oleg@redhat.com" , "andrew.cooper3@citrix.com" , "keescook@chromium.org" , "x86@kernel.org" , "gorcunov@gmail.com" , "Yu, Yu-cheng" , "fweimer@redhat.com" , "hpa@zytor.com" , "mingo@redhat.com" , "linux-mm@kvack.org" , "Syromiatnikov, Eugene" , "Torvalds, Linus" , "akpm@linux-foundation.org" , "dave.hansen@linux.intel.com" , "Yang, Weijiang" , "Eranian, Stephane" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 21, 2023 at 3:23=E2=80=AFPM Edgecombe, Rick P wrote: > > On Wed, 2023-06-21 at 11:54 -0700, Rick Edgecombe wrote: > > > > > > > > there is no magic, longjmp should be implemented as: > > > > > > > > > > > > > > > > target_ssp =3D read from jmpbuf; > > > > > > > > current_ssp =3D read ssp; > > > > > > > > for (p =3D target_ssp; p !=3D current_ssp; p--) { > > > > > > > > if (*p =3D=3D restore-token) { > > > > > > > > // target_ssp is on a different > > > > > > > > shstk. > > > > > > > > switch_shstk_to(p); > > > > > > > > break; > > > > > > > > } > > > > > > > > } > > > > > > > > for (; p !=3D target_ssp; p++) > > > > > > > > // ssp is now on the same shstk as > > > > > > > > target. > > > > > > > > inc_ssp(); > > > > > > > > > > > > > > > > this is what setcontext is doing and longjmp can do the > > > > > > > > same: > > > > > > > > for programs that always longjmp within the same shstk > > > > > > > > the > > > > > > > > first > > > > > > > > loop is just p =3D current_ssp, but it also works when > > > > > > > > longjmp > > > > > > > > target is on a different shstk assuming nothing is > > > > > > > > running > > > > > > > > on > > > > > > > > that shstk, which is only possible if there is a restore > > > > > > > > token > > > > > > > > on top. > > > > > > > > > > > > > > > > this implies if the kernel switches shstk on signal entry > > > > > > > > it has > > > > > > > > to add a restore-token on the switched away shstk. > > Wait a second, the claim is that the kernel should add a restore token > on the current shadow stack before handling a signal, to allow to > unwind from an alt shadow stack, right? But in this series there is not > an alt shadow stack, so signal will be handled on the current shadow > stack. If the user stays on the current shadow stack, the existing > simple INCSSP based solution will work. > > If the user swapcontext()'s away while handling a signal (which *is* > currently supported) they will leave their own restore token on the old > stack. Hypothetically glibc could unwind back through a series of > ucontext stacks by pivoting, if it kept some metadata somewhere about > where to restore to. So there are actually already enough tokens to > make it back in this case, glibc just doesn't do this. > > But how does the proposed token placed by the kernel on the original > stack help this problem? The longjmp() would have to be able to find > the location of the restore tokens somehow, which would not necessarily > be near the setjmp() point. The signal token could even be on a > different shadow stack. > > So I think the above is short of a design for a universally compatible > longjmp(). > > Which makes me think if we did want to make a more compatible longjmp() > a better the way to do it might be an arch_prctl that emits a token at > the current SSP. This would be loosening up the security somewhat (have > to be an opt-in), but less so then enabling WRSS. But it would also be > way simpler, work for all cases (I think), and be faster (maybe?) than > INCSSPing through a bunch of stacks. Since longjmp isn't required to be called after setjmp, leaving a restore token doesn't work when longjmp isn't called. > I'm also not sure leaving a token on signal doesn't weaken the security > it it's own way as well. Any thread could then swap to that token. > Where as the shadow stack signal frame ssp pointer can only be used > from the shadow stack the signal was handled on. > > So I think, in addition to blocking the shadow stack overflow use case > in the future, leaving a token behind on signal will not really help > longjmp(). (or at least I'm not following) > --=20 H.J.