Date: Wed, 13 Dec 2023 13:37:32 +0000
From: Mark Brown
To: Deepak Gupta
Cc: Catalin Marinas, Will Deacon, Jonathan Corbet, Andrew Morton, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Arnd Bergmann, Oleg Nesterov, Eric Biederman, Kees Cook, Shuah Khan, "Rick P. Edgecombe", Ard Biesheuvel, Szabolcs Nagy, "H.J. Lu", Paul Walmsley, Palmer Dabbelt, Albert Ou, Florian Weimer, Christian Brauner, Thiago Jung Bauermann, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org
Subject: Re: [PATCH v7 02/39] prctl: arch-agnostic prctl for shadow stack
Message-ID: <0d0d8802-09e3-4ea5-a0b4-b3a08c8a282e@sirena.org.uk>
References: <20231122-arm64-gcs-v7-0-201c483bd775@kernel.org> <20231122-arm64-gcs-v7-2-201c483bd775@kernel.org>
On Tue, Dec 12, 2023 at 04:50:38PM -0800, Deepak Gupta wrote:

> A theoretical scenario (no current workloads should have this case
> because no shadow stack)
>
> - User mode did _ENABLE on the main thread. Shadow stack was allocated
>   for the current thread.
> - User mode created a bunch of worker threads to run untrusted contained
>   code. They shadow stack too.
> - main thread had to do dlopen and now needs to disable shadow stack on
>   itself due to incompatibility of incoming object in address space.
> - main thread controls worker threads and knows they're contained and
>   should still be running with a shadow stack. Although once in a while
>   the main thread needs to perform writes to a shadow stack of worker
>   threads for some fixup (in the same addr space). main thread doesn't
>   want to delegate this responsibility of ss writes to worker threads
>   because they're untrusted.
>
> How will it do that (currently _ENABLE is married to _WRITE and _PUSH)?
That's feeling moderately firmly into "don't do that" territory to be
honest, the problems of trying to modify the stack of another running
thread while it's active just don't seem worth it - if you're coordinating
enough to do the modifications it's probably possible to just ask the
thread whose stack is being modified to do the modification itself, and
having an unprotected thread writing into shadow stack memory doesn't feel
great.

That said, in terms of the API there would be nothing stopping us saying
that _WRITE by itself is a valid combination of flags, in which case the
thread would have permission to write to any shadow stack memory it could
get to. For arm64 I think we can implement that, I'm not sure about x86.
_PUSH without _ENABLE is a lot less clear, you would at the very least at
some point have had a stack enabled to have a stack pointer.
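As an added illustration that is not code from this thread or from the GCS series, the following C model encodes the two flag policies under discussion: the current rule where _WRITE and _PUSH are only accepted together with _ENABLE, and the relaxation where _WRITE alone is valid while _PUSH alone still is not, applied to the main-thread/worker-thread scenario from the question. The SS_* names, their bit values and the NTHREADS status table are assumptions of this model, not the kernel's uapi definitions.

```c
#include <errno.h>
#include <stdbool.h>

/* Flag bits modelled on the _ENABLE/_WRITE/_PUSH flags in the thread; the
 * names and bit positions are placeholders, not the kernel's uapi values. */
#define SS_ENABLE (1UL << 0)
#define SS_WRITE  (1UL << 1)
#define SS_PUSH   (1UL << 2)
#define SS_VALID_MASK (SS_ENABLE | SS_WRITE | SS_PUSH)

/* Validate a requested flag set, returning 0 or -EINVAL like a prctl handler.
 * strict == true : the "married" rule from the question: _WRITE and _PUSH
 *                  are only accepted together with _ENABLE.
 * strict == false: the relaxation floated in the reply: _WRITE alone is
 *                  valid, but _PUSH still needs an enabled stack. */
int ss_validate_flags(unsigned long flags, bool strict)
{
    if (flags & ~SS_VALID_MASK)
        return -EINVAL;         /* unknown bits are rejected */
    if (flags & SS_ENABLE)
        return 0;               /* anything on top of _ENABLE is fine */
    if (flags & SS_PUSH)
        return -EINVAL;         /* _PUSH without _ENABLE: no stack pointer */
    if ((flags & SS_WRITE) && strict)
        return -EINVAL;         /* _WRITE alone only under the relaxed rule */
    return 0;                   /* flags == 0 simply disables */
}

/* Per-thread status table for the scenario: index 0 is the main thread,
 * the rest are the contained worker threads. A prctl only changes the
 * calling thread's entry, so main disabling itself leaves workers enabled. */
#define NTHREADS 4

/* Run the scenario and return the main thread's final status:
 * 0 under the strict rule (it has to give up _WRITE along with _ENABLE),
 * SS_WRITE under the relaxed rule. Workers keep SS_ENABLE either way. */
unsigned long ss_scenario_main_status(bool strict, unsigned long *workers_enabled)
{
    unsigned long status[NTHREADS] = { 0 };
    for (int i = 0; i < NTHREADS; i++)
        status[i] = SS_ENABLE;                      /* everyone enables */
    /* main must disable for dlopen but wants to keep _WRITE for fixups */
    unsigned long want = SS_WRITE;
    status[0] = ss_validate_flags(want, strict) == 0 ? want : 0;
    *workers_enabled = 1;
    for (int i = 1; i < NTHREADS; i++)
        *workers_enabled &= (status[i] & SS_ENABLE) != 0;
    return status[0];
}
```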