lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZWHcBq0bJ+15eeKs@finisterre.sirena.org.uk>
Date:   Sat, 25 Nov 2023 11:35:34 +0000
From:   Mark Brown <broonie@...nel.org>
To:     Deepak Gupta <debug@...osinc.com>
Cc:     Rick Edgecombe <rick.p.edgecombe@...el.com>,
        Szabolcs Nagy <szabolcs.nagy@....com>,
        "H . J . Lu" <hjl.tools@...il.com>,
        Kees Cook <keescook@...omium.org>,
        Kito Cheng <kito.cheng@...ive.com>,
        linux-kernel@...r.kernel.org, libc-alpha@...rceware.org
Subject: Re: Shadow stack enabling from dynamic loader v/s kernel on exec

On Wed, Nov 22, 2023 at 04:19:51PM -0800, Deepak Gupta wrote:

> "Was there any other reason other than supporting ELF binaries that
> went ahead of kernel changes that
> led to decision of delegating of shadow stack enabling in dynamic loader"

> If there are other complications that can happen due to kernel
> enabling of shadow stack based on ELF bits,
> I would like to know about them.

This wouldn't play nicely with security policies that prevent disabling
the shadow stacks - it would be fine with the prctl() based locking but
something imposed externally with seccomp or similar would be there from
process start.

I'll also note that for arm64 BTI where we're less concerned with
compatibility (since the protection is per page we only need to make
sure that each ELF image is BTI enabled when we map it, we don't need to
worry about any further code that might be mapped/loaded) we only
enforce BTI for the dynamic loader, we still leave it to the dynamic
loader to remap the main executable as BTI.  The architecture
maintainers have a strong preference for delegating as much as possible
to userspace in order to reduce the potential for being locked into an
unwanted policy or having difficulty in working around breakage.  The
issues on x86 are an example of the sort of situation people are worried
about seeing in future.  I personally would be OK with directly
interpreting the ELF markings there but it wasn't the consensus.

On arm64 there would be the potential for disrupting some limited and
theoretical use cases where GCS is enabled even though some libraries do
not support it, we don't allow GCS to be reenabled for a thread after it
has been disabled in order to avoid dealing with the issues around
reinitiating the GCS for something that's a corner case.  x86 does allow
reenabling so wouldn't have that issue.

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ