Message-ID: <862eef02-eba2-e13f-ed67-f915f749ebca@intel.com>
Date: Fri, 18 Sep 2020 14:21:10 -0700
From: "Yu, Yu-cheng" <yu-cheng.yu@...el.com>
To: Pavel Machek <pavel@....cz>, Dave Hansen <dave.hansen@...el.com>
Cc: x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Borislav Petkov <bp@...en8.de>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>,
Dave Martin <Dave.Martin@....com>,
Weijiang Yang <weijiang.yang@...el.com>
Subject: Re: [PATCH v12 8/8] x86: Disallow vsyscall emulation when CET is
enabled
On 9/18/2020 2:00 PM, Pavel Machek wrote:
> On Fri 2020-09-18 12:32:57, Dave Hansen wrote:
>> On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
>>> Emulation of the legacy vsyscall page is required by some programs
>>> built before 2013. Newer programs after 2013 don't use it.
>>> Disable vsyscall emulation when Control-flow Enforcement (CET) is
>>> enabled to enhance security.
>>
>> How does this "enhance security"?
>>
>> What is the connection between vsyscall emulation and CET?
>
> Boom.
>
> We don't break compatibility by default, and you should not tell
> people to enable CET by default if you plan to do this.
I would revise the wording if there is another version. What this patch
does is:

If an application is compiled for CET and the system supports it, then
the application cannot do vsyscall emulation. Earlier we allowed the
emulation, and had a patch that fixes the shadow stack and endbr for the
emulation code. Since newer programs mostly do not do the emulation, we
changed the patch to block it when attempted.

This patch would not block any legacy applications or any applications
on older machines.

Yu-cheng