From: Mark Rutland <mark.rutland@arm.com>
To: Dave Martin <Dave.Martin@arm.com>
Cc: linux-arch@vger.kernel.org, arnd@arndb.de, jiong.wang@arm.com,
marc.zyngier@arm.com, catalin.marinas@arm.com, yao.qi@arm.com,
will.deacon@arm.com, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: [kernel-hardening] Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support
Date: Fri, 11 Aug 2017 12:29:23 +0100 [thread overview]
Message-ID: <20170811112922.GE12985@leverpostej> (raw)
In-Reply-To: <20170725120630.GA8116@leverpostej>
On Tue, Jul 25, 2017 at 01:06:43PM +0100, Mark Rutland wrote:
> On Fri, Jul 21, 2017 at 06:05:09PM +0100, Dave Martin wrote:
> > On Wed, Jul 19, 2017 at 05:01:21PM +0100, Mark Rutland wrote:
> > > This series adds support for the ARMv8.3 pointer authentication extension.
>
> > > Open questions
> > > ==============
> > >
> > > * Should keys be per-thread rather than per-process?
> > >
> > > My understanding is that glibc can't (currently) handle threads having
> > > different keys, but it might be that another libc would prefer per-thread
> >
> > Can you elaborate?
> >
> > It's not valid to do a function return from one thread to another.
>
> Regardless of whether it's valid per the C spec or POSIX, some people
> use {set,get}context and {set,long}jmp in this manner (IIRC, QEMU does
> this), and my understanding is that similar tricks are in use in the
> bowels of glibc.
>
> Otherwise, my preference would be to have per-thread keys from day one.
Having considered comments I've received elsewhere, I've reversed my
position here. I think per-process keys are the more
sensible default since:
* This will allow us to protect function pointers in shared
datastructures such as vtables.
* Tasks have their own stacks, and values leaked from one stack cannot
be used to spoof return addresses on another.
* If an attacker can take control of one thread, they've already gained
code execution and/or primitives that can be used to attack the
process by other means.
Thanks,
Mark.
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: Dave Martin <Dave.Martin@arm.com>
Cc: linux-arch@vger.kernel.org, arnd@arndb.de, jiong.wang@arm.com,
marc.zyngier@arm.com, catalin.marinas@arm.com, yao.qi@arm.com,
will.deacon@arm.com, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support
Date: Fri, 11 Aug 2017 12:29:23 +0100 [thread overview]
Message-ID: <20170811112922.GE12985@leverpostej> (raw)
In-Reply-To: <20170725120630.GA8116@leverpostej>
On Tue, Jul 25, 2017 at 01:06:43PM +0100, Mark Rutland wrote:
> On Fri, Jul 21, 2017 at 06:05:09PM +0100, Dave Martin wrote:
> > On Wed, Jul 19, 2017 at 05:01:21PM +0100, Mark Rutland wrote:
> > > This series adds support for the ARMv8.3 pointer authentication extension.
>
> > > Open questions
> > > ==============
> > >
> > > * Should keys be per-thread rather than per-process?
> > >
> > > My understanding is that glibc can't (currently) handle threads having
> > > different keys, but it might be that another libc would prefer per-thread
> >
> > Can you elaborate?
> >
> > It's not valid to do a function return from one thread to another.
>
> Regardless of whether it's valid per the C spec or POSIX, some people
> use {set,get}context and {set,long}jmp in this manner (IIRC, QEMU does
> this), and my understanding is that similar tricks are in use in the
> bowels of glibc.
>
> Otherwise, my preference would be to have per-thread keys from day one.
Having considered comments I've received elsewhere, I've reversed my
position here. I think per-process keys are the more
sensible default since:
* This will allow us to protect function pointers in shared
datastructures such as vtables.
* Tasks have their own stacks, and values leaked from one stack cannot
be used to spoof return addresses on another.
* If an attacker can take control of one thread, they've already gained
code execution and/or primitives that can be used to attack the
process by other means.
Thanks,
Mark.
WARNING: multiple messages have this Message-ID (diff)
From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 00/11] ARMv8.3 pointer authentication userspace support
Date: Fri, 11 Aug 2017 12:29:23 +0100 [thread overview]
Message-ID: <20170811112922.GE12985@leverpostej> (raw)
In-Reply-To: <20170725120630.GA8116@leverpostej>
On Tue, Jul 25, 2017 at 01:06:43PM +0100, Mark Rutland wrote:
> On Fri, Jul 21, 2017 at 06:05:09PM +0100, Dave Martin wrote:
> > On Wed, Jul 19, 2017 at 05:01:21PM +0100, Mark Rutland wrote:
> > > This series adds support for the ARMv8.3 pointer authentication extension.
>
> > > Open questions
> > > ==============
> > >
> > > * Should keys be per-thread rather than per-process?
> > >
> > > My understanding is that glibc can't (currently) handle threads having
> > > different keys, but it might be that another libc would prefer per-thread
> >
> > Can you elaborate?
> >
> > It's not valid to do a function return from one thread to another.
>
> Regardless of whether it's valid per the C spec or POSIX, some people
> use {set,get}context and {set,long}jmp in this manner (IIRC, QEMU does
> this), and my understanding is that similar tricks are in use in the
> bowels of glibc.
>
> Otherwise, my preference would be to have per-thread keys from day one.
Having considered comments I've received elsewhere, I've reversed my
position here. I think per-process keys are the more
sensible default since:
* This will allow us to protect function pointers in shared
datastructures such as vtables.
* Tasks have their own stacks, and values leaked from one stack cannot
be used to spoof return addresses on another.
* If an attacker can take control of one thread, they've already gained
code execution and/or primitives that can be used to attack the
process by other means.
Thanks,
Mark.
next prev parent reply other threads:[~2017-08-11 11:29 UTC|newest]
Thread overview: 122+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-19 16:01 [kernel-hardening] [PATCH 00/11] ARMv8.3 pointer authentication userspace support Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [kernel-hardening] [PATCH 01/11] arm64: docs: describe ELF hwcaps Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-21 17:05 ` [kernel-hardening] " Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-24 10:47 ` [kernel-hardening] " Suzuki K Poulose
2017-07-24 10:47 ` Suzuki K Poulose
2017-07-24 10:47 ` Suzuki K Poulose
2017-08-03 14:49 ` [kernel-hardening] " Catalin Marinas
2017-08-03 14:49 ` Catalin Marinas
2017-08-03 14:49 ` Catalin Marinas
2017-08-03 17:57 ` [kernel-hardening] " Kees Cook
2017-08-03 17:57 ` Kees Cook
2017-08-03 17:57 ` Kees Cook
2017-07-19 16:01 ` [kernel-hardening] [PATCH 02/11] asm-generic: mm_hooks: allow hooks to be overridden individually Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [kernel-hardening] [PATCH 03/11] arm64: add pointer authentication register bits Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [kernel-hardening] [PATCH 04/11] arm64/cpufeature: add ARMv8.3 id_aa64isar1 bits Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-24 10:54 ` [kernel-hardening] " Suzuki K Poulose
2017-07-24 10:54 ` Suzuki K Poulose
2017-07-24 10:54 ` Suzuki K Poulose
2017-07-19 16:01 ` [kernel-hardening] [PATCH 05/11] arm64/cpufeature: detect pointer authentication Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [kernel-hardening] [PATCH 06/11] arm64: Don't trap host pointer auth use to EL2 Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-24 10:37 ` [kernel-hardening] " Dave Martin
2017-07-24 10:37 ` Dave Martin
2017-07-24 10:37 ` Dave Martin
2017-07-19 16:01 ` [kernel-hardening] [PATCH 07/11] arm64: add basic pointer authentication support Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-25 15:26 ` [kernel-hardening] " Dave Martin
2017-07-25 15:26 ` Dave Martin
2017-07-25 15:26 ` Dave Martin
2017-07-25 15:26 ` Dave Martin
2017-08-11 7:46 ` [kernel-hardening] " Yao Qi
2017-08-11 7:46 ` Yao Qi
2017-08-11 7:46 ` Yao Qi
2017-08-11 8:45 ` [kernel-hardening] " Dave Martin
2017-08-11 8:45 ` Dave Martin
2017-08-11 8:45 ` Dave Martin
2017-08-11 8:45 ` Dave Martin
2017-07-19 16:01 ` [kernel-hardening] [PATCH 08/11] arm64: expose user PAC bit positions via ptrace Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [kernel-hardening] [PATCH 09/11] arm64/kvm: preserve host HCR_EL2 value Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-08-01 11:00 ` [kernel-hardening] " Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-07-19 16:01 ` [kernel-hardening] [PATCH 10/11] arm64/kvm: context-switch ptrauth registers Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-08-01 11:00 ` [kernel-hardening] " Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 14:26 ` [kernel-hardening] " Mark Rutland
2017-08-01 14:26 ` Mark Rutland
2017-08-01 14:26 ` Mark Rutland
2017-08-01 14:32 ` [kernel-hardening] " Will Deacon
2017-08-01 14:32 ` Will Deacon
2017-08-01 14:32 ` Will Deacon
2017-08-01 17:02 ` [kernel-hardening] " Christoffer Dall
2017-08-01 17:02 ` Christoffer Dall
2017-08-01 17:02 ` Christoffer Dall
2017-07-19 16:01 ` [kernel-hardening] [PATCH 11/11] arm64: docs: document pointer authentication Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-21 17:05 ` [kernel-hardening] Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-25 12:06 ` [kernel-hardening] " Mark Rutland
2017-07-25 12:06 ` Mark Rutland
2017-07-25 12:06 ` Mark Rutland
2017-07-25 14:00 ` [kernel-hardening] " Jiong Wang
2017-07-25 14:00 ` Jiong Wang
2017-07-25 14:00 ` Jiong Wang
2017-08-11 11:29 ` Mark Rutland [this message]
2017-08-11 11:29 ` Mark Rutland
2017-08-11 11:29 ` Mark Rutland
2017-07-24 11:52 ` [kernel-hardening] " Yao Qi
2017-07-24 11:52 ` Yao Qi
2017-07-24 11:52 ` Yao Qi
2017-07-25 11:32 ` [kernel-hardening] " Yao Qi
2017-07-25 11:32 ` Yao Qi
2017-07-25 11:32 ` Yao Qi
2017-07-25 16:01 ` [kernel-hardening] " Mark Rutland
2017-07-25 16:01 ` Mark Rutland
2017-07-25 16:01 ` Mark Rutland
2017-07-25 14:12 ` [kernel-hardening] " Li Kun
2017-07-25 14:12 ` Li Kun
2017-07-25 14:12 ` Li Kun
2017-07-25 14:12 ` Li Kun
2017-07-25 15:12 ` Mark Rutland
2017-07-25 15:12 ` Mark Rutland
2017-07-25 15:12 ` Mark Rutland
2017-07-25 15:12 ` Mark Rutland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170811112922.GE12985@leverpostej \
--to=mark.rutland@arm.com \
--cc=Dave.Martin@arm.com \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=jiong.wang@arm.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.zyngier@arm.com \
--cc=will.deacon@arm.com \
--cc=yao.qi@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.