On Thu, Jul 06, 2023 at 04:59:45PM +0000, Edgecombe, Rick P wrote:

On Thu, 2023-07-06 at 15:24 +0100, Mark Brown wrote:

quoted

szabolcs.nagy@arm.com wrote:

quoted

The 07/05/2023 20:29, Mark Brown wrote:

quoted

quoted

gcspopm is always available (esentially *ssp++, this is used
for longjmp).

quoted

Ah, sorry - I misremembered there.  You're right, it's only push that
we
have control over.

FWIW the confusion there was some of the hypervisor features which do
tie some of the push and pop instructions together.

Ah, ok! So if you are not planning to enable the push mode then the
features are pretty well aligned, except:
 - On x86 it is possible to switch stacks without leaving a token 
   behind.
 - The GCSPOPM/INCSSP looping may require longer loops on ARM 
   because it only pops one at at time.

If you are not going to use GCSPUSHM by default, then I think we
*should* be able to have some unified set of rules for developers for
glibc behaviors at least.

Yes, the only case where I am aware of conciously diverging in any
substantial way is that we do not free the GCS when GCS is disabled by
userspace, we just disable the updates and checks, and reenabling after
disabling is not supported.  We have demand for disabling at runtime so
we want to keep the stack around for things like a running unwinder but
we don't see a practical use for reenabling so didn't worry about
figuring out what would make sense for userspace.  glibc isn't going to
be using that though.