Re: [PATCH v11 9/9] x86: Disallow vsyscall emulation when CET is enabled
On 8/25/2020 2:14 AM, Florian Weimer wrote: * Andy Lutomirski: On Mon, Aug 24, 2020 at 5:30 PM Yu-cheng Yu wrote: From: "H.J. Lu" Emulation of the legacy vsyscall page is required by some programs built before 2013. Newer programs after 2013 don't use it. Disallow vsyscall emulation when Control-flow Enforcement (CET) is enabled to enhance security. NAK. By all means disable execute emulation if CET-IBT is enabled at the time emulation is attempted, and maybe even disable the vsyscall page entirely if you can magically tell that CET-IBT will be enabled when a process starts, but you don't get to just disable it outright on a CET-enabled kernel. Yeah, we definitely would have to revert/avoid this downstream. People definitely want to run glibc-2.12-era workloads on current kernels. Thanks for catching it. That makes sense. I will update the patch. Thanks, Yu-cheng
Re: [PATCH v11 9/9] x86: Disallow vsyscall emulation when CET is enabled
* Andy Lutomirski: > On Mon, Aug 24, 2020 at 5:30 PM Yu-cheng Yu wrote: >> >> From: "H.J. Lu" >> >> Emulation of the legacy vsyscall page is required by some programs built >> before 2013. Newer programs after 2013 don't use it. Disallow vsyscall >> emulation when Control-flow Enforcement (CET) is enabled to enhance >> security. > > NAK. > > By all means disable execute emulation if CET-IBT is enabled at the > time emulation is attempted, and maybe even disable the vsyscall page > entirely if you can magically tell that CET-IBT will be enabled when a > process starts, but you don't get to just disable it outright on a > CET-enabled kernel. Yeah, we definitely would have to revert/avoid this downstream. People definitely want to run glibc-2.12-era workloads on current kernels. Thanks for catching it. Florian
Re: [PATCH v11 9/9] x86: Disallow vsyscall emulation when CET is enabled
On Mon, Aug 24, 2020 at 5:30 PM Yu-cheng Yu wrote: > > From: "H.J. Lu" > > Emulation of the legacy vsyscall page is required by some programs built > before 2013. Newer programs after 2013 don't use it. Disallow vsyscall > emulation when Control-flow Enforcement (CET) is enabled to enhance > security. NAK. By all means disable execute emulation if CET-IBT is enabled at the time emulation is attempted, and maybe even disable the vsyscall page entirely if you can magically tell that CET-IBT will be enabled when a process starts, but you don't get to just disable it outright on a CET-enabled kernel.
[PATCH v11 9/9] x86: Disallow vsyscall emulation when CET is enabled
From: "H.J. Lu" Emulation of the legacy vsyscall page is required by some programs built before 2013. Newer programs after 2013 don't use it. Disallow vsyscall emulation when Control-flow Enforcement (CET) is enabled to enhance security. Signed-off-by: H.J. Lu Signed-off-by: Yu-cheng Yu --- arch/x86/Kconfig | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 5bd6d6a10047..bbc68ecfae2b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1210,7 +1210,7 @@ config X86_ESPFIX64 config X86_VSYSCALL_EMULATION bool "Enable vsyscall emulation" if EXPERT default y - depends on X86_64 + depends on X86_64 && !X86_INTEL_CET help This enables emulation of the legacy vsyscall page. Disabling it is roughly equivalent to booting with vsyscall=none, except @@ -1225,6 +1225,8 @@ config X86_VSYSCALL_EMULATION Disabling this option saves about 7K of kernel size and possibly 4K of additional runtime pagetable memory. +This option is disabled when Intel CET is enabled. + config X86_IOPL_IOPERM bool "IOPERM and IOPL Emulation" default y @@ -2361,7 +2363,7 @@ config COMPAT_VDSO choice prompt "vsyscall table for legacy applications" - depends on X86_64 + depends on X86_64 && !X86_INTEL_CET default LEGACY_VSYSCALL_XONLY help Legacy user code that does not know how to find the vDSO expects @@ -2378,6 +2380,8 @@ choice If unsure, select "Emulate execution only". + This option is not enabled when Intel CET is enabled. + config LEGACY_VSYSCALL_EMULATE bool "Full emulation" help -- 2.21.0
