| Message ID | 20210719164536.19143-1-broonie@kernel.org |
|---|---|
| Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id EC25F3955404 for <patchwork@sourceware.org>; Mon, 19 Jul 2021 16:46:30 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org EC25F3955404 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1626713191; bh=d79ZAWm0+3GZtMOi4yK5qMHc4vQ/iBBddK80MgtXGRY=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=DoGG/cJR/wdCmmI8WqkagORZhgL2Y/hSMJZedWqE2aLzF8uR1wN0ZZuJgS8ikwQPO R6Q3C/vZ84qj4McT0dsGmhLwDwasyf6TU8KIHxsoSoossXoC6wEdBRg+PSRE9RwrTt KUlPwNezMHl4NP09MvEep8crM8//EdGgCTO4Rg40= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by sourceware.org (Postfix) with ESMTPS id DAB7C3959E47 for <libc-alpha@sourceware.org>; Mon, 19 Jul 2021 16:46:08 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org DAB7C3959E47 Received: by mail.kernel.org (Postfix) with ESMTPSA id 04B0861166; Mon, 19 Jul 2021 16:46:06 +0000 (UTC) To: Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org> Subject: [PATCH v5 0/4] arm64: Enable BTI for the executable as well as the interpreter Date: Mon, 19 Jul 2021 17:45:32 +0100 Message-Id: <20210719164536.19143-1-broonie@kernel.org> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2311; h=from:subject; bh=BuNpEVw0Z7QF7T6Pg1Y4iSPkryr1pnhL0UsAdhxfVKQ=; b=owEBbQGS/pANAwAKASTWi3JdVIfQAcsmYgBg9awsKt64aeGMJqs+SFgkYb2M102fvMXDFSgSE/pz XyqRHxuJATMEAAEKAB0WIQSt5miqZ1cYtZ/in+ok1otyXVSH0AUCYPWsLAAKCRAk1otyXVSH0Mq7B/ 9LyoRg5d1BWXInbLMROy7vixqHG8dTgSGcnxpFWRikeVZT5UKgZ8V9QItAlMVaEppYaBRw98PfBkDq kQEQWmcgg+Aghu8ifnM1pCArevFtntF3Oa0jgYRVPOXLr9rOteR+1UkQYFSycaTvWrWnD1Epv2BuL8 WDOczzWGZLhkE+oVhpkwKm9sUNtKGZb3N3+Z7HqOGA/mBxAVho58BbGlpQLndfyqljSr3n9xdFac4f 1Megg/C2xlo2/JoyS70SjWDMQhSR02sPRDwwPDyKlR0VEc9tHaylGooFLp8WU7j2Wge+5EQyfOkcpC kJ3SD34oIISkfqQmYV2q1DNVwc3bRV X-Developer-Key: i=broonie@kernel.org; a=openpgp; fpr=3F2568AAC26998F9E813A1C5C3F436CA30F5D8EB Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.6 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> From: Mark Brown via Libc-alpha <libc-alpha@sourceware.org> Reply-To: Mark Brown <broonie@kernel.org> Cc: linux-arch@vger.kernel.org, Yu-cheng Yu <yu-cheng.yu@intel.com>, libc-alpha@sourceware.org, Szabolcs Nagy <szabolcs.nagy@arm.com>, Jeremy Linton <jeremy.linton@arm.com>, Mark Brown <broonie@kernel.org>, Dave Martin <dave.martin@arm.com>, linux-arm-kernel@lists.infradead.org Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> |
| Series |
arm64: Enable BTI for the executable as well as the interpreter
|
|
Message
Mark Brown
July 19, 2021, 4:45 p.m. UTC
Deployments of BTI on arm64 have run into issues interacting with systemd's MemoryDenyWriteExecute feature. Currently for dynamically linked executables the kernel will only handle architecture specific properties like BTI for the interpreter, the expectation is that the interpreter will then handle any properties on the main executable. For BTI this means remapping the executable segments PROT_EXEC | PROT_BTI. This interacts poorly with MemoryDenyWriteExecute since that is implemented using a seccomp filter which prevents setting PROT_EXEC on already mapped memory and lacks the context to be able to detect that memory is already mapped with PROT_EXEC. This series resolves this by handling the BTI property for both the interpreter and the main executable. This does mean that we may get more code with BTI enabled if running on a system without BTI support in the dynamic linker, this is expected to be a safe configuration and testing seems to confirm that. It also reduces the flexibility userspace has to disable BTI but it is expected that for cases where there are problems which require BTI to be disabled it is more likely that it will need to be disabled on a system level. v5: - Rebase onto v5.14-rc2. - Tweak changelog on patch 1. - Use the helper for interpreter/executable flag in elf.h as well. v4: - Rebase onto v5.14-rc1. v3: - Fix passing of properties for parsing by the main executable. - Drop has_interp from arch_parse_elf_property(). - Coding style tweaks. v2: - Add a patch dropping has_interp from arch_adjust_elf_prot() - Fix bisection issue with static executables on arm64 in the first patch. Mark Brown (4): elf: Allow architectures to parse properties on the main executable arm64: Enable BTI for main executable as well as the interpreter elf: Remove has_interp property from arch_adjust_elf_prot() elf: Remove has_interp property from arch_parse_elf_property() arch/arm64/include/asm/elf.h | 14 ++++++++++++-- arch/arm64/kernel/process.c | 16 +++------------- fs/binfmt_elf.c | 29 ++++++++++++++++++++--------- include/linux/elf.h | 8 +++++--- 4 files changed, 40 insertions(+), 27 deletions(-) base-commit: 2734d6c1b1a089fb593ef6a23d4b70903526fe0c
Comments
On Mon, Jul 19, 2021 at 05:45:32PM +0100, Mark Brown wrote: > Deployments of BTI on arm64 have run into issues interacting with > systemd's MemoryDenyWriteExecute feature. Currently for dynamically > linked executables the kernel will only handle architecture specific > properties like BTI for the interpreter, the expectation is that the > interpreter will then handle any properties on the main executable. > For BTI this means remapping the executable segments PROT_EXEC | > PROT_BTI. > > This interacts poorly with MemoryDenyWriteExecute since that is > implemented using a seccomp filter which prevents setting PROT_EXEC on > already mapped memory and lacks the context to be able to detect that > memory is already mapped with PROT_EXEC. This series resolves this by > handling the BTI property for both the interpreter and the main > executable. > > This does mean that we may get more code with BTI enabled if running on > a system without BTI support in the dynamic linker, this is expected to > be a safe configuration and testing seems to confirm that. It also > reduces the flexibility userspace has to disable BTI but it is expected > that for cases where there are problems which require BTI to be disabled > it is more likely that it will need to be disabled on a system level. One last call on this series as I'd like to at least have it in -next for a few weeks if we are to upstream it. Adding people that have been involved on the previous longer discussion: https://lore.kernel.org/r/8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com The glibc issue has been solved in the sense that if mprotect() fails, the error is ignored and we end up with BTI disabled for the main executable. This series aims to change the responsibility for PROT_BTI on the main (dynamic) executable from the dynamic linker to the kernel. It doesn't come without risks though. Suppose that the dynamic linker in the future decides that it's not safe to mix BTI/non-BTI for some objects, it won't have a way to disable BTI on the main executable if MDWX is enabled. It's a trade-off between the risks introduced by this series vs the benefits of MDWX. If the risk is non-negligible, the next step is assessing the importance of MDWX vs BTI on arm64 and whether we should look for alternatives to MDWX in the future (ideally which don't involve new flags to mprotect()). Thanks.