public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed
From: Catalin Marinas <catalin.marinas@arm.com>
To: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>,
	Szabolcs Nagy <szabolcs.nagy@arm.com>,
	Jeremy Linton <jeremy.linton@arm.com>,
	"H . J . Lu" <hjl.tools@gmail.com>,
	Yu-cheng Yu <yu-cheng.yu@intel.com>,
	linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	libc-alpha@sourceware.org, Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter
Date: Wed, 8 Dec 2021 18:23:40 +0000	[thread overview]
Message-ID: <YbD4LKiaxG2R0XxN@arm.com> (raw)
In-Reply-To: <20211115152714.3205552-1-broonie@kernel.org>

On Mon, Nov 15, 2021 at 03:27:10PM +0000, Mark Brown wrote:
> Deployments of BTI on arm64 have run into issues interacting with
> systemd's MemoryDenyWriteExecute feature.  Currently for dynamically
> linked executables the kernel will only handle architecture specific
> properties like BTI for the interpreter, the expectation is that the
> interpreter will then handle any properties on the main executable.
> For BTI this means remapping the executable segments PROT_EXEC |
> PROT_BTI.
> 
> This interacts poorly with MemoryDenyWriteExecute since that is
> implemented using a seccomp filter which prevents setting PROT_EXEC on
> already mapped memory and lacks the context to be able to detect that
> memory is already mapped with PROT_EXEC.  This series resolves this by
> handling the BTI property for both the interpreter and the main
> executable.
> 
> This does mean that we may get more code with BTI enabled if running on
> a system without BTI support in the dynamic linker, this is expected to
> be a safe configuration and testing seems to confirm that. It also
> reduces the flexibility userspace has to disable BTI but it is expected
> that for cases where there are problems which require BTI to be disabled
> it is more likely that it will need to be disabled on a system level.

Given the silence on this series over the past months, I propose we drop
it. It's a bit unfortunate that systemd's MemoryDenyWriteExecute cannot
work with BTI but I also think the former is a pretty blunt hardening
mechanism (rejecting any mprotect(PROT_EXEC) regardless of the previous
attributes).

I'm not a security expert to assess whether MDWX is more important than
BTI (hardware availability also influences the distros decision). My
suggestion would be to look at a better way to support the MDWX on the
long run that does not interfere with BTI.

-- 
Catalin

  parent reply	other threads:[~2021-12-08 18:23 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-15 15:27 Mark Brown
2021-11-15 15:27 ` [PATCH v7 1/4] elf: Allow architectures to parse properties on the main executable Mark Brown
2021-11-15 15:27 ` [PATCH v7 2/4] arm64: Enable BTI for main executable as well as the interpreter Mark Brown
2021-11-15 15:27 ` [PATCH v7 3/4] elf: Remove has_interp property from arch_adjust_elf_prot() Mark Brown
2021-11-15 15:27 ` [PATCH v7 4/4] elf: Remove has_interp property from arch_parse_elf_property() Mark Brown
2021-12-08 18:23 ` Catalin Marinas [this message]
2021-12-09 11:10   ` [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter Szabolcs Nagy
2022-01-04 17:32     ` Mark Brown
2022-01-05 22:42       ` Jeremy Linton
2022-01-06 11:00         ` Catalin Marinas
2022-01-06 16:09           ` Jeremy Linton
2022-01-06 18:13             ` Catalin Marinas
2022-01-06 19:07               ` Mark Brown
2022-01-07 12:01                 ` Catalin Marinas
2022-01-07 13:10                   ` Mark Brown
2022-01-17 17:54                   ` Catalin Marinas
2022-01-17 18:16                     ` Adhemerval Zanella
2022-01-17 19:01                       ` H.J. Lu
2022-01-18 11:22                         ` Szabolcs Nagy
2022-01-18 12:55                           ` H.J. Lu
2022-01-18 11:02                     ` Szabolcs Nagy
2022-01-27 12:24                       ` Catalin Marinas
2022-01-27 14:48                         ` Szabolcs Nagy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YbD4LKiaxG2R0XxN@arm.com \
    --to=catalin.marinas@arm.com \
    --cc=broonie@kernel.org \
    --cc=hjl.tools@gmail.com \
    --cc=jeremy.linton@arm.com \
    --cc=libc-alpha@sourceware.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=mark.rutland@arm.com \
    --cc=szabolcs.nagy@arm.com \
    --cc=will@kernel.org \
    --cc=yu-cheng.yu@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).