On Wed, Sep 19, 2018 at 04:22:52PM +0200, Christophe LEROY wrote:
> >It looks like it will be easy to enable on 64 bit as well.
>
> Will it ? It seems that PPC64 doesn't have r2 pointing to current task
> struct, but instead it has r13 pointing to the paca struct. Which means
> we should add a canary in the paca struct, and populate it at task
> switch from current->stack_canary. Or am I missing something ?

No, I am just forgetting things :-)

> >>+ /* Try to get a semi random initial value. */
> >>+ get_random_bytes(&canary, sizeof(canary));
> >>+ canary ^= mftb();
> >>+ canary ^= LINUX_VERSION_CODE;
> >
> >These last two lines are useless (or worse, they may give people the idea
> >that they are not!)
>
> Well, the last line is in all arches except x86
> The mftb() was suggested by Michael to add some entropy.
> x86 does the same sort of thing with their rdtsc()
>
> >
> >You should use wait_for_random_bytes I think.
>
> On the 8xx, it takes several minutes before crnd_is_ready(), while
> boot_init_stack_canary() is called quite early in start_kernel()

If you do not provide real entropy to the canary, the canary doesn't help
providing protection as much as you may hope.


Segher
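
Review bot: `canary ^= LINUX_VERSION_CODE;` folds in a build-time constant and `canary ^= mftb();` a timebase read, so neither line makes up for `get_random_bytes()` being called before the random pool is ready, which the thread says is the situation on the 8xx, where boot_init_stack_canary() runs early in start_kernel(). Either drop the two XOR lines or reword the comment above them to state that the quality of the initial canary rests on get_random_bytes() alone at this point in boot, so that "semi random" is not read as a guarantee.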