Re: [PATCH 00/35] Shadow stacks for userspace

From: Cyrill Gorcunov
Date: Tue Feb 08 2022 - 04:29:31 EST


On Tue, Feb 08, 2022 at 11:16:51AM +0200, Mike Rapoport wrote:
>
> > Any thoughts on how you would _like_ to see this resolved?
>
> Ideally, CRIU will need a knob that will tell the kernel/CET machinery
> where the next RET will jump, along the lines of
> restore_signal_shadow_stack() AFAIU.
>
> But such a knob will immediately reduce the security value of the entire
> thing, and I don't have good ideas how to deal with it :(

Probably a kind of latch in the task_struct which would trigger off once
return to a different address happened, thus we would be able to jump inside
parasite code. Of course such trigger should be available under proper
capability only.