From patchwork Tue Oct 8 22:36:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13827081 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1366FCF042B for ; Tue, 8 Oct 2024 22:37:51 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 2FAB46B0083; Tue, 8 Oct 2024 18:37:51 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 2AA4C6B0085; Tue, 8 Oct 2024 18:37:51 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 173186B0088; Tue, 8 Oct 2024 18:37:51 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id E62B46B0083 for ; Tue, 8 Oct 2024 18:37:50 -0400 (EDT) Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 39C02ABF37 for ; Tue, 8 Oct 2024 22:37:47 +0000 (UTC) X-FDA: 82651898700.10.D144947 Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by imf09.hostedemail.com (Postfix) with ESMTP id 8D75F14000F for ; Tue, 8 Oct 2024 22:37:48 +0000 (UTC) Authentication-Results: imf09.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=IJFYmUfv; spf=pass (imf09.hostedemail.com: domain of debug@rivosinc.com designates 209.85.215.172 as permitted sender) smtp.mailfrom=debug@rivosinc.com; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1728426932; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=YT6jBbRZ8hZ5+d5YKC7Sze5MFu5F8/gSPRiKDGliAGQ=; b=BGuRc3vd1tve6lDYfBSTjrYuNuP1y3sK9sssYpBZ1oEwlHVLTVUUO1rWSlrmYMDvVkb61u /l7n7G/Hzc2zxLk/Bfq6gO9PjmRsjFhF6ttA1hoYWGAtrof9eOBfxcbLj//WjOkCgoQDWA gtw5cB5Fy9br0993ct0apNV866dUxgQ= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1728426932; a=rsa-sha256; cv=none; b=06n7lGZxK5Cx1up4FMbcWd4cjwTVEp7PsxEDITBuFNINW+myzrLjB79wJw9hpDyUsUY4dE D8WTpLkYg/H+5rRRXSf0agLq6fW+f+NTSzn8x9Atkar3OwWlrchMbS4AXE6tXGGdzRtcvv soUbD5Jv1bT32BfEE0GOpyjzfsE490U= ARC-Authentication-Results: i=1; imf09.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=IJFYmUfv; spf=pass (imf09.hostedemail.com: domain of debug@rivosinc.com designates 209.85.215.172 as permitted sender) smtp.mailfrom=debug@rivosinc.com; dmarc=none Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-7cd8803fe0aso4215459a12.0 for ; Tue, 08 Oct 2024 15:37:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1728427067; x=1729031867; darn=kvack.org; h=cc:to:content-transfer-encoding:mime-version:message-id:date :subject:from:from:to:cc:subject:date:message-id:reply-to; bh=YT6jBbRZ8hZ5+d5YKC7Sze5MFu5F8/gSPRiKDGliAGQ=; b=IJFYmUfvr6HM6bjHCCCOH0FQ65fdLyhpWMVN+60Qvn+uB5F05eXGj6q3icNysbKBxZ 0YrPM/XqLmVQBjvjv0cWf+BmcscRFUAKLQXqI7XI6Fv7Q/2hbsR6DJv05/piy2Qf5nig LsXixF0uCGr5jGdZNeSvb6QKPkZO7pbvaO/s08Nj23jl/VMNk4AbOPqDBOGu2ZcZhZYO hmBMomkjmuLU00+kN/d2yIZtYuLKwe2EMacfxI/5IoilUW8aO6YPtC7S3873Yf3Ec3wF 7lpuD0Zsreg1m5POr/61ZvkQqRucnQB/10rCMeN9UdvQ8/+JPpAYR3ptyAMQxG3IJP/l X9Vg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728427067; x=1729031867; h=cc:to:content-transfer-encoding:mime-version:message-id:date :subject:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YT6jBbRZ8hZ5+d5YKC7Sze5MFu5F8/gSPRiKDGliAGQ=; b=Vir8SJ3vXZidPWWHfIiBqICMUwKzcmctPN1BVaWUdVUryWyrH7snDzu9/MEdaZtCVh bDv0PxMijj/5nTyZh1Ruwkke9452U9dpFpM4nQ3SZPG2P4ORZK3kmtfnZPyGZTJyjRAp 5Qhebh50F+UIIqcAuD7Dh16ymYw5TLWLEQQnNTSH7vSzpONqltbjGPBee+an9b5l43Rp KZsK2tueHg6zXQXDkI8QqDY7JcZwwkAa9GZjLwioUhX9Qs869oHGZBQDwVlLs4JvLsXF i02N8+g0l8v5zOMNSC/oraYGCTG6CDt58opBnT3tMssVzyhtMurdRRVY3RO04abEiWcT KpOg== X-Forwarded-Encrypted: i=1; AJvYcCX8goyupW91F1TR6+JCRoVovJTSAcQ1L7qjtH/fhx2WyrrXe+7CZp/pKoSj0IwqBeMqtRSNIEagtQ==@kvack.org X-Gm-Message-State: AOJu0YzrrcWM96me66TxwwPczIdNcgh8H+037GcZB5ZB6GVub1GcdMaD QFOh8xxw9PeI5uxEcb5l16CmXIi6TXDXUhkkLybRma5llNoXZANbsiG/J4n36ik= X-Google-Smtp-Source: AGHT+IHoy0X8xSg8yluDnHlNMiuIhfODa4MLaXY5veheVmh0OO+3syJQ+aerSJIHUmm6Sml2D5IVfA== X-Received: by 2002:a05:6a20:9f03:b0:1d8:a247:945d with SMTP id adf61e73a8af0-1d8a3c5c4famr587986637.50.1728427066964; Tue, 08 Oct 2024 15:37:46 -0700 (PDT) Received: from debug.ba.rivosinc.com ([64.71.180.162]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-71df0ccc4b2sm6591270b3a.45.2024.10.08.15.37.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Oct 2024 15:37:46 -0700 (PDT) From: Deepak Gupta Subject: [PATCH v6 00/33] riscv control-flow integrity for usermode Date: Tue, 08 Oct 2024 15:36:42 -0700 Message-Id: <20241008-v5_user_cfi_series-v6-0-60d9fe073f37@rivosinc.com> MIME-Version: 1.0 X-B4-Tracking: v=1; b=H4sIAPuzBWcC/22NwQ7CIBAFf6XZs5gFhKgn/8M0pFCwe7A0oETT8 O9ivXqcl8y8FbJP5DOcuxWSL5Qpzg30rgM3DfPNMxobg0BxwJNEVpR5Nse4QObnMjk6KUU4BmU FNHFJPtBri177xhPlR0zv7aPw77rlOCL/lyucIZN20MpqrxSGS6ISM81u7+Id+lrrB3OP87W3A AAA To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Andrew Morton , "Liam R. Howlett" , Vlastimil Babka , Lorenzo Stoakes , Paul Walmsley , Palmer Dabbelt , Albert Ou , Conor Dooley , Rob Herring , Krzysztof Kozlowski , Arnd Bergmann , Christian Brauner , Peter Zijlstra , Oleg Nesterov , Eric Biederman , Kees Cook , Jonathan Corbet , Shuah Khan Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, Deepak Gupta , David Hildenbrand , Carlos Bilbao , Samuel Holland , Andrew Jones , Conor Dooley , Andy Chiu X-Mailer: b4 0.14.0 X-Stat-Signature: 131wr7mif8y919okfj98ue37t5ibb8un X-Rspamd-Queue-Id: 8D75F14000F X-Rspam-User: X-Rspamd-Server: rspam08 X-HE-Tag: 1728427068-831715 X-HE-Meta: U2FsdGVkX19m8JqwGBjpIsMQQuqcxA+HAfNr01N6O/XKz347LFREsm4XMwoBDdQPnekE6zEz7S0QcntNQIr0bBjIhpDLvv9rJ75C1K4JvNKpYyBpjHXcGg8aqSDpWXfJnT+J5H5e7Tju7NcYN+edg8MfQZRPoqxRvp6xJN6ksJmmsxHBwdCltB1wNzX2qut/1EUJPrlkTsPBWXNAbo8qi4lVoWZs4a2l7mSvGGVj6W9SfEddwSQ8POvDrkhzQWcLeHttHM9VhWWEkpRaZcvR+C5P9n3ryPJJ3bUvIqeuKgRIn7CXTXyoMsD68ImUgr7i8x3egswg67knJ2bjLivKbPHM0NMOq1C/vFlnbuRgpJ5szHkk9jBt6NZtjILrEI6SV2DoULCa9hII4fyVv1o0zRpZ1hpXLBq6jRUzp9ImwRUWJCp72VBhdj7J5TIUpdZuW/27E7XizXHfKn+hbv+D7zzDfZ0n8dMPyjss9uWchkeqsBqyp8O7FDhK0Cylj3bwjqLWFJURm/qrDLWmpdvlY0ex9qsOEmZGtZRmw1NXOCu/BfyIYJ7JsUnZklbTD76GX0qgca3490U4FcfYxJoy6qAYUXDR3P73F9ttYuujiJGN9mUXUhIQQ5JCgCiLMtTQzxspI1TdgColhf2uDHqjJyBiGpfBcijfnJp6m2uQUnl82ux53iJzx7DD+bV424NtN7OWkYTcXd9Dzjh2keh7gPIkMJ6YDfqM1L1P41C/LdRwb9JXAw3jZ1QRG4anSvr5O9+7rd4NX6ebz7+vgmOZ5NtwXSCxxuUFkmlOpjnqOKygZZfglZmSff7kAzrw77v5vHxAHV4Ns6mZhq7FzYq93WIae+YutTvydZhfcnzosxdMjw4gS+/Ojq0Fryob1QUKA042ab9Bh1oJYNZyiUGTMiIwkHgWdeQJLN0q4ckSJ/FdQ16Wilu52tSlDE1gdAm9Z9EHrXTR/GZglgA7iz5 uygAX+z5 nic3RhEYSOiQpD+HPL5MilLRYU8n1sqrp035QPulThKryZuqtXr4649Z7YcFPI/05LBYNzDPDaAlC63E7/fF2viaiFeUJfXoheUezSlTaOzER/32h5Rtc7Kx/jnDjEgxLJwZ1b8oO+IGC/aDL2p0nU0RR6q6wDBnQ/xT8ey/f+Lq5ixbFK4Ik6zqXwjaLgIFlpnJ5Av5aRYM8aoAF0u+0gL8J3NTN3DjXyv04n8Utg0/DVWz+eswWAwUvI8LzMcb1L+jD7kb7lGuCTaJMRAsecTCIW4ZaR2VWgm/6I+xxpqPtCSomMynuklq5neJgvpj2BlVlw/eWPN0N07MiD+egFTy10k7baLk4Py6Vd/3VVOgIcox0OyRFFF3WsopvcU6oxwrKMPNOl4iqIsaVkXpsK1C3JPYlZIWQQ6Z7omQ1SHN8pyGa1/6tKt2ZSo/PO10STeM2nVrT3cnBxdSUqrYFdN/JJhWAmZDEhhGmNCI7sXRywDynM4w+V+TFDgDkFr7lFdwk+dvORA5De8KM9+yCORSRtch9fakf9xJ1NthHG2fRnxlF+ZRKE/yGXsaKHHe/BgGwwxKHxo8p/GZReqIbNNub/813vmHe9YIm5tMGGEBeAAOJ7aIex16SGvIn8fBB4cf0uAQRhC1sy9vXHlBq7xOS3BS8PaJ8ve50Cck+zPxvRMy4iJ9of2DadDkDbP89AiSsbMm70o5h1JkYvpr6OKUoUpf3Fen4T+m+cGzhzL2HijZTFKMJjqJWZo5Bk9E6UMSGJeCk1CdKZOYlJ9hbNF000WQ+SUPRfNcPyux0wHUsuQ3JtkCu9UYv/j+5SjFJEGOeItFTVak97/wWQ5M8Qr+9rGYxuABY32fVXuPf5AYfa2ltoBUP60MPPvF4u7Yh4QwfAUfARkiKlXuU/t7eJTbEEViBy+KW9XOoigguzZK3DxWA6WEI24Hp0wxglURzjloUxfOFmu9JLb0LlI+rdtk+SRKr oU8t6XKN i2wvt04U88GE7JSlKrSrga0n1isXtZ776xENuCMLwgZxrnuJgTI5Lqy2WBBPzfOPVRcLsX4HUjYfZSErvWaEEvbOGp1GA9uT+HDkWemQDtY5mltkoKxDGjYgfIlMMFYnS9eRR72/qYm+VeUNwaMuiXnW9f2gxj26HTfovMAlunSRnOJOK97oGjzPn9dtY8TRIz/t2+UR1cuEKhrBtF2uizsjAqNqq+5h5bv0WmSwqXlm4QH7ZOGBWfCb+6xPjhzkym91r4s/vQqechB0lAtDb1fRp+du4FVzqCNAfTnumv4nHWRdGA8m25zwF+KUwiwnJze41C9dGa8TtjWmZMLsW77kpmqbr/yc X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Basics and overview =================== Software with larger attack surfaces (e.g. network facing apps like databases, browsers or apps relying on browser runtimes) suffer from memory corruption issues which can be utilized by attackers to bend control flow of the program to eventually gain control (by making their payload executable). Attackers are able to perform such attacks by leveraging call-sites which rely on indirect calls or return sites which rely on obtaining return address from stack memory. To mitigate such attacks, risc-v extension zicfilp enforces that all indirect calls must land on a landing pad instruction `lpad` else cpu will raise software check exception (a new cpu exception cause code on riscv). Similarly for return flow, risc-v extension zicfiss extends architecture with - `sspush` instruction to push return address on a shadow stack - `sspopchk` instruction to pop return address from shadow stack and compare with input operand (i.e. return address on stack) - `sspopchk` to raise software check exception if comparision above was a mismatch - Protection mechanism using which shadow stack is not writeable via regular store instructions More information an details can be found at extensions github repo [1]. Equivalent to landing pad (zicfilp) on x86 is `ENDBRANCH` instruction in Intel CET [3] and branch target identification (BTI) [4] on arm. Similarly x86's Intel CET has shadow stack [5] and arm64 has guarded control stack (GCS) [6] which are very similar to risc-v's zicfiss shadow stack. x86 already supports shadow stack for user mode and arm64 support for GCS in usermode [7] is ongoing. Kernel awareness for user control flow integrity ================================================ This series picks up Samuel Holland's envcfg changes [2] as well. So if those are being applied independently, they should be removed from this series. Enabling: In order to maintain compatibility and not break anything in user mode, kernel doesn't enable control flow integrity cpu extensions on binary by default. Instead exposes a prctl interface to enable, disable and lock the shadow stack or landing pad feature for a task. This allows userspace (loader) to enumerate if all objects in its address space are compiled with shadow stack and landing pad support and accordingly enable the feature. Additionally if a subsequent `dlopen` happens on a library, user mode can take a decision again to disable the feature (if incoming library is not compiled with support) OR terminate the task (if user mode policy is strict to have all objects in address space to be compiled with control flow integirty cpu feature). prctl to enable shadow stack results in allocating shadow stack from virtual memory and activating for user address space. x86 and arm64 are also following same direction due to similar reason(s). clone/fork: On clone and fork, cfi state for task is inherited by child. Shadow stack is part of virtual memory and is a writeable memory from kernel perspective (writeable via a restricted set of instructions aka shadow stack instructions) Thus kernel changes ensure that this memory is converted into read-only when fork/clone happens and COWed when fault is taken due to sspush, sspopchk or ssamoswap. In case `CLONE_VM` is specified and shadow stack is to be enabled, kernel will automatically allocate a shadow stack for that clone call. map_shadow_stack: x86 introduced `map_shadow_stack` system call to allow user space to explicitly map shadow stack memory in its address space. It is useful to allocate shadow for different contexts managed by a single thread (green threads or contexts) risc-v implements this system call as well. signal management: If shadow stack is enabled for a task, kernel performs an asynchronous control flow diversion to deliver the signal and eventually expects userspace to issue sigreturn so that original execution can be resumed. Even though resume context is prepared by kernel, it is in user space memory and is subject to memory corruption and corruption bugs can be utilized by attacker in this race window to perform arbitrary sigreturn and eventually bypass cfi mechanism. Another issue is how to ensure that cfi related state on sigcontext area is not trampled by legacy apps or apps compiled with old kernel headers. In order to mitigate control-flow hijacting, kernel prepares a token and place it on shadow stack before signal delivery and places address of token in sigcontext structure. During sigreturn, kernel obtains address of token from sigcontext struture, reads token from shadow stack and validates it and only then allow sigreturn to succeed. Compatiblity issue is solved by adopting dynamic sigcontext management introduced for vector extension. This series re-factor the code little bit to allow future sigcontext management easy (as proposed by Andy Chiu from SiFive) config and compilation: Introduce a new risc-v config option `CONFIG_RISCV_USER_CFI`. Selecting this config option picks the kernel support for user control flow integrity. This optin is presented only if toolchain has shadow stack and landing pad support. And is on purpose guarded by toolchain support. Reason being that eventually vDSO also needs to be compiled in with shadow stack and landing pad support. vDSO compile patches are not included as of now because landing pad labeling scheme is yet to settle for usermode runtime. To get more information on kernel interactions with respect to zicfilp and zicfiss, patch series adds documentation for `zicfilp` and `zicfiss` in following: Documentation/arch/riscv/zicfiss.rst Documentation/arch/riscv/zicfilp.rst How to test this series ======================= Toolchain --------- $ git clone git@github.com:sifive/riscv-gnu-toolchain.git -b cfi-dev $ riscv-gnu-toolchain/configure --prefix= --with-arch=rv64gc_zicfilp_zicfiss --enable-linux --disable-gdb --with-extra-multilib-test="rv64gc_zicfilp_zicfiss-lp64d:-static" $ make -j$(nproc) Qemu ---- $ git clone git@github.com:deepak0414/qemu.git -b zicfilp_zicfiss_ratified_master_july11 $ cd qemu $ mkdir build $ cd build $ ../configure --target-list=riscv64-softmmu $ make -j$(nproc) Opensbi ------- $ git clone git@github.com:deepak0414/opensbi.git -b v6_cfi_spec_split_opensbi $ make CROSS_COMPILE= -j$(nproc) PLATFORM=generic Linux ----- Running defconfig is fine. CFI is enabled by default if the toolchain supports it. $ make ARCH=riscv CROSS_COMPILE=/build/bin/riscv64-unknown-linux-gnu- -j$(nproc) defconfig $ make ARCH=riscv CROSS_COMPILE=/build/bin/riscv64-unknown-linux-gnu- -j$(nproc) Branch where user cfi enabling patches are maintained https://github.com/deepak0414/linux-riscv-cfi/tree/vdso_user_cfi_v6.12-rc1 In case you're building your own rootfs using toolchain, please make sure you pick following patch to ensure that vDSO compiled with lpad and shadow stack. "arch/riscv: compile vdso with landing pad" Running ------- Modify your qemu command to have: -bios /build/platform/generic/firmware/fw_dynamic.bin -cpu rv64,zicfilp=true,zicfiss=true,zimop=true,zcmop=true vDSO related Opens (in the flux) ================================= I am listing these opens for laying out plan and what to expect in future patch sets. And of course for the sake of discussion. Shadow stack and landing pad enabling in vDSO ---------------------------------------------- vDSO must have shadow stack and landing pad support compiled in for task to have shadow stack and landing pad support. This patch series doesn't enable that (yet). Enabling shadow stack support in vDSO should be straight forward (intend to do that in next versions of patch set). Enabling landing pad support in vDSO requires some collaboration with toolchain folks to follow a single label scheme for all object binaries. This is necessary to ensure that all indirect call-sites are setting correct label and target landing pads are decorated with same label scheme. How many vDSOs --------------- Shadow stack instructions are carved out of zimop (may be operations) and if CPU doesn't implement zimop, they're illegal instructions. Kernel could be running on a CPU which may or may not implement zimop. And thus kernel will have to carry 2 different vDSOs and expose the appropriate one depending on whether CPU implements zimop or not. References ========== [1] - https://github.com/riscv/riscv-cfi [2] - https://lore.kernel.org/all/20240814081126.956287-1-samuel.holland@sifive.com/ [3] - https://lwn.net/Articles/889475/ [4] - https://developer.arm.com/documentation/109576/0100/Branch-Target-Identification [5] - https://www.intel.com/content/dam/develop/external/us/en/documents/catc17-introduction-intel-cet-844137.pdf [6] - https://lwn.net/Articles/940403/ [7] - https://lore.kernel.org/all/20241001-arm64-gcs-v13-0-222b78d87eee@kernel.org/ To: Thomas Gleixner To: Ingo Molnar To: Borislav Petkov To: Dave Hansen To: x86@kernel.org To: H. Peter Anvin To: Andrew Morton To: Liam R. Howlett To: Vlastimil Babka To: Lorenzo Stoakes To: Paul Walmsley To: Palmer Dabbelt To: Albert Ou To: Conor Dooley To: Rob Herring To: Krzysztof Kozlowski To: Arnd Bergmann To: Christian Brauner To: Peter Zijlstra To: Oleg Nesterov To: Eric Biederman To: Kees Cook To: Jonathan Corbet To: Shuah Khan Cc: linux-kernel@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org Cc: linux-mm@kvack.org Cc: linux-riscv@lists.infradead.org Cc: devicetree@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-doc@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: alistair.francis@wdc.com Cc: richard.henderson@linaro.org Cc: jim.shu@sifive.com Cc: andybnac@gmail.com Cc: kito.cheng@sifive.com Cc: charlie@rivosinc.com Cc: atishp@rivosinc.com Cc: evan@rivosinc.com Cc: cleger@rivosinc.com Cc: alexghiti@rivosinc.com Cc: samitolvanen@google.com Cc: broonie@kernel.org Cc: rick.p.edgecombe@intel.com Signed-off-by: Deepak Gupta --- changelog --------- v6: - Picked up Samuel Holland's changes as is with `envcfg` placed in `thread` instead of `thread_info` - fixed unaligned newline escapes in kselftest - cleaned up messages in kselftest and included test output in commit message - fixed a bug in clone path reported by Zong Li - fixed a build issue if CONFIG_RISCV_ISA_V is not selected (this was introduced due to re-factoring signal context management code) v5: - rebased on v6.12-rc1 - Fixed schema related issues in device tree file - Fixed some of the documentation related issues in zicfilp/ss.rst (style issues and added index) - added `SHADOW_STACK_SET_MARKER` so that implementation can define base of shadow stack. - Fixed warnings on definitions added in usercfi.h when CONFIG_RISCV_USER_CFI is not selected. - Adopted context header based signal handling as proposed by Andy Chiu - Added support for enabling kernel mode access to shadow stack using FWFT (https://github.com/riscv-non-isa/riscv-sbi-doc/blob/master/src/ext-firmware-features.adoc) - Link to v5: https://lore.kernel.org/r/20241001-v5_user_cfi_series-v1-0-3ba65b6e550f@rivosinc.com (Note: I had an issue in my workflow due to which version number wasn't picked up correctly while sending out patches) v4: - rebased on 6.11-rc6 - envcfg: Converged with Samuel Holland's patches for envcfg management on per- thread basis. - vma_is_shadow_stack is renamed to is_vma_shadow_stack - picked up Mark Brown's `ARCH_HAS_USER_SHADOW_STACK` patch - signal context: using extended context management to maintain compatibility. - fixed `-Wmissing-prototypes` compiler warnings for prctl functions - Documentation fixes and amending typos. - Link to v4: https://lore.kernel.org/all/20240912231650.3740732-1-debug@rivosinc.com/ v3: - envcfg logic to pick up base envcfg had a bug where `ENVCFG_CBZE` could have been picked on per task basis, even though CPU didn't implement it. Fixed in this series. - dt-bindings As suggested, split into separate commit. fixed the messaging that spec is in public review - arch_is_shadow_stack change arch_is_shadow_stack changed to vma_is_shadow_stack - hwprobe zicfiss / zicfilp if present will get enumerated in hwprobe - selftests As suggested, added object and binary filenames to .gitignore Selftest binary anyways need to be compiled with cfi enabled compiler which will make sure that landing pad and shadow stack are enabled. Thus removed separate enable/disable tests. Cleaned up tests a bit. - Link to v3: https://lore.kernel.org/lkml/20240403234054.2020347-1-debug@rivosinc.com/ v2: - Using config `CONFIG_RISCV_USER_CFI`, kernel support for riscv control flow integrity for user mode programs can be compiled in the kernel. - Enabling of control flow integrity for user programs is left to user runtime - This patch series introduces arch agnostic `prctls` to enable shadow stack and indirect branch tracking. And implements them on riscv. --- Andy Chiu (1): riscv: signal: abstract header saving for setup_sigcontext Clément Léger (1): riscv: Add Firmware Feature SBI extensions definitions Deepak Gupta (26): mm: helper `is_shadow_stack_vma` to check shadow stack vma riscv/Kconfig: enable HAVE_EXIT_THREAD for riscv dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml) riscv: zicfiss / zicfilp enumeration riscv: zicfiss / zicfilp extension csr and bit definitions riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE riscv mm: manufacture shadow stack pte riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs riscv mmu: write protect and shadow stack riscv/mm: Implement map_shadow_stack() syscall riscv/shstk: If needed allocate a new shadow stack on clone prctl: arch-agnostic prctl for indirect branch tracking riscv: Implements arch agnostic shadow stack prctls riscv: Implements arch agnostic indirect branch tracking prctls riscv/traps: Introduce software check exception riscv/signal: save and restore of shadow stack for signal riscv/kernel: update __show_regs to print shadow stack register riscv/ptrace: riscv cfi status and state via ptrace and in core files riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe riscv: enable kernel access to shadow stack memory via FWFT sbi call riscv: kernel command line option to opt out of user cfi riscv: create a config for shadow stack and landing pad instr support riscv: Documentation for landing pad / indirect branch tracking riscv: Documentation for shadow stack on riscv kselftest/riscv: kselftest for user mode cfi Mark Brown (2): mm: Introduce ARCH_HAS_USER_SHADOW_STACK prctl: arch-agnostic prctl for shadow stack Samuel Holland (3): riscv: Enable cbo.zero only when all harts support Zicboz riscv: Add support for per-thread envcfg CSR values riscv: Call riscv_user_isa_enable() only on the boot hart Documentation/arch/riscv/index.rst | 2 + Documentation/arch/riscv/zicfilp.rst | 115 +++++ Documentation/arch/riscv/zicfiss.rst | 176 +++++++ .../devicetree/bindings/riscv/extensions.yaml | 14 + arch/riscv/Kconfig | 21 + arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/include/asm/cpufeature.h | 15 +- arch/riscv/include/asm/csr.h | 16 + arch/riscv/include/asm/entry-common.h | 2 + arch/riscv/include/asm/hwcap.h | 2 + arch/riscv/include/asm/mman.h | 24 + arch/riscv/include/asm/pgtable.h | 30 +- arch/riscv/include/asm/processor.h | 3 + arch/riscv/include/asm/sbi.h | 27 ++ arch/riscv/include/asm/switch_to.h | 8 + arch/riscv/include/asm/thread_info.h | 3 + arch/riscv/include/asm/usercfi.h | 89 ++++ arch/riscv/include/asm/vector.h | 3 + arch/riscv/include/uapi/asm/hwprobe.h | 2 + arch/riscv/include/uapi/asm/ptrace.h | 22 + arch/riscv/include/uapi/asm/sigcontext.h | 1 + arch/riscv/kernel/Makefile | 2 + arch/riscv/kernel/asm-offsets.c | 8 + arch/riscv/kernel/cpufeature.c | 13 +- arch/riscv/kernel/entry.S | 31 +- arch/riscv/kernel/head.S | 12 + arch/riscv/kernel/process.c | 31 +- arch/riscv/kernel/ptrace.c | 83 ++++ arch/riscv/kernel/signal.c | 140 +++++- arch/riscv/kernel/smpboot.c | 2 - arch/riscv/kernel/suspend.c | 4 +- arch/riscv/kernel/sys_hwprobe.c | 2 + arch/riscv/kernel/sys_riscv.c | 10 + arch/riscv/kernel/traps.c | 42 ++ arch/riscv/kernel/usercfi.c | 526 +++++++++++++++++++++ arch/riscv/mm/init.c | 2 +- arch/riscv/mm/pgtable.c | 17 + arch/x86/Kconfig | 1 + fs/proc/task_mmu.c | 2 +- include/linux/cpu.h | 4 + include/linux/mm.h | 5 +- include/uapi/asm-generic/mman.h | 4 + include/uapi/linux/elf.h | 1 + include/uapi/linux/prctl.h | 48 ++ kernel/sys.c | 60 +++ mm/Kconfig | 6 + mm/gup.c | 2 +- mm/mmap.c | 1 + mm/vma.h | 10 +- tools/testing/selftests/riscv/Makefile | 2 +- tools/testing/selftests/riscv/cfi/.gitignore | 3 + tools/testing/selftests/riscv/cfi/Makefile | 10 + tools/testing/selftests/riscv/cfi/cfi_rv_test.h | 84 ++++ tools/testing/selftests/riscv/cfi/riscv_cfi_test.c | 78 +++ tools/testing/selftests/riscv/cfi/shadowstack.c | 373 +++++++++++++++ tools/testing/selftests/riscv/cfi/shadowstack.h | 37 ++ 56 files changed, 2190 insertions(+), 42 deletions(-) --- base-commit: 7d9923ee3960bdbfaa7f3a4e0ac2364e770c46ff change-id: 20240930-v5_user_cfi_series-3dc332f8f5b2 -- - debug