Re: [RFC PATCH v9 05/27] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack protection

From: Yu-cheng Yu
Date: Thu Mar 05 2020 - 15:38:18 EST

Next message: Jens Axboe: "Re: [PATCH v2] blktrace: fix dereference after null check"
Previous message: David Howells: "Re: [RFC][PATCH] Mark AT_* path flags as deprecated and add missing RESOLVE_ flags"
Next in thread: Yu-cheng Yu: "Re: [RFC PATCH v9 05/27] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack protection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2020-02-26 at 09:03 -0800, Dave Hansen wrote:
> On 2/5/20 10:19 AM, Yu-cheng Yu wrote:
> > Introduce Kconfig option: X86_INTEL_SHADOW_STACK_USER.
> >
> > Shadow Stack (SHSTK) provides protection against function return address
> > corruption. It is active when the kernel has this feature enabled, and
> > both the processor and the application support it. When this feature is
> > enabled, legacy non-SHSTK applications continue to work, but without SHSTK
> > protection.
> >
> > The user-mode SHSTK protection is only implemented for the 64-bit kernel.
> > IA32 applications are supported under the compatibility mode.
>
> I think what you're trying to say here is that the hardware supports
> shadow stacks with 32-bit kernels. However, this series does not
> include that support and we have no plans to add it.
>
> Right?

Yes.

>
> I'll let others weigh in, but I rather dislike the use of acronyms here.
> I'd much rather see the english "shadow stack" everywhere than SHSTK.

I will change to shadow stack.

>
> > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > index 5e8949953660..6c34b701c588 100644
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -1974,6 +1974,28 @@ config X86_INTEL_TSX_MODE_AUTO
> > side channel attacks- equals the tsx=auto command line parameter.
> > endchoice
> >
> > +config X86_INTEL_CET
> > + def_bool n
> > +
> > +config ARCH_HAS_SHSTK
> > + def_bool n
> > +
> > +config X86_INTEL_SHADOW_STACK_USER
> > + prompt "Intel Shadow Stack for user-mode"
>
> Nit: this whole thing is to support more than a single stack. I'd make
> this plural at least in the text: "shadow stacks".

OK.

>
> > + def_bool n
> > + depends on CPU_SUP_INTEL && X86_64
> > + select ARCH_USES_HIGH_VMA_FLAGS
> > + select X86_INTEL_CET
> > + select ARCH_HAS_SHSTK
> > + ---help---
> > + Shadow Stack (SHSTK) provides protection against program
> > + stack corruption. It is active when the kernel has this
> > + feature enabled, and the processor and the application
> > + support it. When this feature is enabled, legacy non-SHSTK
> > + applications continue to work, but without SHSTK protection.
> > +
> > + If unsure, say y.
>
> This is missing a *lot* of information.
>
> What matters to someone turning this on?
>
> 1. It's a hardware feature. This only matters if you have the right
> hardware
> 2. It's a security hardening feature. You dance around this, but need
> to come out and say it.
> 3. Apps must be enabled to use it. You get no protection "for free" on
> old userspace.
> 4. The hardware supports user and kernel, but this option is for
> userspace only.

I will update the help text.

Yu-cheng

Next message: Jens Axboe: "Re: [PATCH v2] blktrace: fix dereference after null check"
Previous message: David Howells: "Re: [RFC][PATCH] Mark AT_* path flags as deprecated and add missing RESOLVE_ flags"
Next in thread: Yu-cheng Yu: "Re: [RFC PATCH v9 05/27] x86/cet/shstk: Add Kconfig option for user-mode Shadow Stack protection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]