On Fri, Aug 16, 2024 at 11:51:57AM +0100, Mark Brown wrote:
On Fri, Aug 16, 2024 at 09:44:46AM +0100, Catalin Marinas wrote:
We could, in theory, consume this token in the parent before the child mm is created. The downside is that if a parent forks multiple processes using the same shadow stack, it will have to set the token each time. I'd be fine with this, that's really only for the mostly theoretical case where one doesn't use CLONE_VM and still want a separate stack and shadow stack.
I originally implemented things that way but people did complain about the !CLONE_VM case, which does TBH seem reasonable. Note that the parent won't as standard be able to set the token again - since the shadow stack is not writable to userspace by default it'd instead need to allocate a whole new shadow stack for each child.
Ah, good point.
I change back to parsing the token in the parent but I don't want to end up in a cycle of bouncing between the two implementations depending on who's reviewed the most recent version.
You and others spent a lot more time looking at shadow stacks than me. I'm not necessarily asking to change stuff but rather understand the choices made.