From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS17314 8.43.84.0/22 X-Spam-Status: No, score=-3.8 required=3.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, PDS_RDNS_DYNAMIC_FP,RCVD_IN_DNSWL_HI,RDNS_DYNAMIC,SPF_HELO_PASS, SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (ip-8-43-85-97.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 9C7511F8C6 for ; Sun, 1 Aug 2021 14:57:43 +0000 (UTC) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 83CFE387088D for ; Sun, 1 Aug 2021 14:57:42 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 83CFE387088D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1627829862; bh=lFOizAPk7IHBMyrT7Ix5ceXEB1lfjCl4vFYbTMdO33Q=; h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=QfTm/YRP3yk1CSRCvwfNCiedtNaQe7ajVXlFor9DM8kDYuF3u3775pT6Z4F2EZI/k S8mlyAWY15GYVlIoQpTsMjkufrDJ78o38GnMVzbiPcsPJ7ADtvU0fkkHc7+P3Pknnw ftaP/YYljd5lTKxvpagcj6ayPgGkxq1Rt3W59Ack= Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by sourceware.org (Postfix) with ESMTPS id 27C493857C50 for ; Sun, 1 Aug 2021 14:56:32 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 27C493857C50 Received: by mail.kernel.org (Postfix) with ESMTPSA id 54A17610A1; Sun, 1 Aug 2021 14:56:28 +0000 (UTC) Date: Sun, 1 Aug 2021 07:56:25 -0700 To: Mark Brown Subject: Re: [PATCH v5 0/4] arm64: Enable BTI for the executable as well as the interpreter Message-ID: <20210801145623.GA28489@arm.com> References: <20210719164536.19143-1-broonie@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210719164536.19143-1-broonie@kernel.org> User-Agent: Mutt/1.10.1 (2018-07-13) X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Catalin Marinas via Libc-alpha Reply-To: Catalin Marinas Cc: linux-arch@vger.kernel.org, Yu-cheng Yu , libc-alpha@sourceware.org, Florian Weimer , Szabolcs Nagy , Jeremy Linton , Topi Miettinen , Lennart Poettering , Mark Rutland , Will Deacon , Dave Martin , linux-arm-kernel@lists.infradead.org Errors-To: libc-alpha-bounces+e=80x24.org@sourceware.org Sender: "Libc-alpha" On Mon, Jul 19, 2021 at 05:45:32PM +0100, Mark Brown wrote: > Deployments of BTI on arm64 have run into issues interacting with > systemd's MemoryDenyWriteExecute feature. Currently for dynamically > linked executables the kernel will only handle architecture specific > properties like BTI for the interpreter, the expectation is that the > interpreter will then handle any properties on the main executable. > For BTI this means remapping the executable segments PROT_EXEC | > PROT_BTI. > > This interacts poorly with MemoryDenyWriteExecute since that is > implemented using a seccomp filter which prevents setting PROT_EXEC on > already mapped memory and lacks the context to be able to detect that > memory is already mapped with PROT_EXEC. This series resolves this by > handling the BTI property for both the interpreter and the main > executable. > > This does mean that we may get more code with BTI enabled if running on > a system without BTI support in the dynamic linker, this is expected to > be a safe configuration and testing seems to confirm that. It also > reduces the flexibility userspace has to disable BTI but it is expected > that for cases where there are problems which require BTI to be disabled > it is more likely that it will need to be disabled on a system level. One last call on this series as I'd like to at least have it in -next for a few weeks if we are to upstream it. Adding people that have been involved on the previous longer discussion: https://lore.kernel.org/r/8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com The glibc issue has been solved in the sense that if mprotect() fails, the error is ignored and we end up with BTI disabled for the main executable. This series aims to change the responsibility for PROT_BTI on the main (dynamic) executable from the dynamic linker to the kernel. It doesn't come without risks though. Suppose that the dynamic linker in the future decides that it's not safe to mix BTI/non-BTI for some objects, it won't have a way to disable BTI on the main executable if MDWX is enabled. It's a trade-off between the risks introduced by this series vs the benefits of MDWX. If the risk is non-negligible, the next step is assessing the importance of MDWX vs BTI on arm64 and whether we should look for alternatives to MDWX in the future (ideally which don't involve new flags to mprotect()). Thanks. -- Catalin