From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9C6AAC61DA4
	for <linux-mm@archiver.kernel.org>; Mon,  6 Mar 2023 18:57:40 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 9F4236B0071; Mon,  6 Mar 2023 13:57:39 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 97CEB280001; Mon,  6 Mar 2023 13:57:39 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 81D8E6B0073; Mon,  6 Mar 2023 13:57:39 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12])
	by kanga.kvack.org (Postfix) with ESMTP id 6C87D6B0071
	for <linux-mm@kvack.org>; Mon,  6 Mar 2023 13:57:39 -0500 (EST)
Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 2FE12120B6F
	for <linux-mm@kvack.org>; Mon,  6 Mar 2023 18:57:39 +0000 (UTC)
X-FDA: 80539382238.25.01B6D19
Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55])
	by imf29.hostedemail.com (Postfix) with ESMTP id 65D29120018
	for <linux-mm@kvack.org>; Mon,  6 Mar 2023 18:57:36 +0000 (UTC)
Authentication-Results: imf29.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=oTQSZEZg;
	spf=pass (imf29.hostedemail.com: domain of luto@kernel.org designates 145.40.73.55 as permitted sender) smtp.mailfrom=luto@kernel.org;
	dmarc=pass (policy=none) header.from=kernel.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1678129057;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=03P9vBOZZNXmPx0HLnw54wVZTfH25kJx4oCPz5Oi0nw=;
	b=NQxpbfcXIJplEVPQ0kEBPjgyBOaIedmjONvlZAfkzRg1jX+RbFhSFSlALzxpw+7Xb9bWhk
	XYWz3+YEBxO4sX3rI5av4o7RXHYAt7p0KLk9o5wi5IMNtblWg03omNNS9avjVYnfU2fX//
	wbWsrXJe7kCVlGMgDeOy434neNIN52M=
ARC-Authentication-Results: i=1;
	imf29.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=oTQSZEZg;
	spf=pass (imf29.hostedemail.com: domain of luto@kernel.org designates 145.40.73.55 as permitted sender) smtp.mailfrom=luto@kernel.org;
	dmarc=pass (policy=none) header.from=kernel.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1678129057; a=rsa-sha256;
	cv=none;
	b=Wsc3YYoz+ofZRxgmoc7uI8QhV0sHIV5MqwG9mI6zMK6GFz0GEeWSvoFwECLSILduSbUsB3
	VtV6qU4k1UVsTnK1Jmj8EmXMqAxxy/MOpt1ENOTd9+YpICZOvTGZUSJfjyQ0eSxbxXzbWQ
	lezkzg9y9wTWVpHGy7xmdiW4jKk8nFc=
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sin.source.kernel.org (Postfix) with ESMTPS id 6CCE7CE1724;
	Mon,  6 Mar 2023 18:57:32 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 93735C4339E;
	Mon,  6 Mar 2023 18:57:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1678129050;
	bh=6vXrvt7y3pSV5UzVc45cU2dXI063yro0+EDdwbCQfnU=;
	h=In-Reply-To:References:Date:From:To:Cc:Subject:From;
	b=oTQSZEZgHcfYMEKuFyrO+0WbZv9W+W+iIfSFWSVUsjZRI1P86YeZim1S3X6MRab5s
	 8WMGKLgSS2Jf7xVMkKCMcYYWq0BMvdT+LvXeDKxwENDftxflzdjx55Ebwh6Thqr5Mk
	 vqA1twovNE7Khq55t/YdVKVGl1PiCEjLiaufAVGp8FSdXulPlnV4Hh/ic9KfLtW8C2
	 TUHB0U7rb/UH0AMb2QdnQuZgd9Lf0uAlyvMNbFsgAkMzXFS97lURf0X4wZ1lHWjdtQ
	 qFmfHv8UaF5rZXrLqgcsxCdZ+VCRxvY8SSUqBrWGUoz16tXpgW7pZLVBqeZIqRXXjJ
	 9ZXbyKKGvRg0Q==
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
	by mailauth.nyi.internal (Postfix) with ESMTP id 7654827C0054;
	Mon,  6 Mar 2023 13:57:28 -0500 (EST)
Received: from imap48 ([10.202.2.98])
  by compute3.internal (MEProxy); Mon, 06 Mar 2023 13:57:28 -0500
X-ME-Sender: <xms:ljcGZHkD9Azx8CnjaQr1OAMo85lvkMQHnS1OGc59t2xI0LLFXIo6zg>
    <xme:ljcGZK1Mhih9tBQOYsihBve47qe1Vfw6QVvj8fACKCnj3hIQap92OIHngSL3G5P42
    PhZgYfEsU9oGsOKScI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddtkedgleduucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepofgfggfkjghffffhvfevufgtgfesthhqredtreerjeenucfhrhhomhepfdet
    nhguhicunfhuthhomhhirhhskhhifdcuoehluhhtoheskhgvrhhnvghlrdhorhhgqeenuc
    ggtffrrghtthgvrhhnpeeiteejleegjeekleegveeujeejvdehjeekveegudduudffueek
    jefffeeujeekhfenucffohhmrghinhepkhgvrhhnvghlrdhorhhgnecuvehluhhsthgvrh
    fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprghnugihodhmvghsmhhtphgr
    uhhthhhpvghrshhonhgrlhhithihqdduudeiudekheeifedvqddvieefudeiiedtkedqlh
    huthhopeepkhgvrhhnvghlrdhorhhgsehlihhnuhigrdhluhhtohdruhhs
X-ME-Proxy: <xmx:ljcGZNpr7paDnSHmMFH-Gj7F5-y8Q53JTvKn0-UVV-q1eqD20cRBGw>
    <xmx:ljcGZPkzRTZmNcOa42iXgmYIyyT4fDqxGJeyrciMCneH3DJfV2_ziA>
    <xmx:ljcGZF2b-Ft6PTPRgbxnlmFOjAEg7Dj5aeKcE6lKu48F4KVEEadXDg>
    <xmx:mDcGZA55iif505_2sp6shY1Ep30GOjTS-AaJfQpumw6W_iDd0bNPWw>
Feedback-ID: ieff94742:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id B80BE31A0063; Mon,  6 Mar 2023 13:57:26 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-206-g57c8fdedf8-fm-20230227.001-g57c8fded
Mime-Version: 1.0
Message-Id: <2361d4e2-c8c9-4dc4-b925-ab6543ba3404@app.fastmail.com>
In-Reply-To: <c3e21d54fdc025c8e09f90b57dd3de0751cefbfd.camel@intel.com>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
 <20230227222957.24501-25-rick.p.edgecombe@intel.com>
 <ZAXmOZYcoR3hq/CH@zn.tnic>
 <CALCETrViDpTbuBk+9wQa-PNzKZerwk=4MmKMXw2v3Ysxuv2k3A@mail.gmail.com>
 <c3e21d54fdc025c8e09f90b57dd3de0751cefbfd.camel@intel.com>
Date: Mon, 06 Mar 2023 10:57:06 -0800
From: "Andy Lutomirski" <luto@kernel.org>
To: "Rick P Edgecombe" <rick.p.edgecombe@intel.com>,
 "Borislav Petkov" <bp@alien8.de>
Cc: "David Hildenbrand" <david@redhat.com>,
 "Balbir Singh" <bsingharora@gmail.com>, "H. Peter Anvin" <hpa@zytor.com>,
 "Eugene Syromiatnikov" <esyr@redhat.com>,
 "Peter Zijlstra (Intel)" <peterz@infradead.org>,
 "Randy Dunlap" <rdunlap@infradead.org>,
 "Kees Cook" <keescook@chromium.org>,
 "Dave Hansen" <dave.hansen@linux.intel.com>,
 "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, "Eranian,
 Stephane" <eranian@google.com>,
 "linux-mm@kvack.org" <linux-mm@kvack.org>,
 "Florian Weimer" <fweimer@redhat.com>,
 "Nadav Amit" <nadav.amit@gmail.com>, "Jann Horn" <jannh@google.com>,
 "dethoma@microsoft.com" <dethoma@microsoft.com>,
 "kcc@google.com" <kcc@google.com>,
 "linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
 "Pavel Machek" <pavel@ucw.cz>, "Oleg Nesterov" <oleg@redhat.com>,
 "H.J. Lu" <hjl.tools@gmail.com>,
 "Weijiang Yang" <weijiang.yang@intel.com>,
 "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
 "Arnd Bergmann" <arnd@arndb.de>,
 "jamorris@linux.microsoft.com" <jamorris@linux.microsoft.com>,
 "Thomas Gleixner" <tglx@linutronix.de>, "Schimpe,
 Christina" <christina.schimpe@intel.com>,
 "Mike Kravetz" <mike.kravetz@oracle.com>,
 "the arch/x86 maintainers" <x86@kernel.org>,
 "Andrew Morton" <akpm@linux-foundation.org>,
 "debug@rivosinc.com" <debug@rivosinc.com>,
 "Andrew Cooper" <andrew.cooper3@citrix.com>,
 "Mike Rapoport" <rppt@kernel.org>,
 "john.allen@amd.com" <john.allen@amd.com>,
 "Ingo Molnar" <mingo@redhat.com>, "Jonathan Corbet" <corbet@lwn.net>,
 "Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
 "Linux API" <linux-api@vger.kernel.org>,
 "Cyrill Gorcunov" <gorcunov@gmail.com>
Subject: Re: [PATCH v7 24/41] mm: Don't allow write GUPs to shadow stack memory
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Rspam-User: 
X-Rspamd-Server: rspam03
X-Stat-Signature: wat7apkg5d4rh8iwdpoh9uguip7k89xr
X-Rspamd-Queue-Id: 65D29120018
X-HE-Tag: 1678129056-651725
X-HE-Meta: U2FsdGVkX19U1ym7DM8DBa3uhKsNo8utEZtBTg/ngVujl4/ozrc84R5US5lIypKGoM7tqNE38bkqjbdTnJ+AbQHQLAHRmn7Eenc6gsjCaM3VXLq8VAoKYp4ut4Y4XQmfMgRcrUm0gLMyP2j725t+hIXi3C5Yq847nKk2QOFgyHQ/LDcXgo1BYqexd32GVcICbeXjfl9120Z3c7wTLRWLazb1j1mlGvMdLkvRPtfS/ptxZ/+IBBdRCTYdu1jIcoT1eFvqCKIvhnWU+x5TH7SI6Re3Ah5C3TVrNp/wmQODH+Zl/vVNkUJ/ACHzfgdSoY5sF8pX1sPb0EEzOyik0HrVYP4oIFMRN6FfkjzgwBnLa+SRQ+Sixf+kdkzuzi646r6iu+vNO2FyMEpEe0se7WT467sE29DAkhNrfM57TL6yUSxGlRMhHKSskIApDwmWjgP4xgprn/l/MQ/iyQaPFPuV1dsXKflCecpgOvc0YIXbsbqu8804VrPJSXbBloYo7MnGn7YZWEZmEo2ef2XHQz9uS39WrobGyuhyjBBj+HMcqyXHxaRlyqgVPKb7ejjEUOGZjj0ZgvZlep4p9FMW2R2zMfDUwKRkKiwFEtQRWdLVZIygVyR+xAsmFdt4S7wTTXxvngdJnM0BQAe9y6aoiPM5JNNEs5Edq/qp423JZk2FjzNKYGZqX+vPrVXjPrMYnUrpG3pt22XmD/aYKvdOfQXTL9vOwEL6A2+rzfrGIOOERLbALM2sIA4wD4wmB9Fe/8hNPXU7OWk/U2qQiAPon5ea/BMkCPsuJEdEGn4AOQjmoNddLAj6D4aXkQPxRbOLRznFJB3y7BnP7yeELGBK2RKrHDY0lTXKCPIUuQyKkrgFliB+56zcKLtPE6sxetP7aA12Uo2fKSVPAlll3xsRVklkZlyrkbCIZh2z/g1qTmDBYLIjajVYWHsiAn4/0SSYWHNDZYrLAb0pGtewaRXgJda
 PjkX+Eaq
 M0VqEVasMaJoHI+IRvPa00GSgeChlUYzitXgb8cuCL0b4J4HRS5z36cLUHaLnOmMRqDi4WsmDDUX708BpjXL8C+U9H3X/v8OqXc3+KNXrJdDVQtsNHoK/L2sQeE3DsoV17e6FotsuXGLd8n+rxzl6rBBAXuxgUqroMGsApBtH4VMz6yz6snFhOOIrEgZk7H7UW0nAY52tsLSmX3YjKiKxjteie9DPJX8K6N+yqZe0qxKWxod244Eo9gl4vn85ftlCugCGKh5tio1YvydLSyruV0qV+/SF6Uci5WV0KY2kzGeTkyrcGWZPxOnI2nZEbYH9jbgkfdMaYT4Bu/vJkJX5/UMwpio2uXGISAJiMoRrG6HrnH8GLzXcRlH3aILYcbIZ2kRB3uzb7t5/BdxTtzW8IQE4F034TzSAQktuLpAMcH922HXZnJSvShQ/mjgoWvu1a5LQR5F+mpL1r61WOTpcQ99on4LgG2ufIKKF3RNQM6hrE0VOEbAvoMdP+7nd4Dn/qkcfxfEqkCxm/k0=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Mar 6, 2023, at 10:33 AM, Edgecombe, Rick P wrote:
> On Mon, 2023-03-06 at 10:15 -0800, Andy Lutomirski wrote:
>> On Mon, Mar 6, 2023 at 5:10=E2=80=AFAM Borislav Petkov <bp@alien8.de>=
 wrote:
>> >=20
>> > On Mon, Feb 27, 2023 at 02:29:40PM -0800, Rick Edgecombe wrote:
>> > > The x86 Control-flow Enforcement Technology (CET) feature
>> > > includes a new
>> > > type of memory called shadow stack. This shadow stack memory has
>> > > some
>> > > unusual properties, which requires some core mm changes to
>> > > function
>> > > properly.
>> > >=20
>> > > Shadow stack memory is writable only in very specific, controlled
>> > > ways.
>> > > However, since it is writable, the kernel treats it as such. As a
>> > > result
>> >=20
>> >                                                                   =20
>> >         ^
>> >                                                                   =20
>> >         ,
>> >=20
>> > > there remain many ways for userspace to trigger the kernel to
>> > > write to
>> > > shadow stack's via get_user_pages(, FOLL_WRITE) operations. To
>> > > make this a
>>=20
>> Is there an alternate mechanism, or do we still want to allow
>> FOLL_FORCE so that debuggers can write it?
>
> Yes, GDB shadow stack support uses it via both ptrace poke and
> /proc/pid/mem apparently. So some ability to write through is needed
> for debuggers. But not CRIU actually. It uses WRSS.
>
> There was also some discussion[0] previously about how apps might
> prefer to block /proc/self/mem for general security reasons. Blocking
> shadow stack writes while you allow text writes is probably not that
> impactful security-wise. So I thought it would be better to leave the
> logic simpler. Then when /proc/self/mem could be locked down per the
> discussion, shadow stack can be locked down the same way.

Ah, I am guilty of reading your changelog but not the code.

You said:

Shadow stack memory is writable only in very specific, controlled ways.
However, since it is writable, the kernel treats it as such. As a result
there remain many ways for userspace to trigger the kernel to write to
shadow stack's via get_user_pages(, FOLL_WRITE) operations. To make this=
 a
little less exposed, block writable GUPs for shadow stack VMAs.

I read that as *denying* FOLL_FORCE.  Maybe clarify the changelog?

>
> [0]=20
> https://lore.kernel.org/lkml/E857CF98-EEB2-4F83-8305-0A52B463A661@kern=
el.org/