From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Mark Brown <broonie@kernel.org>, Will Deacon <will@kernel.org>,
Jeremy Linton <jeremy.linton@arm.com>,
"H . J . Lu" <hjl.tools@gmail.com>,
Yu-cheng Yu <yu-cheng.yu@intel.com>,
linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
libc-alpha@sourceware.org, Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter
Date: Thu, 9 Dec 2021 11:10:48 +0000 [thread overview]
Message-ID: <20211209111048.GM3294453@arm.com> (raw)
In-Reply-To: <YbD4LKiaxG2R0XxN@arm.com>
The 12/08/2021 18:23, Catalin Marinas wrote:
> On Mon, Nov 15, 2021 at 03:27:10PM +0000, Mark Brown wrote:
> > Deployments of BTI on arm64 have run into issues interacting with
> > systemd's MemoryDenyWriteExecute feature. Currently for dynamically
> > linked executables the kernel will only handle architecture specific
> > properties like BTI for the interpreter, the expectation is that the
> > interpreter will then handle any properties on the main executable.
> > For BTI this means remapping the executable segments PROT_EXEC |
> > PROT_BTI.
> >
> > This interacts poorly with MemoryDenyWriteExecute since that is
> > implemented using a seccomp filter which prevents setting PROT_EXEC on
> > already mapped memory and lacks the context to be able to detect that
> > memory is already mapped with PROT_EXEC. This series resolves this by
> > handling the BTI property for both the interpreter and the main
> > executable.
> >
> > This does mean that we may get more code with BTI enabled if running on
> > a system without BTI support in the dynamic linker, this is expected to
> > be a safe configuration and testing seems to confirm that. It also
> > reduces the flexibility userspace has to disable BTI but it is expected
> > that for cases where there are problems which require BTI to be disabled
> > it is more likely that it will need to be disabled on a system level.
>
> Given the silence on this series over the past months, I propose we drop
> it. It's a bit unfortunate that systemd's MemoryDenyWriteExecute cannot
> work with BTI but I also think the former is a pretty blunt hardening
> mechanism (rejecting any mprotect(PROT_EXEC) regardless of the previous
> attributes).
>
> I'm not a security expert to assess whether MDWX is more important than
> BTI (hardware availability also influences the distros decision). My
> suggestion would be to look at a better way to support the MDWX on the
> long run that does not interfere with BTI.
i still think it would be better if the kernel dealt with
PROT_BTI for the exe loaded by the kernel.
things work without this series as glibc will continue to
apply mprotect and ignore the failure, but with the series
security is tighter (neither mdwx nor bti are compromised).
for unrelated reasons bti is not widely deployed currently
so i guess there is no urgent interest in this.
next prev parent reply other threads:[~2021-12-09 11:11 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-15 15:27 Mark Brown
2021-11-15 15:27 ` [PATCH v7 1/4] elf: Allow architectures to parse properties on the main executable Mark Brown
2021-11-15 15:27 ` [PATCH v7 2/4] arm64: Enable BTI for main executable as well as the interpreter Mark Brown
2021-11-15 15:27 ` [PATCH v7 3/4] elf: Remove has_interp property from arch_adjust_elf_prot() Mark Brown
2021-11-15 15:27 ` [PATCH v7 4/4] elf: Remove has_interp property from arch_parse_elf_property() Mark Brown
2021-12-08 18:23 ` [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter Catalin Marinas
2021-12-09 11:10 ` Szabolcs Nagy [this message]
2022-01-04 17:32 ` Mark Brown
2022-01-05 22:42 ` Jeremy Linton
2022-01-06 11:00 ` Catalin Marinas
2022-01-06 16:09 ` Jeremy Linton
2022-01-06 18:13 ` Catalin Marinas
2022-01-06 19:07 ` Mark Brown
2022-01-07 12:01 ` Catalin Marinas
2022-01-07 13:10 ` Mark Brown
2022-01-17 17:54 ` Catalin Marinas
2022-01-17 18:16 ` Adhemerval Zanella
2022-01-17 19:01 ` H.J. Lu
2022-01-18 11:22 ` Szabolcs Nagy
2022-01-18 12:55 ` H.J. Lu
2022-01-18 11:02 ` Szabolcs Nagy
2022-01-27 12:24 ` Catalin Marinas
2022-01-27 14:48 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211209111048.GM3294453@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=hjl.tools@gmail.com \
--cc=jeremy.linton@arm.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=will@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).