Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5546168rdb; Wed, 13 Dec 2023 11:44:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IF9+W8Ucx6j3bcg1isaVlSFmjsFaU+tEH3bgMVHUxp3ntDD+ycT1sjeguwOyPrmOwP0A0Vc X-Received: by 2002:a05:6a00:3107:b0:6ce:2731:c254 with SMTP id bi7-20020a056a00310700b006ce2731c254mr3582232pfb.67.1702496659069; Wed, 13 Dec 2023 11:44:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702496659; cv=none; d=google.com; s=arc-20160816; b=krf6IOnrDImzgTQULcaxcl2hrWGAXInDSbrm4HwrBs57WrzLoRCmZzxsHsbqVu4jZ3 OUdykddt6dEfDmI/Uj5IWGSnhJbhC6TL7Idxp/d7VyHirh1I/jY+f9PvcssCLAYCRldW aLkSfmpTBGVACd1wvypTyrrvwKckuopEBHgWz6cm95tNeXw7AU3I/PfyKY5LtKGOR+N8 J9mbpkj02Asb3pJhGlW1T0dUTrv9781dBxgD+CD11LEcd4HhArBjnJEKz8VKIE8CVjK8 Y19Uvxgphf0JMOFEE0fLz7NAL7jiHM1Gp6aa4rND1rN+Z5QDt1WlX3TZ+Cske82nBnmB PzjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=7KwJmg/AmRci9oth6e0vim63G1m84y3oNQcN/OKV3e0=; fh=txQbuk242FAPPEhu1HwwgZJLRYSPZEMBV0FwN7E4ncU=; b=JuPzx7Q5t9g1TT1R9O91LJaFz6dfeW6UR2lyn3GzSxI8BC6Ybiiuoudtw2Yt1EjEwG FyzvDF+t5vTwJJcU5hnukDeOui+3X/okBVZIe8KK7CXcgCU81DwBRz1kNhXKJin3r2EE u0BndP8UydjuT7KZX21TcyonEpsaEaUK8XMAy/yPfz41aBUAQ5NgO/n5n15KDWoHvake zAf+M1xjxbRrabS+uCkkXVjeeLfwymhkIt1pvG5qqpB4ShMPECw0WhCqHSMU/hA58As8 Ru0LWD0An8k1VAS/RhOORxA9tcf+MwDF91YEfqrUjfefoGg0rdsqsZKxIZS/OCIUpqlY HIoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=YEamIdU7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id u6-20020a63df06000000b005c6045987a1si9848424pgg.7.2023.12.13.11.44.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 11:44:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=YEamIdU7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 9C1868032366; Wed, 13 Dec 2023 11:44:11 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229938AbjLMTn6 (ORCPT + 99 others); Wed, 13 Dec 2023 14:43:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229811AbjLMTn5 (ORCPT ); Wed, 13 Dec 2023 14:43:57 -0500 Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15E26DD for ; Wed, 13 Dec 2023 11:44:02 -0800 (PST) Received: by mail-yb1-xb2d.google.com with SMTP id 3f1490d57ef6-dbcc63b7c68so1675205276.1 for ; Wed, 13 Dec 2023 11:44:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1702496641; x=1703101441; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=7KwJmg/AmRci9oth6e0vim63G1m84y3oNQcN/OKV3e0=; b=YEamIdU7C239wWPhqUHdM5mUnEJHCDsS6mV07MZk3u2h4XsRiQFtYsKTRzDqF0SWvz 8xo+oS9bCU9hLMZjmxNcqhlYARs7r1jd0M/EmCgne2ivcV9Jwg41OYIK08nVin/QqOKP WRHp6VQRqdsdWCZMf5ig8td+pC8U6YnOfKYU4+BaqmyWYC3uGP+34m4+wxeI2Ccw32AQ 8miGZdidSEs2mBdcowgm7+DNQSD2Y8clzNrR9t+tmgLM0J8MLFDJhbjT/Q4ZhzS6GQoQ dTbInR8BqVr0ts7LZpq7jntHS13SHrK82556ERAkjzACnvr3uLp8mJvvHkrucMbHcMAi Viig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702496641; x=1703101441; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7KwJmg/AmRci9oth6e0vim63G1m84y3oNQcN/OKV3e0=; b=opagfUPbGB6FAY02pcdKeEtfyX6xVegy+s/WNy+hB+bY6HLJHg4i8XtF0bCkSBuBqq fIj1WRTPIt8++JZLbRMB/Fo4adtlyCvPpi0kblqjtJZtwoeAmHf+dNLPKPoSb2xUPSJg pDZ2zkPZZOH2Ekknx77q682YRlQaCLl+MyBFxdhN/j4yJ9XyGA8uzacec3hpL8iG4EyS 2uzZ2QhGOH/HPEz2LtM7m0EpUaeNl7eBuTdjhZJIx2ruCwSljoy3HoRg6/d+C6kQ1ack yqXNW1Z6qr+1P3a4b3QUsGzIFRbFnFeeFSI/iCKHoQxH+WQ8IBeEOqrtKqQ1hdDp2Ycw pOXg== X-Gm-Message-State: AOJu0YyUOVbBhBwIkkoBDkwHe/rElZY5zHeIizeSLoaTaOUEwraKFPTF xNqALBaFuZCjRGc96iP2rTwlLOioTjC3S5sdeD0ciw== X-Received: by 2002:a25:8c91:0:b0:db7:dacf:59de with SMTP id m17-20020a258c91000000b00db7dacf59demr4990232ybl.82.1702496641231; Wed, 13 Dec 2023 11:44:01 -0800 (PST) MIME-Version: 1.0 References: <20231122-arm64-gcs-v7-0-201c483bd775@kernel.org> <20231122-arm64-gcs-v7-2-201c483bd775@kernel.org> <0d0d8802-09e3-4ea5-a0b4-b3a08c8a282e@sirena.org.uk> In-Reply-To: <0d0d8802-09e3-4ea5-a0b4-b3a08c8a282e@sirena.org.uk> From: Deepak Gupta Date: Wed, 13 Dec 2023 11:43:49 -0800 Message-ID: Subject: Re: [PATCH v7 02/39] prctl: arch-agnostic prctl for shadow stack To: Mark Brown Cc: Catalin Marinas , Will Deacon , Jonathan Corbet , Andrew Morton , Marc Zyngier , Oliver Upton , James Morse , Suzuki K Poulose , Arnd Bergmann , Oleg Nesterov , Eric Biederman , Kees Cook , Shuah Khan , "Rick P. Edgecombe" , Ard Biesheuvel , Szabolcs Nagy , "H.J. Lu" , Paul Walmsley , Palmer Dabbelt , Albert Ou , Florian Weimer , Christian Brauner , Thiago Jung Bauermann , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Wed, 13 Dec 2023 11:44:11 -0800 (PST) On Wed, Dec 13, 2023 at 5:37=E2=80=AFAM Mark Brown wro= te: > > On Tue, Dec 12, 2023 at 04:50:38PM -0800, Deepak Gupta wrote: > > > A theoretical scenario (no current workloads should've this case > > because no shadow stack) > > > - User mode did _ENABLE on the main thread. Shadow stack was allocated > > for the current > > thread. > > - User mode created a bunch worker threads to run untrusted contained > > code. They shadow > > stack too. > > - main thread had to do dlopen and now need to disable shadow stack on > > itself due to > > incompatibility of incoming object in address space. > > - main thread controls worker threads and knows they're contained and > > should still be running > > with a shadow stack. Although once in a while the main thread needs > > to perform writes to a shadow > > stack of worker threads for some fixup (in the same addr space). > > main thread doesn't want to delegate > > this responsibility of ss writes to worker threads because they're un= trusted. > > > How will it do that (currently _ENABLE is married to _WRITE and _PUSH) = ? > > That's feeling moderately firmly into "don't do that" territory to be > honest, the problems of trying to modify the stack of another running > thread while it's active just don't seem worth it - if you're > coordinating enough to do the modifications it's probably possible to > just ask the thread who's stack is being modified to do the modification > itself and having an unprotected thread writing into shadow stack memory > doesn't feel great. > Yeah no leanings on my side. Just wanted to articulate this scenario. Since this is new ground, we can define what's appropriate. Let's keep it this way where a thread can write to shadow stack mappings only when it itself has shadow stack enabled.