On 2/2/21 4:05 AM, Mark Rutland wrote:

quoted

quoted

I think at this point, we haven't gained anything from using a shadow
stack, and I'd much rather we used objtool to gather any metadata needed
to make unwinding reliable without mandating a shadow stack.

I think we have gained something. Pushing the return addresses on the shadow stack
and using them to unwind means that objtool does not have to decode every single
instruction and track the changes to the stack and frame state.

I think that practically speaking it's necessary to track all potential
paths through functions that may alter the shadow stack or the shadow
stack pointer to ensure that the manipulation is well-balanced and that
the shadow stack pointer isn't corrupted.

Practically speaking, this requires decoding a significant number of
instructions, and tracing through all potential paths a function may
take.

I am not sure why the shadow stack should be modified by any function.
It is a shadow stack. Functions are not supposed to be aware of it
(except for the prolog and epilog).

For C functions, the compiler would reserve the shadow stack pointer
register and not use it for anything other than prolog and epilog.

If the worry is that some kernel developer may unknowingly use the register
in assembly code and we need to catch this during kernel build, we can do it
using grep. The only code that is allowed to modify it is the macros that we
define for prolog and epilog. This can be done using a simple script.

Madhavan

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel