Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp14085rdh; Wed, 22 Nov 2023 16:20:11 -0800 (PST) X-Google-Smtp-Source: AGHT+IFjnYZAr8B+3salXqi0jfeTdvZcGucOeR5d8zlFqA29uirGpyplDjGprkXSxvFmJ9vEjw0h X-Received: by 2002:a17:90b:3014:b0:27d:dc9:c67d with SMTP id hg20-20020a17090b301400b0027d0dc9c67dmr4028874pjb.36.1700698810985; Wed, 22 Nov 2023 16:20:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700698810; cv=none; d=google.com; s=arc-20160816; b=se8YPwnHkfI+b1NtsMyVtcpUjQYyzfOzxtMP1V2hRtFs2JkKduo2DK8+9/rw3y1uAN Dj35zl1nlrZzgvzrZYzVcMIGAq2kJMOE4fftbCC/wod4IUaDHCJEHgc28ZWj7fDGcpDg cbcc4/jj2k/slDIuBjxmohqKQDlPYHYi+YQ85oNaXRJlPod97m92YOZgWCaxe4lspu0P IwkUKvhaYTYFbBd2OT8uT9ttgFjhB0LNhQhfQHI3JORdTLehFfAmRqwx4CAsLFFr1JWO ZRi+SrOjZ1Q9w/4wQYw7Za6Z5Lg7ii/mFU6mn6fSKNTs7vCsn8fj8s0Cf91/+ArqyVvR hQ9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=57/CYGuuC1Jp62J8XUITJ0fJw251XS6cutEtxQsqThw=; fh=Ao5Y6yKtmtC4LYMipjm0GY5gwxy7qEGzHWjiB0AChCA=; b=Ynmu27BKxehZofpdtqRKTx7U6y0knVUcEcAqKMMaywgMApYHbOjby8H+Z8fE3Uvlq+ GRB23a68wV+COlMV4gaR3CkAd+E0cSTr3P3TMXrNrScthLWcr5j0CZ2JXqQqAUQIZthI aaD/jo2K2U6UkJn5stqW944O8WlutR5IeNFOMTTn4z/LDm7lLNUV4HyP9xWHmIAh4IED 5JaGHbK0JBrj3MU3zZUXq5rhRMjtXOTOCRegd3YXcnj4LZGpnY5QLiDHwVQBggTrYgM/ XLS99gQAxMWm/XZnUR1eBUExPCKsgWlQQefKISgnq1P7dNdTy5r6Xoil9sP6yUsGTAmn liEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=Ez3ikaSN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id i2-20020a17090aa90200b00283e07a6d3esi190509pjq.79.2023.11.22.16.20.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Nov 2023 16:20:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=Ez3ikaSN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 68B2382958BD; Wed, 22 Nov 2023 16:20:09 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229513AbjKWAUJ (ORCPT + 99 others); Wed, 22 Nov 2023 19:20:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39846 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229453AbjKWAUI (ORCPT ); Wed, 22 Nov 2023 19:20:08 -0500 Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4EBB3189 for ; Wed, 22 Nov 2023 16:20:04 -0800 (PST) Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-db37c6a4d48so359144276.2 for ; Wed, 22 Nov 2023 16:20:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1700698803; x=1701303603; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=57/CYGuuC1Jp62J8XUITJ0fJw251XS6cutEtxQsqThw=; b=Ez3ikaSNhhEb5i2bJyoviC0tKVu5nN+hGs7OwTRM5ZNsW3Iqt0WW1ylC5XA/TkV3f2 kCjmyk5s4tJKp8gS1EiizGdQ6U5MP22qh4Zy5l+D3UolWrUnwvEGCuU3x8vFGaVW7mjv FgidpDUM1mVGbu+Ih/TB1sPvkrrDbFje/uMvOS9CzwsQi4si3V8xe10B3UQmgsXdppcN 3FVA8DU4/5lZmbRX+jiwOZUfsmWLTEUA4SrnLai7JQn39trC1yQdQkXiFRAkvGNeugke Po+bL2AWxF+VQL7wCfjHLtlLadQjmfMa62+d1f+YBZQh79hbZjll2yNuncLzxKxd6jsZ snsg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700698803; x=1701303603; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=57/CYGuuC1Jp62J8XUITJ0fJw251XS6cutEtxQsqThw=; b=QEXZZdWPA5Pdv3xJiaWkTJOMMNFPypgGSciL37y9nhLbIyThq6CZJE4o7H4gdXFNbM hvFXWIihMuzVuqW8SKcbSNoBPbrndy4rCyfZ6byP5PFPmYryg7M8bP/L7zhbGxm6yYPV cMokfz1Ir4S2uaNYwnmVZsdFyaeXKGHXGjFhTGH+iOwuVrR8vRBqrvzD/S6GLMqaq56W KbjfbZJ+EA26shAdOg0ai9XLTNBxHZIpDJ+jLsFDKsCgtSAHt5rH4jDQXt7YFetA06lg Z491Ru9mcK2E5tvO+N2xl+0Nbas04GBjgVAOgOt2X9/3mz/Cjnn8us6D0HvlcZ42RztV ZCFQ== X-Gm-Message-State: AOJu0YwRe5NeHB390FZGLbsdFNhp9ZGUq/+DTJ5rwH5BcRxNmfw3zYM8 urY/hZHRgbbfrK7vas6b4chDX5O//xaBc9yzWnK7xQ== X-Received: by 2002:a25:77c4:0:b0:daf:bf76:f5c0 with SMTP id s187-20020a2577c4000000b00dafbf76f5c0mr3843424ybc.48.1700698803371; Wed, 22 Nov 2023 16:20:03 -0800 (PST) MIME-Version: 1.0 From: Deepak Gupta Date: Wed, 22 Nov 2023 16:19:51 -0800 Message-ID: Subject: Shadow stack enabling from dynamic loader v/s kernel on exec To: Rick Edgecombe , Mark Brown , Szabolcs Nagy , "H . J . Lu" , Kees Cook , Kito Cheng Cc: linux-kernel@vger.kernel.org, libc-alpha@sourceware.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Wed, 22 Nov 2023 16:20:09 -0800 (PST) I don't want to divert focus from patch specific comments on shadow stack patches that're being discussed in the mailing list. And that's starting this separate thread about enabling the shadow stack in the dynamic loader v/s kernel. I've put relevant folks in "To" and "kernel" and "libc" in CC. We've beaten this record many times but I think this is the first time I am getting into weeds. Per this https://lore.kernel.org/all/20220130211838.8382-1-rick.p.edgecombe@intel.com/, all the binaries that were marked with shadow stack are ready to break as soon as new kernel enables shadow stack by default based on ELF bit. And thus the reason to let it be decided up in user mode and making the kernel oblivious about this decision making during exec. It looks like it was done because libc changes landed in userspace binaries from major distros before the kernel changes could be merged and kernel-user interface changed as kernel changes matured. Such an issue doesn't exist for non-x86 (at least risc-v because that's what I am focussing on). And have been wondering that if doing below would be a better choice: - On `exec`, the kernel looks at the ELF bit and sets up a shadow stack - Dynamic loader (or statically built binary) starts life with shadow stack - Dynamic loader can disable shadow stack if it wants if it sees some compat issues [This last step of figuring out compat issues, anyways dynamic loader is performing today] This has many advantages - dynamic loaders (and static binary) are protected from loader specific ROP attack in a small window - stack and shadow stack are always balanced One disadvantage I can see is that enabling the shadow stack is split but I really don't see it as a big disadvantage. Please note that enable/disable/get status prctls can still exist. And thus user space still has all the enabling / disabling control with itself depending on configuration. Larger question and opinion / input that I am seeking here is that (from kernel / libc community) "Was there any other reason other than supporting ELF binaries that went ahead of kernel changes that led to decision of delegating of shadow stack enabling in dynamic loader" If there are other complications that can happen due to kernel enabling of shadow stack based on ELF bits, I would like to know about them. -Deepak