From patchwork Tue Jun 13 00:11:07 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 13277756
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com, torvalds@linux-foundation.org, broonie@kernel.org
Cc: rick.p.edgecombe@intel.com, Mike Rapoport, Pengfei Xu
Subject: [PATCH v9 41/42] x86/shstk: Add ARCH_SHSTK_UNLOCK
Date: Mon, 12 Jun 2023 17:11:07 -0700
Message-Id: <20230613001108.3040476-42-rick.p.edgecombe@intel.com>
In-Reply-To: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>
References: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>

From: Mike Rapoport

Userspace loaders may lock features before a CRIU restore operation has the chance to set them to whatever state is required by the process being restored. Allow a way for CRIU to unlock features. Add it as an arch_prctl() like the other shadow stack operations, but restrict it being called by the ptrace arch_prctl() interface.

[Merged into recent API changes, added commit log and docs]

Signed-off-by: Mike Rapoport
Signed-off-by: Rick Edgecombe
Reviewed-by: Borislav Petkov (AMD)
Reviewed-by: Kees Cook
Tested-by: Pengfei Xu
Tested-by: John Allen
Tested-by: Kees Cook
--- Documentation/arch/x86/shstk.rst | 4 ++++ arch/x86/include/uapi/asm/prctl.h | 1 + arch/x86/kernel/process_64.c | 1 + arch/x86/kernel/shstk.c | 9 +++++++-- 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/Documentation/arch/x86/shstk.rst b/Documentation/arch/x86/shstk.rst index f09afa504ec0..f3553cc8c758 100644 --- a/Documentation/arch/x86/shstk.rst +++ b/Documentation/arch/x86/shstk.rst @@ -75,6 +75,10 @@ arch_prctl(ARCH_SHSTK_LOCK, unsigned long features) are ignored. The mask is ORed with the existing value. So any feature bits set here cannot be enabled or disabled afterwards. +arch_prctl(ARCH_SHSTK_UNLOCK, unsigned long features) + Unlock features. 'features' is a mask of all features to unlock. All + bits set are processed, unset bits are ignored. Only works via ptrace. + The return values are as follows. On success, return 0. On error, errno can be:: diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index eedfde3b63be..3189c4a96468 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -33,6 +33,7 @@ #define ARCH_SHSTK_ENABLE 0x5001 #define ARCH_SHSTK_DISABLE 0x5002 #define ARCH_SHSTK_LOCK 0x5003 +#define ARCH_SHSTK_UNLOCK 0x5004 /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0)
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 0f89aa0186d1..e6db21c470aa 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -899,6 +899,7 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) case ARCH_SHSTK_ENABLE: case ARCH_SHSTK_DISABLE: case ARCH_SHSTK_LOCK: + case ARCH_SHSTK_UNLOCK: return shstk_prctl(task, option, arg2); default: ret = -EINVAL; diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index d723cdc93474..d43b7a9c57ce 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -489,9 +489,14 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long features) return 0; } - /* Don't allow via ptrace */ - if (task != current) + /* Only allow via ptrace */ + if (task != current) { + if (option == ARCH_SHSTK_UNLOCK && IS_ENABLED(CONFIG_CHECKPOINT_RESTORE)) { + task->thread.features_locked &= ~features; + return 0; + } return -EINVAL; + } /* Do not allow to change locked features */ if (features & task->thread.features_locked)
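Review bot: In the Documentation/arch/x86/shstk.rst hunk, the new ARCH_SHSTK_UNLOCK entry says "Only works via ptrace" but omits the build-time condition that the shstk.c hunk enforces: the unlock branch is taken only when IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) is true, and a ptrace caller on a kernel without that option gets -EINVAL. Suggest naming the CONFIG_CHECKPOINT_RESTORE dependency in this entry and saying which errno is returned when it is not met, so a restore tool can tell an unsupported kernel apart from a bad argument.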
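Review bot: In the arch/x86/kernel/shstk.c hunk, ARCH_SHSTK_UNLOCK is handled only inside "if (task != current)", so a task that issues it on itself is not rejected in these lines and falls through to the "Do not allow to change locked features" check and whatever follows it. Suggest an explicit rejection for that case right after the block, for example "if (option == ARCH_SHSTK_UNLOCK) return -EINVAL;", so that the documented "Only works via ptrace" is enforced at this point rather than depending on the code below the hunk. The replacement comment "Only allow via ptrace" also reads as describing the whole block, while the block still returns -EINVAL for every ptrace-issued option other than unlock; a comment per branch would make the intent clearer.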