lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 23 Jan 2024 17:54:17 +0000
From: Dave Martin <Dave.Martin@....com>
To: Mark Brown <broonie@...nel.org>
Cc: Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>, Jonathan Corbet <corbet@....net>,
	linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Edmund Grimley-Evans <edmund.grimley-evans@....com>
Subject: Re: [PATCH 1/4] arm64/sve: Remove bitrotted comment about syscall
 behaviour

On Tue, Jan 23, 2024 at 05:31:58PM +0000, Mark Brown wrote:
> On Tue, Jan 23, 2024 at 03:44:23PM +0000, Dave Martin wrote:
> > On Mon, Jan 22, 2024 at 08:41:51PM +0000, Mark Brown wrote:
> > > When we documented that we always clear state not shared with FPSIMD we
> 
> > Where / when?
> 
> In the document that is being modified when it was written.

Ah, right, I see this:

d09ee410a3c3 ("arm64/sve: Document our actual ABI for clearing registers on syscall")

where the zeroing is made explicit.

> 
> > > -* In practice the affected registers/bits will be preserved or will be replaced
> > > -  with zeros on return from a syscall, but userspace should not make
> > > -  assumptions about this.  The kernel behaviour may vary on a case-by-case
> > > -  basis.
> 
> > This was originally an intentionally conservative statement, to allow
> > the kernel the flexibility to relax the register zeroing behaviour in
> > the future.  It would have permitted not always disabling a task's SVE
> > across a syscall, for example.  There were some concerns about security
> > and testability that meant that we didn't use this flexibility to begin
> > with.
> 
> > If we are making an irrevocable commitment not to use this flexibility
> > ever, then this comment can go, but if we're not totally sure then I
> > think it would be harmless to keep it (?)
> 
> I think everyone except for Catalin had felt that the original
> discussion had concluded that there was a commitment to always clear the
> non-shared bits and was disappointed to learn that the documentation
> said otherwise.  When I tried to take advantage of this as part of
> optimising the system call overhead for SVE there were eventually
> complaints.
> 
> > (Feel free to point me to the relevant past discussion that I may have
> > missed.)
> 
> See the discussion on my syscall optimisation series:
> 
>     https://lore.kernel.org/all/20220620124158.482039-8-broonie@kernel.org/


I think my excuse would be that this was consciously left unresolved
when SVE originally went upstream: the kernel played safe by always
zeroing the bits, while userspace was told not to rely on this always
happening in future.

If the decision has effectively now been made to close the door
permanently those optimisations, then I guess it makes sense to clean
up the documentation to be as consistent as possible.


I still feel that it is iffy practice for userspace to rely on the
extra bits being zeroed -- I think the architecture hides this
guarantee anyway whenever you go through a function call confirming to
the regular procedure call standard (including the syscall wrappers).
But there may not be a lot of point trying to put people off if we
can't force them not to rely on it.

Cheers
---Dave

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ