From: Deepak Gupta
Date: Wed, 13 Dec 2023 11:43:49 -0800
Subject: Re: [PATCH v7 02/39] prctl: arch-agnostic prctl for shadow stack
To: Mark Brown
Cc: Catalin Marinas, Will Deacon, Jonathan Corbet, Andrew Morton,
    Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose,
    Arnd Bergmann, Oleg Nesterov, Eric Biederman, Kees Cook, Shuah Khan,
    "Rick P. Edgecombe", Ard Biesheuvel, Szabolcs Nagy, "H.J. Lu",
    Paul Walmsley, Palmer Dabbelt, Albert Ou, Florian Weimer,
    Christian Brauner, Thiago Jung Bauermann,
    linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
    kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org,
    linux-arch@vger.kernel.org, linux-mm@kvack.org,
    linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-riscv@lists.infradead.org
References: <20231122-arm64-gcs-v7-0-201c483bd775@kernel.org>
    <20231122-arm64-gcs-v7-2-201c483bd775@kernel.org>
    <0d0d8802-09e3-4ea5-a0b4-b3a08c8a282e@sirena.org.uk>
In-Reply-To: <0d0d8802-09e3-4ea5-a0b4-b3a08c8a282e@sirena.org.uk>

On Wed, Dec 13, 2023 at 5:37 AM Mark Brown wrote:
>
> On Tue, Dec 12, 2023 at 04:50:38PM -0800, Deepak Gupta wrote:
>
> > A theoretical scenario (no current workloads should've this case
> > because no shadow stack)
>
> > - User mode did _ENABLE on the main thread. Shadow stack was allocated
> >   for the current thread.
> > - User mode created a bunch of worker threads to run untrusted contained
> >   code. They shadow stack too.
> > - main thread had to do dlopen and now need to disable shadow stack on
> >   itself due to incompatibility of incoming object in address space.
> > - main thread controls worker threads and knows they're contained and
> >   should still be running with a shadow stack. Although once in a while
> >   the main thread needs to perform writes to a shadow stack of worker
> >   threads for some fixup (in the same addr space). main thread doesn't
> >   want to delegate this responsibility of ss writes to worker threads
> >   because they're untrusted.
>
> > How will it do that (currently _ENABLE is married to _WRITE and _PUSH)?
>
> That's feeling moderately firmly into "don't do that" territory to be
> honest, the problems of trying to modify the stack of another running
> thread while it's active just don't seem worth it - if you're
> coordinating enough to do the modifications it's probably possible to
> just ask the thread whose stack is being modified to do the modification
> itself and having an unprotected thread writing into shadow stack memory
> doesn't feel great.
>

Yeah no leanings on my side. Just wanted to articulate this scenario.
Since this is new ground, we can define what's appropriate.
Let's keep it this way where a thread can write to shadow stack
mappings only when it itself has shadow stack enabled.