From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58549C43464 for ; Fri, 18 Sep 2020 21:23:05 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id E9FBD22208 for ; Fri, 18 Sep 2020 21:23:04 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E9FBD22208 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ucw.cz Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 5F5F96B0096; Fri, 18 Sep 2020 17:23:03 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 57EFF6B0098; Fri, 18 Sep 2020 17:23:03 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 46E826B0099; Fri, 18 Sep 2020 17:23:03 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0143.hostedemail.com [216.40.44.143]) by kanga.kvack.org (Postfix) with ESMTP id 2CA436B0096 for ; Fri, 18 Sep 2020 17:23:03 -0400 (EDT) Received: from smtpin12.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id E77168249980 for ; Fri, 18 Sep 2020 21:23:02 +0000 (UTC) X-FDA: 77277457404.12.fear78_3015d892712e Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin12.hostedemail.com (Postfix) with ESMTP id C442618012026 for ; Fri, 18 Sep 2020 21:23:02 +0000 (UTC) X-HE-Tag: fear78_3015d892712e X-Filterd-Recvd-Size: 4148 Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [46.255.230.98]) by imf38.hostedemail.com (Postfix) with ESMTP for ; Fri, 18 Sep 2020 21:23:02 +0000 (UTC) Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 0590D1C0B78; Fri, 18 Sep 2020 23:22:59 +0200 (CEST) Date: Fri, 18 Sep 2020 23:22:58 +0200 From: Pavel Machek To: "Yu, Yu-cheng" Cc: Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , Weijiang Yang Subject: Re: [PATCH v12 8/8] x86: Disallow vsyscall emulation when CET is enabled Message-ID: <20200918212258.GD4304@duo.ucw.cz> References: <20200918192312.25978-1-yu-cheng.yu@intel.com> <20200918192312.25978-9-yu-cheng.yu@intel.com> <20200918210026.GC4304@duo.ucw.cz> <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NklN7DEeGtkPCoo3" Content-Disposition: inline In-Reply-To: <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: --NklN7DEeGtkPCoo3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri 2020-09-18 14:21:10, Yu, Yu-cheng wrote: > On 9/18/2020 2:00 PM, Pavel Machek wrote: > > On Fri 2020-09-18 12:32:57, Dave Hansen wrote: > > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote: > > > > Emulation of the legacy vsyscall page is required by some programs > > > > built before 2013. Newer programs after 2013 don't use it. > > > > Disable vsyscall emulation when Control-flow Enforcement (CET) is > > > > enabled to enhance security. > > >=20 > > > How does this "enhance security"? > > >=20 > > > What is the connection between vsyscall emulation and CET? > >=20 > > Boom. > >=20 > > We don't break compatibility by default, and you should not tell > > people to enable CET by default if you plan to do this. >=20 > I would revise the wording if there is another version. What this patch > does is: >=20 > If an application is compiled for CET and the system supports it, then the > application cannot do vsyscall emulation. Earlier we allow the emulation, > and had a patch that fixes the shadow stack and endbr for the emulation > code. Since newer programs mostly do no do the emulation, we changed the > patch do block it when attempted. >=20 > This patch would not block any legacy applications or any applications on > older machines. Aha, makes sense, sorry for the noise. Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --NklN7DEeGtkPCoo3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCX2UlMgAKCRAw5/Bqldv6 8vVFAJ41iKxZD+QTSRHZvYWU+1CsdoJREgCcCLoiJeApvT43KAk2xvBWtw06jWU= =Yah9 -----END PGP SIGNATURE----- --NklN7DEeGtkPCoo3--