From: Mark Rutland <mark.rutland@arm.com>
To: Dave Martin <Dave.Martin@arm.com>
Cc: linux-arch@vger.kernel.org, arnd@arndb.de, jiong.wang@arm.com,
marc.zyngier@arm.com, catalin.marinas@arm.com, yao.qi@arm.com,
will.deacon@arm.com, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support
Date: Fri, 11 Aug 2017 12:29:23 +0100 [thread overview]
Message-ID: <20170811112922.GE12985@leverpostej> (raw)
In-Reply-To: <20170725120630.GA8116@leverpostej>
On Tue, Jul 25, 2017 at 01:06:43PM +0100, Mark Rutland wrote:
> On Fri, Jul 21, 2017 at 06:05:09PM +0100, Dave Martin wrote:
> > On Wed, Jul 19, 2017 at 05:01:21PM +0100, Mark Rutland wrote:
> > > This series adds support for the ARMv8.3 pointer authentication extension.
>
> > > Open questions
> > > ==============
> > >
> > > * Should keys be per-thread rather than per-process?
> > >
> > > My understanding is that glibc can't (currently) handle threads having
> > > different keys, but it might be that another libc would prefer per-thread
> >
> > Can you elaborate?
> >
> > It's not valid to do a function return from one thread to another.
>
> Regardless of whether it's valid per the C spec or POSIX, some people
> use {set,get}context and {set,long}jmp in this manner (IIRC, QEMU does
> this), and my understanding is that similar tricks are in use in the
> bowels of glibc.
>
> Otherwise, my preference would be to have per-thread keys from day one.
Having considered comments I've received elsewhere, I've reversed my
position here. I think per-process keys are the more
sensible default since:
* This will allow us to protect function pointers in shared
datastructures such as vtables.
* Tasks have their own stacks, and values leaked from one stack cannot
be used to spoof return addresses on another.
* If an attacker can take control of one thread, they've already gained
code execution and/or primitives that can be used to attack the
process by other means.
Thanks,
Mark.
next prev parent reply other threads:[~2017-08-11 11:30 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-19 16:01 [PATCH 00/11] ARMv8.3 pointer authentication userspace support Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [PATCH 01/11] arm64: docs: describe ELF hwcaps Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-21 17:05 ` Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-24 10:47 ` Suzuki K Poulose
2017-08-03 14:49 ` Catalin Marinas
2017-08-03 14:49 ` Catalin Marinas
2017-08-03 17:57 ` Kees Cook
2017-08-03 17:57 ` Kees Cook
2017-07-19 16:01 ` [PATCH 02/11] asm-generic: mm_hooks: allow hooks to be overridden individually Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [PATCH 03/11] arm64: add pointer authentication register bits Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [PATCH 04/11] arm64/cpufeature: add ARMv8.3 id_aa64isar1 bits Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-24 10:54 ` Suzuki K Poulose
2017-07-19 16:01 ` [PATCH 05/11] arm64/cpufeature: detect pointer authentication Mark Rutland
2017-07-19 16:01 ` [PATCH 06/11] arm64: Don't trap host pointer auth use to EL2 Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-24 10:37 ` Dave Martin
2017-07-19 16:01 ` [PATCH 07/11] arm64: add basic pointer authentication support Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-25 15:26 ` Dave Martin
2017-07-25 15:26 ` Dave Martin
2017-08-11 7:46 ` Yao Qi
2017-08-11 8:45 ` Dave Martin
2017-08-11 8:45 ` Dave Martin
2017-07-19 16:01 ` [PATCH 08/11] arm64: expose user PAC bit positions via ptrace Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-19 16:01 ` [PATCH 09/11] arm64/kvm: preserve host HCR_EL2 value Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-07-19 16:01 ` [PATCH 10/11] arm64/kvm: context-switch ptrauth registers Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 11:00 ` Christoffer Dall
2017-08-01 14:26 ` Mark Rutland
2017-08-01 14:32 ` Will Deacon
2017-08-01 17:02 ` Christoffer Dall
2017-07-19 16:01 ` [PATCH 11/11] arm64: docs: document pointer authentication Mark Rutland
2017-07-19 16:01 ` Mark Rutland
2017-07-21 17:05 ` [PATCH 00/11] ARMv8.3 pointer authentication userspace support Dave Martin
2017-07-21 17:05 ` Dave Martin
2017-07-25 12:06 ` Mark Rutland
2017-07-25 12:06 ` Mark Rutland
2017-07-25 14:00 ` Jiong Wang
2017-08-11 11:29 ` Mark Rutland [this message]
2017-07-24 11:52 ` Yao Qi
2017-07-25 11:32 ` Yao Qi
2017-07-25 11:32 ` Yao Qi
2017-07-25 16:01 ` Mark Rutland
2017-07-25 14:12 ` [kernel-hardening] " Li Kun
2017-07-25 14:12 ` Li Kun
2017-07-25 15:12 ` Mark Rutland
2017-07-25 15:12 ` Mark Rutland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170811112922.GE12985@leverpostej \
--to=mark.rutland@arm.com \
--cc=Dave.Martin@arm.com \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=jiong.wang@arm.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.zyngier@arm.com \
--cc=will.deacon@arm.com \
--cc=yao.qi@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).