Date: Fri, 10 Mar 2023 00:51:52 +0100
From: Borislav Petkov
To: "Edgecombe, Rick P"
Cc: "david@redhat.com", "bsingharora@gmail.com", "hpa@zytor.com",
    "Syromiatnikov, Eugene", "peterz@infradead.org", "rdunlap@infradead.org",
    "keescook@chromium.org", "Eranian, Stephane",
    "kirill.shutemov@linux.intel.com", "dave.hansen@linux.intel.com",
    "linux-mm@kvack.org", "fweimer@redhat.com", "nadav.amit@gmail.com",
    "jannh@google.com", "dethoma@microsoft.com", "kcc@google.com",
    "linux-arch@vger.kernel.org", "pavel@ucw.cz", "oleg@redhat.com",
    "hjl.tools@gmail.com", "akpm@linux-foundation.org", "Yang, Weijiang",
    "Lutomirski, Andy", "jamorris@linux.microsoft.com", "arnd@arndb.de",
    "tglx@linutronix.de", "Schimpe, Christina", "mike.kravetz@oracle.com",
    "debug@rivosinc.com", "linux-doc@vger.kernel.org", "x86@kernel.org",
    "andrew.cooper3@citrix.com", "john.allen@amd.com", "rppt@kernel.org",
    "mingo@redhat.com", "corbet@lwn.net", "linux-kernel@vger.kernel.org",
    "linux-api@vger.kernel.org", "gorcunov@gmail.com"
Subject: Re: [PATCH v7 28/41] x86: Introduce userspace API for shadow stack
Message-ID: <20230309235152.GBZApxGNnXLvkGXCet@fat_crate.local>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
    <20230227222957.24501-29-rick.p.edgecombe@intel.com>
    <9e00b2a3d988f7b24d274a108d31f5f0096eeaae.camel@intel.com>
    <20230309125739.GCZAnXw5T1dfzwtqh8@fat_crate.local>

On Thu, Mar 09, 2023 at 04:56:37PM +0000, Edgecombe, Rick P wrote:
> There is a proc that shows if shadow stack is enabled in a thread. It
> does indeed come later in the series.

Not good enough:

1. buried somewhere in proc where no one knows about it

2. it is per thread so user needs to grep *all*

> ... We previously tried to add some batch operations to improve the
> performance, but tglx had suggested to start with something simple.
> So we end up with this simple composable API.

I agree with starting simple and thanks for explaining this in detail.

TBH, though, it already sounds like a mess to me. I guess a mess we'll
have to deal with because there will always be this case of some
shared object/lib not being enabled for shstk because of raisins.

And TBH #2, I would've done it even simpler: if some shared object can't
do shadow stack, we disable it for the whole process. I mean, what's the
point? Only some of the stack is shadowed so an attacker could find
a way to keep the process perhaps run this shstk-unsupporting shared
object more/longer and ROP its way around the system.

But I tend to oversimplify things sometimes so...

What I'd like to have, though, is a kernel cmdline param which disables
permissive mode and userspace can't do anything about it. So that once
you boot your kernel, you can know that everything that runs on the
machine has shstk and is properly protected.

Also, it'll allow for faster fixing of all those shared objects to use
shstk by way of political pressure.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
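
The per-thread check discussed in this message, written out as an added example (it is not part of the e-mail or of the patch series): an audit that reads every thread's status file and reports the ones without shadow stack. It assumes the per-thread state is exposed as an `x86_Thread_features:` line in `/proc/<pid>/task/<tid>/status`, which the message itself does not name; the function names and the sample status texts are constructed for illustration.

```python
import glob

# Assumption: name of the per-thread line in /proc/<pid>/task/<tid>/status.
FEATURE_KEY = "x86_Thread_features"


def thread_features(status_text):
    """Return the set of features on the feature line, or None if the line is absent."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        # Exact key match, so "x86_Thread_features_locked" is not picked up.
        if sep and key.strip() == FEATURE_KEY:
            return set(value.split())
    return None


def audit(status_by_path):
    """Classify each status text as 'shstk', 'off' or 'unknown' (no feature line)."""
    result = {}
    for path, text in status_by_path.items():
        feats = thread_features(text)
        if feats is None:
            result[path] = "unknown"
        elif "shstk" in feats:
            result[path] = "shstk"
        else:
            result[path] = "off"
    return result


def read_live_threads():
    """Read the status file of every thread of every process on this machine."""
    out = {}
    for path in glob.glob("/proc/[0-9]*/task/[0-9]*/status"):
        try:
            with open(path) as fh:
                out[path] = fh.read()
        except OSError:
            continue  # thread exited between glob and open
    return out


# Constructed sample input: three threads in two processes.
SAMPLE = {
    "/proc/100/task/100/status": "Name:\tsrv\nx86_Thread_features:\tshstk\nx86_Thread_features_locked:\tshstk\n",
    "/proc/100/task/101/status": "Name:\tsrv\nx86_Thread_features:\t\nx86_Thread_features_locked:\t\n",
    "/proc/200/task/200/status": "Name:\told\nThreads:\t1\n",
}

if __name__ == "__main__":
    for path, state in sorted(audit(read_live_threads() or SAMPLE).items()):
        if state != "shstk":
            print(state, path)
```
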