Re: [PATCH v2 29/39] x86/cet/shstk: Support wrss for userspace
From: Edgecombe, Rick P
Date: Wed Oct 05 2022 - 20:38:20 EST
On Mon, 2022-10-03 at 21:37 -0700, Kees Cook wrote:
> On Mon, Oct 03, 2022 at 04:00:36PM -0700, Andy Lutomirski wrote:
> > On 10/3/22 15:28, Kees Cook wrote:
> > > On Thu, Sep 29, 2022 at 03:29:26PM -0700, Rick Edgecombe wrote:
> > > > For the current shadow stack implementation, shadow stacks
> > > > contents easily
> > > > be arbitrarily provisioned with data.
> > >
> > > I can't parse this sentence.
> > >
> > > > This property helps apps protect
> > > > themselves better, but also restricts any potential apps that
> > > > may want to
> > > > do exotic things at the expense of a little security.
> > >
> > > Is anything using this right now? Wouldn't thing be safer without
> > > WRSS?
> > > (Why can't we skip this patch?)
> > >
> > So that people don't write programs that need either (shstk off) or
> > (shstk
> > on and WRSS on) and crash or otherwise fail on kernels that support
> > shstk
> > but don't support WRSS, perhaps?
> Right, yes. I meant more "what programs currently need WRSS to
> under shstk? (And what is it that they are doing that needs it?)"
> All is see currently is compiler self-tests and emulators using it?
Most apps that weren't just automatically compiled haven't had
implementation effort yet. (of course glibc has had a bunch) I hope we
would see more of that when we finally get it upstream. So I think a
better question is, how many apps will need WRSS when they go to enable
shadow stack. I'm thinking the answer must be some and it could be nice
to catch them when they first investigate enabling it.
But yes, except for Mike's CRIU branch, there aren't any programs that
use it today, and we could drop it for a first implementation. I don't
see it as something that would only make things less safe though. It
just lets apps that can't easily work within the stricter shadow stack
environment, at least get access to a weaker but still beneficial one.
Kees, did you catch that it can be locked off while enabling shadow