| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CABe3_aE4+06Um2x3e1D=M6Z1uX4wX8OjdcT48FueXRp+=KD=-w@mail.gmail.com> Date: Fri, 26 Sep 2025 16:28:58 -0400 From: Charles Mirabile <cmirabil@...hat.com> To: Deepak Gupta <debug@...osinc.com> Cc: pjw@...nel.org, Liam.Howlett@...cle.com, a.hindborg@...nel.org, akpm@...ux-foundation.org, alex.gaynor@...il.com, alexghiti@...osinc.com, aliceryhl@...gle.com, alistair.francis@....com, andybnac@...il.com, aou@...s.berkeley.edu, arnd@...db.de, atishp@...osinc.com, bjorn3_gh@...tonmail.com, boqun.feng@...il.com, bp@...en8.de, brauner@...nel.org, broonie@...nel.org, charlie@...osinc.com, cleger@...osinc.com, conor+dt@...nel.org, conor@...nel.org, corbet@....net, dave.hansen@...ux.intel.com, david@...hat.com, devicetree@...r.kernel.org, ebiederm@...ssion.com, evan@...osinc.com, gary@...yguo.net, hpa@...or.com, jannh@...gle.com, jim.shu@...ive.com, kees@...nel.org, kito.cheng@...ive.com, krzk+dt@...nel.org, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-mm@...ck.org, linux-riscv@...ts.infradead.org, lorenzo.stoakes@...cle.com, lossin@...nel.org, mingo@...hat.com, ojeda@...nel.org, oleg@...hat.com, palmer@...belt.com, paul.walmsley@...ive.com, peterz@...radead.org, richard.henderson@...aro.org, rick.p.edgecombe@...el.com, robh@...nel.org, rust-for-linux@...r.kernel.org, samitolvanen@...gle.com, shuah@...nel.org, tglx@...utronix.de, tmgross@...ch.edu, vbabka@...e.cz, x86@...nel.org, zong.li@...ive.com Subject: Re: [PATCH v19 00/27] riscv control-flow integrity for usermode Hi Deepak - On Fri, Sep 26, 2025 at 3:57 PM Deepak Gupta <debug@...osinc.com> wrote: > > Hi Charles, > > Thanks for response. Rest inline > > On Fri, Sep 26, 2025 at 03:29:19PM -0400, Charles Mirabile wrote: > >Hi - > > > >Hoping that I got everything right with git-send-email so that this is > >delivered alright... > > > >Wanted to jump in to head off a potential talking past one another / > >miscommunication situation I see here. > > > >On Wed, Sep 24, 2025 at 08:36:11AM -0600, Paul Walmsley wrote: > >> Hi, > >> > >> On Thu, 31 Jul 2025, Deepak Gupta wrote: > >> > >> [ ... ] > >> > >> > vDSO related Opens (in the flux) > >> > ================================= > >> > > >> > I am listing these opens for laying out plan and what to expect in future > >> > patch sets. And of course for the sake of discussion. > >> > > >> > >> [ ... ] > >> > >> > How many vDSOs > >> > --------------- > >> > Shadow stack instructions are carved out of zimop (may be operations) and if CPU > >> > doesn't implement zimop, they're illegal instructions. Kernel could be running on > >> > a CPU which may or may not implement zimop. And thus kernel will have to carry 2 > >> > different vDSOs and expose the appropriate one depending on whether CPU implements > >> > zimop or not. > >> > >> If we merge this series without this, then when CFI is enabled in the > >> Kconfig, we'll wind up with a non-portable kernel that won't run on older > >> hardware. We go to great lengths to enable kernel binary portability > >> across the presence or absence of other RISC-V extensions, and I think > >> these CFI extensions should be no different. > > > >That is not true, this series does not contain the VDSO changes so it can > >be merged as is. > > Look at patch 23/27. It does have vDSO change. Although shadow stack > instruction are inserted as compiled flag for vDSO only when cfi config is > selected by user. Right now default is "No". So it won't impact anyone unles > user explicitly says "Yes". Yes sorry I caught that after hitting send and replied to my own email (but then I said 19/27 instead of 23/27 *facepalm*) > > > > >> > >> So before considering this for merging, I'd like to see at least an > >> attempt to implement the dual-vDSO approach (or something equivalent) > >> where the same kernel binary with CFI enabled can run on both pre-Zimop > >> and post-Zimop hardware, with the existing userspaces that are common > >> today. > > > >I agree that when the VDSO patches are submitted for inclusion they should > >be written in a way that avoids limiting the entire kernel to either > >pre-Zimop or post-Zimop hardware based on the config, but I think it > >should be quite possible to perform e.g. runtime patching of the VDSO > >to replace the Zimop instructions with nops if the config is enabled but > >the hardware does not support Zimop. > > Why kernel need to do this extra work of carry two binaries and patching it > runtime? > > If for instance we do this, and then this allow this kernel to be taken to > pre-Zimop hardware, it is assumed that entire userspace for such hardware > was compiled without shadow stack (thus no zimop). In that case, kernel > should have been compiled without CFI option. You raise a good point, it just breaks the tradition of runtime detection and backwards compat that has been the standard for riscv extensions in the kernel so far. It would be nice if a kernel could be built that would run on both pre-Zimop and post-Zimop hardware and be able to offer CFI to userspace when running on hardware with Zimop (and Zicfiss / Zicfilp) but agree that it is a burden. > > Just for sake of thought exercise, let's say Fedora 43 is first release with > RVA23 compatiblity (zimop and shadow stack), there is no way this and future > release will be able to run on pre-zimop hardware. Unless redhat is going to > start two different binary distribution. One for pre-zimop and one for > post-zimop. If that would be the case, then compiling two different kernel for > such two different hardware would be least of the worry. It would be one thing if there were hardware supporting Zimop/Zicfiss/Zicfilp readily available, but I am not aware of any platform other than qemu to test this code. Since it breaks compatibility with hardware I am not sure anyone will be able to do anything with this config option and it moves the burden on to each distro to go in and specifically enabling it vs just making things work to get important security improvements if the hardware has support and not if it doesn't in a backwards compatible way. > > Only other usecase is of a seasoned kernel developer or build your own stuff > in embedded environment, those users can anyways are advanced users. But it > forces complexity on rest of kernel. There will be more extensions taking zimop > encodings in future, we will end up patching vDSO and keep this complexity > while rest of the userspace will not be patched and will be separate binary > distribution (if OS distros endup distributing multiple binaries per release) > > > > >However, that concern should not hold up this patch series. Raise it again > >when the VDSO patches are posted. > > As I said earlier, these changes default cfi config to No. So whenever this > is selected "Yes" by a distro, they can drive such patches (if there is a real > need) If we did the patching we could make this config default to yes to that you are building a kernel that is set up to be able to offer CFI when running on hardware which supports it as long as you have a toolchain that recognizes the extensions which I think would be good for moving this important security feature forward. > > > > >> > >> thanks Deepak, > >> > >> - Paul > > > >Best - Charlie > > > Sorry for stirring the pot on this. I really appreciate your work on this patch series. I agree that this is a difficult call, and I could see it going either way but I lean towards trying to maintain the backwards compatibility because the hardware doesn't exist yet. Best - Charlie
Powered by blists - more mailing lists