From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4754C47082 for ; Mon, 7 Jun 2021 11:26:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8216D610A8 for ; Mon, 7 Jun 2021 11:26:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231177AbhFGL2a (ORCPT ); Mon, 7 Jun 2021 07:28:30 -0400 Received: from foss.arm.com ([217.140.110.172]:59188 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230139AbhFGL2a (ORCPT ); Mon, 7 Jun 2021 07:28:30 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id EB7511063; Mon, 7 Jun 2021 04:26:38 -0700 (PDT) Received: from arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id CCD983F73D; Mon, 7 Jun 2021 04:26:37 -0700 (PDT) Date: Mon, 7 Jun 2021 12:25:38 +0100 From: Dave Martin To: Catalin Marinas Cc: Mark Brown , linux-arch@vger.kernel.org, libc-alpha@sourceware.org, Szabolcs Nagy , Jeremy Linton , Will Deacon , linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter Message-ID: <20210607112536.GI4187@arm.com> References: <20210521144621.9306-1-broonie@kernel.org> <20210521144621.9306-3-broonie@kernel.org> <20210603154034.GH4187@arm.com> <20210603165134.GF4257@sirena.org.uk> <20210603180429.GI20338@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210603180429.GI20338@arm.com> User-Agent: Mutt/1.5.23 (2014-03-12) Precedence: bulk List-ID: X-Mailing-List: linux-arch@vger.kernel.org On Thu, Jun 03, 2021 at 07:04:31PM +0100, Catalin Marinas via Libc-alpha wrote: > On Thu, Jun 03, 2021 at 05:51:34PM +0100, Mark Brown wrote: > > On Thu, Jun 03, 2021 at 04:40:35PM +0100, Dave Martin wrote: > > > Do we know how libcs will detect that they don't need to do the > > > mprotect() calls? Do we need a detection mechanism at all? > > > > > > Ignoring certain errors from mprotect() when ld.so is trying to set > > > PROT_BTI on the main executable's code pages is probably a reasonable, > > > backwards-compatible compromise here, but it seems a bit wasteful. > > > > I think the theory was that they would just do the mprotect() calls and > > ignore any errors as they currently do, or declare that they depend on a > > new enough kernel version I guess (not an option for glibc but might be > > for others which didn't do BTI yet). > > I think we discussed the possibility of an AT_FLAGS bit. Until recently, > this field was 0 but it gained a new bit now. If we are to expose this > to arch-specific things, it may need some reservations. Anyway, that's > an optimisation that can be added subsequently. I suppose so, but AT_FLAGS doesn't seem appropriate somehow. I wonder why we suddenly start considering adding a flag to AT_FLAGS every few months, when it had sat empty for decades. This may say something about the current health of the kernel ABI, but I'm not sure exactly what. I think having mprotect() fail in a predictable way may be preferable for now: glibc still only needs to probe with a single call and could cache the knowledge after that. Code outside libc / ld.so seems quite unlikely to care about this. Since only the executable segment(s) of the main binary need to be protected, this should require only a very small number of mprotect() calls in normal situations. Although it feels a bit cruddy as a design, cost-wise I think that extra overhead would be swamped by other noise in realistic scenarios. Often, there is just a single executable segment, so the common case would probably require just one mprotect() call. I don't know if it ever gets much more complicated when using the standard linker scripts. Any ideas on how we would document this behaviour? The kernel and libc behaviour are 100% clear: you _are_ allowed to twiddle PROT_BTI on executable mappings, and there is no legitimate (or even useful) reason to disallow this. It's only systemd deliberately breaking the API that causes the behaviour seem by "userspace" to vary. Cheers ---Dave From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 875A6C47082 for ; Mon, 7 Jun 2021 11:28:40 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 52EC9610A8 for ; Mon, 7 Jun 2021 11:28:40 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 52EC9610A8 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=etckqz8H6Ed2nOc6nLbmFEZaX27czaGF/AbZF57B7TA=; b=Gn9db7vm7fgMeK XMJAt2dBkD+ek9K6FUq386fAvdlUeB+tohLU8y2OZlx1/0O+7oGR5xlgOclHZk1MI2WZssM9hRtKm tp79cjZmGxn5u5eplhqN7OycZY+j/dnRCHN9Vzu5iHhjTa+VSJRQMc6x0EiT74vuaiuvVQVqngk37 8TuohnZqHq+fT2kwxDs3eBuYQHN3AKJH7LXq7rtpjXQ+YlN9swKNpDfR2AzeqTQ7tZxtfFJhtZmBa cwQI7ZyJN8m51PCWskhPb2LPzz5N4+L2stgjJSgz+pd80uX2rsppxG5zs4ZiLlDxa1xtJztDneH8d TjeIVUkxY++k5N4J8yag==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1lqDPD-003LAh-Tq; Mon, 07 Jun 2021 11:26:57 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1lqDP0-003L6r-AR for linux-arm-kernel@lists.infradead.org; Mon, 07 Jun 2021 11:26:48 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id EB7511063; Mon, 7 Jun 2021 04:26:38 -0700 (PDT) Received: from arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id CCD983F73D; Mon, 7 Jun 2021 04:26:37 -0700 (PDT) Date: Mon, 7 Jun 2021 12:25:38 +0100 From: Dave Martin To: Catalin Marinas Cc: Mark Brown , linux-arch@vger.kernel.org, libc-alpha@sourceware.org, Szabolcs Nagy , Jeremy Linton , Will Deacon , linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter Message-ID: <20210607112536.GI4187@arm.com> References: <20210521144621.9306-1-broonie@kernel.org> <20210521144621.9306-3-broonie@kernel.org> <20210603154034.GH4187@arm.com> <20210603165134.GF4257@sirena.org.uk> <20210603180429.GI20338@arm.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20210603180429.GI20338@arm.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210607_042642_438085_2EC4E41A X-CRM114-Status: GOOD ( 27.40 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Jun 03, 2021 at 07:04:31PM +0100, Catalin Marinas via Libc-alpha wrote: > On Thu, Jun 03, 2021 at 05:51:34PM +0100, Mark Brown wrote: > > On Thu, Jun 03, 2021 at 04:40:35PM +0100, Dave Martin wrote: > > > Do we know how libcs will detect that they don't need to do the > > > mprotect() calls? Do we need a detection mechanism at all? > > > > > > Ignoring certain errors from mprotect() when ld.so is trying to set > > > PROT_BTI on the main executable's code pages is probably a reasonable, > > > backwards-compatible compromise here, but it seems a bit wasteful. > > > > I think the theory was that they would just do the mprotect() calls and > > ignore any errors as they currently do, or declare that they depend on a > > new enough kernel version I guess (not an option for glibc but might be > > for others which didn't do BTI yet). > > I think we discussed the possibility of an AT_FLAGS bit. Until recently, > this field was 0 but it gained a new bit now. If we are to expose this > to arch-specific things, it may need some reservations. Anyway, that's > an optimisation that can be added subsequently. I suppose so, but AT_FLAGS doesn't seem appropriate somehow. I wonder why we suddenly start considering adding a flag to AT_FLAGS every few months, when it had sat empty for decades. This may say something about the current health of the kernel ABI, but I'm not sure exactly what. I think having mprotect() fail in a predictable way may be preferable for now: glibc still only needs to probe with a single call and could cache the knowledge after that. Code outside libc / ld.so seems quite unlikely to care about this. Since only the executable segment(s) of the main binary need to be protected, this should require only a very small number of mprotect() calls in normal situations. Although it feels a bit cruddy as a design, cost-wise I think that extra overhead would be swamped by other noise in realistic scenarios. Often, there is just a single executable segment, so the common case would probably require just one mprotect() call. I don't know if it ever gets much more complicated when using the standard linker scripts. Any ideas on how we would document this behaviour? The kernel and libc behaviour are 100% clear: you _are_ allowed to twiddle PROT_BTI on executable mappings, and there is no legitimate (or even useful) reason to disallow this. It's only systemd deliberately breaking the API that causes the behaviour seem by "userspace" to vary. Cheers ---Dave _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel