From: Mark Brown <broonie@kernel.org>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "fweimer@redhat.com" <fweimer@redhat.com>,
"sroettger@google.com" <sroettger@google.com>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
"ross.burton@arm.com" <ross.burton@arm.com>,
"suzuki.poulose@arm.com" <suzuki.poulose@arm.com>,
"Szabolcs.Nagy@arm.com" <Szabolcs.Nagy@arm.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
"Schimpe, Christina" <christina.schimpe@intel.com>,
"kvmarm@lists.linux.dev" <kvmarm@lists.linux.dev>,
"corbet@lwn.net" <corbet@lwn.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
"kees@kernel.org" <kees@kernel.org>,
"oliver.upton@linux.dev" <oliver.upton@linux.dev>,
"palmer@dabbelt.com" <palmer@dabbelt.com>,
"debug@rivosinc.com" <debug@rivosinc.com>,
"aou@eecs.berkeley.edu" <aou@eecs.berkeley.edu>,
"shuah@kernel.org" <shuah@kernel.org>,
"arnd@arndb.de" <arnd@arndb.de>,
"maz@kernel.org" <maz@kernel.org>,
"oleg@redhat.com" <oleg@redhat.com>,
"thiago.bauermann@linaro.org" <thiago.bauermann@linaro.org>,
"Pandey, Sunil K" <sunil.k.pandey@intel.com>,
"james.morse@arm.com" <james.morse@arm.com>,
"ebiederm@xmission.com" <ebiederm@xmission.com>,
"brauner@kernel.org" <brauner@kernel.org>,
"will@kernel.org" <will@kernel.org>,
"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"paul.walmsley@sifive.com" <paul.walmsley@sifive.com>,
"ardb@kernel.org" <ardb@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>
Subject: Re: [PATCH v9 05/39] arm64/gcs: Document the ABI for Guarded Control Stacks
Date: Wed, 17 Jul 2024 16:28:27 +0100 [thread overview]
Message-ID: <dbc210a3-7653-444a-9dcc-b8d4ea92bd9b@sirena.org.uk> (raw)
In-Reply-To: <2fb80876e286b4db8f9ef36bcce04bbf02af0de2.camel@intel.com>
[-- Attachment #1: Type: text/plain, Size: 2013 bytes --]
On Tue, Jul 16, 2024 at 06:50:12PM +0000, Edgecombe, Rick P wrote:
> On Wed, 2024-07-10 at 19:27 +0100, Mark Brown wrote:
> > On Wed, Jul 10, 2024 at 12:36:21PM +0200, Florian Weimer wrote:
> > > We also have a gap on x86-64 for backtrace generation because the
> > > interrupted instruction address does not end up on the shadow stack.
> > > This address is potentially quite interesting for backtrace generation.
> > > I assume it's currently missing because the kernel does not resume
> > > execution using a regular return instruction. It would be really useful
> > > if it could be pushed to the shadow stack, or recoverable from the
> > > shadow stack in some other way (e.g., the address of the signal context
> > > could be pushed instead). That would need some form of marker as well.
> > Right, we'd have to manually consume any extra address we put on the
> > GCS. I'm not seeing any gagetisation issues with writing an extra value
> > there that isn't a valid stack cap at the minute but I'll need to think
> > it through properly - don't know if anyone else has thoughts here?
> Shadow stack has one main usage (security) and another less proven, but
> interesting usage for backtracing. I'm wary of adding things to the shadow stack
> as they come up in an ad-hoc fashion, especially for the fuzzier usage. Do you
> have a handle on everything the tracing usage would need?
Yeah, the current instruction pointer seems fairly straightforward to
idiomatically fit in there but going beyond that gets tricker.
> But besides that I've wondered if there could be a security benefit to adding
> some fields of the sigframe (RIP being the prime one) to the shadow stack, or a
> cryptographic hash of the sigframe.
One trick with trying to actually validate anything extra we put in
there from the sigframe would be that one of the things a signal handler
can do is modify the signal context - for the specific case of RIP
that'd be an issue for rseq for example.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2024-07-17 15:29 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-25 14:57 [PATCH v9 00/39] arm64/gcs: Provide support for GCS in userspace Mark Brown
2024-06-25 14:57 ` [PATCH v9 01/39] arm64/mm: Restructure arch_validate_flags() for extensibility Mark Brown
2024-06-25 14:57 ` [PATCH v9 02/39] prctl: arch-agnostic prctl for shadow stack Mark Brown
2024-06-25 14:57 ` [PATCH v9 03/39] mman: Add map_shadow_stack() flags Mark Brown
2024-06-25 14:57 ` [PATCH v9 04/39] arm64: Document boot requirements for Guarded Control Stacks Mark Brown
2024-06-25 14:57 ` [PATCH v9 05/39] arm64/gcs: Document the ABI " Mark Brown
2024-06-25 22:51 ` Randy Dunlap
2024-07-10 10:36 ` Florian Weimer
2024-07-10 18:27 ` Mark Brown
2024-07-16 18:50 ` Edgecombe, Rick P
2024-07-17 15:28 ` Mark Brown [this message]
2024-07-17 1:21 ` Thiago Jung Bauermann
2024-06-25 14:57 ` [PATCH v9 06/39] arm64/sysreg: Add definitions for architected GCS caps Mark Brown
2024-06-25 14:57 ` [PATCH v9 07/39] arm64/gcs: Add manual encodings of GCS instructions Mark Brown
2024-06-25 14:57 ` [PATCH v9 08/39] arm64/gcs: Provide put_user_gcs() Mark Brown
2024-06-25 14:57 ` [PATCH v9 09/39] arm64/cpufeature: Runtime detection of Guarded Control Stack (GCS) Mark Brown
2024-06-25 14:57 ` [PATCH v9 10/39] arm64/mm: Allocate PIE slots for EL0 guarded control stack Mark Brown
2024-06-25 14:57 ` [PATCH v9 11/39] mm: Define VM_SHADOW_STACK for arm64 when we support GCS Mark Brown
2024-06-25 14:57 ` [PATCH v9 12/39] arm64/mm: Map pages for guarded control stack Mark Brown
2024-06-25 14:57 ` [PATCH v9 13/39] KVM: arm64: Manage GCS registers for guests Mark Brown
2024-07-10 15:17 ` Marc Zyngier
2024-07-10 17:16 ` Mark Brown
2024-07-10 18:28 ` Marc Zyngier
2024-07-10 22:05 ` Mark Brown
2024-06-25 14:57 ` [PATCH v9 14/39] arm64/gcs: Allow GCS usage at EL0 and EL1 Mark Brown
2024-06-25 14:57 ` [PATCH v9 15/39] arm64/idreg: Add overrride for GCS Mark Brown
2024-06-25 14:57 ` [PATCH v9 16/39] arm64/hwcap: Add hwcap " Mark Brown
2024-06-25 14:57 ` [PATCH v9 17/39] arm64/traps: Handle GCS exceptions Mark Brown
2024-06-25 14:57 ` [PATCH v9 18/39] arm64/mm: Handle GCS data aborts Mark Brown
2024-06-25 14:57 ` [PATCH v9 19/39] arm64/gcs: Context switch GCS state for EL0 Mark Brown
2024-06-25 14:57 ` [PATCH v9 20/39] arm64/gcs: Ensure that new threads have a GCS Mark Brown
2024-07-17 2:05 ` Thiago Jung Bauermann
2024-06-25 14:57 ` [PATCH v9 21/39] arm64/gcs: Implement shadow stack prctl() interface Mark Brown
2024-06-25 14:57 ` [PATCH v9 22/39] arm64/mm: Implement map_shadow_stack() Mark Brown
2024-06-25 14:57 ` [PATCH v9 23/39] arm64/signal: Set up and restore the GCS context for signal handlers Mark Brown
2024-06-25 14:57 ` [PATCH v9 24/39] arm64/signal: Expose GCS state in signal frames Mark Brown
2024-06-25 14:57 ` [PATCH v9 25/39] arm64/ptrace: Expose GCS via ptrace and core files Mark Brown
2024-06-25 14:57 ` [PATCH v9 26/39] arm64: Add Kconfig for Guarded Control Stack (GCS) Mark Brown
2024-06-25 14:57 ` [PATCH v9 27/39] kselftest/arm64: Verify the GCS hwcap Mark Brown
2024-06-25 14:57 ` [PATCH v9 28/39] kselftest: Provide shadow stack enable helpers for arm64 Mark Brown
2024-06-25 14:57 ` [PATCH v9 29/39] selftests/clone3: Enable arm64 shadow stack testing Mark Brown
2024-06-25 14:57 ` [PATCH v9 30/39] kselftest/arm64: Add GCS as a detected feature in the signal tests Mark Brown
2024-06-25 14:57 ` [PATCH v9 31/39] kselftest/arm64: Add framework support for GCS to signal handling tests Mark Brown
2024-06-25 14:58 ` [PATCH v9 32/39] kselftest/arm64: Allow signals tests to specify an expected si_code Mark Brown
2024-06-25 14:58 ` [PATCH v9 33/39] kselftest/arm64: Always run signals tests with GCS enabled Mark Brown
2024-06-25 14:58 ` [PATCH v9 34/39] kselftest/arm64: Add very basic GCS test program Mark Brown
2024-06-25 14:58 ` [PATCH v9 35/39] kselftest/arm64: Add a GCS test program built with the system libc Mark Brown
2024-07-18 16:14 ` Thiago Jung Bauermann
2024-07-18 16:16 ` Mark Brown
2024-07-18 22:28 ` Thiago Jung Bauermann
2024-07-22 8:57 ` Mark Brown
2024-06-25 14:58 ` [PATCH v9 36/39] kselftest/arm64: Add test coverage for GCS mode locking Mark Brown
2024-06-25 14:58 ` [PATCH v9 37/39] kselftest/arm64: Add GCS signal tests Mark Brown
2024-07-18 23:03 ` Thiago Jung Bauermann
2024-06-25 14:58 ` [PATCH v9 38/39] kselftest/arm64: Add a GCS stress test Mark Brown
2024-07-18 23:34 ` Thiago Jung Bauermann
2024-07-18 23:47 ` Thiago Jung Bauermann
2024-07-22 10:08 ` Mark Brown
2024-07-22 14:31 ` Mark Brown
2024-06-25 14:58 ` [PATCH v9 39/39] kselftest/arm64: Enable GCS for the FP stress tests Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dbc210a3-7653-444a-9dcc-b8d4ea92bd9b@sirena.org.uk \
--to=broonie@kernel.org \
--cc=Szabolcs.Nagy@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=christina.schimpe@intel.com \
--cc=corbet@lwn.net \
--cc=debug@rivosinc.com \
--cc=ebiederm@xmission.com \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=james.morse@arm.com \
--cc=kees@kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=maz@kernel.org \
--cc=oleg@redhat.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=rick.p.edgecombe@intel.com \
--cc=ross.burton@arm.com \
--cc=shuah@kernel.org \
--cc=sroettger@google.com \
--cc=sunil.k.pandey@intel.com \
--cc=suzuki.poulose@arm.com \
--cc=thiago.bauermann@linaro.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox