linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed
From: Dave Martin <Dave.Martin@arm.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Mark Brown <broonie@kernel.org>,
	linux-arch@vger.kernel.org, libc-alpha@sourceware.org,
	Szabolcs Nagy <szabolcs.nagy@arm.com>,
	Jeremy Linton <jeremy.linton@arm.com>,
	Will Deacon <will@kernel.org>,
	linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter
Date: Mon, 7 Jun 2021 12:25:38 +0100	[thread overview]
Message-ID: <20210607112536.GI4187@arm.com> (raw)
In-Reply-To: <20210603180429.GI20338@arm.com>

On Thu, Jun 03, 2021 at 07:04:31PM +0100, Catalin Marinas via Libc-alpha wrote:
> On Thu, Jun 03, 2021 at 05:51:34PM +0100, Mark Brown wrote:
> > On Thu, Jun 03, 2021 at 04:40:35PM +0100, Dave Martin wrote:
> > > Do we know how libcs will detect that they don't need to do the
> > > mprotect() calls?  Do we need a detection mechanism at all?
> > > 
> > > Ignoring certain errors from mprotect() when ld.so is trying to set
> > > PROT_BTI on the main executable's code pages is probably a reasonable,
> > > backwards-compatible compromise here, but it seems a bit wasteful.
> > 
> > I think the theory was that they would just do the mprotect() calls and
> > ignore any errors as they currently do, or declare that they depend on a
> > new enough kernel version I guess (not an option for glibc but might be
> > for others which didn't do BTI yet).
> 
> I think we discussed the possibility of an AT_FLAGS bit. Until recently,
> this field was 0 but it gained a new bit now. If we are to expose this
> to arch-specific things, it may need some reservations. Anyway, that's
> an optimisation that can be added subsequently.

I suppose so, but AT_FLAGS doesn't seem appropriate somehow.

I wonder why we suddenly start considering adding a flag to AT_FLAGS
every few months, when it had sat empty for decades.  This may say
something about the current health of the kernel ABI, but I'm not sure
exactly what.

I think having mprotect() fail in a predictable way may be preferable
for now: glibc still only needs to probe with a single call and could
cache the knowledge after that.  Code outside libc / ld.so seems quite
unlikely to care about this.

Since only the executable segment(s) of the main binary need to be
protected, this should require only a very small number of mprotect()
calls in normal situations.  Although it feels a bit cruddy as a design,
cost-wise I think that extra overhead would be swamped by other noise in
realistic scenarios.  Often, there is just a single executable segment,
so the common case would probably require just one mprotect() call.  I
don't know if it ever gets much more complicated when using the
standard linker scripts.

Any ideas on how we would document this behaviour?  The kernel and libc
behaviour are 100% clear: you _are_ allowed to twiddle PROT_BTI on
executable mappings, and there is no legitimate (or even useful) reason
to disallow this.  It's only systemd deliberately breaking the API that
causes the behaviour seem by "userspace" to vary.

Cheers
---Dave

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

  reply	other threads:[~2021-06-07 11:28 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-21 14:46 [PATCH v1 0/2] arm64: Enable BTI for the executable as well as the interpreter Mark Brown
2021-05-21 14:46 ` [PATCH v1 1/2] elf: Allow architectures to parse properties on the main executable Mark Brown
2021-06-03 15:40   ` Dave Martin
2021-06-03 18:52     ` Mark Brown
2021-05-21 14:46 ` [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter Mark Brown
2021-06-03 15:40   ` Dave Martin
2021-06-03 16:51     ` Mark Brown
2021-06-03 18:04       ` Catalin Marinas
2021-06-07 11:25         ` Dave Martin [this message]
2021-06-07 18:12           ` Catalin Marinas
2021-06-08 11:33             ` Mark Brown
2021-06-08 15:19               ` Dave Martin
2021-06-08 15:42                 ` Jeremy Linton
2021-06-10 10:33                   ` Dave Martin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210607112536.GI4187@arm.com \
    --to=dave.martin@arm.com \
    --cc=broonie@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=jeremy.linton@arm.com \
    --cc=libc-alpha@sourceware.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=szabolcs.nagy@arm.com \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).