| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aNbxpVddsTXL7F6T@debug.ba.rivosinc.com> Date: Fri, 26 Sep 2025 13:03:49 -0700 From: Deepak Gupta <debug@...osinc.com> To: Charles Mirabile <cmirabil@...hat.com> Cc: Liam.Howlett@...cle.com, a.hindborg@...nel.org, akpm@...ux-foundation.org, alex.gaynor@...il.com, alexghiti@...osinc.com, aliceryhl@...gle.com, alistair.francis@....com, andybnac@...il.com, aou@...s.berkeley.edu, arnd@...db.de, atishp@...osinc.com, bjorn3_gh@...tonmail.com, boqun.feng@...il.com, bp@...en8.de, brauner@...nel.org, broonie@...nel.org, charlie@...osinc.com, cleger@...osinc.com, conor+dt@...nel.org, conor@...nel.org, corbet@....net, dave.hansen@...ux.intel.com, david@...hat.com, devicetree@...r.kernel.org, ebiederm@...ssion.com, evan@...osinc.com, gary@...yguo.net, hpa@...or.com, jannh@...gle.com, jim.shu@...ive.com, kees@...nel.org, kito.cheng@...ive.com, krzk+dt@...nel.org, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-mm@...ck.org, linux-riscv@...ts.infradead.org, lorenzo.stoakes@...cle.com, lossin@...nel.org, mingo@...hat.com, ojeda@...nel.org, oleg@...hat.com, palmer@...belt.com, paul.walmsley@...ive.com, peterz@...radead.org, pjw@...nel.org, richard.henderson@...aro.org, rick.p.edgecombe@...el.com, robh@...nel.org, rust-for-linux@...r.kernel.org, samitolvanen@...gle.com, shuah@...nel.org, tglx@...utronix.de, tmgross@...ch.edu, vbabka@...e.cz, x86@...nel.org, zong.li@...ive.com Subject: Re: [PATCH v19 00/27] riscv control-flow integrity for usermode On Fri, Sep 26, 2025 at 03:52:24PM -0400, Charles Mirabile wrote: >Hi - > >Sorry for my previous email, I realized I was mistaken... > >On Fri, Sep 26, 2025 at 03:29:19PM -0400, Charles Mirabile wrote: >> Hi - >> >> Hoping that I got everything right with git-send-email so that this is >> delivered alright... >> >> Wanted to jump in to head off a potential talking past one another / >> miscommunication situation I see here. >> >> On Wed, Sep 24, 2025 at 08:36:11AM -0600, Paul Walmsley wrote: >> > Hi, >> > >> > On Thu, 31 Jul 2025, Deepak Gupta wrote: >> > >> > [ ... ] >> > >> > > vDSO related Opens (in the flux) >> > > ================================= >> > > >> > > I am listing these opens for laying out plan and what to expect in future >> > > patch sets. And of course for the sake of discussion. >> > > >> > >> > [ ... ] >> > >> > > How many vDSOs >> > > --------------- >> > > Shadow stack instructions are carved out of zimop (may be operations) and if CPU >> > > doesn't implement zimop, they're illegal instructions. Kernel could be running on >> > > a CPU which may or may not implement zimop. And thus kernel will have to carry 2 >> > > different vDSOs and expose the appropriate one depending on whether CPU implements >> > > zimop or not. >> > >> > If we merge this series without this, then when CFI is enabled in the >> > Kconfig, we'll wind up with a non-portable kernel that won't run on older >> > hardware. We go to great lengths to enable kernel binary portability >> > across the presence or absence of other RISC-V extensions, and I think >> > these CFI extensions should be no different. >> >> That is not true, this series does not contain the VDSO changes so it can >> be merged as is. > >Oops... no sorry, it looks like it does. See 19/27. I was misled by the >cover letter which said to pick that patch separately. I completely agree >that that needs to not be included if this is to be merged. Yes I sent another email. > >> >> > >> > So before considering this for merging, I'd like to see at least an >> > attempt to implement the dual-vDSO approach (or something equivalent) >> > where the same kernel binary with CFI enabled can run on both pre-Zimop >> > and post-Zimop hardware, with the existing userspaces that are common >> > today. >> >> I agree that when the VDSO patches are submitted for inclusion they should >> be written in a way that avoids limiting the entire kernel to either >> pre-Zimop or post-Zimop hardware based on the config, but I think it >> should be quite possible to perform e.g. runtime patching of the VDSO >> to replace the Zimop instructions with nops if the config is enabled but >> the hardware does not support Zimop. >> >> However, that concern should not hold up this patch series. Raise it again >> when the VDSO patches are posted. > >@Deepak, would it be possible to just resend this without the VDSO patch? No we can't do that because if cfi is opted yes and user enables it then an indirect jump to vDSO function will result in a trap to supervisor and then SIGSEGV. We can compile vDSO without shadow stack option. That leaves vDSO as the only object in address space of program open to code re-use gadgets because return path is not protected with shadow stack (thus dilutes security properties) > >Or to rework as I had alluded to to check for the presense of the extension >and remove the instructions from the VDSO at boot if it is not found? I have responded to your earlier e-mail on this. TLDR is If kernel is required to carry two different libraries with a need of patching it in runtime, while rest of the userspace can't be patched in runtime. Is it worth the complexity to enforce on kernel? Because we then will be doing this for every future extension which takes encodings form zimop space while rest of the userspace really can't do that. > >> >> > >> > thanks Deepak, >> > >> > - Paul >> >> Best - Charlie >> > >Best - Charlie >
Powered by blists - more mailing lists