Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 18 Oct 2019 10:18:40 -0700
From: Sami Tolvanen <>
To: Jann Horn <>
Cc: Will Deacon <>, Catalin Marinas <>, 
	Steven Rostedt <>, Ard Biesheuvel <>, 
	Dave Martin <>, Kees Cook <>, 
	Laura Abbott <>, Mark Rutland <>, 
	Nick Desaulniers <>, 
	clang-built-linux <>, 
	Kernel Hardening <>, 
	linux-arm-kernel <>, 
	kernel list <>
Subject: Re: [PATCH 18/18] arm64: implement Shadow Call Stack

On Fri, Oct 18, 2019 at 10:13 AM Jann Horn <> wrote:
> These things should probably be __always_inline or something like
> that? If the compiler decides not to inline them (e.g. when called
> from scs_thread_switch()), stuff will blow up, right?

Correct. I'll change these to __always_inline in v2. I think there
might be other places in the kernel where not inlining a static inline
function would break things, but there's no need to add more.

> This is different from the intended protection level according to
> <>, which
> talks about "a runtime that avoids exposing the address of the shadow
> call stack to attackers that can read arbitrary memory". Of course,
> that's extremely hard to implement in the context of the kernel, where
> you can see all the memory management data structures and all physical
> memory.

Yes, the security guarantees in the kernel are different as hiding
shadow stack pointers is more challenging.

> You might want to write something in the cover letter about what the
> benefits of this mechanism compared to STACKPROTECTOR are in the
> context of the kernel, including a specific description of which types
> of attacker capabilities this is supposed to defend against.

Sure, I'll add something about that in v2. Thanks.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.