Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp2554681rdb; Wed, 21 Feb 2024 11:10:36 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVDQVv8FqsBhcz1Ku3oONY+YP0o0xUUv1glFPa6DOGO6AyMXAthPSLnWC7S6aj/NKzpdFkYo1ZO/d/tZF5SgF9r3D1jyq6Ni4iwDjMg5w== X-Google-Smtp-Source: AGHT+IFrlbrxjr6nR5QpbUuudd6W+tbmI968Va2boiWsDGjVS5DcX9PSAVUXXhbbF0Dt3hNQnEaW X-Received: by 2002:aa7:cb52:0:b0:564:776f:f8a8 with SMTP id w18-20020aa7cb52000000b00564776ff8a8mr371010edt.2.1708542635911; Wed, 21 Feb 2024 11:10:35 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708542635; cv=pass; d=google.com; s=arc-20160816; b=qjKjQ/967gbTjVSl8cIFzCgMbkKrGNqp+8eNV1+2vUkbrpmiJ1C9jDnCmb3v/o9uMi RGc7Q2qMv6Mds/UlGN6JwKDL5N4oYKt0LydQK8RpYuLUeyj6mmdE8opGe7/qKr+IMn0r pFO1XUlm0Q9iaSY4sVwz4fjWppnglm80TiLWUoqhdqjwQf3ZIXEYJ58pPbZb3mA5cjB3 3FGPGLU71BUW/bNcqAmrIt89aXJUZquSASRqaeBZYU2DBowGnP5vPJOP32O9sKFcEMem kkgvCflBZKRFa5T/rq2opRP1K0aNTwSBeLNp/PrtDj+vKQmi+uE8zFhwNRQ8PwZXTP6x 0ERw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date; bh=+XF0TcJsSAYgKYdVZf6dYi9NrJJgZ31O5GnfQIaNHMY=; fh=h66ctbSzkMNhsY77BYxeoc13/7gQM34x4dIrYIml524=; b=rrVCF67Bq9LaCqebb/VWc1R3j7PBS6SYGb7trji854XSJFs/Va0uEHyiF0fR7Ofzkk Um58QJKY5fLfNE5nkJPc5WON5LpON06JBQeDHJgsjdeodhnJmTlnWZMZe/vyJNMSQV8A 7CfAmBPH58zLXRXKsAn0gmWGhcFFfBFu4Nxx8InhCRwYXmoaG/S1w6+cmWuT2klXQrC8 GnbvxyxOKoroP2OJ1INZSbItA0dFARDmN8UaPl9ormGbHHG5ywS2eZPEkxZ/8QsSwX9E ebvvHYuIgsbmzttILZcpxJV1DS/1DFPYtfVFDvwpe7mokM7NiLEsYaQ1Fgo9v1NWL20u MnRA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=libc.org); spf=pass (google.com: domain of linux-kernel+bounces-75345-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-75345-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id dz19-20020a0564021d5300b005643d9b6d0csi4019875edb.485.2024.02.21.11.10.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Feb 2024 11:10:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-75345-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=libc.org); spf=pass (google.com: domain of linux-kernel+bounces-75345-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-75345-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id A83981F27188 for ; Wed, 21 Feb 2024 19:10:35 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1D0C285C58; Wed, 21 Feb 2024 19:10:26 +0000 (UTC) Received: from brightrain.aerifal.cx (brightrain.aerifal.cx [104.156.224.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EFDFF8563B for ; Wed, 21 Feb 2024 19:10:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=104.156.224.86 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708542625; cv=none; b=OIVoBxzZ5VcDMiY1p6HG6RIfhfeVvD01YCHcWn6qVEdHjzMN24wv86burkaJrFfe2GSpHZ6fzTawCm8wyhI7hvSFYqhUrR047Ay9WB4kS7BhlxzthzpbkSVj8zlJRe+HOWRWqMkJcYfggIPJOgLoQIh9QwKPBi0j0jPPQuFAtz4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708542625; c=relaxed/simple; bh=AgMVTJXzONHGG61D+D+o9DyLBW2kW1yf8Ip12DuoGAI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=W93nx5QmJtWwFoVsredQgjQ27HcRmQb4t2M7Vl1Os2jOFQz9sRM4joeqNt2vRc785Lfcw1R9qY5L/0Oidfx1PvfSPF5uxEvj1sovC0dvktBTAT2mD7+6tIkPts0L/Ej78Y3i+2S8JRJFwuvhd7sp4yus9BkSBvFfRYqUFY76FGE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=libc.org; spf=pass smtp.mailfrom=libc.org; arc=none smtp.client-ip=104.156.224.86 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=libc.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=libc.org Date: Wed, 21 Feb 2024 14:10:39 -0500 From: "dalias@libc.org" To: Mark Brown Cc: "Edgecombe, Rick P" , "linux-arch@vger.kernel.org" , "suzuki.poulose@arm.com" , "Szabolcs.Nagy@arm.com" , "musl@lists.openwall.com" , "linux-fsdevel@vger.kernel.org" , "linux-riscv@lists.infradead.org" , "kvmarm@lists.linux.dev" , "corbet@lwn.net" , "linux-kernel@vger.kernel.org" , "catalin.marinas@arm.com" , "oliver.upton@linux.dev" , "palmer@dabbelt.com" , "debug@rivosinc.com" , "aou@eecs.berkeley.edu" , "shuah@kernel.org" , "arnd@arndb.de" , "maz@kernel.org" , "oleg@redhat.com" , "fweimer@redhat.com" , "keescook@chromium.org" , "james.morse@arm.com" , "ebiederm@xmission.com" , "will@kernel.org" , "brauner@kernel.org" , "hjl.tools@gmail.com" , "linux-kselftest@vger.kernel.org" , "paul.walmsley@sifive.com" , "ardb@kernel.org" , "linux-arm-kernel@lists.infradead.org" , "linux-mm@kvack.org" , "thiago.bauermann@linaro.org" , "akpm@linux-foundation.org" , "sorear@fastmail.com" , "linux-doc@vger.kernel.org" Subject: Re: [musl] Re: [PATCH v8 00/38] arm64/gcs: Provide support for GCS in userspace Message-ID: <20240221191039.GV4163@brightrain.aerifal.cx> References: <20240220185714.GO4163@brightrain.aerifal.cx> <9fc9c45ff6e14df80ad023e66ff7a978bd4ec91c.camel@intel.com> <20240220235415.GP4163@brightrain.aerifal.cx> <20240221012736.GQ4163@brightrain.aerifal.cx> <20240221145800.GR4163@brightrain.aerifal.cx> <4a3809e8-61b2-4341-a868-292ba6e64e8a@sirena.org.uk> <20240221175717.GS4163@brightrain.aerifal.cx> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) On Wed, Feb 21, 2024 at 06:32:20PM +0000, Mark Brown wrote: > On Wed, Feb 21, 2024 at 12:57:19PM -0500, dalias@libc.org wrote: > > On Wed, Feb 21, 2024 at 05:36:12PM +0000, Mark Brown wrote: > > > > This feels like it's getting complicated and I fear it may be an uphill > > > struggle to get such code merged, at least for arm64. My instinct is > > > that it's going to be much more robust and generally tractable to let > > > things run to some suitable synchronisation point and then disable > > > there, but if we're going to do that then userspace can hopefully > > > arrange to do the disabling itself through the standard disable > > > interface anyway. Presumably it'll want to notice things being disabled > > > at some point anyway? TBH that's been how all the prior proposals for > > > process wide disable I've seen were done. > > > If it's possible to disable per-thread rather than per-process, some > > things are easier. Disabling on account of using alt stacks only needs > > Both x86 and arm64 currently track shadow stack enablement per thread, > not per process, so it's not just possible to do per thread it's the > only thing we're currently implementing. I think the same is true for > RISC-V but I didn't look as closely at that yet. That's nice! It allows still keeping part of the benefit of SS in programs which have some threads running with custom stacks. We do however need a global-disable option for dlopen. In musl this could be done via the same mechanism ("synccall") used for set*id -- it's basically userspace IPI. But just having a native operation would be nicer, and would probably help glibc where I don't think they abstracted their set*id mechanism to do other things like this. > > If folks on the kernel side are not going to be amenable to doing the > > things that are easy for the kernel to make it work without breaking > > compatibility with existing interfaces, but that are impossible or > > near-impossible for userspace to do, this seems like a dead-end. And I > > suspect an operation to "disable shadow stack, but without making > > threads still in SS-critical sections crash" is going to be > > necessary.. > > Could you be more specific as to the easy things that you're referencing > here? Basically the ARCH_SHSTK_SUPPRESS_UD proposal. Rich