Date:   Tue, 18 Jul 2023 17:45:01 +0000
From:   "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
To:     "corbet@....net" <corbet@....net>,
        "ardb@...nel.org" <ardb@...nel.org>,
        "maz@...nel.org" <maz@...nel.org>,
        "shuah@...nel.org" <shuah@...nel.org>,
        "Szabolcs.Nagy@....com" <Szabolcs.Nagy@....com>,
        "keescook@...omium.org" <keescook@...omium.org>,
        "james.morse@....com" <james.morse@....com>,
        "debug@...osinc.com" <debug@...osinc.com>,
        "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
        "catalin.marinas@....com" <catalin.marinas@....com>,
        "oleg@...hat.com" <oleg@...hat.com>,
        "arnd@...db.de" <arnd@...db.de>,
        "ebiederm@...ssion.com" <ebiederm@...ssion.com>,
        "will@...nel.org" <will@...nel.org>,
        "suzuki.poulose@....com" <suzuki.poulose@....com>,
        "oliver.upton@...ux.dev" <oliver.upton@...ux.dev>,
        "broonie@...nel.org" <broonie@...nel.org>
CC:     "hjl.tools@...il.com" <hjl.tools@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-riscv@...ts.infradead.org" <linux-riscv@...ts.infradead.org>,
        "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "paul.walmsley@...ive.com" <paul.walmsley@...ive.com>,
        "aou@...s.berkeley.edu" <aou@...s.berkeley.edu>,
        "palmer@...belt.com" <palmer@...belt.com>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        "kvmarm@...ts.linux.dev" <kvmarm@...ts.linux.dev>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>
Subject: Re: [PATCH 01/35] prctl: arch-agnostic prctl for shadow stack

On Sun, 2023-07-16 at 22:50 +0100, Mark Brown wrote:
> From: Deepak Gupta <debug@...osinc.com>
> 
> Three architectures (x86, aarch64, riscv) have announced support for
> shadow stack.  This patch adds arch-agnostic prctl support to
> enable/disable/get/set status of shadow stack and forward control
> (landing pad) flow cfi statuses.

What is this about forward control flow? Seems to be just about shadow
stack.

> 
> New prctls are
>       - PR_GET_SHADOW_STACK_STATUS, PR_SET_SHADOW_STACK_STATUS
> 
> Signed-off-by: Deepak Gupta <debug@...osinc.com>
> [Rebased onto current kernels, renumbering to track other allocations
>  already upstream, dropping indirect LP, updating to pass arg to set
>  by value, fix missing prototypes for weak functions and update title.
>  -- broonie]
> Signed-off-by: Mark Brown <broonie@...nel.org>

This is similar to the arch_prctl() thing x86 does, but I actually see
a fair amount of differences:

1. PR_SET_SHADOW_STACK_STATUS seems like a strange name for the thing
actually doing the whole enabling of the feature which involves
allocating memory, etc. And in the future a growing array of different
things (enabling push, write, etc).

2. x86 only allows one enabling/disabling operation at a time. So you
can't enable shadow stack AND WRSS with one syscall, for example. This
is to make it so it's clear which operation failed. Also, since some
features depend on others (WRSS), there would need to be some ordering
and rollback logic. There was some discussion about a batch enabling
arch_prctl() that could report failures independently, but it was
deemed premature optimization.

3. It only allows you to lock the whole feature, and not individual
subfeatures. For things like WRSS, it came up that there might be an
ELF bit, like the shadow stack one, but that works a bit differently.
Instead of only enabling shadow stack when ALL DSOs support the
feature, it would want to be enabled if ANY DSOs require it. So
userspace might want to do something like lock shadow stack, but leave
WRSS unlocked in case a dlopen() call came across a WRSS-requiring DSO.

4. To support CRIU, there needed to be a ptrace-only unlock feature.
The arch_prctl() has a special ptrace route to enforce that this unlock
is only coming from ptrace. Is there some way to do this with a regular
prctl()?

5. I see in the next patch there is hinted support for write and push
as well (although I can't find the implementation in the patches, am I
missing it?). X86 has something close enough to write, but not push.
What is the idea for when the features don't exactly match?

I think when Deepak originally brought up this unified prctl-based
interface, it seemed far away before we could tell if it *could* be
unified. Do either of you have any thoughts on whether the above points
could be incorporated?
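
A small user-space model of points 2 and 3 in the message above, added here as an illustration; it is not code from the message, the patch series or the kernel. It shows one feature per enable/disable call, the WRSS-on-shadow-stack dependency, and per-feature locking for the dlopen() case. The `model_*` names, the feature bit values and the chosen error codes are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>

/* Hypothetical feature bits for this model, not the kernel's definitions. */
#define F_SHSTK (1u << 0)  /* shadow stack */
#define F_WRSS  (1u << 1)  /* shadow stack writes; depends on F_SHSTK */
#define F_ALL   (F_SHSTK | F_WRSS)

struct task_model {
    uint32_t enabled;  /* features currently on */
    uint32_t locked;   /* features whose state may no longer change */
};

/* Enable (on=1) or disable (on=0) exactly one feature per call. */
int model_set(struct task_model *t, uint32_t f, int on)
{
    if (!f || (f & ~F_ALL) || (f & (f - 1)))
        return -EINVAL;  /* batch or unknown request is refused outright */
    if (t->locked & f)
        return -EPERM;
    if (on && f == F_WRSS && !(t->enabled & F_SHSTK))
        return -EPERM;   /* dependency not met, nothing to roll back */
    if (!on && f == F_SHSTK && (t->enabled & F_WRSS))
        return -EBUSY;   /* model choice: drop the dependent feature first */
    t->enabled = on ? (t->enabled | f) : (t->enabled & ~f);
    return 0;
}

/* Locking takes a mask, so subfeatures can be locked independently. */
int model_lock(struct task_model *t, uint32_t mask)
{
    if (mask & ~F_ALL)
        return -EINVAL;
    t->locked |= mask;
    return 0;
}

/* Point 3's loader case: lock shadow stack, leave WRSS open for a later dlopen(). */
int scenario_late_wrss(void)
{
    struct task_model t = { 0, 0 };
    if (model_set(&t, F_SHSTK | F_WRSS, 1) != -EINVAL) return -1;
    if (model_set(&t, F_WRSS, 1) != -EPERM) return -2;
    if (model_set(&t, F_SHSTK, 1) || model_lock(&t, F_SHSTK)) return -3;
    if (model_set(&t, F_SHSTK, 0) != -EPERM) return -4;
    if (model_set(&t, F_WRSS, 1)) return -5;  /* still permitted after the lock */
    return (int)t.enabled;
}
```

Because every call names a single feature, each return value maps to exactly one failed operation, which is the property point 2 describes.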
