From: "H.J. Lu" <hjl.tools@gmail.com>
To: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>,
GNU C Library <libc-alpha@sourceware.org>,
Richard Earnshaw <rearnsha@arm.com>
Subject: Re: [PATCH v3 2/8] elf: Add a tunable to control use of tagged memory
Date: Thu, 26 Nov 2020 07:50:54 -0800 [thread overview]
Message-ID: <CAMe9rOqBeVot-jbHQpU6iHad4hP4ZwkLeCJD73S6WZ04JkiO6w@mail.gmail.com> (raw)
In-Reply-To: <6173c59d-ee67-9499-ac61-c2dd37b56c67@foss.arm.com>
On Thu, Nov 26, 2020 at 7:48 AM Richard Earnshaw
<Richard.Earnshaw@foss.arm.com> wrote:
>
> On 26/11/2020 15:27, Siddhesh Poyarekar wrote:
> > On 11/26/20 7:45 PM, Richard Earnshaw wrote:
> >> Sure, I can do that if you really think it's the right thing (I presume
> >> this has already been done for other tunables on other architectures, so
> >
> > There's sysdeps/aarch64/dl-tunables.list too, so there's no additional
> > plumbing needed...
> >
> >> that there isn't a lot of additional plumbing needed). But is it? It
> >> seems odd to me that the generic malloc code would read a tunable that
> >> only existed in a particular sysdep configuration. There has to exist
> >> some mechanism for the machine independent code to know that the tagging
> >> behaviour is needed.
> >
> > ... but I see your point. How about if we look at the patchset as
> > follows, which should make it more clearer. It doesn't really change
> > your patchset in any major way (other than fixing failures and review
> > comments), it's only to make the story behind it and hence the design
> > decisions more deliberate.
> >
> > The first part of the patchset (1-3) enables infrastructure to enable
> > memory tagging in glibc. At the project level, this involves adding
> > tagging calls (can't call them hooks because that name's taken and also
> > invoke nightmares for some) in malloc to allow tagging malloc'd objects.
> > The tagging calls are nops in the default case but support could be
> > added either at the architecture level or in the form of a software
> > implementation.
> >
> > The library could add more tag calls in other parts of the library to
> > colour them library-internal (e.g. dynamic linker data, glibc internal
> > data) but that's for later.
> >
> > This basically means that memory tagging becomes a library-wide concept
> > and hence the glibc.mem.tagging tunable and configury should be
> > implemented project-wide, i.e. the way you've done it with your v3
> > patchset with just the tunable naming changed.
> >
> > The second part (6-8, assuming 4 and 5 get subsumed into 3) of the
> > patchset implements aarch64 architecture support for memory tagging.
> > This involves enabling tagging for the entire process using prctl at
> > startup and tagging malloc'd objects. It is unavoidable that tunables
> > will eventually have processwide impact and not just in the library;
> > there's precedent for that in x86 CET.
> >
> > What do you think?
>
> I think it's exactly the way the patch set was structured, I just wasn't
> explicit in saying that :)
>
> >
> > On a slightly different but related point, you may want to think about
> > inheritance of the glibc.mem.tagging tunable when you work on v4, i.e.:
> >
> > 1. Should child processes inherit them? If you're modeling it along the
> > lines of MALLOC_CHECK_ (i.e. diagnostics only) then you'd want to keep
> > it as default, i.e. no inheritance. However if you model it as a
> > hardening feature, you may want to set security_level to IGNORE so that
> > children inherit tagging and forking doesn't become a way to escape
> > tagging protections.
> >
> > 2. Should setxid children inherit enabled memory tagging? Again if
> > you're modeling it as a hardening feature, then maybe you want to set
> > security_level to NONE so that it is inherited by setxid children. I
> > think it will be the first tunable to cross that boundary if you decide
> > to take that route!
> >
>
> A good question. I'd say at this point it's a bit more of a debugging
> feature (at least until things have settled down); but longer term it
> may well become a hardening feature as well. Before we can go down that
> route, though we'll need to sort out how to mark binaries that are
> genuinely incompatible with MTE. We already know that python's object
> management code violates MTE assumptions, for example; either that will
> need to be fixed, or we'll need a route to automatically disable MTE
> when running programs like that.
I think we need to address binary marking first before adding MTE to
glibc.
> So perhaps for now, we'd want to inherit it through normal fork() type
> calls, but perhaps not for setxid at this stage, but we may want to
> widen it later. On the other hand, for a security feature you'd perhaps
> want a more robust (harder to turn off) mechanism than just modifying a
> user-level environment variable.
>
> R.
>
> > Siddhesh
>
--
H.J.
next prev parent reply other threads:[~2020-11-26 15:51 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-23 15:42 [PATCH v3 0/8] Memory tagging support Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 1/8] config: Allow memory tagging to be enabled when configuring glibc Richard Earnshaw
2020-11-25 15:05 ` Siddhesh Poyarekar
2020-11-25 15:09 ` Richard Earnshaw (lists)
2020-11-25 15:10 ` Siddhesh Poyarekar
2020-11-25 15:12 ` Adhemerval Zanella
2020-11-25 16:11 ` Richard Earnshaw (lists)
2020-11-25 16:40 ` Adhemerval Zanella
2020-11-23 15:42 ` [PATCH v3 2/8] elf: Add a tunable to control use of tagged memory Richard Earnshaw
2020-11-25 15:08 ` Siddhesh Poyarekar
2020-11-25 16:35 ` H.J. Lu
2020-11-25 16:53 ` Siddhesh Poyarekar
2020-11-25 16:58 ` Richard Earnshaw
2020-11-25 17:12 ` Siddhesh Poyarekar
2020-11-25 17:24 ` Richard Earnshaw
2020-11-25 17:48 ` Siddhesh Poyarekar
2020-11-25 19:06 ` H.J. Lu
2020-11-26 0:47 ` Siddhesh Poyarekar
2020-11-26 14:15 ` Richard Earnshaw
2020-11-26 15:27 ` Siddhesh Poyarekar
2020-11-26 15:48 ` Richard Earnshaw
2020-11-26 15:50 ` H.J. Lu [this message]
2020-11-26 16:28 ` Richard Earnshaw
2020-11-26 16:51 ` H.J. Lu
2020-11-26 16:59 ` Richard Earnshaw
2020-11-26 17:06 ` H.J. Lu
2020-11-26 17:20 ` Szabolcs Nagy
2020-11-26 17:31 ` H.J. Lu
2020-11-26 17:56 ` Richard Earnshaw
2020-11-26 18:06 ` H.J. Lu
2020-11-26 18:06 ` Szabolcs Nagy
2020-11-26 18:09 ` H.J. Lu
2020-11-26 18:25 ` Andreas Schwab
2020-11-27 10:34 ` Szabolcs Nagy
2020-11-27 11:08 ` Florian Weimer
2020-11-27 2:59 ` Siddhesh Poyarekar
2020-11-27 10:32 ` Szabolcs Nagy
2020-11-27 11:14 ` Siddhesh Poyarekar
2020-11-26 16:04 ` Siddhesh Poyarekar
2020-11-26 16:19 ` H.J. Lu
2020-11-26 17:13 ` Siddhesh Poyarekar
2020-11-26 17:19 ` H.J. Lu
2020-11-27 2:45 ` Siddhesh Poyarekar
2020-11-27 10:40 ` Richard Earnshaw
2020-11-27 10:49 ` Richard Earnshaw
2020-11-27 11:32 ` Siddhesh Poyarekar
2020-11-27 11:51 ` Richard Earnshaw
2020-11-27 11:27 ` Siddhesh Poyarekar
2020-11-27 12:24 ` Richard Earnshaw
2020-11-27 14:54 ` H.J. Lu
2020-11-27 17:02 ` Szabolcs Nagy
2020-11-27 18:41 ` H.J. Lu
2020-11-27 14:52 ` H.J. Lu
2020-11-27 16:08 ` Richard Earnshaw
2020-11-27 18:37 ` H.J. Lu
2020-11-30 6:28 ` Siddhesh Poyarekar
2020-11-26 16:10 ` Szabolcs Nagy
2020-11-23 15:42 ` [PATCH v3 3/8] malloc: Basic support for memory tagging in the malloc() family Richard Earnshaw
2020-11-25 14:58 ` Florian Weimer
2020-11-25 17:32 ` Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 4/8] malloc: Clean up commentary Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 5/8] malloc: support MALLOC_CHECK_ in conjunction with _MTAG_ENABLE Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 6/8] linux: Add compatibility definitions to sys/prctl.h for MTE Richard Earnshaw
2020-11-25 15:26 ` Siddhesh Poyarekar
2020-11-23 15:42 ` [PATCH v3 7/8] aarch64: Add sysv specific enabling code for memory tagging Richard Earnshaw
2020-11-23 16:53 ` Szabolcs Nagy
2020-11-23 17:33 ` Richard Earnshaw (lists)
2020-11-25 15:34 ` Siddhesh Poyarekar
2020-11-25 16:06 ` Richard Earnshaw
2020-11-25 16:20 ` Siddhesh Poyarekar
2020-11-25 16:23 ` Siddhesh Poyarekar
2020-11-23 15:42 ` [PATCH v3 8/8] aarch64: Add aarch64-specific files for memory tagging support Richard Earnshaw
2020-12-16 15:26 ` Szabolcs Nagy
2020-11-24 10:12 ` [PATCH v3 0/8] Memory " Szabolcs Nagy
2020-11-25 14:49 ` Siddhesh Poyarekar
2020-11-25 15:48 ` Richard Earnshaw
2020-11-25 16:17 ` Siddhesh Poyarekar
2020-11-25 15:45 ` H.J. Lu
2020-12-17 3:57 ` DJ Delorie
2020-12-17 11:31 ` Richard Earnshaw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMe9rOqBeVot-jbHQpU6iHad4hP4ZwkLeCJD73S6WZ04JkiO6w@mail.gmail.com \
--to=hjl.tools@gmail.com \
--cc=Richard.Earnshaw@foss.arm.com \
--cc=libc-alpha@sourceware.org \
--cc=rearnsha@arm.com \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).