Re: [PATCH 06/10] x86/cet: Add arch_prctl functions for shadow stack
From: Andy Lutomirski
Date: Tue Jun 12 2018 - 12:34:41 EST
On Tue, Jun 12, 2018 at 9:05 AM H.J. Lu <hjl.tools@xxxxxxxxx> wrote:
> On Tue, Jun 12, 2018 at 9:01 AM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> > On Tue, Jun 12, 2018 at 4:43 AM H.J. Lu <hjl.tools@xxxxxxxxx> wrote:
> >> On Tue, Jun 12, 2018 at 3:03 AM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> >> > On Thu, 7 Jun 2018, H.J. Lu wrote:
> >> >> On Thu, Jun 7, 2018 at 2:01 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> >> >> > Why is the lockout necessary? If user code enables CET and tries to
> >> >> > run code that doesn't support CET, it will crash. I don't see why we
> >> >> > need special code in the kernel to prevent a user program from calling
> >> >> > arch_prctl() and crashing itself. There are already plenty of ways to
> >> >> > do that :)
> >> >>
> >> >> On CET enabled machine, not all programs nor shared libraries are
> >> >> CET enabled. But since ld.so is CET enabled, all programs start
> >> >> as CET enabled. ld.so will disable CET if a program or any of its shared
> >> >> libraries aren't CET enabled. ld.so will lock up CET once it is done CET
> >> >> checking so that CET can't no longer be disabled afterwards.
> >> >
> >> > That works for stuff which loads all libraries at start time, but what
> >> > happens if the program uses dlopen() later on? If CET is force locked and
> >> > the library is not CET enabled, it will fail.
> >> That is to prevent disabling CET by dlopening a legacy shared library.
> >> > I don't see the point of trying to support CET by magic. It adds complexity
> >> > and you'll never be able to handle all corner cases correctly. dlopen() is
> >> > not even a corner case.
> >> That is a price we pay for security. To enable CET, especially shadow
> >> shack, the program and all of shared libraries it uses should be CET
> >> enabled. Most of programs can be enabled with CET by compiling them
> >> with -fcf-protection.
> > If you charge too high a price for security, people may turn it off.
> > I think we're going to need a mode where a program says "I want to use
> > the CET, but turn it off if I dlopen an unsupported library". There
> > are programs that load binary-only plugins.
> You can do
> # export GLIBC_TUNABLES=glibc.tune.hwcaps=-SHSTK
> which turns off shadow stack.
Which exactly illustrates my point. By making your security story too
absolute, you'll force people to turn it off when they don't need to.
If I'm using a fully CET-ified distro and I'm using a CET-aware
program that loads binary plugins, and I may or may not have an old
(binary-only, perhaps) plugin that doesn't support CET, then the
behavior I want is for CET to be on until I dlopen() a program that
doesn't support it. Unless there's some ABI reason why that can't be
done, but I don't think there is.
I'm concerned that the entire concept of locking CET is there to solve
a security problem that doesn't actually exist.