[PATCH v7 02/39] prctl: arch-agnostic prctl for shadow stack
Deepak Gupta
debug at rivosinc.com
Tue Dec 12 16:50:38 PST 2023
On Tue, Dec 12, 2023 at 11:23 AM Mark Brown <broonie at kernel.org> wrote:
>
> On Tue, Dec 12, 2023 at 11:17:11AM -0800, Deepak Gupta wrote:
> > On Wed, Nov 22, 2023 at 1:43 AM Mark Brown <broonie at kernel.org> wrote:
>
> > > +/*
> > > + * Set the current shadow stack configuration. Enabling the shadow
> > > + * stack will cause a shadow stack to be allocated for the thread.
> > > + */
> > > +#define PR_SET_SHADOW_STACK_STATUS 72
> > > +# define PR_SHADOW_STACK_ENABLE (1UL << 0)
>
> > Other architecture may require disabling shadow stack if glibc
> > tunables is set to permissive mode.
> > In permissive mode, if glibc encounters `dlopen` on an object which
> > doesn't support shadow stack,
> > glibc should be able to issue PR_SHADOW_STACK_DISABLE.
>
> > Architectures can choose to implement or not but I think arch agnostic
> > code should enumerate this.
>
> The current implementation for arm64 and therefore API for the prctl()
> is that whatever combination of flags is specified will be set, this
> means that setting the status to something that does not include _ENABLE
> will result in disabling and we don't need a separate flag for disable.
> We have use cases that make active use of disabling at runtime.
A theoretical scenario (no current workloads should've this case
because no shadow stack)
- User mode did _ENABLE on the main thread. Shadow stack was allocated
for the current
thread.
- User mode created a bunch worker threads to run untrusted contained
code. They shadow
stack too.
- main thread had to do dlopen and now need to disable shadow stack on
itself due to
incompatibility of incoming object in address space.
- main thread controls worker threads and knows they're contained and
should still be running
with a shadow stack. Although once in a while the main thread needs
to perform writes to a shadow
stack of worker threads for some fixup (in the same addr space).
main thread doesn't want to delegate
this responsibility of ss writes to worker threads because they're untrusted.
How will it do that (currently _ENABLE is married to _WRITE and _PUSH) ?
Please note that I am making up this scenario just for sake of discussion
And don't know if software would be using it in this manner.
>
> Please delete unneeded context from replies, it makes it much easier to
> find new content.
Sorry about that.
Noted.
More information about the linux-riscv
mailing list