Date: Thu, 19 Oct 2023 11:17:00 +0200
From: Andrea della Porta
To: Will Deacon
Cc: Andrea della Porta, Catalin Marinas, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, nik.borisov@suse.com, arnd@arndb.de, keescook@chromium.org
Subject: Re: [PATCH 0/4] arm64: Make Aarch32 compatibility enablement optional at boot
References: <20231018122729.GA18556@willie-the-truck>

On 13:27 Wed 18 Oct, Will Deacon wrote:
> Hi,
>
> On Wed, Oct 18, 2023 at 01:13:18PM +0200, Andrea della Porta wrote:
> > Aarch32 compatibility mode is enabled at compile time through
> > CONFIG_COMPAT Kconfig option. This patchset lets 32-bit support
> > (for both processes and syscalls) be enabled at boot time using
> > a kernel parameter. Also, it provides a means for distributions
> > to set their own default without sacrificing compatibility support,
> > that is users can override default behaviour through the kernel
> > parameter.
>
> I proposed something similar in the past:
>
> https://lkml.kernel.org/linux-fsdevel/20210916131816.8841-1-will@kernel.org/
>
> but the conclusion there (see the reply from Kees) was that it was better
> to either use existing seccomp mechanisms or add something to control
> which binfmts can be loaded.
>
> Will

I see. Seccomp sounds like a really good idea, since just blocking the
compat binfmt would not avoid the call to 32-bit syscalls per se: it's
true that ARM64 enforces the transition from A64 to A32 only on exception
return and PSTATE.nRW flag can change only from EL1, maybe though some
exploitation may arise in the future to do just that (I'm not aware of
any or come up with a proof off the top of my head, but I can't exclude
it either). So, assuming by absurd a switch to A32 is feasible, the
further step of embedding A32 instructions in an A64 ELF executable is a
breeze. Hence blocking the syscall (and not only the binfmt loading)
could prove necessary.
I know all of this is highly speculative right now, maybe it's worth
thinking nonetheless.

Andrea
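
One way to block 32-bit syscalls with the existing seccomp mechanism mentioned in the quoted reply, as an added example that is not code from this thread or from the patchset: a classic-BPF filter that checks the syscall ABI in seccomp_data.arch and kills the process for anything other than AUDIT_ARCH_AARCH64. The names native_only, install_native_only_filter and dry_run are hypothetical, and dry_run only interprets the filter on constructed inputs so the verdicts can be checked on any Linux host.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Example names, not from the thread. Allow only the native AArch64 ABI;
 * arm64 kernels report compat (A32) syscalls as AUDIT_ARCH_ARM. */
static struct sock_filter native_only[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_AARCH64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define NATIVE_ONLY_LEN (sizeof(native_only) / sizeof(native_only[0]))

/* Install on the calling thread; arm64 only (elsewhere all syscalls die). */
int install_native_only_filter(void)
{
    struct sock_fprog prog = { .len = NATIVE_ONLY_LEN, .filter = native_only };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Evaluate the filter on constructed seccomp_data without installing it. */
unsigned int dry_run(unsigned int arch, int nr)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    unsigned int acc = 0;
    for (size_t pc = 0; pc < NATIVE_ONLY_LEN; pc++) {
        const struct sock_filter *f = &native_only[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&sd + f->k, sizeof(acc));
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f->k) ? f->jt : f->jf;
        else if (f->code == (BPF_RET | BPF_K))
            return f->k;
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

int main(void)
{
    printf("AArch64 ABI: %#x\n", dry_run(AUDIT_ARCH_AARCH64, 64));
    printf("compat ABI:  %#x\n", dry_run(AUDIT_ARCH_ARM, 4));
    return 0;
}
```

The installed filter is inherited across fork and execve, so a supervisor can apply it before launching a workload; systemd's SystemCallArchitectures=native applies the same kind of architecture check per unit.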