Re: [PATCH v7 28/41] x86: Introduce userspace API for shadow stack
From: Borislav Petkov
Date: Fri Mar 10 2023 - 06:42:18 EST
On Fri, Mar 10, 2023 at 01:13:42AM +0000, Edgecombe, Rick P wrote:
> See "x86: Expose thread features in /proc/$PID/status" for the patch.
> We could emit something in dmesg I guess? The logic would be:
dmesg is just flaky: ring buffer can get overwritten, users don't see
it, ...
> The compatibility problems are totally the mess in this whole thing.
> When you try to look at a "permissive" mode that actually works it gets
> even more complex. Joao and I have been banging our heads on that
> problem for months.
Oh yeah, I'm soo NOT jealous. :-\
> But there are some expected users of this that say: we compile and
> check our known set of binaries, we won't get any surprises. So it's
> more of a distro problem.
I'm guessing what will happen here is that distros will gradually enable
shstk and once it is ubiquitous, there will be no reason to disable it
at all.
> You mean a late loaded dlopen()ed DSO? The enabling logic can't know
> this will happen ahead of time.
No, I meant the case where you start with shstk enabled and later
disable it when some lib does not support it.
>From now on that whole process is marked as "cannot use shstk anymore"
and any other shared object that tries to use shstk simply doesn't get
it.
But meh, this makes the situation even more convoluted as the stuff that
has loaded before the first shstk-not-supporting lib, already uses
shstk.
So you have half and half.
What a mess.
> I hope non-permissive mode is the standard usage eventually.
Yah.
> I think if you trust your libc, glibc could implement this in userspace
> too. It would be useful even as as testing override.
No, you cannot trust any userspace. And there are other libc's beside
glibc.
This should be a kernel parameter. I'm not saying we should do it now
but we should do it at some point.
So that user Boris again, he installs his new shiny distro, he checks
that all the use cases and software he uses there is already
shstk-enabled and then he goes and builds the kernel with
CONFIG_X86_USER_SHADOW_STACK_STRICT=y
or supplies a cmdline param and from now on, nothing can run without
shstk. No checking, no trusting, no nothing.
We fail any thread creation which doesn't init shstk.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette