
[v11,9/9] x86: Disallow vsyscall emulation when CET is enabled

Message ID 20200825002645.3658-10-yu-cheng.yu@intel.com (mailing list archive)
State New, archived
Series Control-flow Enforcement: Indirect Branch Tracking, PTRACE

Commit Message

Yu-cheng Yu Aug. 25, 2020, 12:26 a.m. UTC
From: "H.J. Lu" <hjl.tools@gmail.com>

Emulation of the legacy vsyscall page is required by some programs built
before 2013.  Newer programs after 2013 don't use it.  Disallow vsyscall
emulation when Control-flow Enforcement (CET) is enabled to enhance
security.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
---
 arch/x86/Kconfig | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Andy Lutomirski Aug. 25, 2020, 12:32 a.m. UTC | #1
On Mon, Aug 24, 2020 at 5:30 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
>
> From: "H.J. Lu" <hjl.tools@gmail.com>
>
> Emulation of the legacy vsyscall page is required by some programs built
> before 2013.  Newer programs after 2013 don't use it.  Disallow vsyscall
> emulation when Control-flow Enforcement (CET) is enabled to enhance
> security.

NAK.

By all means disable execute emulation if CET-IBT is enabled at the
time emulation is attempted, and maybe even disable the vsyscall page
entirely if you can magically tell that CET-IBT will be enabled when a
process starts, but you don't get to just disable it outright on a
CET-enabled kernel.
Florian Weimer Aug. 25, 2020, 9:14 a.m. UTC | #2
* Andy Lutomirski:

> On Mon, Aug 24, 2020 at 5:30 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
>>
>> From: "H.J. Lu" <hjl.tools@gmail.com>
>>
>> Emulation of the legacy vsyscall page is required by some programs built
>> before 2013.  Newer programs after 2013 don't use it.  Disallow vsyscall
>> emulation when Control-flow Enforcement (CET) is enabled to enhance
>> security.
>
> NAK.
>
> By all means disable execute emulation if CET-IBT is enabled at the
> time emulation is attempted, and maybe even disable the vsyscall page
> entirely if you can magically tell that CET-IBT will be enabled when a
> process starts, but you don't get to just disable it outright on a
> CET-enabled kernel.

Yeah, we definitely would have to revert/avoid this downstream.  People
definitely want to run glibc-2.12-era workloads on current kernels.
Thanks for catching it.

Florian
Yu-cheng Yu Aug. 25, 2020, 3:08 p.m. UTC | #3
On 8/25/2020 2:14 AM, Florian Weimer wrote:
> * Andy Lutomirski:
> 
>> On Mon, Aug 24, 2020 at 5:30 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
>>>
>>> From: "H.J. Lu" <hjl.tools@gmail.com>
>>>
>>> Emulation of the legacy vsyscall page is required by some programs built
>>> before 2013.  Newer programs after 2013 don't use it.  Disallow vsyscall
>>> emulation when Control-flow Enforcement (CET) is enabled to enhance
>>> security.
>>
>> NAK.
>>
>> By all means disable execute emulation if CET-IBT is enabled at the
>> time emulation is attempted, and maybe even disable the vsyscall page
>> entirely if you can magically tell that CET-IBT will be enabled when a
>> process starts, but you don't get to just disable it outright on a
>> CET-enabled kernel.
> 
> Yeah, we definitely would have to revert/avoid this downstream.  People
> definitely want to run glibc-2.12-era workloads on current kernels.
> Thanks for catching it.
> 

That makes sense.  I will update the patch.

Thanks,
Yu-cheng

Patch

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5bd6d6a10047..bbc68ecfae2b 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1210,7 +1210,7 @@  config X86_ESPFIX64
 config X86_VSYSCALL_EMULATION
 	bool "Enable vsyscall emulation" if EXPERT
 	default y
-	depends on X86_64
+	depends on X86_64 && !X86_INTEL_CET
 	help
 	 This enables emulation of the legacy vsyscall page.  Disabling
 	 it is roughly equivalent to booting with vsyscall=none, except
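Review bot: the `depends on X86_64 && !X86_INTEL_CET` line turns a per-process property into a build-time exclusion, so a kernel that supports CET can never emulate the vsyscall page for any process, including legacy binaries that will never enable IBT or shadow stacks themselves. As the NAK and the downstream reply in this thread point out, the restriction belongs at the point where emulation is attempted, keyed on whether CET is enabled for the faulting task; suggest leaving this line as `depends on X86_64` and dropping the Kconfig-level exclusion from the series.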
@@ -1225,6 +1225,8 @@  config X86_VSYSCALL_EMULATION
 	 Disabling this option saves about 7K of kernel size and
 	 possibly 4K of additional runtime pagetable memory.
 
+	 This option is disabled when Intel CET is enabled.
+
 config X86_IOPL_IOPERM
 	bool "IOPERM and IOPL Emulation"
 	default y
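Review bot: the added help sentence "This option is disabled when Intel CET is enabled." is imprecise: with the `depends on` change the option is not offered at all rather than defaulted off, and the help text should name the Kconfig symbol so a reader can find the cause. Suggest "This option is not available when CONFIG_X86_INTEL_CET is set." If the Kconfig exclusion is dropped per the review thread, this sentence goes with it.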
@@ -2361,7 +2363,7 @@  config COMPAT_VDSO
 
 choice
 	prompt "vsyscall table for legacy applications"
-	depends on X86_64
+	depends on X86_64 && !X86_INTEL_CET
 	default LEGACY_VSYSCALL_XONLY
 	help
 	  Legacy user code that does not know how to find the vDSO expects
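Review bot: the `!X86_INTEL_CET` condition is now duplicated on this `choice` and on X86_VSYSCALL_EMULATION, so the two can drift apart; if the exclusion stays at all, express it once, for instance by making the choice depend on X86_VSYSCALL_EMULATION, which already carries the CET test in this patch. Also check what happens when the choice is unavailable: `default LEGACY_VSYSCALL_XONLY` no longer applies and none of the LEGACY_VSYSCALL_* symbols is set, so any code that assumes exactly one of them is defined needs to treat the absent case as vsyscall=none.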
@@ -2378,6 +2380,8 @@  choice
 
 	  If unsure, select "Emulate execution only".
 
+	  This option is not enabled when Intel CET is enabled.
+
 	config LEGACY_VSYSCALL_EMULATE
 		bool "Full emulation"
 		help
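Review bot: the wording differs from the X86_VSYSCALL_EMULATION help text earlier in the patch ("is disabled" there, "is not enabled" here) for the same condition, and the new sentence lands after "If unsure, select ...", which conventionally closes a help text. Use one phrasing that names the symbol, for example "This choice is not available when CONFIG_X86_INTEL_CET is set.", and place it before the "If unsure" line.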