Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp3861630rdh; Tue, 28 Nov 2023 06:01:05 -0800 (PST) X-Google-Smtp-Source: AGHT+IEeN7oSvEejtE9Q3teU/XnswWS+AJrC3r6k4zZ2AQKSFsrYGclu4+iOtk1ZEn9UueCBkWE+ X-Received: by 2002:a05:6808:168d:b0:3b8:41d1:7310 with SMTP id bb13-20020a056808168d00b003b841d17310mr19193605oib.5.1701180065279; Tue, 28 Nov 2023 06:01:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701180065; cv=none; d=google.com; s=arc-20160816; b=ZHbxrAlny9y0y9ek2+fyWtIMf2PaOS08ZdsWHaWL2VOnMsqNzDgOuk7eMvePBQ5n2F CMraO4N8B/P6o6wX6agV/kSA9eqDuYsZHQ5XlslCAlu54RdtjKLTcztstlqG9AfBoxrY N4erohdP3GJ/f7lwK81ZX37YEM6OfJhJH1dJJ2OoswUV/GJCiSq1sJHVCGhLPhpjUPmo uNO6YMFERELNVqk9wvnV1eC9WwpYCIn82uy7lBspBD9CdqGzv9v6WPdevfsyFJse0kLp XL2gN2s5nvSXlYsO8maKSq9hGpJek33gwJen23fZtIDwN4frEAVUGv8l0Qrwlx33H960 zeGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=y4aIzpMzBDQ3ifatBjcbMH8BHiBCDcE9R0G0Uh4eOCk=; fh=06xrKKpWJ/ISM2bedzCjjVZkjjVkzJBQ6zrN55903GM=; b=Vkz4ufk25vsPnHfeiHzb//gLqna0r1T0H+5MH7BLMR8NN+xbhlM5vICruUMQ7zAgPQ MVmB35GZXy/Og1tBYAg7XrjxuI+8iqkCrPLt93U1b1jSy7O/9Sym5RSdfm1Pvmnv7KHv FCpLOM5o5b2Y/Ub7+H4uYRnrjEnCDJZJa7DnDbWmwwCONHOtDM2tugd5s/xqBoVO0Sno 7WQ/Q54LEev+kOLjgGHKeAkGnInJMiK0bP8V1kYqzrCucU1IoeEE26hEX8Ru89RBXoKy /uRlTQFRB5sNxebrOBh7jLRrGDJN4H0Tz7HeSG2USyv43ClfxIjpNFvxOQKAYOLpMhkY O1/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KLzSKVhX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id gn4-20020a0568082dc400b003a9c7640b89si5087997oib.120.2023.11.28.06.01.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 06:01:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=KLzSKVhX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 893A58072A3E; Tue, 28 Nov 2023 06:00:58 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344792AbjK1OAp (ORCPT + 99 others); Tue, 28 Nov 2023 09:00:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36866 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345480AbjK1Nzq (ORCPT ); Tue, 28 Nov 2023 08:55:46 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 30CFEB5 for ; Tue, 28 Nov 2023 05:55:53 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5BFA6C433C7; Tue, 28 Nov 2023 13:55:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1701179752; bh=lFIEgWDg6ujlYIK15c4mSDxbSIcEHaZgX85DXfe9QGA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=KLzSKVhXkLTg7AQ9TpKMI2z9nmc3YqIzV83md6KCBEuHklxpnZWradeRC1PKSkX5R r8tBhqET9GhRVQxrlYxBTQ3+diBm4t6hXOFFPcx63yswQKRUFYFqNV9iY8BLDb7gzy LJm1WRtwyrYXPOmBLSd5MjocUqZpBSNrEeXDrNn0PLr4vuekk3Bj9eUG0AbtmrCe3G kx3fqKgLAbOfHmqJNCAkTe4pg9ZIWFcd7YXeOLoP5ZJaSCzJfloEs8hiTk4AHGiOOP ZWhPHaGiHpNsRADieRWYOajseQJ2Wl2NG4WhUMpaP5UFnTgltkof4OCSqdQ6YNNl8z z52r+DJmYbxww== Date: Tue, 28 Nov 2023 13:55:49 +0000 From: Mark Brown To: "Edgecombe, Rick P" Cc: "debug@rivosinc.com" , "keescook@chromium.org" , "libc-alpha@sourceware.org" , "Pandey, Sunil K" , "szabolcs.nagy@arm.com" , "linux-kernel@vger.kernel.org" , "hjl.tools@gmail.com" , "kito.cheng@sifive.com" Subject: Re: Shadow stack enabling from dynamic loader v/s kernel on exec Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="RHQr7V8m/3wCdFHK" Content-Disposition: inline In-Reply-To: X-Cookie: Slow day. Practice crawling. X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Tue, 28 Nov 2023 06:00:58 -0800 (PST) --RHQr7V8m/3wCdFHK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Nov 27, 2023 at 05:32:24PM +0000, Edgecombe, Rick P wrote: > security focused runtime environment. So a seccomp mode starts to seem > like a separate enabling mode with it's own rules, in which case it > could be left for the future. My understanding is that seccomp is generic enough to allow you to write filters without any specific shadow stack support, though I'm not sure about handling for arch_prctl() so perhaps it's harder on x86. > I don't think doing exec based enabling will impact the app developers > expectations, because it should be confined to the loader. So it's fine > either way from my perspective. Yes, I don't think there's an issue for apps either way - it's more an issue for people doing system level security. > > On arm64 there would be the potential for disrupting some limited and > > theoretical use cases where GCS is enabled even though some libraries > > do > > not support it > On x86 we see this case already in testing. Why do you think it is > theoretical? Right, it's fairly easy to add something not flagged as GCS compatible at runtime through dlopen(). I think I was thinking of the case where the program is not marked as supporting GCS but enables GCS usage selectively at runtime, it wouldn't be able to do that for the main thread since we don't allow reenabling. --RHQr7V8m/3wCdFHK Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmVl8WQACgkQJNaLcl1U h9AyFAf5AfIg+BaZjkXaiSmsN4zgQJ5QAmBA/ntx6Z7SGGIRRRLSfISISp7SLGcW +KbkP9KTgt1G9Aku7ycNS6tckK26J+cJLw5n+7Q1Vzdr88dLMQ+a5Jsnznb9J4EC 8FbqdGBj+biihnELtiQJ4xTW00nH3XDRDZyYdZDZuLx1YfWBRojSn6rvazJCAiMH Hw80cAZAoNLOvrdbLKbmoif0JTfWj1LSCm+M4FnvOBD75W+eWgwDhnW5DHqtJ7Ov f8U9Gb3yhJBL1sVjZq/bzygUiPb92/e1OBz5K37iAscmjs1CMeR5ALXJhgW2Wsb0 1OAcbg9DTrAjMOeW/83EQGmvdLtmGA== =9qsU -----END PGP SIGNATURE----- --RHQr7V8m/3wCdFHK--