Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks

From: Edgecombe, Rick P
Date: Mon Oct 02 2023 - 17:43:35 EST

Next message: Phillip Potter: "Re: [PATCH v2 01/15] cdrom: Remove now superfluous sentinel element from ctl_table array"
Previous message: Nick Child: "Re: [net-next PATCH 3/4] netdev: replace napi_reschedule with napi_schedule"
In reply to: Mark Brown: "Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks"
Next in thread: Mark Brown: "Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2023-10-02 at 20:49 +0100, Mark Brown wrote:
> On Thu, Sep 28, 2023 at 05:59:25PM +0100, Szabolcs Nagy wrote:
> > The 08/23/2023 14:11, Catalin Marinas wrote:
>
> > > > and there is user code doing raw clone threads (such threads
> > > > are
> > > > technically not allowed to call into libc) it's not immediately
> > > > clear to me if having gcs in those threads is better or worse.
>
> > i think raw clone / clone3 users may be relevant so we need a
> > solution such that they don't fail when gcs args are missing.
>
> Are we sure about that? Old binaries shouldn't be affected since
> they
> won't turn GCS so we're just talking about new binaries here - are
> there
> really so many of them that we won't be able to get them all
> converted
> over to clone3() and GCS in the timescales we're talking about for
> GCS
> deployment? I obviously don't particularly mind having the default
> size
> logic but if we allow clone() then that's keeping the existing
> behaviour
> and layering allocation via clone3() on top of it which Catalin
> didn't
> want.

On the x86 side, there have been a lot of binaries generated that have
been blindly marked as supporting shadow stack. So even if they are not
old, there may still be mismarked ones using clone().

In general there are a lot of tradeoffs with shadow stack between
security, compatibility and performance. Szabolcs had previously
discussed some ideas around all three:
- compatibility (automatic sigaltstack())
- performance/utility (creating a new libc API for makecontext())
- security (token schemes to guarantee only one user of a shadow
stack at a time)

On the x86 kernel side, we had our hands tied a bit by the existing
userspace, and kind of ended up with a mix. I imagined that we might
see demand along one of those axes after some real world use. At which
point we could add some opt-in ABI tweaks to help.

If ARM is thinking of doing things differently than x86, you might
think about how you weight those tradeoffs. Like, it might be silly to
worry about clone() support if something else ends up breaking
compatibility majorly. But, it might be worthwhile it you end up going
to the proposed extremes around signal alt stacks, to maximize
compatibility

Also then maybe x86 could copy the ARM ABI some day, if it ends up
chasing the tradeoff people prefer. It probably goes without saying
that the closer these features behave from the app developer
perspective, the better. So a different ABI than x86 that also targets
a mix would be a bit unfortunate. (not the end of the world though)

Anyway, just wanted to share some perspective there. Sorry for joining
this thread so late.

Next message: Phillip Potter: "Re: [PATCH v2 01/15] cdrom: Remove now superfluous sentinel element from ctl_table array"
Previous message: Nick Child: "Re: [net-next PATCH 3/4] netdev: replace napi_reschedule with napi_schedule"
In reply to: Mark Brown: "Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks"
Next in thread: Mark Brown: "Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]