From: "H.J. Lu"
Date: Wed, 9 Feb 2022 18:53:35 -0800
Subject: Re: [PATCH 00/35] Shadow stacks for userspace
To: Andy Lutomirski, Felix Willgerodt
Cc: "Edgecombe, Rick P", "gorcunov@gmail.com", "bsingharora@gmail.com", "hpa@zytor.com", "Syromiatnikov, Eugene", "peterz@infradead.org", "rdunlap@infradead.org", "keescook@chromium.org", "0x7f454c46@gmail.com", "dave.hansen@linux.intel.com", "kirill.shutemov@linux.intel.com", "Eranian, Stephane", "linux-mm@kvack.org", "adrian@lisas.de", "fweimer@redhat.com", "nadav.amit@gmail.com", "jannh@google.com", "avagin@gmail.com", "linux-arch@vger.kernel.org", "kcc@google.com", "bp@alien8.de", "oleg@redhat.com", "pavel@ucw.cz", "linux-doc@vger.kernel.org", "arnd@arndb.de", "Moreira, Joao", "tglx@linutronix.de", "mike.kravetz@oracle.com", "x86@kernel.org", "Yang, Weijiang", "rppt@kernel.org", "Dave.Martin@arm.com", "john.allen@amd.com", "mingo@redhat.com", "Hansen, Dave", "corbet@lwn.net", "linux-kernel@vger.kernel.org", "linux-api@vger.kernel.org", "Shankar, Ravi V"

On Wed, Feb 9, 2022 at 6:37 PM Andy Lutomirski wrote:
>
> On 2/8/22 18:18, Edgecombe, Rick P wrote:
> > On Tue, 2022-02-08 at 20:02 +0300, Cyrill Gorcunov wrote:
> >> On Tue, Feb 08, 2022 at 08:21:20AM -0800, Andy Lutomirski wrote:
> >>>>> But such a knob will immediately reduce the security value of the entire
> >>>>> thing, and I don't have good ideas how to deal with it :(
> >>>>
> >>>> Probably a kind of latch in the task_struct which would trigger off once
> >>>> return to a different address happened, thus we would be able to jump inside
> >>>> parasite code. Of course such trigger should be available under proper
> >>>> capability only.
> >>>
> >>> I'm not fully in touch with how parasite, etc works. Are we
> >>> talking about save or restore?
> >>
> >> We use parasite code in question during checkpoint phase as far as I
> >> remember.
> >> push addr/lret trick is used to run "injected" code (code injection
> >> itself is done via ptrace) in compat mode at least. Dima, Andrei, I didn't look
> >> into this code for years already, do we still need to support compat mode at all?
> >>
> >>> If it's restore, what exactly does CRIU need to do? Is it just
> >>> that CRIU needs to return out from its resume code into the to-be-resumed
> >>> program without tripping CET? Would it be acceptable for CRIU to require that
> >>> at least one shstk slot be free at save time? Or do we need a mechanism to
> >>> atomically switch to a completely full shadow stack at resume?
> >>>
> >>> Off the top of my head, a sigreturn (or sigreturn-like mechanism)
> >>> that is intended for use for altshadowstack could safely verify a token on the
> >>> altshadowstack, possibly compare to something in ucontext (or not -- this
> >>> isn't clearly necessary) and switch back to the previous stack. CRIU could
> >>> use that too. Obviously CRIU will need a way to populate the relevant stacks,
> >>> but WRUSS can be used for that, and I think this is a fundamental requirement
> >>> for CRIU -- CRIU restore absolutely needs a way to write the saved shadow
> >>> stack data into the shadow stack.
> >
> > Still wrapping my head around the CRIU save and restore steps, but
> > another general approach might be to give ptrace the ability to
> > temporarily pause/resume/set CET enablement and SSP for a stopped
> > thread. Then injected code doesn't need to jump through any hoops or
> > possibly run into road blocks. I'm not sure how much this opens things
> > up if the thread has to be stopped...
>
> Hmm, that's maybe not insane.
>
> An alternative would be to add a bona fide ptrace call-a-function
> mechanism. I can think of two potentially usable variants:
>
> 1. Straight call. PTRACE_CALL_FUNCTION(addr) just emulates CALL addr,
> shadow stack push and all.
>
> 2. Signal-style. PTRACE_CALL_FUNCTION_SIGFRAME injects an actual signal
> frame just like a real signal is being delivered with the specified
> handler. There could be a variant to opt-in to also using a specified
> altstack and altshadowstack.
>
> 2 would be more expensive but would avoid the need for much in the way
> of asm magic. The injected code could be plain C (or Rust or Zig or
> whatever).
>
> All of this only really handles save, not restore. I don't understand
> restore enough to fully understand the issue.

FWIW, CET enabled GDB can call a function in a CET enabled process.

Adding Felix who may know more about it.

-- 
H.J.
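As an added illustration, not code from this thread or from the shadow stack patch set: a small C model of why the "push addr / lret" injection trick tripped over CET in the discussion above, while Andy's variant 1 (emulating a real CALL, shadow stack push included) does not. The `cet_sim` structure, the stack depth and the addresses are all constructed for the model.

```c
#include <stdint.h>
#include <string.h>

#define STK_DEPTH 64
enum { SIM_OK = 0, SIM_CP_FAULT = 1 };   /* SIM_CP_FAULT stands in for the #CP exception */

/* Hypothetical model of one thread: a data stack plus a CET shadow stack. */
struct cet_sim {
    uint64_t stack[STK_DEPTH]; int sp;   /* data stack (grows upward here for simplicity) */
    uint64_t shstk[STK_DEPTH]; int ssp;  /* shadow stack, written only by CALL/RET in the model */
};

/* CALL: the CPU pushes the return address on both stacks. */
static void sim_call(struct cet_sim *s, uint64_t ret_addr) {
    s->stack[s->sp++] = ret_addr;
    s->shstk[s->ssp++] = ret_addr;
}

/* A plain PUSH only touches the data stack; the shadow stack is unaware of it. */
static void sim_push(struct cet_sim *s, uint64_t val) {
    s->stack[s->sp++] = val;
}

/* RET: pop both stacks and compare; a mismatch (or shadow stack underflow) faults. */
static int sim_ret(struct cet_sim *s, uint64_t *target) {
    if (s->sp == 0 || s->ssp == 0) return SIM_CP_FAULT;
    uint64_t from_stack = s->stack[--s->sp];
    uint64_t from_shstk = s->shstk[--s->ssp];
    if (from_stack != from_shstk) return SIM_CP_FAULT;
    *target = from_stack;
    return SIM_OK;
}

/* Constructed scenario: the stopped thread is one CALL deep when code is injected. */
static void prime(struct cet_sim *s) { memset(s, 0, sizeof *s); sim_call(s, 0x400100); }

/* The "push addr / lret" trick: the data stack says addr, the shadow stack still says 0x400100. */
int trick_push_ret(uint64_t addr) {
    struct cet_sim s; uint64_t t;
    prime(&s);
    sim_push(&s, addr);
    return sim_ret(&s, &t);                      /* -> SIM_CP_FAULT */
}

/* Emulated CALL (variant 1): both stacks agree, and the original frame still returns cleanly. */
int trick_emulated_call(uint64_t addr) {
    struct cet_sim s; uint64_t t;
    prime(&s);
    sim_call(&s, addr);
    if (sim_ret(&s, &t) != SIM_OK || t != addr) return SIM_CP_FAULT;
    return sim_ret(&s, &t);                      /* -> SIM_OK, returns to 0x400100 */
}
```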