From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <Dave.Martin@arm.com>
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by sourceware.org (Postfix) with ESMTP id 329C23857C40
 for <libc-alpha@sourceware.org>; Mon,  8 Feb 2021 14:53:39 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 329C23857C40
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A9BF71FB;
 Mon,  8 Feb 2021 06:53:38 -0800 (PST)
Received: from arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8DC043F719;
 Mon,  8 Feb 2021 06:53:37 -0800 (PST)
Date: Mon, 8 Feb 2021 14:53:16 +0000
From: Dave Martin <Dave.Martin@arm.com>
To: Mark Brown <broonie@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
 Will Deacon <will@kernel.org>, Mark Rutland <mark.rutland@arm.com>,
 libc-alpha@sourceware.org, Kees Cook <keescook@chromium.org>,
 Jeremy Linton <jeremy.linton@arm.com>, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] arm64: bti: Set PROT_BTI on all BTI executables mapped
 by the kernel
Message-ID: <20210208145315.GE21837@arm.com>
References: <20210205173837.39315-1-broonie@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210205173837.39315-1-broonie@kernel.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 14:53:40 -0000

On Fri, Feb 05, 2021 at 05:38:37PM +0000, Mark Brown via Libc-alpha wrote:
> Currently for dynamically linked executables the kernel only enables
> PROT_BTI for the interpreter, the interpreter is responsible for
> enabling it for everything else including the main executable.
> Unfortunately this interacts poorly with systemd's
> MemoryDenyWriteExecute feature which uses a seccomp filter to prevent
> setting PROT_EXEC on already mapped memory via mprotect(), it lacks the
> context to detect that PROT_EXEC is already set and so refuses to allow
> the mprotect() on the main executable which the kernel has already
> mapped.
> 
> Since we don't want to force users to choose between having MDWX and BTI
> as these are othogonal features have the kernel enable PROT_BTI for all
> the ELF objects it loads, not just the dynamic linker.  This means that
> if there is a problem with BTI it will be harder to disable at the
> executable level but we currently have no conditional support for this
> in any libc anyway so that would be new development.  Ideally we would
> have interfaces that allowed us to more clearly specify what is enabled
> and disabled by a given syscall but this would be a far more difficult
> change to deploy.
> 
> Reported-by: Jeremy Linton <jeremy.linton@arm.com>
> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Signed-off-by: Mark Brown <broonie@kernel.org>
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Szabolcs Nagy <szabolcs.nagy@arm.com>
> Cc: Dave Martin <dave.martin@arm.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: libc-alpha@sourceware.org
> ---
> 
> This solution was proposed by Catalin, I'm just writing it up into a
> patch since it looks to be what we've converged on as the most practical
> solution and but things seemed to have stalled out.
> 
>  arch/arm64/kernel/process.c | 8 --------
>  1 file changed, 8 deletions(-)
> 
> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
> index 71c8265b9139..0967f9e1f9fd 100644
> --- a/arch/arm64/kernel/process.c
> +++ b/arch/arm64/kernel/process.c
> @@ -717,14 +717,6 @@ asmlinkage void __sched arm64_preempt_schedule_irq(void)
>  int arch_elf_adjust_prot(int prot, const struct arch_elf_state *state,
>  			 bool has_interp, bool is_interp)
>  {
> -	/*
> -	 * For dynamically linked executables the interpreter is
> -	 * responsible for setting PROT_BTI on everything except
> -	 * itself.
> -	 */
> -	if (is_interp != has_interp)
> -		return prot;
> -

Reviewed-by: Dave Martin <Dave.Martin@arm.com>

>  	if (!(state->flags & ARM64_ELF_BTI))
>  		return prot;

The original idea was to interfere with userspace as little as possible,
and leave this until/unless there was a clear need for it and a clear
understanding that it wouldn't break anything.

Looks like we have both of those now -- I'll leave it to Szabolcs to
confirm the userspace view of this.

Question: will this change prevent BTI executables from working under a
non-BTI-aware ld.so?  And do we care?  (I think "probably not" for both,
but I'd be interested in others' views.)

Cheers
---Dave