On Fri, 2023-10-27 at 12:49 +0100, Szabolcs.Nagy@arm.com wrote:
> no. the lifetime is the issue: a stack in principle can outlive a thread and be resumed even after the original thread exited. for that to work the shadow stack has to outlive the thread too.
Hmm, this makes me think about the tracing usages.
> (or the other way around: a stack can be freed before the thread exits, if the thread pivots away from that stack.)
> posix threads etc. don't allow this, but the linux syscall abi (clone) does allow it.
> i think it is reasonable to tie the shadow stack lifetime to the thread lifetime, but this clearly introduces a limitation on how the clone api can be used. such a constraint on the userspace programming model is normally a bad decision, but given that most software (including all posix conforming code) is not affected, i think it is acceptable for an opt-in feature like shadow stack.
Do you have any updated plans to share around your earlier ideas for token schemes that try to shoot for more compatibility or security?