Received: by 2002:a05:7412:1703:b0:e2:908c:2ebd with SMTP id dm3csp3988085rdb; Wed, 30 Aug 2023 11:53:40 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEoXbflGhey6wZjJBXJi2NWIBJws5P5VwqaegmLwuoQJ84lWGXDPCgkl+riSbW4UG3t05vT X-Received: by 2002:a05:6830:1193:b0:6b5:6b95:5876 with SMTP id u19-20020a056830119300b006b56b955876mr3175634otq.25.1693421619962; Wed, 30 Aug 2023 11:53:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1693421619; cv=none; d=google.com; s=arc-20160816; b=QKloR+ZM4YVtsdF1pa/CNYJD9uBajjGFt1JaHrYjPViJTlE8uV7X1XwJtUdUzwztmN nU+g8kxuCAOjUtQfnNes0CVBGGXe1PWsihLNVYT+mICjNtRROBhR7jwKUs7dmHCTU0Qc CGPPNKWzi3b4AU/XgJ6+HbwGG2DrZn0kcZ6pXuB3YqibSBFBTS2BtnZDJFBHMfTuWnQk HevPsSqm4gO8kPa8kkxBiVsIhB2fqQfjcF/DPnur209e87vhm7bT0NZHAykIC9DzrP2v XKKvy6uWzRINmzrMN5PXplH9u9Cd3lvmZhlomxJoOYIbsRh9nUOkXpvmnMv79M/2owZC HNHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=KYq/2/A883aKPPwJMN5T9z1EYPVWML+N3Wh1FX3hzWk=; fh=oOLr+n7Zwasjdvc8adg9RVTtdSQPcIDVNx1+AMNjpGY=; b=aUgt+OZXJNHdfsKQMfnNYPZdQCtSx+rsIQs0ZdZCoRqzexM0Y9ZuzBPRgp1qRNz1p8 jJQaJi16YDp1yzThpSPqgbR3Igzp/KZRq4OvjTpxkKwlMIuK+ulZLaG17q4wYNaelzFN UbokLPKhgYMzfGS8yvLttili2dwULib0rHBPSjeW0dsjCxRCJ40cUpY1SxYrr5c0GqpI mGMkiIFf6UEluqxVq70WIA4a5iHzkjGwJd1mKmaGKf4Z2rB5DIteTdTTz6O7aGgmIrmG agagnhVfWFwx2tig9jvdB/cz9PGuGhHZ8WEDT82lKoTVMRDtkhpx+FuuyJJpf4SxV8Jc jvDw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VjbX4CCw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u17-20020a634711000000b0056f7f18bc11si4905288pga.505.2023.08.30.11.53.22; Wed, 30 Aug 2023 11:53:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VjbX4CCw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242922AbjH3SpM (ORCPT + 99 others); Wed, 30 Aug 2023 14:45:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38904 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343718AbjH3Qmk (ORCPT ); Wed, 30 Aug 2023 12:42:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E5FEA19A; Wed, 30 Aug 2023 09:42:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 81AD762119; Wed, 30 Aug 2023 16:42:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9F379C433C7; Wed, 30 Aug 2023 16:42:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1693413751; bh=+cegdjpC7G5umSHFHbrmT1BIlMdov4rtt+v2oJEk1tM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=VjbX4CCwh2T7VRmcGdTip7u/f/TaIxuYGePqe7e+D4VSLmbiZHbmccKJEensZqdYd /SkVtQoHfFek1l/akYZpl6ne+8eKdaeb9A2TuvGKtHgX54qQvFDVWxI1azmcGgWe2A TCS6C1oK4Z9Yi4kRDMDic1bnoquUGBouKD5MDQ3AY/kt+9FcjbvW5qvdsxbxoapCQj m6CelcYTizHCgj7uEUvmooKRW1IDpuIbzMXpLTY63MW/y+bD0wODuEHfxQZ27KwMGs UK+r1H9fjVVo3zf7MJOTbhSZBfN9GnYmDVX/HSF7zUQGGf3T2s6/zw2yHd96jP9gqw cyxOybFWimvpA== Date: Wed, 30 Aug 2023 17:42:18 +0100 From: Mark Brown To: Szabolcs Nagy Cc: Catalin Marinas , Will Deacon , Jonathan Corbet , Andrew Morton , Marc Zyngier , Oliver Upton , James Morse , Suzuki K Poulose , Arnd Bergmann , Oleg Nesterov , Eric Biederman , Kees Cook , Shuah Khan , "Rick P. Edgecombe" , Deepak Gupta , Ard Biesheuvel , "H.J. Lu" , Paul Walmsley , Palmer Dabbelt , Albert Ou , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org Subject: Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks Message-ID: <9992beaf-f57d-41f8-9dbb-8044c783ddf4@sirena.org.uk> References: <43ec219d-bf20-47b8-a5f8-32bc3b64d487@sirena.org.uk> <227e6552-353c-40a9-86c1-280587a40e3c@sirena.org.uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="K/vjy3MP44rS/waF" Content-Disposition: inline In-Reply-To: X-Cookie: Immanuel doesn't pun, he Kant. X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --K/vjy3MP44rS/waF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Aug 30, 2023 at 01:37:33PM +0100, Szabolcs Nagy wrote: > The 08/24/2023 16:43, Catalin Marinas wrote: > > Is there a use-case for the unlocked configuration to allow disabling > > the GCS implicitly via a clone syscall? > how would you handle clone or clone3 without gcs specified? > (in the cases when clone creates a new thread with new stack) > (1) fail. > (2) allocate gcs. > (3) disable gcs. ... > problem with (2) is that the size policy and lifetime management > is in the kernel then. (since only special cases are affected i > guess that is ok, but i assumed we want to avoid this by moving > to clone3 and user managed gcs). Right, it seems like if we go with this then we may as well just allow plain clone() too. > the problem with (3) is escaping the security measure, however > it only applies to very special threads that can always decide > to opt-in to gcs, so i don't see this as such a bad option and > at least bw compat with existing code. (in my threat model the > attacker cannot hijack clone syscalls as that seems stronger > than hijacking return addresses.) It doesn't seem great to have a feature which is to a large extent a security feature where we provide a fairly straightforward mechanism for disabling the feature and actively expect things to be using it. Given the timescales until this gets practically deployed on arm64 I would be inclined to go with making things fail and forcing updates in the users, though obviously that's less helpful for x86 where the hardware is in user hands already so it's more of a pressing issue (and there's already what is effectively option 2 in the code). We could have the architectures diverge, as you say the effect is likely to be mainly in very low level code rather than general software. --K/vjy3MP44rS/waF Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmTvcWkACgkQJNaLcl1U h9BrNwf/ZAr2lf9jr/JbNkYpu9zm6Fga4tZrLQoMWCDnP9PGxphhBn9iAMWz6X+F 0X05x9pIN7D4g7qLffjEzsFOpfukbLwIQ4wH/AdjNW7MvFpuH+4kt7iWwiDparY/ wliRfw6VyCf8lMA40bSac+jlTEJowbBmX+nh1z+EI924BOUXDONu/PGGfoVtn9U0 mOVw+DFx3lACf5cjCPKSE9JfYf74s+y9cH8fk9x1/D6jHuJuX5IOafLld3PytL/v Yxbc/C9XY0Qa9If9yV/NWPb7irX1i7vTMOcHJ8AAzwzHV7LjOOk2cBgRj0IJ2TBI 1fuiPsv3RNuj2GUC01Od5Md0pPjifQ== =qSdV -----END PGP SIGNATURE----- --K/vjy3MP44rS/waF--