Re: [PATCH v2 29/39] x86/cet/shstk: Support wrss for userspace
From: Kees Cook <hidden>
Date: 2022-10-06 03:12:25
Also in:
linux-arch, linux-doc, linux-mm, lkml
On Thu, Oct 06, 2022 at 12:38:06AM +0000, Edgecombe, Rick P wrote:
On Mon, 2022-10-03 at 21:37 -0700, Kees Cook wrote:quoted
On Mon, Oct 03, 2022 at 04:00:36PM -0700, Andy Lutomirski wrote:quoted
On 10/3/22 15:28, Kees Cook wrote:quoted
On Thu, Sep 29, 2022 at 03:29:26PM -0700, Rick Edgecombe wrote:quoted
For the current shadow stack implementation, shadow stacks contents easily be arbitrarily provisioned with data.I can't parse this sentence.quoted
This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security.Is anything using this right now? Wouldn't thing be safer without WRSS? (Why can't we skip this patch?)So that people don't write programs that need either (shstk off) or (shstk on and WRSS on) and crash or otherwise fail on kernels that support shstk but don't support WRSS, perhaps?Right, yes. I meant more "what programs currently need WRSS to operate under shstk? (And what is it that they are doing that needs it?)" All is see currently is compiler self-tests and emulators using it?https://codesearch.debian.net/search?q=%5Cb%28wrss%7CWRSS%29%5Cb&literal=0&perpkg=1 Most apps that weren't just automatically compiled haven't had implementation effort yet. (of course glibc has had a bunch) I hope we would see more of that when we finally get it upstream. So I think a better question is, how many apps will need WRSS when they go to enable shadow stack. I'm thinking the answer must be some and it could be nice to catch them when they first investigate enabling it. But yes, except for Mike's CRIU branch, there aren't any programs that use it today, and we could drop it for a first implementation. I don't see it as something that would only make things less safe though. It just lets apps that can't easily work within the stricter shadow stack environment, at least get access to a weaker but still beneficial one. Kees, did you catch that it can be locked off while enabling shadow stack?
Yup, saw that! Looks good. Thanks. :) -- Kees Cook