Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp1798299rdh; Sat, 25 Nov 2023 03:37:29 -0800 (PST) X-Google-Smtp-Source: AGHT+IHOZL1NCBQssLNm+3ClP9xwX4sN+rsA4iVNm0S5/ksab+8IK49yOtxgsf3BAop75PlWeePm X-Received: by 2002:a05:6a00:3018:b0:6cb:6a4d:3a80 with SMTP id ay24-20020a056a00301800b006cb6a4d3a80mr7587031pfb.5.1700912249348; Sat, 25 Nov 2023 03:37:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700912249; cv=none; d=google.com; s=arc-20160816; b=G2qIQD2w30SGbflAvAelcC6pwRJYWkG2XotNQvYDeNegrLZCluAef9uF+Vyl5/5IcQ B1V8H1PMwXFeLKoGyZ+SSlDFt4YG8nb6YbxM4uYel1dAkGUmZsQ5MOo1+AHqln1TsJyF q7UR/pr1lA6Xhmz/k6Vme9gO30OuQIH/d4eZd4ChTVknMxrx+t+XmqFamOWskdiV4vZJ WDIE7BKcTI973aXS6U881HHH08c0EfgG1LxlBIu2Uzi0PkVIHPcWIjfxVtlelzcOhAnd 4VD2BcAjsHlmcglKQuaKn4KsLUkznA1o8tGCZQ+oZKWgTTMe2kzUWGOXl7wEVwOPn5mK dfmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=PYNg9rROBiSj/t4nM4JLVscgsMLC18UqP1KjBeOgCks=; fh=yiObILcldk7Fdc1QALmxmpsCsCuY3JlLwono+NRbjIE=; b=A03GkmudEcUJUj4kWazbavgd4s6XiYjf7jbo9Z4igfxuv4iV6HlLaBg+CXZt2ptkTV zsVLvVUZ/CFIXH4gjXuqL6+hhnWOr20qy3/xiIQseQGQ2OwAYP58Wj3SVp0wQkGcBrEI yTnnzNdzfap/pGVvWOTnIc/qbbTS70eIOIElcVcTv+MNRZrMFU29L9OA6+G4C06ySmDx CUeUUXyKXocvMPScBYd+ci9ARQdEMC86pcAXnMPhD9YcJIvlvtKmedK3lckVip3AlIp/ BZCXAHoGDwmuDtLSLW/1/xkei3/BtFHYdo7aHBy6+vccHdlXlsc0DLDnFT+9h2OHix21 PNbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=qS2NwS0a; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id t3-20020a63d243000000b005c1b313a127si5519193pgi.660.2023.11.25.03.37.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 25 Nov 2023 03:37:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=qS2NwS0a; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 1477180A0DF1; Sat, 25 Nov 2023 03:36:38 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231887AbjKYLfc (ORCPT + 99 others); Sat, 25 Nov 2023 06:35:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59794 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229483AbjKYLfb (ORCPT ); Sat, 25 Nov 2023 06:35:31 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6989A10E4 for ; Sat, 25 Nov 2023 03:35:38 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76BCEC433C7; Sat, 25 Nov 2023 11:35:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1700912138; bh=fA5dBqvkCMbY/gU4EAds281Y/nW5/ZDX5cOERLsbkCY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=qS2NwS0a5ccoxX0CL6+LZ+PU7wiySilJz1iYpjvQ7MXn9ha91eQ4jUjU8OblikCP3 eU6UaQ7qM/AkRcG6QIkhjUxS9KeKzyQUYDj1cw2ElG3dSWkv+hgtIvufc9iAUKBSoC fdVi/E2PYdLubhALFFfI6XzaLgrgRbIlVzgl9fAE1YfKzKT9X3Xs0ipVDub/X0L6XW olYogTuAjrGAHJ1Ji04N6iyG1/QRfEJCD5+M8BBAfGNqKAgp7i9a3vONQ2gdUBuQqX eFUbz0hBXyRAC/qyr7uN+m8zyu+Dx2KJ/LY6V/gMPrCNChFfpcNX/YkyQw2VXxF7hh t1g5CzzKKF7ag== Date: Sat, 25 Nov 2023 11:35:34 +0000 From: Mark Brown To: Deepak Gupta Cc: Rick Edgecombe , Szabolcs Nagy , "H . J . Lu" , Kees Cook , Kito Cheng , linux-kernel@vger.kernel.org, libc-alpha@sourceware.org Subject: Re: Shadow stack enabling from dynamic loader v/s kernel on exec Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="cOFv5Mas7bXm7EYN" Content-Disposition: inline In-Reply-To: X-Cookie: Slow day. Practice crawling. X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Sat, 25 Nov 2023 03:36:38 -0800 (PST) --cOFv5Mas7bXm7EYN Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Nov 22, 2023 at 04:19:51PM -0800, Deepak Gupta wrote: > "Was there any other reason other than supporting ELF binaries that > went ahead of kernel changes that > led to decision of delegating of shadow stack enabling in dynamic loader" > If there are other complications that can happen due to kernel > enabling of shadow stack based on ELF bits, > I would like to know about them. This wouldn't play nicely with security policies that prevent disabling the shadow stacks - it would be fine with the prctl() based locking but something imposed externally with seccomp or similar would be there from process start. I'll also note that for arm64 BTI where we're less concerned with compatibility (since the protection is per page we only need to make sure that each ELF image is BTI enabled when we map it, we don't need to worry about any further code that might be mapped/loaded) we only enforce BTI for the dynamic loader, we still leave it to the dynamic loader to remap the main executable as BTI. The architecture maintainers have a strong preference for delegating as much as possible to userspace in order to reduce the potential for being locked into an unwanted policy or having difficulty in working around breakage. The issues on x86 are an example of the sort of situation people are worried about seeing in future. I personally would be OK with directly interpreting the ELF markings there but it wasn't the consensus. On arm64 there would be the potential for disrupting some limited and theoretical use cases where GCS is enabled even though some libraries do not support it, we don't allow GCS to be reenabled for a thread after it has been disabled in order to avoid dealing with the issues around reinitiating the GCS for something that's a corner case. x86 does allow reenabling so wouldn't have that issue. --cOFv5Mas7bXm7EYN Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmVh3AMACgkQJNaLcl1U h9B0+wf/ez1q5D2F/q8K/4aw5Tf2OGifwUFS9unYNHBCLooaSWoKmk0gTmuMvWlq C73e4lqshdfB+NrAAnTfpCNdrAs1am3mtMaxa9C+5I6rGp47y+9xfiI2y/e+6fHL UfvM9J632yj20O/t8CKCpqKs1eY0yIQLAOcLXdEM8Fyd/w5euTcaexxfd74bnJEu gIwaokQms3p84h96do8fCCNL/TZEaoHCkGPrPaGb+XRqrY0/tGcYvfhbaaJZbMAB ToeUwVFDbnZLw/aGycrou7rWnt5F//mSZ6jtyHB0zAaUYM6cIaWcYiYxqfv1/d1a dFfpGYJLVP4StiKTu8rFdVRJqchAPw== =/BR4 -----END PGP SIGNATURE----- --cOFv5Mas7bXm7EYN--