From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel, Will Deacon, Catalin Marinas, Marc Zyngier, Mark Rutland, Mark Brown, Sami Tolvanen, Nick Desaulniers, Kees Cook
Subject: [PATCH v6 0/3] arm64: dynamic shadow call stack support
Date: Thu, 27 Oct 2022 17:59:05 +0200
Message-Id: <20221027155908.1940624-1-ardb@kernel.org>
Generic kernel images such as Android's GKI usually enable all available security features, which are typically implemented in such a way that they only take effect if the underlying hardware can support it, but don't interfere with correct and efficient operation otherwise.

For shadow call stack support, which is always supported by the hardware, it means it will be enabled even if pointer authentication is also supported, and enabled for signing return addresses stored on the stack. The additional security provided by shadow call stack is only marginal in this case, whereas the performance overhead is not.

Given that return address signing is based on PACIASP/AUTIASP instructions that implicitly operate on the return address register (X30) and are not idempotent (i.e., each needs to be emitted exactly once before the return address is stored on the ordinary stack and after it has been retrieved from it), we can convert these instructions 1:1 into shadow call stack pushes and pops involving the register X30. As this is something that can be done at runtime rather than build time, we can do this conditionally based on whether or not return address signing is supported on the underlying hardware.

In order to allow runtimes to unwind call stacks that involve return address signing, we track whether or not the return address is currently signed by means of DWARF CFI directives in the unwinding metadata.
This means we can use this information to locate all PACIASP/AUTIASP instructions in the binary, instead of having to use brute force and go over all instructions in the entire program.

This series implements this approach for Clang, which has been vetted (and fixed in release 15) to ensure that the unwind metadata is 100% accurate when it comes to PACIASP/AUTIASP occurrences. Sadly, GCC does not always get that quite right, so this series is Clang-only for the moment.

Changes since v5:
- trivial rebase onto v6.1-rc1

Changes since v4 [1]:
- rebase onto v6.0-rc2
- use SYS_FIELD_GET for AA64ISAR1/2 sysreg field accesses
- add Sami's Rb/Tb

Changes since v3 [2]:
- rebase onto arm64/for-next/core
- fix init value of dynamic_scs_enabled static key
- don't discard .eh_frame sections (to work around a bug in an older Clang version if we are keeping them for dynamic SCS patching),
- print a diagnostic if dynamic SCS patching is enabled,
- apply build fix suggested by Sami and add his ack to patch #2

Changes since v2 [3]:
- don't enable unwind table generation for nVHE code - it cannot be patched anyway so it has no use for it;
- drop checks for ID reg overrides
- fix some remaining TODOs regarding augmentation data and the code alignment factor
- disable PAC for leaf functions when dynamic SCS is configured, so that we don't end up with SCS pushes and pops in all leaf functions too;
- add I-cache maintenance after code patching
- add Rb's from Nick and Kees.
Changes since RFC v1:
- implement boot time check for PAC/BTI support, and only enable dynamic SCS if neither are supported;
- implement module patching as well;
- switch to Clang, and drop workaround for GCC bug;

[0] https://lore.kernel.org/linux-arm-kernel/20211013152243.2216899-1-ardb@kernel.org/
[1] https://lore.kernel.org/linux-arm-kernel/20220701152724.3343599-1-ardb@kernel.org/
[2] https://lore.kernel.org/linux-arm-kernel/20220613134008.3760481-1-ardb@kernel.org/
[3] https://lore.kernel.org/linux-arm-kernel/20220505161011.1801596-1-ardb@kernel.org/

Cc: Will Deacon
Cc: Catalin Marinas
Cc: Marc Zyngier
Cc: Mark Rutland
Cc: Mark Brown
Cc: Sami Tolvanen
Cc: Nick Desaulniers
Cc: Kees Cook

Ard Biesheuvel (3):
  arm64: unwind: add asynchronous unwind tables to kernel and modules
  scs: add support for dynamic shadow call stacks
  arm64: implement dynamic shadow call stack for Clang

 Makefile                              |   2 +
 arch/Kconfig                          |   7 +
 arch/arm64/Kconfig                    |  12 +
 arch/arm64/Makefile                   |  15 +-
 arch/arm64/include/asm/module.lds.h   |   8 +
 arch/arm64/include/asm/scs.h          |  49 ++++
 arch/arm64/kernel/Makefile            |   2 +
 arch/arm64/kernel/head.S              |   3 +
 arch/arm64/kernel/irq.c               |   2 +-
 arch/arm64/kernel/module.c            |   8 +
 arch/arm64/kernel/patch-scs.c         | 257 ++++++++++++++++++++
 arch/arm64/kernel/pi/Makefile         |   1 +
 arch/arm64/kernel/sdei.c              |   2 +-
 arch/arm64/kernel/setup.c             |   4 +
 arch/arm64/kernel/vmlinux.lds.S       |  13 +
 arch/arm64/kvm/hyp/nvhe/Makefile      |   1 +
 drivers/firmware/efi/libstub/Makefile |   1 +
 include/asm-generic/vmlinux.lds.h     |   9 +-
 include/linux/scs.h                   |  18 ++
 kernel/scs.c                          |  14 +-
 scripts/module.lds.S                  |   6 +
 21 files changed, 426 insertions(+), 8 deletions(-)
 create mode 100644 arch/arm64/kernel/patch-scs.c
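The mechanism the cover letter describes (use the DWARF CFI "negate RA state" directives to find every PACIASP/AUTIASP, then rewrite each one 1:1 into a shadow call stack push or pop, but only when the CPU has no pointer authentication) as an added, host-side C model. This is example code written for this page, not the series' patch-scs.c or any other kernel code. Assumptions: the push/pop forms are Clang's x18-based shadow call stack ABI (`str x30, [x18], #8` and `ldr x30, [x18, #-8]!`, with the opcodes derived from the A64 load/store encodings rather than taken from the kernel); only the handful of DW_CFA opcodes that appear in a simple Clang prologue/epilogue are modelled; the function body and its CFI bytes are constructed; the ID_AA64ISAR1_EL1/ID_AA64ISAR2_EL1 field positions are the architecture-defined ones. Cache maintenance after patching, which the real kernel needs, is out of scope for a host model.

```c
/* Added example, not code from the patch series: CFI-driven PACIASP/AUTIASP
 * -> SCS push/pop rewrite, modelled on a host with constructed input. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PACIASP  0xd503233fu   /* HINT #25 */
#define AUTIASP  0xd50323bfu   /* HINT #29 */
#define SCS_PUSH 0xf800865eu   /* str x30, [x18], #8   (x18 = shadow stack pointer) */
#define SCS_POP  0xf85f8e5eu   /* ldr x30, [x18, #-8]! */

#define DW_CFA_nop                     0x00
#define DW_CFA_advance_loc1            0x02
#define DW_CFA_def_cfa_offset          0x0e
#define DW_CFA_AARCH64_negate_ra_state 0x2d  /* shares the DW_CFA_GNU_window_save opcode */
#define DW_CFA_advance_loc             0x40  /* 01xxxxxx: delta in the low 6 bits */
#define DW_CFA_offset                  0x80  /* 10xxxxxx: reg in low 6 bits, ULEB128 offset follows */

/* Derive the two SCS opcodes from the A64 64-bit load/store (imm9) encodings,
 * so the constants above can be checked instead of trusted. */
uint32_t enc_str64_postidx(unsigned rt, unsigned rn, int imm9)
{
    return 0xf8000400u | ((uint32_t)(imm9 & 0x1ff) << 12) | (rn << 5) | rt;
}
uint32_t enc_ldr64_preidx(unsigned rt, unsigned rn, int imm9)
{
    return 0xf8400c00u | ((uint32_t)(imm9 & 0x1ff) << 12) | (rn << 5) | rt;
}

static uint64_t read_uleb128(const uint8_t *p, size_t len, size_t *pos)
{
    uint64_t v = 0; unsigned shift = 0;
    while (*pos < len) {
        uint8_t b = p[(*pos)++];
        v |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) break;
        shift += 7;
    }
    return v;
}

/* Rewrite one instruction. Anything other than PACIASP/AUTIASP is left alone:
 * a negate_ra_state can also follow a restore_state that re-toggles the bit. */
static int scs_patch_loc(uint32_t *code, size_t ninsn, uint64_t byteoff)
{
    if (byteoff % 4 || byteoff / 4 >= ninsn) return 0;
    uint32_t *insn = &code[byteoff / 4];
    if (*insn == PACIASP) { *insn = SCS_PUSH; return 1; }
    if (*insn == AUTIASP) { *insn = SCS_POP;  return 1; }
    return 0;
}

/* Walk one FDE's CFI program; loc is the byte offset into the function.
 * Returns the number of instructions patched, or -1 on an opcode not modelled here. */
int scs_patch_from_cfi(uint32_t *code, size_t ninsn,
                       const uint8_t *cfi, size_t cfilen, unsigned code_align)
{
    uint64_t loc = 0; int patched = 0; size_t pos = 0;
    while (pos < cfilen) {
        uint8_t op = cfi[pos++];
        if ((op & 0xc0) == DW_CFA_advance_loc) { loc += (op & 0x3f) * code_align; continue; }
        if ((op & 0xc0) == DW_CFA_offset)      { read_uleb128(cfi, cfilen, &pos); continue; }
        switch (op) {
        case DW_CFA_nop: break;
        case DW_CFA_advance_loc1:
            if (pos >= cfilen) return -1;
            loc += cfi[pos++] * code_align; break;
        case DW_CFA_def_cfa_offset: read_uleb128(cfi, cfilen, &pos); break;
        case DW_CFA_AARCH64_negate_ra_state:
            /* the directive is emitted right after the PACIASP/AUTIASP it describes */
            if (loc < 4) return -1;
            patched += scs_patch_loc(code, ninsn, loc - 4);
            break;
        default: return -1;
        }
    }
    return patched;
}

/* PAC present if ID_AA64ISAR1_EL1.APA[7:4], .API[11:8] or ID_AA64ISAR2_EL1.APA3[15:12]
 * is non-zero; dynamic SCS is wanted only on CPUs without it (assumed policy). */
int dynamic_scs_wanted(uint64_t isar1, uint64_t isar2)
{
    return !(((isar1 >> 4) & 0xf) || ((isar1 >> 8) & 0xf) || ((isar2 >> 12) & 0xf));
}

/* Constructed sample: a return-address-signed function and the CFI for it. */
uint32_t sample_code[7] = {
    PACIASP,      /*  0 */
    0xa9bf7bfdu,  /*  4 stp x29, x30, [sp, #-16]! */
    0x910003fdu,  /*  8 mov x29, sp */
    0x94000000u,  /* 12 bl <callee> */
    0xa8c17bfdu,  /* 16 ldp x29, x30, [sp], #16 */
    AUTIASP,      /* 20 */
    0xd65f03c0u,  /* 24 ret */
};
const uint8_t sample_cfi[] = {
    0x41, 0x2d,             /* advance 1 insn; negate_ra_state -> PACIASP at 0 */
    0x41, 0x0e, 0x10,       /* advance; def_cfa_offset 16 */
    0x9e, 0x01, 0x9d, 0x02, /* offset w30 -8; offset w29 -16 */
    0x02, 0x03, 0x0e, 0x00, /* advance_loc1 3; def_cfa_offset 0 */
    0x41, 0x2d,             /* advance; negate_ra_state -> AUTIASP at 20 */
    0x00, 0x00,             /* nop padding */
};

int main(void)
{
    if (!dynamic_scs_wanted(0, 0)) return 1;   /* constructed: CPU without PAC */
    int n = scs_patch_from_cfi(sample_code, 7, sample_cfi, sizeof sample_cfi, 4);
    printf("patched %d insns: %08x ... %08x\n", n, sample_code[0], sample_code[5]);
    return n == 2 ? 0 : 1;
}
```

Running the walk a second time patches nothing, which is the property the letter relies on: the rewrite is driven by where the RA-state toggles are, and once a PACIASP/AUTIASP has become a push/pop it no longer matches, so a stray or duplicated directive cannot double-patch a location.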