Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description

From: Edgecombe, Rick P
Date: Thu Jul 06 2023 - 14:25:39 EST

Next message: Jiaqi Yan: "Re: [PATCH v2 2/4] mm/hwpoison: check if a subpage of a hugetlb folio is raw HWPOISON"
Previous message: Bart Van Assche: "Re: [PATCH RFC 5/7] blk-mq: record the number of times fail to get driver tag while sharing tags"
In reply to: szabolcs.nagy@xxxxxxx: "Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description"
Next in thread: szabolcs.nagy@xxxxxxx: "Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2023-07-06 at 14:07 +0100, szabolcs.nagy@xxxxxxx wrote:

[ snip ]
>
> instead of priority, i'd say "posix conform c apps work
> without change" is a benchmark i use to see if the design
> is sound.

This involves leaking shadow stacks for sigaltstack and makecontext,
though, right? This seems kind of wrong. It might be useful for
avoiding crashes at all costs, but probably shouldn't be the long term
solution. I thought your API updates were the right direction.

But, I'm of course not a glibc developer. HJ and friends would have to
agree to all of that.

>
> i do not have a particular workload (or distro) in mind, so
> i have to reason through the cases that make sense and the
> current linux syscall abi allows, but fail or difficult to
> support with shadow stacks.
>
> one such case is jumping back to an alt stack (i.e. inactive
> live alt stack):
>
> - with shared shadow stack this does not work in many cases.
>
> - with alt shadow stack this extends the lifetime beyond the
> point it become inactive (so it cannot be freed).
>
> if there are no inactive live alt stacks then *both* shared
> and implicit alt shadow stack works. and to me it looked
> like implicit alt shadow stack is simply better of those two
> (more alt shadow stack use-cases are supported, shadow stack
> overflow can be handled. drawback: complications due to the
> discontinous shadow stack.)
>
> on arm64 i personally don't like the idea of "deal with alt
> shadow stack later" because it likely requires a v2 abi
> affecting the unwinder and jump implementations. (later
> extensions are fine if they are bw compat and discoverable)

I think you could do it, if your signal handler can push data on the
shadow stack like x86 does. I'd start with a padded shadow stack signal
frame though, and not trust userspace to parse it.

>
> one nasty case is shadow stack overflow handling, but i
> think i have a solution for that (not the nicest thing:
> it involves setting the top bit on the last entry on the
> shadow stack instead of adding a new entry to it. + a new
> syscall that can switch to this entry. i havent convinced
> myself about this yet).

There might be some complicated thing around storing the last shadow
stack entry into the shadow stack sigframe and restoring it on
sigreturn. Then writing a token from the kernel to where the saved
frame was to live there in the meantime.

But to me this whole search, restore and INCSSP thing is suspect at
this point though. We could also increase compatibility and performance
more simply, by adding kernel help, at the expense of security.

[ snip ]

> slow longjmp is bad. (well longjmp is actually always slow
> in glibc because it sets the signalmask with a syscall, but
> there are other jump operations that don't do this and want
> to be fast so yes we want fast jump to be possible).
>
> jumping up the shadow stack is at least linear time in the
> number of frames jumped over (which already sounds significant
> slowdown however this is amortized by the fact that the stack
> frames had to be created at some point and that is actually a
> lot more expensive because it involves write operations, so a
> zero cost jump will not do any asymptotic speedup compared to
> a linear cost jump as far as i can see.).
>
> with my proposed solution the jump is still linear. (i know
> x86 incssp can jump many entries at a time and does not have
> to actually read and check the entries, but technically it's
> linear time too: you have to do at least one read per page to
> have the guardpage protection). this all looks fine to me
> even for extreme made up workloads.

Well I guess we are talking about hypothetical performance. But linear
time is still worse than O(1). And I thought longjmp() was supposed to
be an O(1) type thing.

Separate from all of this...now that all the constraints are clearer,
if you have changed your mind on whether this series is ready, could
you comment at the top of this thread something to that effect? I'm
imagining not many are reading so far down at this point.

For my part, I think we should go forward with what we have on the
kernel side, unless glibc/gcc developers would like to start by
deprecating the existing binaries. I just talked with HJ, and he has
not changed his plans around this. If anyone else in that community has
(Florian?), please speak up. But otherwise I think it's better to start
getting real world feedback and grow based on that.

Next message: Jiaqi Yan: "Re: [PATCH v2 2/4] mm/hwpoison: check if a subpage of a hugetlb folio is raw HWPOISON"
Previous message: Bart Van Assche: "Re: [PATCH RFC 5/7] blk-mq: record the number of times fail to get driver tag while sharing tags"
In reply to: szabolcs.nagy@xxxxxxx: "Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description"
Next in thread: szabolcs.nagy@xxxxxxx: "Re: [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]