X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 13058629
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel, Marc Zyngier, Will Deacon, Mark Rutland, Kees Cook, Catalin Marinas, Mark Brown
Subject: [PATCH 0/4] arm64: Add return address protection to asm code
Date: Tue, 29 Nov 2022 15:17:59 +0100
Message-Id: <20221129141803.1746898-1-ardb@kernel.org>

Control flow integrity features such as shadow call stack or PAC work by
placing special instructions between the reload of the link register
from the stack and the function return. The point of this is not only to
protect the control flow when calling that particular function, but also
to ensure that the sequence of instructions appearing at the end of the
function cannot be subverted and used in other ways than intended in a
ROP/JOP style attack.

This means that it is generally a bad idea to incorporate any code that
is rarely or never used, but lacks such protections. So add some macros
that we can invoke in assembler code to protect the return address while
it is stored on the stack, and wire it up in the ftrace code and the EFI
runtime service wrapper code, both of which are often built into
production kernels even when not used.

Another example of this is crypto code, and I will be sending some fixes
via the crypto tree that ensure that these protections are enabled there
as well.

Cc: Marc Zyngier
Cc: Will Deacon
Cc: Mark Rutland
Cc: Kees Cook
Cc: Catalin Marinas
Cc: Mark Brown

Ard Biesheuvel (4):
  arm64: assembler: Force error on misuse of .Lframe_local_offset
  arm64: assembler: Add macros for return address protection
  arm64: efi: Add return address protection to runtime wrapper
  arm64: ftrace: Add return address protection

 arch/arm64/include/asm/assembler.h | 82 ++++++++++++++++++++
 arch/arm64/kernel/efi-rt-wrapper.S | 12 ++-
 arch/arm64/kernel/entry-ftrace.S   | 28 ++++++-
 3 files changed, 117 insertions(+), 5 deletions(-)
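
Added example, not part of the original posting or of the kernel tree: a small audit script that scans an objdump-style arm64 listing for the pattern the cover letter describes, a `ret` that follows a reload of x30 from the stack with no PAC authentication or shadow call stack pop in between. The listing, the function names and the helper `unprotected_returns` are constructed for illustration, and the scan is a linear heuristic that does not follow branches.

```python
import re

# Constructed objdump-style listing (not taken from the kernel tree).
SAMPLE = """\
0000000000000000 <pac_wrapper>:
   0:  d503233f  paciasp
   4:  a9bf7bfd  stp x29, x30, [sp, #-16]!
   8:  a8c17bfd  ldp x29, x30, [sp], #16
   c:  d50323bf  autiasp
  10:  d65f03c0  ret
0000000000000014 <scs_wrapper>:
  14:  f800865e  str x30, [x18], #8
  18:  a9bf7bfd  stp x29, x30, [sp, #-16]!
  1c:  a8c17bfd  ldp x29, x30, [sp], #16
  20:  f85f8e5e  ldr x30, [x18, #-8]!
  24:  d65f03c0  ret
0000000000000028 <plain_wrapper>:
  28:  a9bf7bfd  stp x29, x30, [sp, #-16]!
  2c:  a8c17bfd  ldp x29, x30, [sp], #16
  30:  d65f03c0  ret
"""

LABEL = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
INSN = re.compile(r"^\s*[0-9a-f]+:\s+[0-9a-f]{8}\s+(\S.*)$")
# x30 reloaded from the stack frame, i.e. from writable memory.
LR_RELOAD = re.compile(r"^(ldp\s+\w+,\s*x30|ldr\s+x30),\s*\[(sp|x29)\b")
# Shadow call stack pop: x30 replaced from the x18-based shadow stack.
SCS_POP = re.compile(r"^ldr\s+x30,\s*\[x18,\s*#-8\]!")
# PAC instructions that authenticate x30 (retaa/retab authenticate and return).
PAC_AUTH = {"autiasp", "autibsp", "autiaz", "autibz"}

def unprotected_returns(listing):
    """Names of functions that `ret` on an x30 reloaded from the stack
    with no PAC authentication or SCS pop after the reload."""
    flagged, func, exposed = [], None, False
    for line in listing.splitlines():
        label, insn = LABEL.match(line), INSN.match(line)
        if label:
            func, exposed = label.group(1), False
        elif insn:
            text = " ".join(insn.group(1).split())  # normalise whitespace
            if LR_RELOAD.match(text):
                exposed = True
            elif text.split()[0] in PAC_AUTH or SCS_POP.match(text):
                exposed = False
            elif text.split()[0] == "ret" and exposed and func not in flagged:
                flagged.append(func)
    return flagged
```

Run against real `objdump -d` output for an assembly object, a non-empty result marks routines whose epilogue still trusts the stacked return address.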