From patchwork Thu Sep 29 22:29:01 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
X-Patchwork-Id: 12994658
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BDBCBC4321E
	for <linux-mm@archiver.kernel.org>; Thu, 29 Sep 2022 22:29:56 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 583666B0078; Thu, 29 Sep 2022 18:29:56 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 496C16B007B; Thu, 29 Sep 2022 18:29:56 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 24C8A6B007D; Thu, 29 Sep 2022 18:29:56 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com
 [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 15FF96B0078
	for <linux-mm@kvack.org>; Thu, 29 Sep 2022 18:29:56 -0400 (EDT)
Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id DEF3DABA03
	for <linux-mm@kvack.org>; Thu, 29 Sep 2022 22:29:55 +0000 (UTC)
X-FDA: 79966566750.16.06A637E
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
	by imf12.hostedemail.com (Postfix) with ESMTP id 5A39E4000E
	for <linux-mm@kvack.org>; Thu, 29 Sep 2022 22:29:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1664490595; x=1696026595;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references;
  bh=aQ5z6eOsVvFJ2Mg3fViTs1TwTvR0tJtyuBHvl8Ak6H4=;
  b=i+GLSjqVxqwZzDEZvf39+OCk93/XQdKdlfMZsDR+CAFmq/QA9joaAUDt
   IEAuq5DHPPejxi7NDTjVQL3r1IShzgGoRW3+wjRl5/VOqylBPEcDIuYZ1
   T4pzZe2nZinRxsaWh9eJTDBMy8vPTpRm5bL7MicSIvFthLxqV4jJJkjRp
   Wjo0mBfDezdjBlRFzfxeKDibkWZ3YzBKx3OvonUo2wlVM8rnmRxLQdudQ
   oEj01yti2SbLLTEyGgtN5d+HwFgp4HNs9P695dzSax9CvPq2tYEKaGBWJ
   gRRdUM/nu4/9aFJj7veYY2DJwcPZP2762dezPmkRZJUHn89KzgOOAadJ2
   g==;
X-IronPort-AV: E=McAfee;i="6500,9779,10485"; a="328420326"
X-IronPort-AV: E=Sophos;i="5.93,356,1654585200";
   d="scan'208";a="328420326"
Received: from fmsmga004.fm.intel.com ([10.253.24.48])
  by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 29 Sep 2022 15:29:54 -0700
X-IronPort-AV: E=McAfee;i="6500,9779,10485"; a="691016087"
X-IronPort-AV: E=Sophos;i="5.93,356,1654585200";
   d="scan'208";a="691016087"
Received: from sergungo-mobl.amr.corp.intel.com (HELO
 rpedgeco-desk.amr.corp.intel.com) ([10.251.25.88])
  by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 29 Sep 2022 15:29:52 -0700
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org,
	"H . Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org,
	linux-mm@kvack.org,
	linux-arch@vger.kernel.org,
	linux-api@vger.kernel.org,
	Arnd Bergmann <arnd@arndb.de>,
	Andy Lutomirski <luto@kernel.org>,
	Balbir Singh <bsingharora@gmail.com>,
	Borislav Petkov <bp@alien8.de>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Eugene Syromiatnikov <esyr@redhat.com>,
	Florian Weimer <fweimer@redhat.com>,
	"H . J . Lu" <hjl.tools@gmail.com>,
	Jann Horn <jannh@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Nadav Amit <nadav.amit@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Pavel Machek <pavel@ucw.cz>,
	Peter Zijlstra <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	"Ravi V . Shankar" <ravi.v.shankar@intel.com>,
	Weijiang Yang <weijiang.yang@intel.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	joao.moreira@intel.com,
	John Allen <john.allen@amd.com>,
	kcc@google.com,
	eranian@google.com,
	rppt@kernel.org,
	jamorris@linux.microsoft.com,
	dethoma@microsoft.com
Cc: rick.p.edgecombe@intel.com,
	Yu-cheng Yu <yu-cheng.yu@intel.com>
Subject: [PATCH v2 04/39] x86/cpufeatures: Enable CET CR4 bit for shadow stack
Date: Thu, 29 Sep 2022 15:29:01 -0700
Message-Id: <20220929222936.14584-5-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20220929222936.14584-1-rick.p.edgecombe@intel.com>
References: <20220929222936.14584-1-rick.p.edgecombe@intel.com>
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664490595; a=rsa-sha256;
	cv=none;
	b=3EM9/0UDYrwA0WKzVwHkxVB2KF+Gk2/WTyxYuje8nc6N1YEqeV0br6/otZfdSjW+VXv+KG
	tXy6kbBzkeLT4MRuTr+Z2G5JJ6YO9PtcF40RzSJCKAA5C+GTaWz+HAowgcYnioMe4987gp
	NJ3lTFzjf6yqV1wJ8mMi3wzi8upGJLw=
ARC-Authentication-Results: i=1;
	imf12.hostedemail.com;
	dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel
 header.b=i+GLSjqV;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf12.hostedemail.com: domain of rick.p.edgecombe@intel.com
 designates 192.55.52.88 as permitted sender)
 smtp.mailfrom=rick.p.edgecombe@intel.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1664490595;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:content-type:
	 content-transfer-encoding:in-reply-to:in-reply-to:
	 references:references:dkim-signature;
	bh=OQwgkH5qeQG8mhrHgr+T4c1CVgHWe4YBvkrgm0uxPJ0=;
	b=Ce5NN/S00kkcIlHfya8JGwCXHJUit2POLObKxIiD1STkxj/8j8E9LRFjBk1LOZNVLb8DrX
	ubVsi+5S+xzLZzzV98ybWJv6fbTTdVDaomkrmYCXM1BfsQW2weoQbesHkv1xdCQwuGBvn9
	SDgm8Eqd9cAQyZOWcoOazCJhaqlQZXI=
X-Rspamd-Queue-Id: 5A39E4000E
X-Rspam-User: 
Authentication-Results: imf12.hostedemail.com;
	dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel
 header.b=i+GLSjqV;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf12.hostedemail.com: domain of rick.p.edgecombe@intel.com
 designates 192.55.52.88 as permitted sender)
 smtp.mailfrom=rick.p.edgecombe@intel.com
X-Rspamd-Server: rspam03
X-Stat-Signature: gawu67uek4xhhotc18tn4muqyu6duabu
X-HE-Tag: 1664490595-524214
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Yu-cheng Yu <yu-cheng.yu@intel.com>

Utilizing CET features requires a CR4 bit to be enabled as well as bits
to be set in CET MSRs. Setting the CR4 bit does two things:
 1. Enables the usage of WRUSS instruction, which the kernel can use to
    write to userspace shadow stacks.
 2. Allows those individual aspects of CET to be enabled later via the MSR.
 3. Allows CET to be enabled in guests

While future patches will allow the MSR values to be saved and restored
per task, the CR4 bit will allow for WRUSS to be used regardless of if a
tasks CET MSRs have been restored.

Kernel IBT already enables the CET CR4 bit when it detects IBT HW support
and is configured with kernel IBT. However future patches that enable
userspace shadow stack support will need the bit set as well. So change
the logic to enable it in either case.

Clear MSR_IA32_U_CET in cet_disable() so that it can't live to see
userspace in a new kexec-ed kernel that has CR4.CET set from kernel IBT.

Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
---

v2:
 - In the shadow stack case, go back to only setting CR4.CET if the
   kernel is compiled with user shadow stack support.
 - Clear MSR_IA32_U_CET as well. (PeterZ)

KVM refresh:
 - Set CR4.CET if SHSTK or IBT are supported by HW, so that KVM can
   support CET even if IBT is disabled.
 - Drop no_user_shstk (Dave Hansen)
 - Elaborate on what the CR4 bit does in the commit log
 - Integrate with Kernel IBT logic

v1:
 - Moved kernel-parameters.txt changes here from patch 1.

Yu-cheng v25:
 - Remove software-defined X86_FEATURE_CET.

 arch/x86/kernel/cpu/common.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 3e508f239098..d7415bb556b2 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -598,16 +598,21 @@ __noendbr void ibt_restore(u64 save)
 
 static __always_inline void setup_cet(struct cpuinfo_x86 *c)
 {
-	u64 msr = CET_ENDBR_EN;
+	bool kernel_ibt = HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT);
+	bool user_shstk = IS_ENABLED(CONFIG_X86_SHADOW_STACK) &&
+			  cpu_feature_enabled(X86_FEATURE_SHSTK);
+	u64 msr = 0;
 
-	if (!HAS_KERNEL_IBT ||
-	    !cpu_feature_enabled(X86_FEATURE_IBT))
+	if (!kernel_ibt && !user_shstk)
 		return;
 
+	if (kernel_ibt)
+		msr = CET_ENDBR_EN;
+
 	wrmsrl(MSR_IA32_S_CET, msr);
 	cr4_set_bits(X86_CR4_CET);
 
-	if (!ibt_selftest()) {
+	if (kernel_ibt && !ibt_selftest()) {
 		pr_err("IBT selftest: Failed!\n");
 		setup_clear_cpu_cap(X86_FEATURE_IBT);
 		return;
@@ -616,10 +621,15 @@ static __always_inline void setup_cet(struct cpuinfo_x86 *c)
 
 __noendbr void cet_disable(void)
 {
-	if (cpu_feature_enabled(X86_FEATURE_IBT))
-		wrmsrl(MSR_IA32_S_CET, 0);
+	if (!(cpu_feature_enabled(X86_FEATURE_IBT) ||
+	      cpu_feature_enabled(X86_FEATURE_SHSTK)))
+		return;
+
+	wrmsrl(MSR_IA32_S_CET, 0);
+	wrmsrl(MSR_IA32_U_CET, 0);
 }
 
+
 /*
  * Some CPU features depend on higher CPUID levels, which may not always
  * be available due to CPUID level capping or broken virtualization