From: "H.J. Lu" <hjl.tools@gmail.com> To: Andy Lutomirski <luto@kernel.org> Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>, LKML <linux-kernel@vger.kernel.org>, linux-doc@vger.kernel.org, Linux-MM <linux-mm@kvack.org>, linux-arch <linux-arch@vger.kernel.org>, X86 ML <x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, "Shanbhogue, Vedvyas" <vedvyas.shanbhogue@intel.com>, "Ravi V. Shankar" <ravi.v.shankar@intel.com>, Dave Hansen <dave.hansen@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>, Oleg Nesterov <oleg@redhat.com>, Arnd Bergmann <arnd@arndb.de>, mike.kravetz@oracle.com Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack Date: Thu, 7 Jun 2018 21:22:13 -0700 [thread overview] Message-ID: <CAMe9rOphjpPd3HnKAdU-RmG0RGj6c2oAbnq+C2Jd1srsqTA7=w@mail.gmail.com> (raw) In-Reply-To: <CAMe9rOr49V8rqRa_KVsw61PWd+crkQvPDgPKtvowazjmsfgWWQ@mail.gmail.com> On Thu, Jun 7, 2018 at 3:02 PM, H.J. Lu <hjl.tools@gmail.com> wrote: > On Thu, Jun 7, 2018 at 2:01 PM, Andy Lutomirski <luto@kernel.org> wrote: >> On Thu, Jun 7, 2018 at 1:33 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote: >>> >>> On Thu, 2018-06-07 at 11:48 -0700, Andy Lutomirski wrote: >>> > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote: >>> > > >>> > > The following operations are provided. >>> > > >>> > > ARCH_CET_STATUS: >>> > > return the current CET status >>> > > >>> > > ARCH_CET_DISABLE: >>> > > disable CET features >>> > > >>> > > ARCH_CET_LOCK: >>> > > lock out CET features >>> > > >>> > > ARCH_CET_EXEC: >>> > > set CET features for exec() >>> > > >>> > > ARCH_CET_ALLOC_SHSTK: >>> > > allocate a new shadow stack >>> > > >>> > > ARCH_CET_PUSH_SHSTK: >>> > > put a return address on shadow stack >>> > > >> And why do we need ARCH_CET_EXEC? >> >> For background, I really really dislike adding new state that persists >> across exec(). It's nice to get as close to a clean slate as possible >> after exec() so that programs can run in a predictable environment. >> exec() is also a security boundary, and anything a task can do to >> affect itself after exec() needs to have its security implications >> considered very carefully. (As a trivial example, you should not be >> able to use cetcmd ... sudo [malicious options here] to cause sudo to >> run with CET off and then try to exploit it via the malicious options. >> >> If a shutoff is needed for testing, how about teaching ld.so to parse >> LD_CET=no or similar and protect it the same way as LD_PRELOAD is >> protected. Or just do LD_PRELOAD=/lib/libdoesntsupportcet.so. >> > > I will take a look. We can use LD_CET to turn off CET. Since most of legacy binaries are compatible with shadow stack, ARCH_CET_EXEC can be used to turn on shadow stack on legacy binaries: [hjl@gnu-cet-1 glibc]$ readelf -n /bin/ls| head -10 Displaying notes found in: .note.ABI-tag Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 3.2.0 Displaying notes found in: .note.gnu.property Owner Data size Description GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0 Properties: x86 ISA used: [hjl@gnu-cet-1 glibc]$ cetcmd --on -- /bin/ls / Segmentation fault [hjl@gnu-cet-1 glibc]$ cetcmd --on -f shstk -- /bin/ls / bin dev export lib libx32 media mnt opt root sbin sys usr boot etc home lib64 lost+found misc net proc run srv tmp var [hjl@gnu-cet-1 glibc]$ cetcmd --on -f ibt -- /bin/ls / Segmentation fault [hjl@gnu-cet-1 glibc]$ -- H.J.
WARNING: multiple messages have this Message-ID (diff)
From: "H.J. Lu" <hjl.tools@gmail.com> To: Andy Lutomirski <luto@kernel.org> Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>, LKML <linux-kernel@vger.kernel.org>, linux-doc@vger.kernel.org, Linux-MM <linux-mm@kvack.org>, linux-arch <linux-arch@vger.kernel.org>, X86 ML <x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, "Shanbhogue, Vedvyas" <vedvyas.shanbhogue@intel.com>, "Ravi V. Shankar" <ravi.v.shankar@intel.com>, Dave Hansen <dave.hansen@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>, Oleg Nesterov <oleg@redhat.com>, Arnd Bergmann <arnd@arndb.de>, mike.kravetz@oracle.com Subject: Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack Date: Thu, 7 Jun 2018 21:22:13 -0700 [thread overview] Message-ID: <CAMe9rOphjpPd3HnKAdU-RmG0RGj6c2oAbnq+C2Jd1srsqTA7=w@mail.gmail.com> (raw) In-Reply-To: <CAMe9rOr49V8rqRa_KVsw61PWd+crkQvPDgPKtvowazjmsfgWWQ@mail.gmail.com> On Thu, Jun 7, 2018 at 3:02 PM, H.J. Lu <hjl.tools@gmail.com> wrote: > On Thu, Jun 7, 2018 at 2:01 PM, Andy Lutomirski <luto@kernel.org> wrote: >> On Thu, Jun 7, 2018 at 1:33 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote: >>> >>> On Thu, 2018-06-07 at 11:48 -0700, Andy Lutomirski wrote: >>> > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote: >>> > > >>> > > The following operations are provided. >>> > > >>> > > ARCH_CET_STATUS: >>> > > return the current CET status >>> > > >>> > > ARCH_CET_DISABLE: >>> > > disable CET features >>> > > >>> > > ARCH_CET_LOCK: >>> > > lock out CET features >>> > > >>> > > ARCH_CET_EXEC: >>> > > set CET features for exec() >>> > > >>> > > ARCH_CET_ALLOC_SHSTK: >>> > > allocate a new shadow stack >>> > > >>> > > ARCH_CET_PUSH_SHSTK: >>> > > put a return address on shadow stack >>> > > >> And why do we need ARCH_CET_EXEC? >> >> For background, I really really dislike adding new state that persists >> across exec(). It's nice to get as close to a clean slate as possible >> after exec() so that programs can run in a predictable environment. >> exec() is also a security boundary, and anything a task can do to >> affect itself after exec() needs to have its security implications >> considered very carefully. (As a trivial example, you should not be >> able to use cetcmd ... sudo [malicious options here] to cause sudo to >> run with CET off and then try to exploit it via the malicious options. >> >> If a shutoff is needed for testing, how about teaching ld.so to parse >> LD_CET=no or similar and protect it the same way as LD_PRELOAD is >> protected. Or just do LD_PRELOAD=/lib/libdoesntsupportcet.so. >> > > I will take a look. We can use LD_CET to turn off CET. Since most of legacy binaries are compatible with shadow stack, ARCH_CET_EXEC can be used to turn on shadow stack on legacy binaries: [hjl@gnu-cet-1 glibc]$ readelf -n /bin/ls| head -10 Displaying notes found in: .note.ABI-tag Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 3.2.0 Displaying notes found in: .note.gnu.property Owner Data size Description GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0 Properties: x86 ISA used: [hjl@gnu-cet-1 glibc]$ cetcmd --on -- /bin/ls / Segmentation fault [hjl@gnu-cet-1 glibc]$ cetcmd --on -f shstk -- /bin/ls / bin dev export lib libx32 media mnt opt root sbin sys usr boot etc home lib64 lost+found misc net proc run srv tmp var [hjl@gnu-cet-1 glibc]$ cetcmd --on -f ibt -- /bin/ls / Segmentation fault [hjl@gnu-cet-1 glibc]$ -- H.J. -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-06-08 4:22 UTC|newest] Thread overview: 205+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-06-07 14:37 [PATCH 00/10] Control Flow Enforcement - Part (3) Yu-cheng Yu 2018-06-07 14:37 ` Yu-cheng Yu 2018-06-07 14:37 ` [PATCH 01/10] x86/cet: User-mode shadow stack support Yu-cheng Yu 2018-06-07 14:37 ` Yu-cheng Yu 2018-06-07 16:37 ` Andy Lutomirski 2018-06-07 16:37 ` Andy Lutomirski 2018-06-07 17:46 ` Yu-cheng Yu 2018-06-07 17:46 ` Yu-cheng Yu 2018-06-07 17:55 ` Dave Hansen 2018-06-07 17:55 ` Dave Hansen 2018-06-07 18:23 ` Andy Lutomirski 2018-06-07 18:23 ` Andy Lutomirski 2018-06-12 11:56 ` Balbir Singh 2018-06-12 11:56 ` Balbir Singh 2018-06-12 15:03 ` Yu-cheng Yu 2018-06-12 15:03 ` Yu-cheng Yu 2018-06-07 14:37 ` [PATCH 02/10] x86/cet: Introduce WRUSS instruction Yu-cheng Yu 2018-06-07 14:37 ` Yu-cheng Yu 2018-06-07 16:40 ` Andy Lutomirski 2018-06-07 16:40 ` Andy Lutomirski 2018-06-07 16:51 ` Yu-cheng Yu 2018-06-07 16:51 ` Yu-cheng Yu 2018-06-07 18:41 ` Peter Zijlstra 2018-06-07 18:41 ` Peter Zijlstra 2018-06-07 20:31 ` Yu-cheng Yu 2018-06-07 20:31 ` Yu-cheng Yu 2018-06-11 8:17 ` Peter Zijlstra 2018-06-11 8:17 ` Peter Zijlstra 2018-06-11 15:02 ` Yu-cheng Yu 2018-06-11 15:02 ` Yu-cheng Yu 2018-06-14 1:30 ` Balbir Singh 2018-06-14 1:30 ` Balbir Singh 2018-06-14 14:43 ` Yu-cheng Yu 2018-06-14 14:43 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 03/10] x86/cet: Signal handling for shadow stack Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 18:30 ` Andy Lutomirski 2018-06-07 18:30 ` Andy Lutomirski 2018-06-07 18:58 ` Florian Weimer 2018-06-07 18:58 ` Florian Weimer 2018-06-07 19:51 ` Yu-cheng Yu 2018-06-07 19:51 ` Yu-cheng Yu 2018-06-07 20:07 ` Cyrill Gorcunov 2018-06-07 20:07 ` Cyrill Gorcunov 2018-06-07 20:57 ` Andy Lutomirski 2018-06-07 20:57 ` Andy Lutomirski 2018-06-08 12:07 ` Cyrill Gorcunov 2018-06-08 12:07 ` Cyrill Gorcunov 2018-06-07 20:12 ` Yu-cheng Yu 2018-06-07 20:12 ` Yu-cheng Yu 2018-06-07 20:17 ` Dave Hansen 2018-06-07 20:17 ` Dave Hansen 2018-06-07 14:38 ` [PATCH 04/10] x86/cet: Handle thread " Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 18:21 ` Andy Lutomirski 2018-06-07 18:21 ` Andy Lutomirski 2018-06-07 19:47 ` Florian Weimer 2018-06-07 19:47 ` Florian Weimer 2018-06-07 19:47 ` Florian Weimer 2018-06-07 20:53 ` Andy Lutomirski 2018-06-07 20:53 ` Andy Lutomirski 2018-06-08 14:53 ` Florian Weimer 2018-06-08 14:53 ` Florian Weimer 2018-06-08 14:53 ` Florian Weimer 2018-06-08 15:01 ` Andy Lutomirski 2018-06-08 15:01 ` Andy Lutomirski 2018-06-08 15:50 ` Yu-cheng Yu 2018-06-08 15:50 ` Yu-cheng Yu 2018-06-08 15:50 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 05/10] x86/cet: ELF header parsing of Control Flow Enforcement Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 18:38 ` Andy Lutomirski 2018-06-07 18:38 ` Andy Lutomirski 2018-06-07 20:40 ` Yu-cheng Yu 2018-06-07 20:40 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 18:48 ` Andy Lutomirski 2018-06-07 18:48 ` Andy Lutomirski 2018-06-07 20:30 ` Yu-cheng Yu 2018-06-07 20:30 ` Yu-cheng Yu 2018-06-07 21:01 ` Andy Lutomirski 2018-06-07 21:01 ` Andy Lutomirski 2018-06-07 22:02 ` H.J. Lu 2018-06-07 22:02 ` H.J. Lu 2018-06-07 23:01 ` Andy Lutomirski 2018-06-07 23:01 ` Andy Lutomirski 2018-06-08 4:09 ` H.J. Lu 2018-06-08 4:09 ` H.J. Lu 2018-06-08 4:38 ` Andy Lutomirski 2018-06-08 4:38 ` Andy Lutomirski 2018-06-08 12:24 ` H.J. Lu 2018-06-08 12:24 ` H.J. Lu 2018-06-08 14:57 ` Andy Lutomirski 2018-06-08 14:57 ` Andy Lutomirski 2018-06-08 15:52 ` Cyrill Gorcunov 2018-06-08 15:52 ` Cyrill Gorcunov 2018-06-08 4:22 ` H.J. Lu [this message] 2018-06-08 4:22 ` H.J. Lu 2018-06-08 4:35 ` Andy Lutomirski 2018-06-08 4:35 ` Andy Lutomirski 2018-06-08 12:17 ` H.J. Lu 2018-06-08 12:17 ` H.J. Lu 2018-06-12 10:03 ` Thomas Gleixner 2018-06-12 10:03 ` Thomas Gleixner 2018-06-12 11:43 ` H.J. Lu 2018-06-12 11:43 ` H.J. Lu 2018-06-12 16:01 ` Andy Lutomirski 2018-06-12 16:01 ` Andy Lutomirski 2018-06-12 16:05 ` H.J. Lu 2018-06-12 16:05 ` H.J. Lu 2018-06-12 16:34 ` Andy Lutomirski 2018-06-12 16:34 ` Andy Lutomirski 2018-06-12 16:51 ` H.J. Lu 2018-06-12 16:51 ` H.J. Lu 2018-06-12 18:59 ` Thomas Gleixner 2018-06-12 18:59 ` Thomas Gleixner 2018-06-12 19:34 ` H.J. Lu 2018-06-12 19:34 ` H.J. Lu 2018-06-18 22:03 ` Andy Lutomirski 2018-06-18 22:03 ` Andy Lutomirski 2018-06-19 0:52 ` Kees Cook 2018-06-19 0:52 ` Kees Cook 2018-06-19 6:40 ` Florian Weimer 2018-06-19 6:40 ` Florian Weimer 2018-06-19 14:50 ` Andy Lutomirski 2018-06-19 14:50 ` Andy Lutomirski 2018-06-19 16:44 ` Kees Cook 2018-06-19 16:44 ` Kees Cook 2018-06-19 16:59 ` Yu-cheng Yu 2018-06-19 16:59 ` Yu-cheng Yu 2018-06-19 16:59 ` Yu-cheng Yu 2018-06-19 17:07 ` Kees Cook 2018-06-19 17:07 ` Kees Cook 2018-06-19 17:20 ` Andy Lutomirski 2018-06-19 17:20 ` Andy Lutomirski 2018-06-19 20:12 ` Kees Cook 2018-06-19 20:12 ` Kees Cook 2018-06-19 20:47 ` Andy Lutomirski 2018-06-19 20:47 ` Andy Lutomirski 2018-06-19 22:38 ` Yu-cheng Yu 2018-06-19 22:38 ` Yu-cheng Yu 2018-06-19 22:38 ` Yu-cheng Yu 2018-06-20 0:50 ` Andy Lutomirski 2018-06-20 0:50 ` Andy Lutomirski 2018-06-21 23:07 ` Yu-cheng Yu 2018-06-21 23:07 ` Yu-cheng Yu 2018-06-21 23:07 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 07/10] mm: Prevent mprotect from changing " Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 08/10] mm: Prevent mremap of " Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 18:48 ` Andy Lutomirski 2018-06-07 18:48 ` Andy Lutomirski 2018-06-07 20:18 ` Yu-cheng Yu 2018-06-07 20:18 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 09/10] mm: Prevent madvise from changing " Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 20:54 ` Andy Lutomirski 2018-06-07 20:54 ` Andy Lutomirski 2018-06-07 21:09 ` Nadav Amit 2018-06-07 21:09 ` Nadav Amit 2018-06-07 21:18 ` Yu-cheng Yu 2018-06-07 21:18 ` Yu-cheng Yu 2018-06-07 21:18 ` Yu-cheng Yu 2018-06-07 14:38 ` [PATCH 10/10] mm: Prevent munmap and remap_file_pages of " Yu-cheng Yu 2018-06-07 14:38 ` Yu-cheng Yu 2018-06-07 18:50 ` Andy Lutomirski 2018-06-07 18:50 ` Andy Lutomirski 2018-06-07 20:15 ` Yu-cheng Yu 2018-06-07 20:15 ` Yu-cheng Yu 2018-06-12 10:56 ` [PATCH 00/10] Control Flow Enforcement - Part (3) Balbir Singh 2018-06-12 10:56 ` Balbir Singh 2018-06-12 15:03 ` Yu-cheng Yu 2018-06-12 15:03 ` Yu-cheng Yu 2018-06-12 16:00 ` Andy Lutomirski 2018-06-12 16:00 ` Andy Lutomirski 2018-06-12 16:21 ` Yu-cheng Yu 2018-06-12 16:21 ` Yu-cheng Yu 2018-06-12 16:31 ` Andy Lutomirski 2018-06-12 16:31 ` Andy Lutomirski 2018-06-12 17:24 ` Yu-cheng Yu 2018-06-12 17:24 ` Yu-cheng Yu 2018-06-12 20:15 ` Yu-cheng Yu 2018-06-12 20:15 ` Yu-cheng Yu 2018-06-14 1:07 ` Balbir Singh 2018-06-14 1:07 ` Balbir Singh 2018-06-14 14:56 ` Yu-cheng Yu 2018-06-14 14:56 ` Yu-cheng Yu 2018-06-17 3:16 ` Balbir Singh 2018-06-17 3:16 ` Balbir Singh 2018-06-18 21:44 ` Andy Lutomirski 2018-06-18 21:44 ` Andy Lutomirski 2018-06-19 8:52 ` Balbir Singh 2018-06-19 8:52 ` Balbir Singh 2018-06-26 2:46 ` Jann Horn 2018-06-26 2:46 ` Jann Horn 2018-06-26 14:56 ` Yu-cheng Yu 2018-06-26 14:56 ` Yu-cheng Yu 2018-06-26 14:56 ` Yu-cheng Yu 2018-06-26 5:26 ` Andy Lutomirski 2018-06-26 5:26 ` Andy Lutomirski 2018-06-26 14:56 ` Yu-cheng Yu 2018-06-26 14:56 ` Yu-cheng Yu 2018-06-26 14:56 ` Yu-cheng Yu
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAMe9rOphjpPd3HnKAdU-RmG0RGj6c2oAbnq+C2Jd1srsqTA7=w@mail.gmail.com' \ --to=hjl.tools@gmail.com \ --cc=arnd@arndb.de \ --cc=corbet@lwn.net \ --cc=dave.hansen@linux.intel.com \ --cc=hpa@zytor.com \ --cc=linux-arch@vger.kernel.org \ --cc=linux-doc@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=luto@kernel.org \ --cc=mike.kravetz@oracle.com \ --cc=mingo@redhat.com \ --cc=oleg@redhat.com \ --cc=ravi.v.shankar@intel.com \ --cc=tglx@linutronix.de \ --cc=vedvyas.shanbhogue@intel.com \ --cc=x86@kernel.org \ --cc=yu-cheng.yu@intel.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.