From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "broonie@kernel.org" <broonie@kernel.org>
Cc: "adhemerval.zanella@linaro.org" <adhemerval.zanella@linaro.org>,
"nsz@port70.net" <nsz@port70.net>,
"brauner@kernel.org" <brauner@kernel.org>,
"shuah@kernel.org" <shuah@kernel.org>,
"debug@rivosinc.com" <debug@rivosinc.com>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
"dalias@libc.org" <dalias@libc.org>,
"jeffxu@google.com" <jeffxu@google.com>,
"will@kernel.org" <will@kernel.org>,
"yury.khrustalev@arm.com" <yury.khrustalev@arm.com>,
"wilco.dijkstra@arm.com" <wilco.dijkstra@arm.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"codonell@redhat.com" <codonell@redhat.com>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH RFC 0/3] arm64/gcs: Allow reuse of user managed shadow stacks
Date: Fri, 26 Sep 2025 15:46:26 +0000 [thread overview]
Message-ID: <eab692794cbc82080b708c581efd5973b6004be0.camel@intel.com> (raw)
In-Reply-To: <604190c7-5931-4e74-a1c9-467e52d3001b@sirena.org.uk>
On Fri, 2025-09-26 at 01:44 +0100, Mark Brown wrote:
> > I don't know about substantial, but I'd love to hear some offensive
> > security persons analysis. There definitely was a school of thought
> > though, that shadow stack should be turned on as widely as
> > possible. If we need WRSS to make that happen in a sane way, you
> > could argue there is sort of a security at scale
> > benefit.
>
> I agree it seems clearly better from a security point of view to have
> writable shadow stacks than none at all, I don't think there's much
> argument there other than the concerns about the memory consumption
> and performance tradeoffs.
IIRC the WRSS equivalent works the same for ARM where you need to use a
special instruction, right? So we are not talking about full writable
shadow stacks that could get attacked from any overflow, rather,
limited spots that have the WRSS (or similar) instruction. In the
presence of forward edge CFI, we might be able to worry less about
attackers being able to actually reach it? Still not quite as locked
down as having it disabled, but maybe not such a huge gap compared to
the mmap/munmap() stuff that is the alternative we are weighing.
>
> > > > But for automatic thread created shadow stacks, there is no
> > > > need to allow userspace to unmap a shadow stack, so the
> > > > automatically created stacks could simply be msealed on
> > > > creation and unmapped from the kernel. For a lot of apps
> > > > (most?) this would work perfectly fine.
>
> > > Indeed, we should be able to just do that if we're mseal()ing
> > > system mappings I think - most likely anything that has a problem
> > > with it probably already has a problem the existing mseal()
> > > stuff. Yet another reason we should be factoring more of this
> > > code out into the generic code, like I say I'll try to look at
> > > that.
>
> > Agree. But for the mseal stuff, I think you would want to have
> > map_shadow_stack not available.
>
> That seems like something userspace could enforce with existing
> security mechanisms? I can imagine a system might want different
> policies for different programs.
Yes, you could already do it with seccomp or something. Not sure if it
will work for the distro-wide enabling schemes or not though.
next prev parent reply other threads:[~2025-09-26 15:46 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-21 13:21 [PATCH RFC 0/3] arm64/gcs: Allow reuse of user managed shadow stacks Mark Brown
2025-09-21 13:21 ` [PATCH RFC 1/3] arm64/gcs: Support reuse of GCS for exited threads Mark Brown
2025-09-25 16:46 ` Catalin Marinas
2025-09-25 17:01 ` Mark Brown
2025-09-25 18:36 ` Catalin Marinas
2025-09-25 19:00 ` Mark Brown
2025-09-26 11:14 ` Catalin Marinas
2025-09-26 11:37 ` Mark Brown
2025-09-21 13:21 ` [PATCH RFC 2/3] kselftest/arm64: Validate PR_SHADOW_STACK_EXIT_TOKEN in basic-gcs Mark Brown
2025-09-21 13:21 ` [PATCH RFC 3/3] kselftest/arm64: Add PR_SHADOW_STACK_EXIT_TOKEN to gcs-locking Mark Brown
2025-09-25 20:40 ` [PATCH RFC 0/3] arm64/gcs: Allow reuse of user managed shadow stacks Edgecombe, Rick P
2025-09-25 23:22 ` Mark Brown
2025-09-25 23:58 ` Edgecombe, Rick P
2025-09-26 0:44 ` Mark Brown
2025-09-26 15:46 ` Edgecombe, Rick P [this message]
2025-09-26 16:09 ` Mark Brown
2025-09-29 18:37 ` Deepak Gupta
2025-09-26 15:07 ` Yury Khrustalev
2025-09-26 15:39 ` Edgecombe, Rick P
2025-09-26 16:03 ` Mark Brown
2025-09-26 19:17 ` Edgecombe, Rick P
2025-09-29 15:47 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eab692794cbc82080b708c581efd5973b6004be0.camel@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=adhemerval.zanella@linaro.org \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=codonell@redhat.com \
--cc=dalias@libc.org \
--cc=debug@rivosinc.com \
--cc=fweimer@redhat.com \
--cc=jeffxu@google.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=nsz@port70.net \
--cc=shuah@kernel.org \
--cc=wilco.dijkstra@arm.com \
--cc=will@kernel.org \
--cc=yury.khrustalev@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox