From: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>,
GNU C Library <libc-alpha@sourceware.org>,
Richard Earnshaw <rearnsha@arm.com>
Subject: Re: [PATCH v3 2/8] elf: Add a tunable to control use of tagged memory
Date: Thu, 26 Nov 2020 16:28:40 +0000 [thread overview]
Message-ID: <3b69bc46-df40-f9ad-b76b-b69483b0934c@foss.arm.com> (raw)
In-Reply-To: <CAMe9rOqBeVot-jbHQpU6iHad4hP4ZwkLeCJD73S6WZ04JkiO6w@mail.gmail.com>
On 26/11/2020 15:50, H.J. Lu wrote:
> On Thu, Nov 26, 2020 at 7:48 AM Richard Earnshaw
> <Richard.Earnshaw@foss.arm.com> wrote:
>>
>> On 26/11/2020 15:27, Siddhesh Poyarekar wrote:
>>> On 11/26/20 7:45 PM, Richard Earnshaw wrote:
>>>> Sure, I can do that if you really think it's the right thing (I presume
>>>> this has already been done for other tunables on other architectures, so
>>>
>>> There's sysdeps/aarch64/dl-tunables.list too, so there's no additional
>>> plumbing needed...
>>>
>>>> that there isn't a lot of additional plumbing needed). But is it? It
>>>> seems odd to me that the generic malloc code would read a tunable that
>>>> only existed in a particular sysdep configuration. There has to exist
>>>> some mechanism for the machine independent code to know that the tagging
>>>> behaviour is needed.
>>>
>>> ... but I see your point. How about if we look at the patchset as
>>> follows, which should make it more clearer. It doesn't really change
>>> your patchset in any major way (other than fixing failures and review
>>> comments), it's only to make the story behind it and hence the design
>>> decisions more deliberate.
>>>
>>> The first part of the patchset (1-3) enables infrastructure to enable
>>> memory tagging in glibc. At the project level, this involves adding
>>> tagging calls (can't call them hooks because that name's taken and also
>>> invoke nightmares for some) in malloc to allow tagging malloc'd objects.
>>> The tagging calls are nops in the default case but support could be
>>> added either at the architecture level or in the form of a software
>>> implementation.
>>>
>>> The library could add more tag calls in other parts of the library to
>>> colour them library-internal (e.g. dynamic linker data, glibc internal
>>> data) but that's for later.
>>>
>>> This basically means that memory tagging becomes a library-wide concept
>>> and hence the glibc.mem.tagging tunable and configury should be
>>> implemented project-wide, i.e. the way you've done it with your v3
>>> patchset with just the tunable naming changed.
>>>
>>> The second part (6-8, assuming 4 and 5 get subsumed into 3) of the
>>> patchset implements aarch64 architecture support for memory tagging.
>>> This involves enabling tagging for the entire process using prctl at
>>> startup and tagging malloc'd objects. It is unavoidable that tunables
>>> will eventually have processwide impact and not just in the library;
>>> there's precedent for that in x86 CET.
>>>
>>> What do you think?
>>
>> I think it's exactly the way the patch set was structured, I just wasn't
>> explicit in saying that :)
>>
>>>
>>> On a slightly different but related point, you may want to think about
>>> inheritance of the glibc.mem.tagging tunable when you work on v4, i.e.:
>>>
>>> 1. Should child processes inherit them? If you're modeling it along the
>>> lines of MALLOC_CHECK_ (i.e. diagnostics only) then you'd want to keep
>>> it as default, i.e. no inheritance. However if you model it as a
>>> hardening feature, you may want to set security_level to IGNORE so that
>>> children inherit tagging and forking doesn't become a way to escape
>>> tagging protections.
>>>
>>> 2. Should setxid children inherit enabled memory tagging? Again if
>>> you're modeling it as a hardening feature, then maybe you want to set
>>> security_level to NONE so that it is inherited by setxid children. I
>>> think it will be the first tunable to cross that boundary if you decide
>>> to take that route!
>>>
>>
>> A good question. I'd say at this point it's a bit more of a debugging
>> feature (at least until things have settled down); but longer term it
>> may well become a hardening feature as well. Before we can go down that
>> route, though we'll need to sort out how to mark binaries that are
>> genuinely incompatible with MTE. We already know that python's object
>> management code violates MTE assumptions, for example; either that will
>> need to be fixed, or we'll need a route to automatically disable MTE
>> when running programs like that.
>
> I think we need to address binary marking first before adding MTE to
> glibc.
Sorry, I disagree. While this is a debugging tool there's no need for
binary marking.
Once we have a clearer understanding of what's needed there, we can work
out how best to do the marking.
R.
>
>> So perhaps for now, we'd want to inherit it through normal fork() type
>> calls, but perhaps not for setxid at this stage, but we may want to
>> widen it later. On the other hand, for a security feature you'd perhaps
>> want a more robust (harder to turn off) mechanism than just modifying a
>> user-level environment variable.
>>
>> R.
>>
>>> Siddhesh
>>
>
>
next prev parent reply other threads:[~2020-11-26 16:28 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-23 15:42 [PATCH v3 0/8] Memory tagging support Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 1/8] config: Allow memory tagging to be enabled when configuring glibc Richard Earnshaw
2020-11-25 15:05 ` Siddhesh Poyarekar
2020-11-25 15:09 ` Richard Earnshaw (lists)
2020-11-25 15:10 ` Siddhesh Poyarekar
2020-11-25 15:12 ` Adhemerval Zanella
2020-11-25 16:11 ` Richard Earnshaw (lists)
2020-11-25 16:40 ` Adhemerval Zanella
2020-11-23 15:42 ` [PATCH v3 2/8] elf: Add a tunable to control use of tagged memory Richard Earnshaw
2020-11-25 15:08 ` Siddhesh Poyarekar
2020-11-25 16:35 ` H.J. Lu
2020-11-25 16:53 ` Siddhesh Poyarekar
2020-11-25 16:58 ` Richard Earnshaw
2020-11-25 17:12 ` Siddhesh Poyarekar
2020-11-25 17:24 ` Richard Earnshaw
2020-11-25 17:48 ` Siddhesh Poyarekar
2020-11-25 19:06 ` H.J. Lu
2020-11-26 0:47 ` Siddhesh Poyarekar
2020-11-26 14:15 ` Richard Earnshaw
2020-11-26 15:27 ` Siddhesh Poyarekar
2020-11-26 15:48 ` Richard Earnshaw
2020-11-26 15:50 ` H.J. Lu
2020-11-26 16:28 ` Richard Earnshaw [this message]
2020-11-26 16:51 ` H.J. Lu
2020-11-26 16:59 ` Richard Earnshaw
2020-11-26 17:06 ` H.J. Lu
2020-11-26 17:20 ` Szabolcs Nagy
2020-11-26 17:31 ` H.J. Lu
2020-11-26 17:56 ` Richard Earnshaw
2020-11-26 18:06 ` H.J. Lu
2020-11-26 18:06 ` Szabolcs Nagy
2020-11-26 18:09 ` H.J. Lu
2020-11-26 18:25 ` Andreas Schwab
2020-11-27 10:34 ` Szabolcs Nagy
2020-11-27 11:08 ` Florian Weimer
2020-11-27 2:59 ` Siddhesh Poyarekar
2020-11-27 10:32 ` Szabolcs Nagy
2020-11-27 11:14 ` Siddhesh Poyarekar
2020-11-26 16:04 ` Siddhesh Poyarekar
2020-11-26 16:19 ` H.J. Lu
2020-11-26 17:13 ` Siddhesh Poyarekar
2020-11-26 17:19 ` H.J. Lu
2020-11-27 2:45 ` Siddhesh Poyarekar
2020-11-27 10:40 ` Richard Earnshaw
2020-11-27 10:49 ` Richard Earnshaw
2020-11-27 11:32 ` Siddhesh Poyarekar
2020-11-27 11:51 ` Richard Earnshaw
2020-11-27 11:27 ` Siddhesh Poyarekar
2020-11-27 12:24 ` Richard Earnshaw
2020-11-27 14:54 ` H.J. Lu
2020-11-27 17:02 ` Szabolcs Nagy
2020-11-27 18:41 ` H.J. Lu
2020-11-27 14:52 ` H.J. Lu
2020-11-27 16:08 ` Richard Earnshaw
2020-11-27 18:37 ` H.J. Lu
2020-11-30 6:28 ` Siddhesh Poyarekar
2020-11-26 16:10 ` Szabolcs Nagy
2020-11-23 15:42 ` [PATCH v3 3/8] malloc: Basic support for memory tagging in the malloc() family Richard Earnshaw
2020-11-25 14:58 ` Florian Weimer
2020-11-25 17:32 ` Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 4/8] malloc: Clean up commentary Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 5/8] malloc: support MALLOC_CHECK_ in conjunction with _MTAG_ENABLE Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 6/8] linux: Add compatibility definitions to sys/prctl.h for MTE Richard Earnshaw
2020-11-25 15:26 ` Siddhesh Poyarekar
2020-11-23 15:42 ` [PATCH v3 7/8] aarch64: Add sysv specific enabling code for memory tagging Richard Earnshaw
2020-11-23 16:53 ` Szabolcs Nagy
2020-11-23 17:33 ` Richard Earnshaw (lists)
2020-11-25 15:34 ` Siddhesh Poyarekar
2020-11-25 16:06 ` Richard Earnshaw
2020-11-25 16:20 ` Siddhesh Poyarekar
2020-11-25 16:23 ` Siddhesh Poyarekar
2020-11-23 15:42 ` [PATCH v3 8/8] aarch64: Add aarch64-specific files for memory tagging support Richard Earnshaw
2020-12-16 15:26 ` Szabolcs Nagy
2020-11-24 10:12 ` [PATCH v3 0/8] Memory " Szabolcs Nagy
2020-11-25 14:49 ` Siddhesh Poyarekar
2020-11-25 15:48 ` Richard Earnshaw
2020-11-25 16:17 ` Siddhesh Poyarekar
2020-11-25 15:45 ` H.J. Lu
2020-12-17 3:57 ` DJ Delorie
2020-12-17 11:31 ` Richard Earnshaw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3b69bc46-df40-f9ad-b76b-b69483b0934c@foss.arm.com \
--to=richard.earnshaw@foss.arm.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=rearnsha@arm.com \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).