From: Dave Martin <Dave.Martin@arm.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>,
"Yu, Yu-cheng" <yu-cheng.yu@intel.com>,
"H.J. Lu" <hjl.tools@gmail.com>,
Florian Weimer <fweimer@redhat.com>, X86 ML <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
"Ravi V. Shankar" <ravi.v.shankar@intel.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@intel.com>,
Weijiang Yang <weijiang.yang@intel.com>
Subject: Re: [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for shadow stack
Date: Wed, 2 Sep 2020 14:58:35 +0100 [thread overview]
Message-ID: <20200902135832.GD6642@arm.com> (raw)
In-Reply-To: <32005d57-e51a-7c7f-4e86-612c2ff067f3@intel.com>
On Tue, Sep 01, 2020 at 11:11:37AM -0700, Dave Hansen wrote:
> On 9/1/20 10:45 AM, Andy Lutomirski wrote:
> >>> For arm64 (and sparc etc.) we continue to use the regular mmap/mprotect
> >>> family of calls. One or two additional arch-specific mmap flags are
> >>> sufficient for now.
> >>>
> >>> Is x86 definitely not going to fit within those calls?
> >> That can work for x86. Andy, what if we create PROT_SHSTK, which can
> >> been seen only from the user. Once in kernel, it is translated to
> >> VM_SHSTK. One question for mremap/mprotect is, do we allow a normal
> >> data area to become shadow stack?
> > I'm unconvinced that we want to use a somewhat precious PROT_ or VM_
> > bit for this. Using a flag bit makes sense if we expect anyone to
> > ever map an fd or similar as a shadow stack, but that seems a bit odd
> > in the first place. To me, it seems more logical for a shadow stack
> > to be a special sort of mapping with a special vm_ops, not a normal
> > mapping with a special flag set. Although I realize that we want
> > shadow stacks to work like anonymous memory with respect to fork().
> > Dave?
>
> I actually don't like the idea of *creating* mappings much.
>
> I think the pkey model has worked out pretty well where we separate
> creating the mapping from doing something *to* it, like changing
> protections. For instance, it would be nice if we could preserve things
> like using hugetlbfs or heck even doing KSM for shadow stacks.
>
> If we're *creating* mappings, we've pretty much ruled out things like
> hugetlbfs.
>
> Something like mprotect_shstk() would allow an implementation today that
> only works on anonymous memory *and* sets up a special vm_ops. But, the
> same exact ABI could do wonky stuff in the future if we decided we
> wanted to do shadow stacks on DAX or hugetlbfs or whatever.
>
> I don't really like the idea of PROT_SHSTK those are plumbed into a
> bunch of interfaces. But, I also can't deny that it seems to be working
> fine for the arm64 folks.
Note, there are some rough edges, such as what happens when someone
calls mprotect() on memory marked with PROT_BTI. Unless the caller
knows whether PROT_BTI should be set for that page, the flag may get
unintentionally cleared. Since the flag only applies to text pages
though, it's not _that_ much of a concern. Software that deals with
writable text pages is also usually involved in generating the code and
so will know about PROT_BTI. That's was the theory anyway.
In the longer term, it might be preferable to have a mprotect2() that
can leave some flags unmodified, and that doesn't silently ignore
unknown flags (at least one of mmap or mprotect does; I don't recall
which). We attempt didn't go this far, for now.
For arm64 it seemed fairly natural for the BTI flag to be a PROT_ flag,
but I don't know enough detail about x86 shstk to know whether it's a
natural fit there.
Cheers
---Dave
next prev parent reply other threads:[~2020-09-02 14:11 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-25 0:25 [PATCH v11 00/25] Control-flow Enforcement: Shadow Stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 01/25] Documentation/x86: Add CET description Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 02/25] x86/cpufeatures: Add CET CPU feature flags for Control-flow Enforcement Technology (CET) Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 03/25] x86/fpu/xstate: Introduce CET MSR XSAVES supervisor states Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 04/25] x86/cet: Add control-protection fault handler Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 05/25] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 06/25] x86/mm: Change _PAGE_DIRTY to _PAGE_DIRTY_HW Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 07/25] x86/mm: Remove _PAGE_DIRTY_HW from kernel RO pages Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 08/25] x86/mm: Introduce _PAGE_COW Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 09/25] drm/i915/gvt: Change _PAGE_DIRTY to _PAGE_DIRTY_BITS Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 10/25] x86/mm: Update pte_modify for _PAGE_COW Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 11/25] x86/mm: Update ptep_set_wrprotect() and pmdp_set_wrprotect() for transition from _PAGE_DIRTY_HW to _PAGE_COW Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 12/25] mm: Introduce VM_SHSTK for shadow stack memory Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 13/25] x86/mm: Shadow Stack page fault error checking Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 14/25] x86/mm: Update maybe_mkwrite() for shadow stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 15/25] mm: Fixup places that call pte_mkwrite() directly Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 16/25] mm: Add guard pages around a shadow stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 17/25] mm/mmap: Add shadow stack pages to memory accounting Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 18/25] mm: Update can_follow_write_pte() for shadow stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 19/25] mm: Re-introduce do_mmap_pgoff() Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 20/25] x86/cet/shstk: User-mode shadow stack support Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 21/25] x86/cet/shstk: Handle signals for shadow stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 22/25] binfmt_elf: Define GNU_PROPERTY_X86_FEATURE_1_AND properties Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 23/25] ELF: Introduce arch_setup_elf_property() Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 24/25] x86/cet/shstk: Handle thread shadow stack Yu-cheng Yu
2020-08-25 0:25 ` [PATCH v11 25/25] x86/cet/shstk: Add arch_prctl functions for " Yu-cheng Yu
2020-08-25 0:36 ` Andy Lutomirski
2020-08-25 0:36 ` Andy Lutomirski
2020-08-25 18:43 ` Yu, Yu-cheng
2020-08-25 19:19 ` Dave Hansen
2020-08-25 21:04 ` Yu, Yu-cheng
2020-08-25 23:20 ` Dave Hansen
2020-08-25 23:34 ` Yu, Yu-cheng
2020-08-26 16:46 ` Dave Martin
2020-08-26 16:51 ` Florian Weimer
2020-08-26 16:51 ` Florian Weimer
2020-08-26 17:04 ` Andy Lutomirski
2020-08-26 17:04 ` Andy Lutomirski
2020-08-26 18:49 ` Yu, Yu-cheng
2020-08-26 19:43 ` H.J. Lu
2020-08-26 19:43 ` H.J. Lu
2020-08-26 19:57 ` Dave Hansen
2020-08-27 13:26 ` H.J. Lu
2020-08-27 13:26 ` H.J. Lu
2020-09-01 10:28 ` Dave Martin
2020-09-01 17:23 ` Yu, Yu-cheng
2020-09-01 17:45 ` Andy Lutomirski
2020-09-01 17:45 ` Andy Lutomirski
2020-09-01 18:11 ` Dave Hansen
2020-09-02 13:58 ` Dave Martin [this message]
2020-09-08 17:50 ` Yu, Yu-cheng
2020-09-08 17:57 ` Dave Hansen
2020-09-08 18:25 ` Yu, Yu-cheng
2020-09-09 22:08 ` Yu, Yu-cheng
2020-09-09 22:59 ` Dave Hansen
2020-09-09 23:07 ` Yu, Yu-cheng
2020-09-09 23:11 ` Dave Hansen
2020-09-09 23:25 ` Yu, Yu-cheng
2020-09-09 23:29 ` Dave Hansen
2020-09-09 23:45 ` Yu, Yu-cheng
2020-09-11 22:59 ` Yu-cheng Yu
2020-09-11 22:59 ` Yu-cheng Yu
2020-09-14 14:50 ` [NEEDS-REVIEW] " Dave Hansen
2020-09-14 18:31 ` Andy Lutomirski
2020-09-14 18:31 ` Andy Lutomirski
2020-09-14 20:44 ` Yu, Yu-cheng
2020-09-14 21:14 ` Dave Hansen
2020-09-16 13:52 ` Andy Lutomirski
2020-09-16 13:52 ` Andy Lutomirski
2020-09-16 19:25 ` Yu, Yu-cheng
2021-09-14 1:33 ` [NEEDS-REVIEW] " Edgecombe, Rick P
2021-09-14 9:53 ` Borislav Petkov
2021-09-20 16:48 ` Andy Lutomirski
2021-09-23 23:32 ` Edgecombe, Rick P
2020-09-15 0:12 ` Yu, Yu-cheng
2020-09-15 19:08 ` Yu-cheng Yu
2020-09-15 19:08 ` Yu-cheng Yu
2020-09-15 19:24 ` Dave Hansen
2020-09-15 20:16 ` Yu, Yu-cheng
2020-08-26 17:08 ` Dave Martin
2020-08-27 13:18 ` Florian Weimer
2020-08-27 13:18 ` Florian Weimer
2020-08-27 13:28 ` H.J. Lu
2020-08-27 13:28 ` H.J. Lu
2020-08-27 13:36 ` Florian Weimer
2020-08-27 13:36 ` Florian Weimer
2020-08-27 14:07 ` H.J. Lu
2020-08-27 14:07 ` H.J. Lu
2020-08-27 14:08 ` H.J. Lu
2020-08-27 14:08 ` H.J. Lu
2020-09-01 17:49 ` Yu, Yu-cheng
2020-09-01 17:50 ` Florian Weimer
2020-09-01 17:50 ` Florian Weimer
2020-09-01 17:58 ` Yu, Yu-cheng
2020-09-01 18:17 ` Florian Weimer
2020-09-01 18:17 ` Florian Weimer
2020-09-01 18:19 ` H.J. Lu
2020-09-01 18:19 ` H.J. Lu
2020-09-01 18:24 ` Yu, Yu-cheng
2020-08-27 18:13 ` Yu, Yu-cheng
2020-08-27 18:56 ` Andy Lutomirski
2020-08-27 19:33 ` Yu, Yu-cheng
2020-08-27 19:37 ` H.J. Lu
2020-08-27 19:37 ` H.J. Lu
2020-08-28 1:35 ` Andy Lutomirski
2020-08-28 1:35 ` Andy Lutomirski
2020-08-28 1:44 ` H.J. Lu
2020-08-28 1:44 ` H.J. Lu
2020-08-28 6:23 ` Florian Weimer
2020-08-28 6:23 ` Florian Weimer
2020-08-28 11:37 ` H.J. Lu
2020-08-28 11:37 ` H.J. Lu
2020-08-28 17:39 ` Andy Lutomirski
2020-08-28 17:39 ` Andy Lutomirski
2020-08-28 17:45 ` H.J. Lu
2020-08-28 17:45 ` H.J. Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200902135832.GD6642@arm.com \
--to=dave.martin@arm.com \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=esyr@redhat.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=peterz@infradead.org \
--cc=ravi.v.shankar@intel.com \
--cc=rdunlap@infradead.org \
--cc=tglx@linutronix.de \
--cc=vedvyas.shanbhogue@intel.com \
--cc=weijiang.yang@intel.com \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.