Re: [PATCH v4 03/36] arm64/gcs: Document the ABI for Guarded Control Stacks
From: Mark Brown
Date: Wed Aug 30 2023 - 14:46:23 EST
On Wed, Aug 30, 2023 at 01:37:33PM +0100, Szabolcs Nagy wrote:
> The 08/24/2023 16:43, Catalin Marinas wrote:
> > Is there a use-case for the unlocked configuration to allow disabling
> > the GCS implicitly via a clone syscall?
> how would you handle clone or clone3 without gcs specified?
> (in the cases when clone creates a new thread with new stack)
> (1) fail.
> (2) allocate gcs.
> (3) disable gcs.
...
> problem with (2) is that the size policy and lifetime management
> is in the kernel then. (since only special cases are affected i
> guess that is ok, but i assumed we want to avoid this by moving
> to clone3 and user managed gcs).
Right, it seems like if we go with this then we may as well just allow
plain clone() too.
> the problem with (3) is escaping the security measure, however
> it only applies to very special threads that can always decide
> to opt-in to gcs, so i don't see this as such a bad option and
> at least bw compat with existing code. (in my threat model the
> attacker cannot hijack clone syscalls as that seems stronger
> than hijacking return addresses.)
It doesn't seem great to have a feature which is to a large extent a
security feature where we provide a fairly straightforward mechanism for
disabling the feature and actively expect things to be using it.
Given the timescales until this gets practically deployed on arm64 I
would be inclined to go with making things fail and forcing updates in
the users, though obviously that's less helpful for x86 where the
hardware is in user hands already so it's more of a pressing issue (and
there's already what is effectively option 2 in the code). We could
have the architectures diverge, as you say the effect is likely to be
mainly in very low level code rather than general software.
Attachment:
signature.asc
Description: PGP signature