public inbox for linux-kernel@vger.kernel.org
From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "dietmar.eggemann@arm.com" <dietmar.eggemann@arm.com>,
	"broonie@kernel.org" <broonie@kernel.org>,
	"Szabolcs.Nagy@arm.com" <Szabolcs.Nagy@arm.com>,
	"brauner@kernel.org" <brauner@kernel.org>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
	"debug@rivosinc.com" <debug@rivosinc.com>,
	"mgorman@suse.de" <mgorman@suse.de>,
	"vincent.guittot@linaro.org" <vincent.guittot@linaro.org>,
	"fweimer@redhat.com" <fweimer@redhat.com>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"rostedt@goodmis.org" <rostedt@goodmis.org>,
	"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"vschneid@redhat.com" <vschneid@redhat.com>,
	"shuah@kernel.org" <shuah@kernel.org>,
	"bristot@redhat.com" <bristot@redhat.com>,
	"hpa@zytor.com" <hpa@zytor.com>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"bp@alien8.de" <bp@alien8.de>,
	"bsegall@google.com" <bsegall@google.com>,
	"x86@kernel.org" <x86@kernel.org>,
	"juri.lelli@redhat.com" <juri.lelli@redhat.com>
Cc: "linux-kselftest@vger.kernel.org"
	<linux-kselftest@vger.kernel.org>,
	"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
	"keescook@chromium.org" <keescook@chromium.org>,
	"jannh@google.com" <jannh@google.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
	"will@kernel.org" <will@kernel.org>,
	"Pandey, Sunil K" <sunil.k.pandey@intel.com>
Subject: Re: [PATCH RFC RFT v2 5/5] kselftest/clone3: Test shadow stack support
Date: Tue, 14 Nov 2023 23:11:58 +0000
Message-ID: <309927ad8bfa72ce2d084ee16cd0cd84e69fef16.camel@intel.com>
In-Reply-To: <20231114-clone3-shadow-stack-v2-5-b613f8681155@kernel.org>

On Tue, 2023-11-14 at 20:05 +0000, Mark Brown wrote:
> +static void test_shadow_stack_supported(void)
> +{
> +        long shadow_stack;
> +
> +       shadow_stack = syscall(__NR_map_shadow_stack, 0,
> getpagesize(), 0);
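
Review bot: In test_shadow_stack_supported(), the map_shadow_stack call with address 0 and a one-page size is the whole support probe, so it needs a comment stating which condition its return value is taken to show: that the kernel and hardware can map a shadow stack, or that shadow stack is enabled for the calling thread. The quoted lines also end before anything is done with shadow_stack; if the call succeeded, the page should be released with munmap() once the result has been recorded.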

Hmm, x86 fails this call if user shadow stack is not supported in the
HW or the kernel, but doesn't care if it is enabled on the thread or
not. If shadow stack is not enabled (or not yet enabled), shadow stacks
are allowed to be mapped. Should it fail if shadow stack is not yet
enabled?

Since shadow stack is per thread, map_shadow_stack could still be
called on another thread that has it enabled. Basically I don't think
blocking it will reduce the possible states the kernel has to handle.

The traditional way to check if shadow stack is enabled on x86 is to
check for a non-zero return from the _get_ssp() intrinsic:
https://gcc.gnu.org/onlinedocs/gcc-9.2.0/gcc/x86-control-flow-protection-intrinsics.html

It seems like there will be a need for some generic method of checking
if shadow stack is enabled. Maybe a more generic compiler
intrinsic/builtin or glibc API (something unrelated to SSP)?

> +       {
> +               .name = "Shadow stack on system with shadow stack",
> +               .flags = 0,
> +               .size = 0,
> +               .expected = 0,
> +               .e2big_valid = true,
> +               .test_mode = CLONE3_ARGS_SHADOW_STACK,
> +               .filter = no_shadow_stack,
> +       },
> +       {
> +               .name = "Shadow stack on system without shadow
> stack",
> +               .flags = 0,
> +               .size = 0,
> +               .expected = -EINVAL,
> +               .e2big_valid = true,
> +               .test_mode = CLONE3_ARGS_SHADOW_STACK,
> +               .filter = have_shadow_stack,
> +       },
>  };
>  
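
Review bot: The two new table entries pair each name with the opposite-sounding filter: "Shadow stack on system with shadow stack" has .filter = no_shadow_stack and "Shadow stack on system without shadow stack" has .filter = have_shadow_stack. That only reads correctly if .filter means "skip when this returns true", so either document that at the struct member or name the callbacks for what they skip. The -EINVAL entry also passes .size = 0 and sets .e2big_valid = true, so a comment saying which check is expected to produce -EINVAL would make a mismatch easier to diagnose.
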
I changed x86's map_shadow_stack to return an error when shadow stack
was not enabled to make the detection logic in the test work. Also
changed the clone3 Makefile to generate the shadow stack bit in the
tests. When running the 'clone3' test with shadow stack it passed, but
there is a failure in the non-shadow stack case:
...
# Shadow stack not supported
ok 20 # SKIP Shadow stack on system with shadow stack
# Running test 'Shadow stack on system without shadow stack'
# [1333] Trying clone3() with flags 0 (size 0)
# I am the parent (1333). My child's pid is 1342
# I am the child, my PID is 1342
# [1333] clone3() with flags says: 0 expected -22
# [1333] Result (0) is different than expected (-22)
not ok 21 Shadow stack on system without shadow stack
# Totals: pass:19 fail:1 xfail:0 xpass:0 skip:1 error:0

The other tests passed in both cases. I'm going to dig into the other
parts now but can circle back if it's not obvious what's going on
there.
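
Added example, not part of the original message or the patch series: a C sketch that keeps apart the two conditions discussed above, whether map_shadow_stack can map a shadow stack at all and whether shadow stack is enabled on the calling thread (non-zero SSP, read here with inline RDSSPQ instead of the _get_ssp() intrinsic). The enum, classify() and probe_shadow_stack() are hypothetical names, and the fallback syscall number 453 is an assumption for x86-64 headers that predate the syscall.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_map_shadow_stack
#define __NR_map_shadow_stack 453 /* assumption: x86-64 value, for older headers */
#endif

enum shstk_state { SHSTK_UNSUPPORTED, SHSTK_MAPPABLE_ONLY, SHSTK_ENABLED };

/* RDSSPQ executes as a NOP when shadow stack is off for this thread, so the
 * pre-zeroed register comes back as 0. Non-x86-64 builds always report 0. */
static unsigned long read_ssp(void)
{
	unsigned long ssp = 0;
#if defined(__x86_64__)
	__asm__ volatile("rdsspq %0" : "+r"(ssp));
#endif
	return ssp;
}

/* Pure decision logic: map_ret is the raw syscall() return, ssp from read_ssp(). */
static enum shstk_state classify(long map_ret, unsigned long ssp)
{
	if (ssp != 0)
		return SHSTK_ENABLED;
	return map_ret == -1 ? SHSTK_UNSUPPORTED : SHSTK_MAPPABLE_ONLY;
}

/* Map one page of shadow stack as a capability probe, release it, classify. */
static enum shstk_state probe_shadow_stack(void)
{
	long size = getpagesize();
	long ret = syscall(__NR_map_shadow_stack, 0, size, 0);

	if (ret != -1)
		munmap((void *)ret, size);
	return classify(ret, read_ssp());
}

int main(void)
{
	static const char *const names[] = { "unsupported",
		"mappable, not enabled on this thread", "enabled on this thread" };
	printf("shadow stack: %s\n", names[probe_shadow_stack()]);
	return 0;
}
```

A test that keys only on the map_shadow_stack return cannot tell the second state from the third, which is the case raised in the reply above.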


Thread overview: 32+ messages
2023-11-14 20:05 [PATCH RFC RFT v2 0/5] fork: Support shadow stacks in clone3() Mark Brown
2023-11-14 20:05 ` [PATCH RFC RFT v2 1/5] mm: Introduce ARCH_HAS_USER_SHADOW_STACK Mark Brown
2023-11-14 23:22   ` Edgecombe, Rick P
2023-11-15 14:55     ` Mark Brown
2023-11-15 15:12   ` David Hildenbrand
2023-11-15 15:36   ` Deepak Gupta
2023-11-14 20:05 ` [PATCH RFC RFT v2 2/5] fork: Add shadow stack support to clone3() Mark Brown
2023-11-15  0:45   ` Edgecombe, Rick P
2023-11-15 12:36     ` Mark Brown
2023-11-15 16:20       ` Szabolcs.Nagy
2023-11-15 18:43         ` Mark Brown
2023-11-16  0:52           ` Edgecombe, Rick P
2023-11-16 10:32             ` Szabolcs.Nagy
2023-11-16 12:33               ` Mark Brown
2023-11-16 13:12                 ` Szabolcs.Nagy
2023-11-16 13:55                 ` Szabolcs.Nagy
2023-11-16 15:35                   ` Mark Brown
2023-11-16 18:11                     ` Edgecombe, Rick P
2023-11-16 18:41                       ` Mark Brown
2023-11-17 17:43                         ` Edgecombe, Rick P
2023-11-20 16:11                           ` Mark Brown
2023-11-16 18:14             ` Mark Brown
2023-11-16 18:33               ` Edgecombe, Rick P
2023-11-17 20:51   ` Deepak Gupta
2023-11-14 20:05 ` [PATCH RFC RFT v2 3/5] selftests/clone3: Factor more of main loop into test_clone3() Mark Brown
2023-11-14 20:05 ` [PATCH RFC RFT v2 4/5] selftests/clone3: Allow tests to flag if -E2BIG is a valid error code Mark Brown
2023-11-14 20:05 ` [PATCH RFC RFT v2 5/5] kselftest/clone3: Test shadow stack support Mark Brown
2023-11-14 23:11   ` Edgecombe, Rick P [this message]
2023-11-15 12:53     ` Mark Brown
2023-11-17 18:16     ` Edgecombe, Rick P
2023-11-17 21:12     ` Deepak Gupta
2023-11-20 15:47       ` Mark Brown
