From patchwork Thu May 5 16:10:08 2022
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 12839761
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: will@kernel.org, mark.rutland@arm.com, catalin.marinas@arm.com,
    maz@kernel.org, Ard Biesheuvel, Kees Cook, Sami Tolvanen,
    Fangrui Song, Nick Desaulniers, Dan Li
Subject: [RFC PATCH v2 0/3] arm64: dynamic shadow call stack support
Date: Thu, 5 May 2022 18:10:08 +0200
Message-Id: <20220505161011.1801596-1-ardb@kernel.org>

Generic kernel images such as Android's GKI typically enable all
security features, which are typically implemented in such a way that
they only take effect if the underlying hardware can support it, but
don't interfere with correct and efficient operation otherwise.

For shadow call stack support, which is always supported by the
hardware, it means it will be enabled even if pointer authentication is
also supported, and enabled for signing return addresses stored on the
stack. The additional security provided by shadow call stack is only
marginal in this case, whereas the performance overhead is not.

Given that return address signing is based on PACIASP/AUTIASP
instructions that implicitly operate on the return address register
(X30) and are not idempotent (i.e., each needs to be emitted exactly
once before the return address is stored on the ordinary stack and after
it has been retrieved from it), we can convert these instructions 1:1
into shadow call stack pushes and pops involving the register X30. As
this is something that can be done at runtime rather than build time, we
can do this conditionally based on whether or not return address signing
is supported on the underlying hardware.

In order to be able to unwind call stacks that involve return address
signing, whether or not the return address is currently signed is
tracked by DWARF CFI directives in the unwinding metadata.
This means we can use this information to locate all PACIASP/AUTIASP
instructions in the binary, instead of having to use brute force and go
over all instructions in the entire program.

This series implements this approach for Clang, which has recently been
fixed to emit all these CFI directives correctly. This series is based
on an older PoC sent out last year [0] that targeted GCC only (due to
this issue). This v2 targets Clang only, as GCC has its own issues with
CFI correctness.

Changes since RFC v1:
- implement boot time check for PAC/BTI support, and only enable dynamic
  SCS if neither are supported;
- implement module patching as well;
- switch to Clang, and drop workaround for GCC bug;

[0] https://lore.kernel.org/linux-arm-kernel/20211013152243.2216899-1-ardb@kernel.org/

Cc: Kees Cook
Cc: Sami Tolvanen
Cc: Fangrui Song
Cc: Nick Desaulniers
Cc: Dan Li

Ard Biesheuvel (3):
  arm64: unwind: add asynchronous unwind tables to kernel and modules
  scs: add support for dynamic shadow call stacks
  arm64: implement dynamic shadow call stack for Clang

 Makefile                              |   2 +
 arch/Kconfig                          |   7 +
 arch/arm64/Kconfig                    |  11 +
 arch/arm64/Makefile                   |   5 +
 arch/arm64/include/asm/module.lds.h   |   8 +
 arch/arm64/include/asm/scs.h          |  12 +
 arch/arm64/kernel/Makefile            |   2 +
 arch/arm64/kernel/head.S              |   3 +
 arch/arm64/kernel/irq.c               |   2 +-
 arch/arm64/kernel/module.c            |  10 +
 arch/arm64/kernel/patch-scs.c         | 257 ++++++++++++++++++++
 arch/arm64/kernel/sdei.c              |   2 +-
 arch/arm64/kernel/setup.c             |   5 +
 arch/arm64/kernel/vmlinux.lds.S       |  16 ++
 drivers/firmware/efi/libstub/Makefile |   1 +
 include/linux/scs.h                   |  10 +
 kernel/scs.c                          |  14 +-
 17 files changed, 363 insertions(+), 4 deletions(-)
 create mode 100644 arch/arm64/kernel/patch-scs.c
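
The approach described in the cover letter above, as an added user-space sketch that is not code from this series: it follows a CFA program, treats each DW_CFA_negate_ra_state as pointing just past a PACIASP/AUTIASP, and rewrites that instruction into the matching shadow call stack push or pop. The function names, the reduced opcode subset (real frames also carry opcodes such as DW_CFA_def_cfa_offset that a full parser must decode) and the code alignment factor parameter `caf` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* A64 instruction encodings (architectural constants). */
#define PACIASP  0xd503233fu /* sign x30, SP as modifier */
#define AUTIASP  0xd50323bfu /* authenticate x30 */
#define SCS_PUSH 0xf800865eu /* str x30, [x18], #8 */
#define SCS_POP  0xf85f8e5eu /* ldr x30, [x18, #-8]! */
/* DWARF CFA opcodes this sketch understands; anything else is an error. */
#define DW_CFA_nop             0x00
#define DW_CFA_advance_loc1    0x02
#define DW_CFA_negate_ra_state 0x2d
#define DW_CFA_advance_loc     0x40 /* top two bits; delta in low six */

/* Walk one CFA program over `code` (n_insn words, host-endian here).
 * Returns the PAC instructions found, or -1; rewrites only if `patch`. */
static int scs_walk(uint32_t *code, size_t n_insn, const uint8_t *cfa,
                    size_t len, unsigned caf, int patch)
{
    size_t loc = 0; /* byte offset of the current CFI location */
    int hits = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t op = cfa[i];
        if ((op & 0xc0) == DW_CFA_advance_loc) {
            loc += (size_t)(op & 0x3f) * caf;
        } else if (op == DW_CFA_advance_loc1) {
            if (++i >= len) return -1; /* truncated operand */
            loc += (size_t)cfa[i] * caf;
        } else if (op == DW_CFA_negate_ra_state) {
            /* The toggle is recorded at the address after the PAC insn. */
            if (loc < 4 || loc % 4 || loc / 4 > n_insn) return -1;
            uint32_t *insn = &code[loc / 4 - 1];
            if (*insn != PACIASP && *insn != AUTIASP) continue; /* skip */
            hits++;
            if (patch) *insn = (*insn == PACIASP) ? SCS_PUSH : SCS_POP;
        } else if (op != DW_CFA_nop) {
            return -1;
        }
    }
    return hits;
}

/* Dry run first, so an unparseable frame is left completely untouched. */
int scs_patch_frame(uint32_t *code, size_t n_insn, const uint8_t *cfa,
                    size_t len, unsigned caf)
{
    if (scs_walk(code, n_insn, cfa, len, caf, 0) < 0) return -1;
    return scs_walk(code, n_insn, cfa, len, caf, 1);
}
```

The dry-run pass matters because a half-patched function would push to the shadow stack without a matching pop, or the reverse.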