From: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>,
GNU C Library <libc-alpha@sourceware.org>,
Richard Earnshaw <rearnsha@arm.com>
Subject: Re: [PATCH v3 2/8] elf: Add a tunable to control use of tagged memory
Date: Thu, 26 Nov 2020 16:59:57 +0000 [thread overview]
Message-ID: <cd584f3b-32bd-c5f2-d284-30030a291f3b@foss.arm.com> (raw)
In-Reply-To: <CAMe9rOpXFDLuOtiV=pbkYv2VN9kveuAYLp+MSjemLEzWDBQf1Q@mail.gmail.com>
On 26/11/2020 16:51, H.J. Lu wrote:
> On Thu, Nov 26, 2020 at 8:28 AM Richard Earnshaw
> <Richard.Earnshaw@foss.arm.com> wrote:
>>
>> On 26/11/2020 15:50, H.J. Lu wrote:
>>> On Thu, Nov 26, 2020 at 7:48 AM Richard Earnshaw
>>> <Richard.Earnshaw@foss.arm.com> wrote:
>>>>
>>>> On 26/11/2020 15:27, Siddhesh Poyarekar wrote:
>>>>> On 11/26/20 7:45 PM, Richard Earnshaw wrote:
>>>>>> Sure, I can do that if you really think it's the right thing (I presume
>>>>>> this has already been done for other tunables on other architectures, so
>>>>>
>>>>> There's sysdeps/aarch64/dl-tunables.list too, so there's no additional
>>>>> plumbing needed...
>>>>>
>>>>>> that there isn't a lot of additional plumbing needed). But is it? It
>>>>>> seems odd to me that the generic malloc code would read a tunable that
>>>>>> only existed in a particular sysdep configuration. There has to exist
>>>>>> some mechanism for the machine independent code to know that the tagging
>>>>>> behaviour is needed.
>>>>>
>>>>> ... but I see your point. How about if we look at the patchset as
>>>>> follows, which should make it more clearer. It doesn't really change
>>>>> your patchset in any major way (other than fixing failures and review
>>>>> comments), it's only to make the story behind it and hence the design
>>>>> decisions more deliberate.
>>>>>
>>>>> The first part of the patchset (1-3) enables infrastructure to enable
>>>>> memory tagging in glibc. At the project level, this involves adding
>>>>> tagging calls (can't call them hooks because that name's taken and also
>>>>> invoke nightmares for some) in malloc to allow tagging malloc'd objects.
>>>>> The tagging calls are nops in the default case but support could be
>>>>> added either at the architecture level or in the form of a software
>>>>> implementation.
>>>>>
>>>>> The library could add more tag calls in other parts of the library to
>>>>> colour them library-internal (e.g. dynamic linker data, glibc internal
>>>>> data) but that's for later.
>>>>>
>>>>> This basically means that memory tagging becomes a library-wide concept
>>>>> and hence the glibc.mem.tagging tunable and configury should be
>>>>> implemented project-wide, i.e. the way you've done it with your v3
>>>>> patchset with just the tunable naming changed.
>>>>>
>>>>> The second part (6-8, assuming 4 and 5 get subsumed into 3) of the
>>>>> patchset implements aarch64 architecture support for memory tagging.
>>>>> This involves enabling tagging for the entire process using prctl at
>>>>> startup and tagging malloc'd objects. It is unavoidable that tunables
>>>>> will eventually have processwide impact and not just in the library;
>>>>> there's precedent for that in x86 CET.
>>>>>
>>>>> What do you think?
>>>>
>>>> I think it's exactly the way the patch set was structured, I just wasn't
>>>> explicit in saying that :)
>>>>
>>>>>
>>>>> On a slightly different but related point, you may want to think about
>>>>> inheritance of the glibc.mem.tagging tunable when you work on v4, i.e.:
>>>>>
>>>>> 1. Should child processes inherit them? If you're modeling it along the
>>>>> lines of MALLOC_CHECK_ (i.e. diagnostics only) then you'd want to keep
>>>>> it as default, i.e. no inheritance. However if you model it as a
>>>>> hardening feature, you may want to set security_level to IGNORE so that
>>>>> children inherit tagging and forking doesn't become a way to escape
>>>>> tagging protections.
>>>>>
>>>>> 2. Should setxid children inherit enabled memory tagging? Again if
>>>>> you're modeling it as a hardening feature, then maybe you want to set
>>>>> security_level to NONE so that it is inherited by setxid children. I
>>>>> think it will be the first tunable to cross that boundary if you decide
>>>>> to take that route!
>>>>>
>>>>
>>>> A good question. I'd say at this point it's a bit more of a debugging
>>>> feature (at least until things have settled down); but longer term it
>>>> may well become a hardening feature as well. Before we can go down that
>>>> route, though we'll need to sort out how to mark binaries that are
>>>> genuinely incompatible with MTE. We already know that python's object
>>>> management code violates MTE assumptions, for example; either that will
>>>> need to be fixed, or we'll need a route to automatically disable MTE
>>>> when running programs like that.
>>>
>>> I think we need to address binary marking first before adding MTE to
>>> glibc.
>>
>> Sorry, I disagree. While this is a debugging tool there's no need for
>> binary marking.
>>
>> Once we have a clearer understanding of what's needed there, we can work
>> out how best to do the marking.
>>
>
> If the only goal is to have a malloc with memory tag, you should enable
> memory tag in an out-of-tree malloc implementation. It should be sufficient.
>
It's not the only goal. What's more that would require special linking,
rather than just being able to turn on the feature.
Initially, that might be the main usage, but it's not the ultimate goal.
R.
next prev parent reply other threads:[~2020-11-26 17:00 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-23 15:42 [PATCH v3 0/8] Memory tagging support Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 1/8] config: Allow memory tagging to be enabled when configuring glibc Richard Earnshaw
2020-11-25 15:05 ` Siddhesh Poyarekar
2020-11-25 15:09 ` Richard Earnshaw (lists)
2020-11-25 15:10 ` Siddhesh Poyarekar
2020-11-25 15:12 ` Adhemerval Zanella
2020-11-25 16:11 ` Richard Earnshaw (lists)
2020-11-25 16:40 ` Adhemerval Zanella
2020-11-23 15:42 ` [PATCH v3 2/8] elf: Add a tunable to control use of tagged memory Richard Earnshaw
2020-11-25 15:08 ` Siddhesh Poyarekar
2020-11-25 16:35 ` H.J. Lu
2020-11-25 16:53 ` Siddhesh Poyarekar
2020-11-25 16:58 ` Richard Earnshaw
2020-11-25 17:12 ` Siddhesh Poyarekar
2020-11-25 17:24 ` Richard Earnshaw
2020-11-25 17:48 ` Siddhesh Poyarekar
2020-11-25 19:06 ` H.J. Lu
2020-11-26 0:47 ` Siddhesh Poyarekar
2020-11-26 14:15 ` Richard Earnshaw
2020-11-26 15:27 ` Siddhesh Poyarekar
2020-11-26 15:48 ` Richard Earnshaw
2020-11-26 15:50 ` H.J. Lu
2020-11-26 16:28 ` Richard Earnshaw
2020-11-26 16:51 ` H.J. Lu
2020-11-26 16:59 ` Richard Earnshaw [this message]
2020-11-26 17:06 ` H.J. Lu
2020-11-26 17:20 ` Szabolcs Nagy
2020-11-26 17:31 ` H.J. Lu
2020-11-26 17:56 ` Richard Earnshaw
2020-11-26 18:06 ` H.J. Lu
2020-11-26 18:06 ` Szabolcs Nagy
2020-11-26 18:09 ` H.J. Lu
2020-11-26 18:25 ` Andreas Schwab
2020-11-27 10:34 ` Szabolcs Nagy
2020-11-27 11:08 ` Florian Weimer
2020-11-27 2:59 ` Siddhesh Poyarekar
2020-11-27 10:32 ` Szabolcs Nagy
2020-11-27 11:14 ` Siddhesh Poyarekar
2020-11-26 16:04 ` Siddhesh Poyarekar
2020-11-26 16:19 ` H.J. Lu
2020-11-26 17:13 ` Siddhesh Poyarekar
2020-11-26 17:19 ` H.J. Lu
2020-11-27 2:45 ` Siddhesh Poyarekar
2020-11-27 10:40 ` Richard Earnshaw
2020-11-27 10:49 ` Richard Earnshaw
2020-11-27 11:32 ` Siddhesh Poyarekar
2020-11-27 11:51 ` Richard Earnshaw
2020-11-27 11:27 ` Siddhesh Poyarekar
2020-11-27 12:24 ` Richard Earnshaw
2020-11-27 14:54 ` H.J. Lu
2020-11-27 17:02 ` Szabolcs Nagy
2020-11-27 18:41 ` H.J. Lu
2020-11-27 14:52 ` H.J. Lu
2020-11-27 16:08 ` Richard Earnshaw
2020-11-27 18:37 ` H.J. Lu
2020-11-30 6:28 ` Siddhesh Poyarekar
2020-11-26 16:10 ` Szabolcs Nagy
2020-11-23 15:42 ` [PATCH v3 3/8] malloc: Basic support for memory tagging in the malloc() family Richard Earnshaw
2020-11-25 14:58 ` Florian Weimer
2020-11-25 17:32 ` Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 4/8] malloc: Clean up commentary Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 5/8] malloc: support MALLOC_CHECK_ in conjunction with _MTAG_ENABLE Richard Earnshaw
2020-11-23 15:42 ` [PATCH v3 6/8] linux: Add compatibility definitions to sys/prctl.h for MTE Richard Earnshaw
2020-11-25 15:26 ` Siddhesh Poyarekar
2020-11-23 15:42 ` [PATCH v3 7/8] aarch64: Add sysv specific enabling code for memory tagging Richard Earnshaw
2020-11-23 16:53 ` Szabolcs Nagy
2020-11-23 17:33 ` Richard Earnshaw (lists)
2020-11-25 15:34 ` Siddhesh Poyarekar
2020-11-25 16:06 ` Richard Earnshaw
2020-11-25 16:20 ` Siddhesh Poyarekar
2020-11-25 16:23 ` Siddhesh Poyarekar
2020-11-23 15:42 ` [PATCH v3 8/8] aarch64: Add aarch64-specific files for memory tagging support Richard Earnshaw
2020-12-16 15:26 ` Szabolcs Nagy
2020-11-24 10:12 ` [PATCH v3 0/8] Memory " Szabolcs Nagy
2020-11-25 14:49 ` Siddhesh Poyarekar
2020-11-25 15:48 ` Richard Earnshaw
2020-11-25 16:17 ` Siddhesh Poyarekar
2020-11-25 15:45 ` H.J. Lu
2020-12-17 3:57 ` DJ Delorie
2020-12-17 11:31 ` Richard Earnshaw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd584f3b-32bd-c5f2-d284-30030a291f3b@foss.arm.com \
--to=richard.earnshaw@foss.arm.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=rearnsha@arm.com \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).