| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 08 Feb 2022 08:21:20 -0800
From: "Andy Lutomirski" <luto@...nel.org>
To: "Cyrill Gorcunov" <gorcunov@...il.com>,
"Mike Rapoport" <rppt@...nel.org>
Cc: "Dave Hansen" <dave.hansen@...el.com>,
"Adrian Reber" <adrian@...as.de>,
"Rick P Edgecombe" <rick.p.edgecombe@...el.com>,
"the arch/x86 maintainers" <x86@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
"Thomas Gleixner" <tglx@...utronix.de>,
"Ingo Molnar" <mingo@...hat.com>,
"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-arch@...r.kernel.org,
"Linux API" <linux-api@...r.kernel.org>,
"Arnd Bergmann" <arnd@...db.de>,
"Balbir Singh" <bsingharora@...il.com>,
"Borislav Petkov" <bp@...en8.de>,
"Dave Hansen" <dave.hansen@...ux.intel.com>,
"Eugene Syromiatnikov" <esyr@...hat.com>,
"Florian Weimer" <fweimer@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, "Jann Horn" <jannh@...gle.com>,
"Jonathan Corbet" <corbet@....net>,
"Kees Cook" <keescook@...omium.org>,
"Mike Kravetz" <mike.kravetz@...cle.com>,
"Nadav Amit" <nadav.amit@...il.com>,
"Oleg Nesterov" <oleg@...hat.com>, "Pavel Machek" <pavel@....cz>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
"Randy Dunlap" <rdunlap@...radead.org>,
"Shankar, Ravi V" <ravi.v.shankar@...el.com>,
"Dave Martin" <Dave.Martin@....com>,
"Weijiang Yang" <weijiang.yang@...el.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
"Moreira, Joao" <joao.moreira@...el.com>,
"john.allen@....com" <john.allen@....com>,
"kcc@...gle.com" <kcc@...gle.com>,
"Eranian, Stephane" <eranian@...gle.com>,
"Andrei Vagin" <avagin@...il.com>,
"Dmitry Safonov" <0x7f454c46@...il.com>
Subject: Re: [PATCH 00/35] Shadow stacks for userspace
On Tue, Feb 8, 2022, at 1:29 AM, Cyrill Gorcunov wrote:
> On Tue, Feb 08, 2022 at 11:16:51AM +0200, Mike Rapoport wrote:
>>
>> > Any thoughts on how you would _like_ to see this resolved?
>>
>> Ideally, CRIU will need a knob that will tell the kernel/CET machinery
>> where the next RET will jump, along the lines of
>> restore_signal_shadow_stack() AFAIU.
>>
>> But such a knob will immediately reduce the security value of the entire
>> thing, and I don't have good ideas how to deal with it :(
>
> Probably a kind of latch in the task_struct which would trigger off once
> returt to a different address happened, thus we would be able to jump inside
> paratite code. Of course such trigger should be available under proper
> capability only.
I'm not fully in touch with how parasite, etc works. Are we talking about save or restore? If it's restore, what exactly does CRIU need to do? Is it just that CRIU needs to return out from its resume code into the to-be-resumed program without tripping CET? Would it be acceptable for CRIU to require that at least one shstk slot be free at save time? Or do we need a mechanism to atomically switch to a completely full shadow stack at resume?
Off the top of my head, a sigreturn (or sigreturn-like mechanism) that is intended for use for altshadowstack could safely verify a token on the altshdowstack, possibly compare to something in ucontext (or not -- this isn't clearly necessary) and switch back to the previous stack. CRIU could use that too. Obviously CRIU will need a way to populate the relevant stacks, but WRUSS can be used for that, and I think this is a fundamental requirement for CRIU -- CRIU restore absolutely needs a way to write the saved shadow stack data into the shadow stack.
So I think the only special capability that CRIU really needs is WRUSS, and we need to wire that up anyway.
Powered by blists - more mailing lists