[0/4] arm64: Add return address protection to asm code

Message

Ard Biesheuvel Nov. 29, 2022, 2:17 p.m. UTC

Control flow integrity features such as shadow call stack or PAC work by
placing special instructions between the reload of the link register
from the stack and the function return. The point of this is not only to
protect the control flow when calling that particular function, but also
to ensure that the sequence of instructions appearing at the end of the
function cannot be subverted and used in other ways than intended in a
ROP/JOP style attack.

This means that it is generally a bad idea to incorporate any code that
is rarely or never used, but lacks such protections. So add some macros
that we can invoke in assembler code to protect the return address while
it is stored on the stack, and wire it up in the ftrace code and the EFI
runtime service wrapper code, both of which are often built into
production kernels even when not used.

Another example of this is crypto code, and I will be sending some fixes
via the crypto tree that ensure that these protections are enabled there
as well.

Cc: Marc Zyngier <maz@kernel.org>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Mark Brown <broonie@kernel.org>

Ard Biesheuvel (4):
  arm64: assembler: Force error on misuse of .Lframe_local_offset
  arm64: assembler: Add macros for return address protection
  arm64: efi: Add return address protection to runtime wrapper
  arm64: ftrace: Add return address protection

 arch/arm64/include/asm/assembler.h | 82 ++++++++++++++++++++
 arch/arm64/kernel/efi-rt-wrapper.S | 12 ++-
 arch/arm64/kernel/entry-ftrace.S   | 28 ++++++-
 3 files changed, 117 insertions(+), 5 deletions(-)