On Fri 2020-09-18 14:21:10, Yu, Yu-cheng wrote:
> On 9/18/2020 2:00 PM, Pavel Machek wrote:
> > On Fri 2020-09-18 12:32:57, Dave Hansen wrote:
> > > On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
> > > > Emulation of the legacy vsyscall page is required by some programs
> > > > built before 2013.  Newer programs after 2013 don't use it.
> > > > Disable vsyscall emulation when Control-flow Enforcement (CET) is
> > > > enabled to enhance security.
> > > 
> > > How does this "enhance security"?
> > > 
> > > What is the connection between vsyscall emulation and CET?
> > 
> > Boom.
> > 
> > We don't break compatibility by default, and you should not tell
> > people to enable CET by default if you plan to do this.
> 
> I would revise the wording if there is another version.  What this patch
> does is:
> 
> If an application is compiled for CET and the system supports it, then the
> application cannot do vsyscall emulation.  Earlier we allow the emulation,
> and had a patch that fixes the shadow stack and endbr for the emulation
> code.  Since newer programs mostly do no do the emulation, we changed the
> patch do block it when attempted.
> 
> This patch would not block any legacy applications or any applications on
> older machines.

Aha, makes sense, sorry for the noise.

Best regards,
									Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html