Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description
From: Mark Brown <broonie@kernel.org>
Date: 2023-06-13 17:57:25
Also in:
linux-api, linux-arch, linux-mm, lkml
On Tue, Jun 13, 2023 at 05:11:35PM +0000, Edgecombe, Rick P wrote:
Two things that came up as far as unifying the interface were: 1. The map_shadow_stack syscall x86 shadow stack does some optional pre-populating of the shadow stack memory. And in additional not all types of memory are supported (private anonymous only). This is partly to strengthen the security (which might be a cross-arch thing) and also partly due to x86's Write=0,Dirty=1 PTE bit combination. So a new syscall fit better. Some core-mm folks were not super keen on overloading mmap() to start doing things like writing to the memory being mapped, as well.
Right, the strengthening security bits made this one look cross arch - that one wasn't worrying me.
2. The arch_prctl() interface While enable and disable might be shared, there are some arch-specific stuff for x86 like enabling the WRSS instruction.
For x86 all of the exercising of the kernel interface was in arch specific code, so unifying the kernel interface didn't save much on the user side. If there turns out to be some unification opportunities when everything is explored and decided on, we could have the option of tying x86's feature into it later.
I think the map_shadow_stack syscall had the most debate. But the arch_prctl() was mostly agreed on IIRC. The debate was mostly with glibc folks and the riscv shadow stack developer.
For arm64 we have an equivalentish thing to WRSS which lets us control if userspace can explicitly push or pop values onto the shadow stack (GCS for us) so it all maps on well - before I noticed that it was arch_prctl() I was looking at it and thinking it worked for us. At the minute I've taken the prctl() patch from the riscv series and added in a flag for writability since we just don't have an arch_prctl(), this isn't a huge deal but it just seemed like needless effort to wonder why it's different.
For my part, the thing I would really like to see unified as much as possible is at the app developer's interface (glibc/gcc). The idea would be to make it easy for app developers to know if their app supports shadow stack. There will probably be some differences, but it would be great if there was mostly the same behavior and a small list of differences. I'm thinking about the behavior of longjmp(), swapcontext(), etc.
Yes, very much so. sigaltcontext() too.
Attachments
- signature.asc [application/pgp-signature] 488 bytes