Message ID | 20210316151054.5405-1-yu-cheng.yu@intel.com (mailing list archive) |
---|---|
Headers | show |
Series | Control-flow Enforcement: Shadow Stack | expand |
On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: > Control-flow Enforcement (CET) is a new Intel processor feature that blocks > return/jump-oriented programming attacks. Details are in "Intel 64 and > IA-32 Architectures Software Developer's Manual" [1]. > > CET can protect applications and the kernel. This series enables only > application-level protection, and has three parts: > > - Shadow stack [2], > - Indirect branch tracking [3], and > - Selftests [4]. CET is marketing; afaict SS and IBT are 100% independent and there's no reason what so ever to have them share any code, let alone a Kconfig knob. In fact, I think all of this would improve is you remove the CET name from all of this entirely. Put this series under CONFIG_X86_SHSTK (or _SS) and use CONFIG_X86_IBT for the other one. Similarly with the .c file. All this CET business is just pure confusion.
On 3/16/2021 2:15 PM, Peter Zijlstra wrote: > On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: >> Control-flow Enforcement (CET) is a new Intel processor feature that blocks >> return/jump-oriented programming attacks. Details are in "Intel 64 and >> IA-32 Architectures Software Developer's Manual" [1]. >> >> CET can protect applications and the kernel. This series enables only >> application-level protection, and has three parts: >> >> - Shadow stack [2], >> - Indirect branch tracking [3], and >> - Selftests [4]. > > CET is marketing; afaict SS and IBT are 100% independent and there's no > reason what so ever to have them share any code, let alone a Kconfig > knob. We used to have shadow stack and ibt under separate Kconfig options, but in a few places they actually share same code path, such as the XSAVES supervisor states and ELF header for example. Anyways I will be happy to make changes again if there is agreement. > > In fact, I think all of this would improve is you remove the CET name > from all of this entirely. Put this series under CONFIG_X86_SHSTK (or > _SS) and use CONFIG_X86_IBT for the other one. > > Similarly with the .c file. > > All this CET business is just pure confusion. >
* Yu, Yu-cheng <yu-cheng.yu@intel.com> wrote: > On 3/16/2021 2:15 PM, Peter Zijlstra wrote: > > On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: > > > Control-flow Enforcement (CET) is a new Intel processor feature that blocks > > > return/jump-oriented programming attacks. Details are in "Intel 64 and > > > IA-32 Architectures Software Developer's Manual" [1]. > > > > > > CET can protect applications and the kernel. This series enables only > > > application-level protection, and has three parts: > > > > > > - Shadow stack [2], > > > - Indirect branch tracking [3], and > > > - Selftests [4]. > > > > CET is marketing; afaict SS and IBT are 100% independent and there's no > > reason what so ever to have them share any code, let alone a Kconfig > > knob. > > We used to have shadow stack and ibt under separate Kconfig options, but in > a few places they actually share same code path, such as the XSAVES > supervisor states and ELF header for example. Anyways I will be happy to > make changes again if there is agreement. I was look at: x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states didn't see any IBT logic - it's essentially all shadow stack state. Which is not surprising, forward call edge integrity protection (IBT) requires very little state, does it? With IBT there's no nesting, no stack - the IBT state machine basically requires the next instruction to be and ENDBR instruction, and that's essentially it, right? Thanks, Ingo
On Wed, Mar 17, 2021 at 10:18:00AM +0100, Ingo Molnar wrote: > > * Yu, Yu-cheng <yu-cheng.yu@intel.com> wrote: > > > On 3/16/2021 2:15 PM, Peter Zijlstra wrote: > > > On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: > > > > Control-flow Enforcement (CET) is a new Intel processor feature that blocks > > > > return/jump-oriented programming attacks. Details are in "Intel 64 and > > > > IA-32 Architectures Software Developer's Manual" [1]. > > > > > > > > CET can protect applications and the kernel. This series enables only > > > > application-level protection, and has three parts: > > > > > > > > - Shadow stack [2], > > > > - Indirect branch tracking [3], and > > > > - Selftests [4]. > > > > > > CET is marketing; afaict SS and IBT are 100% independent and there's no > > > reason what so ever to have them share any code, let alone a Kconfig > > > knob. > > > > We used to have shadow stack and ibt under separate Kconfig options, but in > > a few places they actually share same code path, such as the XSAVES > > supervisor states and ELF header for example. Anyways I will be happy to > > make changes again if there is agreement. > > I was look at: > > x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states > > didn't see any IBT logic - it's essentially all shadow stack state. > > Which is not surprising, forward call edge integrity protection (IBT) > requires very little state, does it? They hid the IBT enable bit in the U_CET MSR, which is in the XSAVE thing.
On 3/17/2021 2:18 AM, Ingo Molnar wrote: > > * Yu, Yu-cheng <yu-cheng.yu@intel.com> wrote: > >> On 3/16/2021 2:15 PM, Peter Zijlstra wrote: >>> On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: >>>> Control-flow Enforcement (CET) is a new Intel processor feature that blocks >>>> return/jump-oriented programming attacks. Details are in "Intel 64 and >>>> IA-32 Architectures Software Developer's Manual" [1]. >>>> >>>> CET can protect applications and the kernel. This series enables only >>>> application-level protection, and has three parts: >>>> >>>> - Shadow stack [2], >>>> - Indirect branch tracking [3], and >>>> - Selftests [4]. >>> >>> CET is marketing; afaict SS and IBT are 100% independent and there's no >>> reason what so ever to have them share any code, let alone a Kconfig >>> knob. >> >> We used to have shadow stack and ibt under separate Kconfig options, but in >> a few places they actually share same code path, such as the XSAVES >> supervisor states and ELF header for example. Anyways I will be happy to >> make changes again if there is agreement. > > I was look at: > > x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states > > didn't see any IBT logic - it's essentially all shadow stack state. > > Which is not surprising, forward call edge integrity protection (IBT) > requires very little state, does it? > > With IBT there's no nesting, no stack - the IBT state machine > basically requires the next instruction to be and ENDBR instruction, > and that's essentially it, right? > > Thanks, > > Ingo > Yes, that is it. The CET_WAIT_ENDBR bit is the status of IBT state machine. There are a few bits in MSR_IA32_U_CET controlling how IBT works, but those are not status. Yu-cheng
On 3/16/2021 2:15 PM, Peter Zijlstra wrote: > On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: >> Control-flow Enforcement (CET) is a new Intel processor feature that blocks >> return/jump-oriented programming attacks. Details are in "Intel 64 and >> IA-32 Architectures Software Developer's Manual" [1]. >> >> CET can protect applications and the kernel. This series enables only >> application-level protection, and has three parts: >> >> - Shadow stack [2], >> - Indirect branch tracking [3], and >> - Selftests [4]. > > CET is marketing; afaict SS and IBT are 100% independent and there's no > reason what so ever to have them share any code, let alone a Kconfig > knob. > > In fact, I think all of this would improve is you remove the CET name > from all of this entirely. Put this series under CONFIG_X86_SHSTK (or > _SS) and use CONFIG_X86_IBT for the other one. > > Similarly with the .c file. > > All this CET business is just pure confusion. > What about this, we bring back CONFIG_X86_SHSTK and CONFIG_X86_IBT. For the CET name itself, can we change it to CFE (Control Flow Enforcement), or just CF? In signal handling, ELF header parsing and arch_prctl(), shadow stack and IBT pretty much share the same code. It is better not to split them into two sets of files. Thanks, Yu-cheng
On Fri, Mar 19, 2021 at 02:43:04PM -0700, Yu, Yu-cheng wrote: > On 3/16/2021 2:15 PM, Peter Zijlstra wrote: > > On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: > > > Control-flow Enforcement (CET) is a new Intel processor feature that blocks > > > return/jump-oriented programming attacks. Details are in "Intel 64 and > > > IA-32 Architectures Software Developer's Manual" [1]. > > > > > > CET can protect applications and the kernel. This series enables only > > > application-level protection, and has three parts: > > > > > > - Shadow stack [2], > > > - Indirect branch tracking [3], and > > > - Selftests [4]. > > > > CET is marketing; afaict SS and IBT are 100% independent and there's no > > reason what so ever to have them share any code, let alone a Kconfig > > knob. > > > In fact, I think all of this would improve is you remove the CET name > > from all of this entirely. Put this series under CONFIG_X86_SHSTK (or > > _SS) and use CONFIG_X86_IBT for the other one. > > > > Similarly with the .c file. > > > > All this CET business is just pure confusion. > > > > What about this, we bring back CONFIG_X86_SHSTK and CONFIG_X86_IBT. > For the CET name itself, can we change it to CFE (Control Flow Enforcement), > or just CF? Carry Flag :-) > In signal handling, ELF header parsing and arch_prctl(), shadow stack and > IBT pretty much share the same code. It is better not to split them into > two sets of files. Aside from redoing the UAPI we're stuck with that I suppose :/ And since I think the CET name is all over the UAPI, you might as well keep it for the kernel part of it as well :-( But if there's sufficient !UAPI bits it might still make sense to also have ibt.c and shstk.c
On 3/23/2021 1:49 PM, Peter Zijlstra wrote: > On Fri, Mar 19, 2021 at 02:43:04PM -0700, Yu, Yu-cheng wrote: >> On 3/16/2021 2:15 PM, Peter Zijlstra wrote: >>> On Tue, Mar 16, 2021 at 08:10:26AM -0700, Yu-cheng Yu wrote: >>>> Control-flow Enforcement (CET) is a new Intel processor feature that blocks >>>> return/jump-oriented programming attacks. Details are in "Intel 64 and >>>> IA-32 Architectures Software Developer's Manual" [1]. >>>> >>>> CET can protect applications and the kernel. This series enables only >>>> application-level protection, and has three parts: >>>> >>>> - Shadow stack [2], >>>> - Indirect branch tracking [3], and >>>> - Selftests [4]. >>> >>> CET is marketing; afaict SS and IBT are 100% independent and there's no >>> reason what so ever to have them share any code, let alone a Kconfig >>> knob. >>>> In fact, I think all of this would improve is you remove the CET name >>> from all of this entirely. Put this series under CONFIG_X86_SHSTK (or >>> _SS) and use CONFIG_X86_IBT for the other one. >>> >>> Similarly with the .c file. >>> >>> All this CET business is just pure confusion. >>> >> >> What about this, we bring back CONFIG_X86_SHSTK and CONFIG_X86_IBT. >> For the CET name itself, can we change it to CFE (Control Flow Enforcement), >> or just CF? > > Carry Flag :-) > >> In signal handling, ELF header parsing and arch_prctl(), shadow stack and >> IBT pretty much share the same code. It is better not to split them into >> two sets of files. > > Aside from redoing the UAPI we're stuck with that I suppose :/ And since > I think the CET name is all over the UAPI, you might as well keep it for > the kernel part of it as well :-( > > But if there's sufficient !UAPI bits it might still make sense to also > have ibt.c and shstk.c > I will move code around and separate it into shadow stack and ibt. Hopefully in the next iteration, things will be more organized. Thanks, Yu-cheng