Re: [PATCH RFC/RFT 3/3] kernel: converge common shadow stack flow agnostic to arch
From: Mark Brown
Date: Sat Oct 12 2024 - 04:50:07 EST
On Fri, Oct 11, 2024 at 10:05:50AM -0700, Deepak Gupta wrote:
> On Fri, Oct 11, 2024 at 01:33:05PM +0100, Mark Brown wrote:
> > On Thu, Oct 10, 2024 at 05:32:05PM -0700, Deepak Gupta wrote:
> > > +unsigned long alloc_shstk(unsigned long addr, unsigned long size,
> > > + unsigned long token_offset, bool set_res_tok);
> > > +int shstk_setup(void);
> > > +int create_rstor_token(unsigned long ssp, unsigned long *token_addr);
> > > +bool cpu_supports_shadow_stack(void);
> > The cpu_ naming is confusing in an arm64 context, we use cpu_ for
> > functions that report if a feature is supported on the current CPU and
> > system_ for functions that report if a feature is enabled on the system.
> hmm...
> Curious. What's the difference between cpu and system?
Like I say above cpu_ is for the current CPU and system_ is for the
system as a whole. On a big.LITTLE system it's common to have a mix of
implementations which don't have consistent feature sets.
> We can ditch both cpu and system and call it
> `user_shstk_supported()`. Again not a great name but all we are looking for
> is whether user shadow stack is supported or not.
That avoids the confusion so works for me.
> > > +void set_thread_shstk_status(bool enable);
> >
> > It might be better if this took the flags that the prctl() takes? It
> > feels like
> hmm we can do that. But I imagine it might get invoked from other flow as well.
I'd expect that any other contexts would be either copying an existing
set of flags or disabling either of which should be managable.
> Although instead of `bool`, we can take `unsigned long` here. It would work for now
> for `prctl` and future users get options to chisel around it.
> I'll do that.
Sounds good.
> > > +void set_thread_shstk_status(bool enable)
> > > +{
> > > + arch_set_thread_shstk_status(enable);
> > > +}
> > arm64 can return an error here, we reject a bunch of conditions like 32
> > bit threads and locked enable status.
> Ok.
> You would like this error to be `bool` or an `int`?
An int seems safer (eg, differentiating not supported, invalid arguments
and permission failures).
> > > + unsigned long addr, size;
> > > + /* Already enabled */
> > > + if (is_shstk_enabled(current))
> > > + return 0;
> > > + /* Also not supported for 32 bit */
> > > + if (!cpu_supports_shadow_stack() ||
> > > + (IS_ENABLED(CONFIG_X86_64) && in_ia32_syscall()))
> > > + return -EOPNOTSUPP;
> > We probably need a thread_supports_shstk(),
> `is_shstk_enabled(current)` doesn't work?
No, we just checked that immediately above - this is checking we're not
trying to enable shadow stack on a 32 bit task so it's a per task
property separate to the task already being enabled.
Attachment:
signature.asc
Description: PGP signature