On Mon, 2021-09-20 at 09:48 -0700, Andy Lutomirski wrote:

My general opinion here (take this with a grain of salt -- I haven't
paged back in every single detail) is that the kernel should make it
straightforward for a libc to do the right thing without nasty races,
cross-thread coordination, or unnecessary permission to write to the
stack.  I *also* think that it should be possible for userspace to
manage its own shadow stack allocation if it wants to, since I'm sure
there will be JIT or green thread or other use cases that want to do
crazy things that we fail to anticipate with in-kernel magic.

So perhaps we should keep the explicit allocation and free
operations, have a way to opt-in to WRSS being flipped on, but also
do our best to have API that handle the known cases well.

Does that make sense?  Can we have both approaches work in the same
kernel?

I think so. I'll take a look at adding a prctl to enable WRSS. Since
there already is ARCH_X86_CET_DISABLE to disable CET, it doesn't seem
like it should escalate anything. And ARCH_X86_CET_LOCK can prevent
turning it on if desired.

Thanks,

Rick