From patchwork Mon Feb 13 04:53:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137862 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9531EC636D7 for ; Mon, 13 Feb 2023 04:54:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=x+kR9CWwQBpSRlgVh2fqR//zOB6tTcosjxynW3gGgYc=; b=dvLzBDUkvM5W7v RQ1qN9gBroq2I0LNO4VEv2WyeUVDDvshHARA/EFzCxWNoMy4dwLfolO+fS2DwMiVanDoZSEb/e6tx AnW/p5TXTr9RQEjV+xWyfn4dSPDCcnqkn6IW8R+3f1AcqooTTJ9M9CUjqmnQAKHUeFjDRDpA4WnDV KuvaQ97FB7NQ8Pmm7MoQN0+CMh66/bu6VhIujG6LGOnLKP3umDWKaZi7dxq6O20zjUtvocuMxApIk TCQ/DA7rqGggQhXTyQPdq9viS/GJVqfwEhdrZll5cyIyO16Rl7XmM+Qro2uJxHdFlJ9Da0J38elBB VnHDb0+sx6Jd2SN79ERA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqw-00D9J2-D6; Mon, 13 Feb 2023 04:54:10 +0000 Received: from mail-pl1-x636.google.com ([2607:f8b0:4864:20::636]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqq-00D9GY-EP for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:07 +0000 Received: by mail-pl1-x636.google.com with SMTP id e17so3444391plg.12 for ; Sun, 12 Feb 2023 20:54:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PDt2xtowm1vGovkYD2IOPyMg5XU+WITSemeLQt38+wk=; b=GCKt9FdzGzyUdkocjCliMYjgCOa0QLOjiBhttAdZOxargwxJw4vxLJDmHp57SYMfvU df4SL6t3EB6DwCr+yMREIqZPNA8lH1KY/NmjCtwPh7RiF2sS7CiZ+NVMmais/oNJuTRH oG9Xrug0dghHSuhHhbgxN9qJXDUVlSZvObtB30dIISrsnoeeYB0xZZ+8gPVYP3YKnZCO dt88KRAfl30IBpKYZCytTsdN/Ze3ePYzwWGTvqiW7lM1M2AfAWANpaxMxFedjYeFVoMB HvpyZQbKyRm57FGGHC2NuTZLmtqE8+b7eRudJLnJAgLJFszO3O7vTBEFeEwvQCyU/ukk guYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PDt2xtowm1vGovkYD2IOPyMg5XU+WITSemeLQt38+wk=; b=JGoxJ7bSbFLBqlNyLYJID+q3WfsvPRf5/1ySj85Js9+4sFJhsImgUCoyu7/9iAXer/ Xc0l5IvsyyJfoem1uF0NRrUeRxS8njUBtUFqLqYYju+DUCgPESh4O7Wf3mOCJu6pjX6Q dwxxZKGDgZgiN8Yf0lB20Of7GK/E7/0oeSeAu7HGQiS1biVy7WJs5baJigV2yM2NNY5M v/22t1KpWjeQaYX62dbFOySXyx8sUNm5dBBRgt5YxXQQuLN4+rmTB6LHQyeQ6sm/PuKs GP38RIChDYXytT6LSiPGBBoNYh+8jphMjhz2+UlgfLf8+SKWyMBAm/2tif4DUqrZ6tA2 KmxQ== X-Gm-Message-State: AO0yUKUZWhe3TNdKHsIKkZGGEnY0Ugy0K3XFPjDM6FbQQ9aZfG7Q8frK t288Pp0+VYw6ul7jNDQ1pjoFdQ== X-Google-Smtp-Source: AK7set9Y52bDpNDCM5e4MJvhFWuMbirMIwWV6jFT56ImTqva5KruRhYx1rh/voDp7RXfFbY6juKL1A== X-Received: by 2002:a17:902:f809:b0:199:e58a:61c2 with SMTP id ix9-20020a170902f80900b00199e58a61c2mr13328153plb.29.1676264043302; Sun, 12 Feb 2023 20:54:03 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:02 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 01/20] sslp stubs: shadow stack and landing pad stubs Date: Sun, 12 Feb 2023 20:53:30 -0800 Message-Id: <20230213045351.3945824-2-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205404_502084_3AD918F5 X-CRM114-Status: UNSURE ( 7.16 ) X-CRM114-Notice: Please train this message. X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org In absence of shadow stack config and landing pad instr config, stubs are needed to indicate whether shadow stack & landing pad instr is supported. In absence of config, these stubs return false (indicating no support) In presence of config, an extern declaration is added and arch specific implementation can choose to implement detection. Signed-off-by: Deepak Gupta --- include/linux/processor.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/include/linux/processor.h b/include/linux/processor.h index dc78bdc7079a..228aa95a7cd7 100644 --- a/include/linux/processor.h +++ b/include/linux/processor.h @@ -59,4 +59,21 @@ do { \ #endif +#ifndef CONFIG_USER_SHADOW_STACK +static inline bool arch_supports_shadow_stack(void) +{ + return false; +} +#else +extern bool arch_supports_shadow_stack(void); +#endif + +#ifndef CONFIG_USER_INDIRECT_BR_LP +static inline bool arch_supports_indirect_br_lp_instr(void) +{ + return false; +} +#else +extern bool arch_supports_indirect_br_lp_instr(void); +#endif #endif /* _LINUX_PROCESSOR_H */ From patchwork Mon Feb 13 04:53:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137863 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 066F0C6379F for ; Mon, 13 Feb 2023 04:54:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=jzZ+ujtLBzJij6X389D2v+nFSwULsymnJD454ooUeMQ=; b=BI+moNS2S/KJ6O CArePmFuaq7C88PYVQDltEZMuX4W9/POSKvZ9Nf+hEH914Ea5NHalat8K8kBUOWNyRkzDmGNEQFW4 T/QRCx/9kT7Ph+iTLEmldXuFsUlIZ7BGUyuXgIDBA9MTzjLqlZNfKQPcg1OMm4CX8bzXyvBnycXrr VAl4cOKC+ItuGkvUEvFoS4/wTH00PiORqsUnmHOeaYxB2cmDvwdXsjcgkI/0HXgX220J2UzdLgZEh fxTtSh7goWOgch9chVCbu2PjgAj0tA/MlV2T34+RdQgGM12lOkLpzw13bzifoPuH1YH1tmTNncDAA fKPPj78XAIYJxhpEUGHA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqy-00D9Jw-56; Mon, 13 Feb 2023 04:54:12 +0000 Received: from mail-pl1-x633.google.com ([2607:f8b0:4864:20::633]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqr-00D9HC-Uw for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:08 +0000 Received: by mail-pl1-x633.google.com with SMTP id o8so9929746pls.11 for ; Sun, 12 Feb 2023 20:54:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ygm9hLpLL1KwyacXGpOOuca3iQf7LxxYrIQu5XdYYTM=; b=JmbKf5O4FW7VprGWzT6pTOJ6+XRdEoQ4K+BKlOUVtq85X7g+qzslXWNCPg42IUCWhU rw4+oyC8n0SztanJDULrL0G4HIT5Q6o7vob1J4OfyTnIEsl1YFKX11cOkOdy9uFegNwa x6igQ0OwD2KhxVFTGm59+14EXLtfxvRRr1Av1QGSCWfRbEuBt4TxWInNIgMZ226q7q9/ mmo1iJFG+ymYF8U6azYAqrHjWkWmn7/1v4j2+bnP97Jt2+z8SgCRNd94EPiNAI6ixCai zyDUdTGbuUYxA+xybA1iB80amQlKMk9SNsoRQEq8gcwMLoxLIaePp1DQ1hHVL5zeZHc4 wX6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ygm9hLpLL1KwyacXGpOOuca3iQf7LxxYrIQu5XdYYTM=; b=jMopRwovX9NCQCaGDSP99jCtmnZd7sPHprZlfgQPqFteTnVIqay/87Yge/3nrAruOd aGRwcAQJoQ+dfg+cgQzBcybyHjUhwZNP6YaS/tHULyV7PvplOzy5ox8ggAiMU+7xADpo 6TNTQPxvXWOup1p4FwBVS3eIX/Vu2D0Kjey+IGj3fMtkBUkKG0yaI5BURxIGa5ynxKBc LQM0TSdgAs8JESHOEMF0l/2K+10diAUIqfpOMC8d0qSUew/R88FQT+nJjb9gCdZD+3Ew IPd0R89HKbl4/TcTQaH5lgR0n/8wiJDr0rqVxMwqoP+QVpdUS83y8XdGe4GngNzSR2jX /z9g== X-Gm-Message-State: AO0yUKU6aZAkYkNDMtdpqWqZZmCGwhMppuWTXQTayCvxYHZuWUeOxZgX KCM0zkCcFHM2pRa2TFJikM4ECQ== X-Google-Smtp-Source: AK7set9LivmAL6nscPb/Ur0Knw2PHztkbYBAr8wiViog/IxQpf/a9GLEV3lzuzHcUxnGms82gaueBw== X-Received: by 2002:a17:903:4091:b0:19a:73f7:675f with SMTP id z17-20020a170903409100b0019a73f7675fmr7653937plc.60.1676264044842; Sun, 12 Feb 2023 20:54:04 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:04 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 02/20] riscv: zisslpcfi enumeration Date: Sun, 12 Feb 2023 20:53:31 -0800 Message-Id: <20230213045351.3945824-3-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205406_013949_AC631E01 X-CRM114-Status: GOOD ( 13.74 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org This patch adds support for detecting zisslpcfi. zisslpcfi stands for unprivleged integer spec extension to support shadow stack and landing pad instruction for indirect branch. This patch looks for "zisslpcfi" in device tree and accordinlgy lights up bit in cpu feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/hwcap.h | 6 +++++- arch/riscv/include/asm/processor.h | 12 ++++++++++++ arch/riscv/kernel/cpu.c | 1 + arch/riscv/kernel/cpufeature.c | 1 + 4 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/hwcap.h b/arch/riscv/include/asm/hwcap.h index 86328e3acb02..245fb7ffddd2 100644 --- a/arch/riscv/include/asm/hwcap.h +++ b/arch/riscv/include/asm/hwcap.h @@ -59,7 +59,8 @@ enum riscv_isa_ext_id { RISCV_ISA_EXT_ZIHINTPAUSE, RISCV_ISA_EXT_SSTC, RISCV_ISA_EXT_SVINVAL, - RISCV_ISA_EXT_ID_MAX + RISCV_ISA_EXT_ZCFI, + RISCV_ISA_EXT_ID_MAX, }; static_assert(RISCV_ISA_EXT_ID_MAX <= RISCV_ISA_EXT_MAX); @@ -72,6 +73,7 @@ enum riscv_isa_ext_key { RISCV_ISA_EXT_KEY_FPU, /* For 'F' and 'D' */ RISCV_ISA_EXT_KEY_ZIHINTPAUSE, RISCV_ISA_EXT_KEY_SVINVAL, + RISCV_ISA_EXT_KEY_ZCFI, RISCV_ISA_EXT_KEY_MAX, }; @@ -95,6 +97,8 @@ static __always_inline int riscv_isa_ext2key(int num) return RISCV_ISA_EXT_KEY_ZIHINTPAUSE; case RISCV_ISA_EXT_SVINVAL: return RISCV_ISA_EXT_KEY_SVINVAL; + case RISCV_ISA_EXT_ZCFI: + return RISCV_ISA_EXT_KEY_ZCFI; default: return -EINVAL; } diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index 94a0590c6971..bdebce2cc323 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -80,6 +80,18 @@ int riscv_of_parent_hartid(struct device_node *node, unsigned long *hartid); extern void riscv_fill_hwcap(void); extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); +#ifdef CONFIG_USER_SHADOW_STACK +static inline bool arch_supports_shadow_stack(void) +{ + return __riscv_isa_extension_available(NULL, RISCV_ISA_EXT_ZCFI); +} +#endif +#ifdef CONFIG_USER_INDIRECT_BR_LP +static inline bool arch_supports_indirect_br_lp_instr(void) +{ + return __riscv_isa_extension_available(NULL, RISCV_ISA_EXT_ZCFI); +} +#endif #endif /* __ASSEMBLY__ */ #endif /* _ASM_RISCV_PROCESSOR_H */ diff --git a/arch/riscv/kernel/cpu.c b/arch/riscv/kernel/cpu.c index 1b9a5a66e55a..fe2bb908d805 100644 --- a/arch/riscv/kernel/cpu.c +++ b/arch/riscv/kernel/cpu.c @@ -168,6 +168,7 @@ static struct riscv_isa_ext_data isa_ext_arr[] = { __RISCV_ISA_EXT_DATA(svpbmt, RISCV_ISA_EXT_SVPBMT), __RISCV_ISA_EXT_DATA(zicbom, RISCV_ISA_EXT_ZICBOM), __RISCV_ISA_EXT_DATA(zihintpause, RISCV_ISA_EXT_ZIHINTPAUSE), + __RISCV_ISA_EXT_DATA(zisslpcfi, RISCV_ISA_EXT_ZCFI), __RISCV_ISA_EXT_DATA("", RISCV_ISA_EXT_MAX), }; diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c index 93e45560af30..b44e258a7502 100644 --- a/arch/riscv/kernel/cpufeature.c +++ b/arch/riscv/kernel/cpufeature.c @@ -228,6 +228,7 @@ void __init riscv_fill_hwcap(void) SET_ISA_EXT_MAP("zihintpause", RISCV_ISA_EXT_ZIHINTPAUSE); SET_ISA_EXT_MAP("sstc", RISCV_ISA_EXT_SSTC); SET_ISA_EXT_MAP("svinval", RISCV_ISA_EXT_SVINVAL); + SET_ISA_EXT_MAP("zisslpcfi", RISCV_ISA_EXT_ZCFI); } #undef SET_ISA_EXT_MAP } From patchwork Mon Feb 13 04:53:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137864 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4CA44C64ED6 for ; Mon, 13 Feb 2023 04:54:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=EvOm1tstckQYjgvdFbzMmRTPfZ59b602axdHThadM1A=; b=kqKWH+Q3pgOhG6 wT09SNMhhoIOQu8rdqr/9VYiy1JyfbwfAbg7Esa1LjSjTzI/T+4Hz6HHm3QC0vaSKDLENkkWgQh9x Gv06dxbAPOjF+euBL8rSEIUBMhmHeZq0B//4+/JPuE0JY8gN6RbtOLumPkusgpXYbY4+V35BOXnlX nviUf+XnISrngGTPFjm5wCxJxwMAhft6WxC+eJnOSHRUvjlgZ6I5oHvKW2fmCVWiU0iV6dcjwqlD1 rx71PYXIyOI5PPTDbjxioS5Yo976N0GSaJRP90HYSVyEVv8SxTayc68ecOW3QNFkjTDkSSXcKgrQQ +Dy6Zwr07HmorX5QZTTQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqz-00D9LD-Vj; Mon, 13 Feb 2023 04:54:14 +0000 Received: from mail-pj1-x1030.google.com ([2607:f8b0:4864:20::1030]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqt-00D9HY-A0 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:08 +0000 Received: by mail-pj1-x1030.google.com with SMTP id f16-20020a17090a9b1000b0023058bbd7b2so11042764pjp.0 for ; Sun, 12 Feb 2023 20:54:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=BbXUylyxKACc1XsVanFRl3U39rfU1yL9GfB2/5jAyl8=; b=qbWZJ8BsHCNFWj0dg8uujRetqC6jzLF98Qdv/TY62Y644xrA0UjPgnfpO72jXiPyG2 qA0e0Qb0k4kUsZptcYNMqeekJ/ZNdE/ea06joo5oBBO3u8UyiQQzx8gt7XiQozyObdBT 5S1fOKKeN6iFkPWI2/K55e5jV4CcFHx5d7+ztaIAS8Z/Xi2kVLIGMcO4+Og2jvtq4jPz RAzoR5jMvKxs+ewm1EgSWtxGFnJPdFTNlkKbcbfqa4+0ug61NJ9vJ3Wxhy+/QMypQuHt qlafd9m4kLvgvu8Ky98yI56IFExsd6VsJfAjUwdMf7xFelnAdTSwalMV6EmXiGgX4z4w oECA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BbXUylyxKACc1XsVanFRl3U39rfU1yL9GfB2/5jAyl8=; b=154H65ypIcAcx/JMtqNa6JuWLrAh7nue9H8u1Tc3Lu3traJ4juSX4vMTbc/K6HncCO s43IfRtW5iP1vByhrLPD9xmYvGXWhRHHD0iw7IUwwKyPl/qgX2a1u3Z77h75wdPWhDqK D2O8DFyNa8kfx+YwYARa4eZ+3teKpXvVfezR4MtRXTzZfa6kCONIGGZBBw2RxffprUI5 sS9gTu0+NHkg6ZjMmD4/EOFhTRQvdjK20prqbniudXYYPhvZOye7twDTHS7AjakypPzK DXgX6ClctbT7bF1FQzjzHk0lsyg0i2C+QWifTJicAZrVGuQiE4ix2RS8EFgxjghURpUi jH7A== X-Gm-Message-State: AO0yUKUIAmLXVj1Mdm0plYHRkwr7M2R9MFTiUAP5SmT0P1MEMKtx5Uzk cmEGVja8F0ioci5Eu1zE7Pnjow== X-Google-Smtp-Source: AK7set/lnkp4iEiPCYd0MC6ThFVrqXatwksChXVC+p44Jl/pjrdhLlhohkg3HazCQvlzxn0/m8o7Lg== X-Received: by 2002:a17:903:11c3:b0:195:e2cc:6f35 with SMTP id q3-20020a17090311c300b00195e2cc6f35mr24707652plh.59.1676264046112; Sun, 12 Feb 2023 20:54:06 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:05 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 03/20] riscv: zisslpcfi extension csr and bit definitions Date: Sun, 12 Feb 2023 20:53:32 -0800 Message-Id: <20230213045351.3945824-4-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205407_366156_547070F2 X-CRM114-Status: UNSURE ( 9.03 ) X-CRM114-Notice: Please train this message. X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org zisslpcfi extension extends xstatus CSR to hold enabling bits for shadow stack, forward cfi (landing pad instruction enforcement on indirect call/jmp) and recording current landing pad state of cpu. zisslpcfi adds two new CSRs - CSR_LPLR: Strict forward control flow can be implemented by compiler by doing label match on target with label generated on call-site. This CSR can be programmed with label (preserving current abi). New instrs are provided to place label values in this CSR. - CSR_SSP: Return control flow is protected via shadow stack. CSR_SSP contains current shadow stack pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 0e571f6483d9..243031d1d305 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -18,6 +18,23 @@ #define SR_MPP _AC(0x00001800, UL) /* Previously Machine */ #define SR_SUM _AC(0x00040000, UL) /* Supervisor User Memory Access */ +/* zisslpcfi status bits */ +#define SR_UFCFIEN _AC(0x00800000, UL) +#define SR_UBCFIEN _AC(0x01000000, UL) +#define SR_SPELP _AC(0x02000000, UL) +#define SR_MPELP _AC(0x04000000, UL) +#ifdef CONFIG_RISCV_M_MODE +#define SR_ELP SR_MPELP +#else +#define SR_ELP SR_SPELP +#endif + +#ifdef CONFIG_RISCV_M_MODE +#define CFISTATUS_MASK (SR_UFCFIEN | SR_UBCFIEN | SR_MPELP | SR_SPELP) +#else +#define CFISTATUS_MASK (SR_ELP | SR_UFCFIEN | SR_UBCFIEN) +#endif + #define SR_FS _AC(0x00006000, UL) /* Floating-point Status */ #define SR_FS_OFF _AC(0x00000000, UL) #define SR_FS_INITIAL _AC(0x00002000, UL) @@ -168,6 +185,14 @@ #define ENVCFG_CBIE_INV _AC(0x3, UL) #define ENVCFG_FIOM _AC(0x1, UL) +/* + * zisslpcfi user mode csrs + * CSR_LPLR is a label register which holds compiler generated label that must be checked on target. + * CSR_SSP holds current shadow stack pointer. + */ +#define CSR_LPLR 0x006 +#define CSR_SSP 0x020 + /* symbolic CSR names: */ #define CSR_CYCLE 0xc00 #define CSR_TIME 0xc01 From patchwork Mon Feb 13 04:53:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137865 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7A5B2C636CC for ; Mon, 13 Feb 2023 04:54:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=XoOcwEyoTIZfhOiJQQbQCan1CjA6lorGcPzxfQ877rg=; b=N7IWEtNYAJUAev lFz3u+7+GFjSrbzIHjFLT0ZUMwkNyNqKmjrpFGyZ+ChsR1k7zoRUmAcxBIlO95BBpygoyRonsguTx bvAKbPpZlQ1y0e+4XiId9du1WDlLA17gDo7RaWaabnUznE6Q5gWBfHokl7VWSYEzq77coQ2ysLZFZ qrCSHVvgn3ZV49raSIRNNpfoSJlDrQMJA6nFCz8kWiCdTYlqXeqgppj0JjDMuqGu6mn36iROY+GbJ HPMKw2Sn2V/XdNzZqb2DS8H73nhxA5sU3fCzocjVb9Sdom13jLf0R3+lP/l6LMBPYPRlcIibF0sOr IGsgi5nF702t34Bv1HAA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr1-00D9Ma-OB; Mon, 13 Feb 2023 04:54:16 +0000 Received: from mail-pj1-x1031.google.com ([2607:f8b0:4864:20::1031]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqv-00D9I5-7g for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:10 +0000 Received: by mail-pj1-x1031.google.com with SMTP id w14-20020a17090a5e0e00b00233d3b9650eso3255522pjf.4 for ; Sun, 12 Feb 2023 20:54:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=iPcTKWGDPVSnaGv0xj2Ptv0rfddqsVuLBZ9aJFRMto4=; b=ubuWRUQI6DO7BXFrAM9O2TncXqmRilKXfzowXV5xcve/F4+hWvI8bU1bI5sCYwrNov xWzsT6/qXeY2wz5ryX3qVeyqTsqVrRn/s3UW2DoOrYNf3MiUDDNou9CMk6L1/oz6H6WB dU9WOxrHlhzoqkkzZ3zk/+UppeNZ3tzBybM7gU1o59qToIXc3KlDQVgPX9EVQHkcfv8P pLfafwQFE3MEzcXXtOJWy7Ic+zdkXeZoKdOzIMMSnWK/NlAKj/jwFBpv0hi/KY5NiGY8 s+1hNqY4Wfbk6uEa34IyNOF/CuCjhHIbS4gNTmG0iU8hA3c/pOm7STbsvA06gX1ZwHSz TN/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iPcTKWGDPVSnaGv0xj2Ptv0rfddqsVuLBZ9aJFRMto4=; b=ESEvb26GhN06zi2N952KvhTW1kXlJPDNJlyzPSElIEpd8HCLv+beMq6xgj+bODBbfO Z6d+C/RBk1PdrgFaItk9o7YXYVqAe2qmMI8jnUBXrXckddlxWTb4OU9lAWM6SPH35LEz 6ZDd9teNr7RomQhi9o4Wk4ydu8d3nfYJq1BlhtTNAgE4u17yi7sMsQK5kgDEGm5K5HAv ORxnFeD/bY9f6wgzMA88kB4NrDf0Rtqx0ZuQnYKOVHBDlrzNxEoe/XrewMAQh4Xfrp6Q vc3dsq5nNCt7vcXETQp7YWLevm7xrG54GkBYR5aJFIb92zvRI30yewh/bMpYisWLBuoV lT/w== X-Gm-Message-State: AO0yUKUY8rCfRpI8y0+2vK0ekwjyMEEMvlGURHws/hzhgNR6FEhBD46A SJs75Y6Y0IB59SzW2Zx8a3WmMKMFV/QV01M+ X-Google-Smtp-Source: AK7set8wsluuoT60XcCmUYhbCv4YoEM/b0+zhHi0Xb0+nvF6B/eyE34xZth1kgXw3SU6JZ4UKZal8w== X-Received: by 2002:a17:903:22c9:b0:198:fded:3b69 with SMTP id y9-20020a17090322c900b00198fded3b69mr25993049plg.53.1676264047642; Sun, 12 Feb 2023 20:54:07 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:07 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 04/20] riscv: kernel enabling user code for shadow stack and landing pad Date: Sun, 12 Feb 2023 20:53:33 -0800 Message-Id: <20230213045351.3945824-5-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205409_308467_906D8E3B X-CRM114-Status: GOOD ( 14.54 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Enables architectural support for shadow stack and landing pad instr for user mode on riscv. This patch does following - Defines a new structure cfi_status - Includes cfi_status in thread_info - Defines offsets to new member fields in thread_info in asm-offsets.c - Saves and restore cfi state on trap entry (U --> S) and exit (S --> U) Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 11 ++++++++ arch/riscv/include/asm/thread_info.h | 5 ++++ arch/riscv/kernel/asm-offsets.c | 5 ++++ arch/riscv/kernel/entry.S | 40 ++++++++++++++++++++++++++++ 4 files changed, 61 insertions(+) diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index bdebce2cc323..f065309927b1 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -41,6 +41,17 @@ struct thread_struct { unsigned long bad_cause; }; +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) +struct cfi_status { + unsigned int ufcfi_en : 1; /* Enable for forward cfi. Note that ELP goes in sstatus */ + unsigned int ubcfi_en : 1; /* Enable for backward cfi. */ + unsigned int rsvd1 : 30; + unsigned int lp_label; /* saved label value (25bit) */ + long user_shdw_stk; /* Current user shadow stack pointer */ + long shdw_stk_base; /* Base address of shadow stack */ +}; +#endif + /* Whitelist the fstate from the task_struct for hardened usercopy */ static inline void arch_thread_struct_whitelist(unsigned long *offset, unsigned long *size) diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h index 67322f878e0d..f74b8bd55d5b 100644 --- a/arch/riscv/include/asm/thread_info.h +++ b/arch/riscv/include/asm/thread_info.h @@ -65,6 +65,11 @@ struct thread_info { */ long kernel_sp; /* Kernel stack pointer */ long user_sp; /* User stack pointer */ +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + /* cfi_state only if config is defined */ + /* state of user cfi state. note this includes LPLR and SSP as well */ + struct cfi_status user_cfi_state; +#endif int cpu; }; diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c index df9444397908..340e6413cf3c 100644 --- a/arch/riscv/kernel/asm-offsets.c +++ b/arch/riscv/kernel/asm-offsets.c @@ -38,6 +38,11 @@ void asm_offsets(void) OFFSET(TASK_TI_KERNEL_SP, task_struct, thread_info.kernel_sp); OFFSET(TASK_TI_USER_SP, task_struct, thread_info.user_sp); +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + OFFSET(TASK_TI_USER_CFI_STATUS, task_struct, thread_info.user_cfi_state); + OFFSET(TASK_TI_USER_LPLR, task_struct, thread_info.user_cfi_state.lp_label); + OFFSET(TASK_TI_USER_SSP, task_struct, thread_info.user_cfi_state.user_shdw_stk); +#endif OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S index 99d38fdf8b18..f283130c81ec 100644 --- a/arch/riscv/kernel/entry.S +++ b/arch/riscv/kernel/entry.S @@ -73,6 +73,31 @@ _save_context: REG_S x30, PT_T5(sp) REG_S x31, PT_T6(sp) +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + /* + * If U --> S, CSR_SCRATCH should be holding U TP + * If S --> S, CSR_SCRATCH should be holding S TP + * s2 == tp means, previous mode was S + * else previous mode U + * we need to save cfi status only when previous mode was U + */ + csrr s2, CSR_SCRATCH + xor s2, s2, tp + beqz s2, skip_bcfi_save + /* load cfi status word */ + lw s2, TASK_TI_USER_CFI_STATUS(tp) + andi s3, s2, 1 + beqz s3, skip_fcfi_save + /* fcfi is enabled, capture ELP and LPLR state and record it */ + csrr s3, CSR_LPLR /* record label register */ + sw s3, TASK_TI_USER_LPLR(tp) /* save it back in thread_info structure */ +skip_fcfi_save: + andi s3, s2, 2 + beqz s3, skip_bcfi_save + csrr s3, CSR_SSP + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ +skip_bcfi_save: +#endif /* * Disable user-mode memory access as it should only be set in the * actual user copy routines. @@ -283,6 +308,21 @@ resume_userspace: */ csrw CSR_SCRATCH, tp +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + lw s2, TASK_TI_USER_CFI_STATUS(tp) + andi s3, s2, 1 + beqz s3, skip_fcfi_resume + xor s3, s3, s3 + lw s3, TASK_TI_USER_LPLR(tp) + csrw CSR_LPLR, s3 +skip_fcfi_resume: + andi s3, s2, 2 + beqz s3, skip_bcfi_resume + REG_L s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ + csrw CSR_SSP, s3 +skip_bcfi_resume: +#endif + restore_all: #ifdef CONFIG_TRACE_IRQFLAGS REG_L s1, PT_STATUS(sp) From patchwork Mon Feb 13 04:53:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137866 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 6BF6DC6379F for ; Mon, 13 Feb 2023 04:54:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=4nJI3cgerLLRq9AMRI44nwlttZqm3aEHMK5FUWYuTfU=; b=HKwurtKsN2Le3U /ULhsZYPwv0NS3gQ19h4ss/o+7mfJNOeSGskM3S7t+XwCVyuCNID3bu0eI/p/95xXElWzboEuBE8K hU5C8Gcxf0VKKMuh4vnhWcEnHtbK6ccQybkdi18w0NFdNiLV5nyx6cC4yx5cIwQVzrJo1je/epm0C /szK461dExN7yFwuPO6Ea+AlcpgW+GtUfe92jqg4RB14IprEFAgRI9RjLbVy5k7ax6s1tJ8CZAl2x n5CXGfvex9eu2pUwt21RtzPivRZERWy+sFbT1rJEme+n9GT50bf6BCwP8hPUV66tSZJC/XzJuq57o P3Rnzfe5IIYtGcL2lZsQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr4-00D9O6-0E; Mon, 13 Feb 2023 04:54:18 +0000 Received: from mail-pj1-x102c.google.com ([2607:f8b0:4864:20::102c]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqw-00D9Im-9C for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:11 +0000 Received: by mail-pj1-x102c.google.com with SMTP id o13so10786550pjg.2 for ; Sun, 12 Feb 2023 20:54:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Lt6u6bYwhuTYMTt/YfubY13MWrPuafF8Y1u+P5cWyE8=; b=vt+qlNRDi7mRznlVUmbqj3O98hmw8TzQhEaLZE107DASJjh3mP5YoOhuFoE/yDgncn OCvZHgb1zW/hH2iTg9NRv5Wvr+diw7rZF11dNmNK02h8Eanq2/2oPPW05Ri4S37QtvJL 22/4YVAOYRBOGaZ1sF7hoskBSUqcx3veQeIhV7or5WE2e3hlEkKjqfifPGWWsd0kxu/j WAyBfRKGlvAkydGHT9alybIs4NM7Z4c5f3VlNPpGkMhJwjPyX420tB4sAm4543ChntNk KKPDv0GKHwLrhhldTsJrjzkPUijMNypauZOdcTMX5tonq3hrIgVD+1N6zaNBQE3PWR3U 6B0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Lt6u6bYwhuTYMTt/YfubY13MWrPuafF8Y1u+P5cWyE8=; b=XjfOI05mV7flvBuYOTVRAbtsdUr5KpvxWOYa5l+5bHhrAR3LBnpM8tDQV0vK/U/y1K s+HOvv8T0mRBG8jNbHOYonHrIpSHZzeNNjHfn9NGcQBMoK45b1wDhWhasDCuSEjX6TDr w+EPSPlbFSLv8hEktyk3y0Nv33pLHLCj9JTF8zzEad32bZSlf+ZhB9gehni/XUzJgOAM hR9RAaGWFI3Xd+fSg9oISsl7CyGoysZWcYWBkTMmt8ywcFvc/n2o9P1B7eI5gGPQjfnP qSVirL73luwCQlW8A83uQZb73ZT29SkAKUPlQbM4STVCdBRXNz2zukqlN+RV7ou4zoVo nATg== X-Gm-Message-State: AO0yUKUMl8kT7ma6dJLFADGKMgGdQF1F/KzUx9ERDZRzhVL0qT/rA/sb jW7FIAxaackLG0nytnf//66+lA== X-Google-Smtp-Source: AK7set/M2hXnLP/wI4jka3ngVh/rpW9tQNim5nRuWweSNonl8MMrLnl7Zea2Dyx/IgKeNWfXUHLJEQ== X-Received: by 2002:a17:902:dcc5:b0:199:482f:d4c4 with SMTP id t5-20020a170902dcc500b00199482fd4c4mr13241724pll.44.1676264049102; Sun, 12 Feb 2023 20:54:09 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:08 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Arnd Bergmann , Andrew Morton , Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta , linux-arch@vger.kernel.org, linux-mm@kvack.org Subject: [PATCH v1 RFC Zisslpcfi 05/20] mmap : Introducing new protection "PROT_SHADOWSTACK" for mmap Date: Sun, 12 Feb 2023 20:53:34 -0800 Message-Id: <20230213045351.3945824-6-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205410_353028_A0FEF29D X-CRM114-Status: GOOD ( 14.62 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Major architectures (x86, arm, riscv) have introduced shadow stack support in their architecture for return control flow integrity ISA extensions have some special encodings to make sure this shadow stack page has special property in page table i.e a readonly page but still writeable under special scenarios. As an example x86 has `call` (or new shadow stack instructions) which can perform store on shadow stack but regular stores are disallowed. Similarly riscv has sspush & ssamoswap instruction which can perform stores but regular stores are not allowed. As evident a page which can only be writeable by certain special instructions but otherwise appear readonly to regular stores need a new protection flag. This patch introduces a new mmap protection flag to indicate such protection in generic manner. Architectures can implement such protection using arch specific encodings in page tables. Signed-off-by: Deepak Gupta --- include/uapi/asm-generic/mman-common.h | 6 ++++++ mm/mmap.c | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/include/uapi/asm-generic/mman-common.h b/include/uapi/asm-generic/mman-common.h index 6ce1f1ceb432..c8e549b29a24 100644 --- a/include/uapi/asm-generic/mman-common.h +++ b/include/uapi/asm-generic/mman-common.h @@ -11,6 +11,12 @@ #define PROT_WRITE 0x2 /* page can be written */ #define PROT_EXEC 0x4 /* page can be executed */ #define PROT_SEM 0x8 /* page may be used for atomic ops */ +/* + * Major architectures (x86, aarch64, riscv) have shadow stack now. Each architecture can + * choose to implement different PTE encodings. x86 encodings are PTE.R=0, PTE.W=1, PTE.D=1 + * riscv encodings are PTE.R=0, PTE.W=1. Aarch64 encodings are not published yet + */ +#define PROT_SHADOWSTACK 0x40 /* 0x10 reserved for arch-specific use */ /* 0x20 reserved for arch-specific use */ #define PROT_NONE 0x0 /* page can not be accessed */ diff --git a/mm/mmap.c b/mm/mmap.c index 425a9349e610..7e877c93d711 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -46,6 +46,7 @@ #include #include #include +#include #include #include @@ -1251,6 +1252,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (!len) return -EINVAL; + /* If PROT_SHADOWSTACK is specified and arch doesn't support it, return -EINVAL */ + if ((prot & PROT_SHADOWSTACK) && !arch_supports_shadow_stack()) + return -EINVAL; /* * Does the application expect PROT_READ to imply PROT_EXEC? * From patchwork Mon Feb 13 04:53:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137867 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id E46C6C636D7 for ; Mon, 13 Feb 2023 04:54:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=B2VRMSTdBr/nC7X7gvcDRq8GEvchSr9vZm1sSpMQdOA=; b=XyjXpznpYBuYnQ wYsnqapJRm9E68gunorn1ej1YI/xZWKdlC9qjRwQUsd4v4H/Phq8CKHevy1y3T7+ige9FRR0eGqjy VCjdNxns1bFUG7DHPasxQa/Q31QBcDdpZXGSjGmhbRIO8zAK8Ivj3cRS4xVJj1imrDHdg7yYoXGdR fJtNErPz6FL6buP1Mt2nSzjhuDI/k5hAdAYrOwWSorAMpR2xey+RPeoPwOx/JGkf8CElXDcGlVDnx jkjwva4mVXgxx6+5JErL+2ndCD6ZPxZl7/9XdtpcU+BfOgJBbOLWFTRMSxWc9pX8a4TEr0MtyVnqm 8SRgO1wdjWwXFy+WEihA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr5-00D9Pd-Uz; Mon, 13 Feb 2023 04:54:19 +0000 Received: from mail-pj1-x102f.google.com ([2607:f8b0:4864:20::102f]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqx-00D9JW-W1 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:13 +0000 Received: by mail-pj1-x102f.google.com with SMTP id e10-20020a17090a630a00b0022bedd66e6dso15712664pjj.1 for ; Sun, 12 Feb 2023 20:54:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NtGFk1nMQnbVrTZQtdZEMWvYWxpeM1anGce2t/6Js4o=; b=XnLJLE7Snc5+Dado4616bI2S9bt5BoOzPfFJwGy4sODs4id84UZRmeTgvHINl309vQ 14Su83K/zKRWWRUylX+LvkRt46rw/1NmQPiL7ZTYRBArkznoYvQmmpzl5Z1rM4XkHXqf rBcFShV4hBPXc5uzWruqviGPXly8kLMjn2buoQyVJ78MB0g/unbDmmax/ZZW+MA5RiWQ ogB0M9oUzUW0WJhaa+KIDOkbwCoO/Z1xc2lVmLfl1RBXdxIvi47/x8V3ynUmXwT9kABH Wq7UQVpnuXOK+7FT7G8jAwG2P+Mvs0HLCPCDYEFwFUpPExstyaOaxnJUASc2Rtwb889R YtNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NtGFk1nMQnbVrTZQtdZEMWvYWxpeM1anGce2t/6Js4o=; b=io3FCm6/dxZzwXNgF6Csp2jbb/YrYPqjDek348ARup6ylqcxxOjEfNxBB6poYmSGnK c2h+VtNXbbqFYhO+RsHP53wH/qUl6U/JIBwraHDPFPVAbe11lMvqmIrCgnJw7KSpInKB eXiaDYXDmt9E+9os5LFUoRWi6Y5fxDCpmOJVXXfZiIZh/FVmCszYv5DZyUEcgMesC/nY de7wJsZyRdGeRXfcHr55VZVJWiyeLUHtsgZS0UKvhOWthBiX9bhs8hk8CGBKU4/dSZ1k dspK6T9il8Pb1UAB2NT42W8+UGg0+nWZlaMB9EchVHMtMAMjix6TxAiSTLtgnVa269Xz fZkQ== X-Gm-Message-State: AO0yUKWSHRx2+Teb8oeB0m7gcdQMfzfUNM3ihOG3lDCl7/6VK0W2kulN Gcm3YNdkkFpsjtQ0yonH0Yk6xw== X-Google-Smtp-Source: AK7set8VQlMzUrEmfd8Da16vinMvIuF6MGR4zXdfBxivo1pKWlmTbhvBvyR/CFhAZRsTG7lVovToSw== X-Received: by 2002:a17:902:e545:b0:199:60:b9c8 with SMTP id n5-20020a170902e54500b001990060b9c8mr29757414plf.45.1676264050773; Sun, 12 Feb 2023 20:54:10 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:10 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 06/20] riscv: Implementing "PROT_SHADOWSTACK" on riscv Date: Sun, 12 Feb 2023 20:53:35 -0800 Message-Id: <20230213045351.3945824-7-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205412_077216_D71B494B X-CRM114-Status: GOOD ( 16.53 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org This patchimplements new mmap protection flag "PROT_SHADOWSTACK" on riscv Zisslpcfi extension on riscv uses R=0, W=1, X=0 as shadow stack PTE encoding. This encoding is reserved if Zisslpcfi is not implemented or backward cfi is not enabled for the respective mode. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h | 19 +++++++++++++++++++ arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c | 22 ++++++++++++++++++++++ arch/riscv/mm/init.c | 2 +- 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 arch/riscv/include/asm/mman.h diff --git a/arch/riscv/include/asm/mman.h b/arch/riscv/include/asm/mman.h new file mode 100644 index 000000000000..9c8499294a60 --- /dev/null +++ b/arch/riscv/include/asm/mman.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef __ASM_MMAN_H__ +#define __ASM_MMAN_H__ + +#include +#include +#include + +static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot, + unsigned long pkey __always_unused) +{ + unsigned long ret = 0; + + ret = (prot & PROT_SHADOWSTACK)?VM_WRITE:0; + return ret; +} +#define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey) + +#endif /* ! __ASM_MMAN_H__ */ diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 4eba9a98d0e3..74dbe122f2fa 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -159,6 +159,7 @@ extern struct pt_alloc_ops pt_ops __initdata; #define PAGE_READ_EXEC __pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_EXEC) #define PAGE_WRITE_EXEC __pgprot(_PAGE_BASE | _PAGE_READ | \ _PAGE_EXEC | _PAGE_WRITE) +#define PAGE_SHADOWSTACK __pgprot(_PAGE_BASE | _PAGE_WRITE) #define PAGE_COPY PAGE_READ #define PAGE_COPY_EXEC PAGE_EXEC diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c index 5d3f2fbeb33c..c3cf6b94c710 100644 --- a/arch/riscv/kernel/sys_riscv.c +++ b/arch/riscv/kernel/sys_riscv.c @@ -18,6 +18,28 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len, if (unlikely(offset & (~PAGE_MASK >> page_shift_offset))) return -EINVAL; + /* + * If only PROT_WRITE is specified then extend that to PROT_READ + * protection_map[VM_WRITE] is now going to select shadow stack encodings. + * So specifying PROT_WRITE actually should select protection_map [VM_WRITE | VM_READ] + * If user wants to create shadow stack then they should specify PROT_SHADOWSTACK + * protection + */ + if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ))) + prot |= PROT_READ; + + /* + * PROT_SHADOWSTACK is new protection flag. If specified with other like PROT_WRITE or + * PROT_READ PROT_SHADOWSTACK takes precedence. We can do either of following + * - ensure no other protection flags are specified along with it and return EINVAL + * OR + * - ensure we clear other protection flags. + * Choosing to follow former, if any other bit is set in prot, we return EINVAL + * Other architectures can treat different combinations for PROT_SHADOWSTACK + */ + if (unlikely((prot & PROT_SHADOWSTACK) && (prot & ~PROT_SHADOWSTACK))) + return -EINVAL; + return ksys_mmap_pgoff(addr, len, prot, flags, fd, offset >> (PAGE_SHIFT - page_shift_offset)); } diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c index 478d6763a01a..ba8138c90450 100644 --- a/arch/riscv/mm/init.c +++ b/arch/riscv/mm/init.c @@ -294,7 +294,7 @@ static pmd_t __maybe_unused early_dtb_pmd[PTRS_PER_PMD] __initdata __aligned(PAG static const pgprot_t protection_map[16] = { [VM_NONE] = PAGE_NONE, [VM_READ] = PAGE_READ, - [VM_WRITE] = PAGE_COPY, + [VM_WRITE] = PAGE_SHADOWSTACK, [VM_WRITE | VM_READ] = PAGE_COPY, [VM_EXEC] = PAGE_EXEC, [VM_EXEC | VM_READ] = PAGE_READ_EXEC, From patchwork Mon Feb 13 04:53:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137868 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id AE826C6379F for ; Mon, 13 Feb 2023 04:54:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=44QVniVauSMQDtKL2q3NjoMFkYxBVpFYL5i1L9bnaVA=; b=11lEyFgoGz1j7+ LHavV3fH6WbNH+xpWxZd1vCvGBy24As2c3yZWmPzcQV4UdZSTOVIOCHZy1W1w4MD+cRoRaa/ahNUD xuHgpD+ycs2GNjquozxc+++tjvVeDAZzc6FrJdFkpxe0rlgFAugyQEgqp9wopKN3ulhngrCIuBpD1 tRWtfTM4k/lr01RiVGcAAjsU3yviPmmBlqQxJJaJYsdn2sON97y62Fb7CuCQ9KoySRhuHsczqt5wk SZCBsvsTasQcQWHsYCIW3WmfoHmFUgMcrFkFPKc2xIpDFzqlWvKxmZG+z3QWhbl0RQ++Nv9WloU8/ +w9srjtfTnk0v4L94W5w==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr8-00D9Rg-1y; Mon, 13 Feb 2023 04:54:22 +0000 Received: from mail-pl1-x634.google.com ([2607:f8b0:4864:20::634]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQqy-00D9GN-Pe for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:14 +0000 Received: by mail-pl1-x634.google.com with SMTP id e17so3444672plg.12 for ; Sun, 12 Feb 2023 20:54:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oP4wZ0K6nVayFSsIwI2M/qbAeCayW2BZaB6BdNSazd0=; b=kQCkDlkhAa4XVmRG1hxXFbpWGlXPMBYAGXgy0L0uPsR9g5pVZDofnEGhHEJYmp4t70 GThKDRHlZLQeCmf3sShq+tYAdJikORjaEoHzhV8XPsEC3fuBeKmrypEuXS7bnM4Hr1Mu ejAuWJdj4rylP7L48un2eYEoyEM3T/HgHUJ+XVCnMOro/vM0ja9j4XcrCb2wVTAb2ykU VVkETKJNdrlyLnPFCjstqmRxjQbAorY6hbHg6u7JiS4XZd2HNWZ+rc/s5B7cfxPqGP5E y7sCTgg87DvCTzj8NBBDe3V2Zk1icq2em5kbBEcbVFNjlxLiW6d6zxFc1ZAJ17l5bZV5 /rrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oP4wZ0K6nVayFSsIwI2M/qbAeCayW2BZaB6BdNSazd0=; b=JiZgWfZ7FYEdnkVeCzAqXPUe1iZKvpwqHxKSzlKWscx2f2WS5/WwgKk+AOW5D4szOo eOlma85lFkeqVh/H5SwgEMsudXTvfa8kgNGGgvNf1y4f5Lsiw577DCPgAY8lBbaNQJx6 ag+gfoFy0VjbFjaWLpEvNiCZeiWla3Xh99ctxukl05+bE/GLMopdt2N20LriOy0CCgGJ 6ZgvAf1IyaAeV1p7Lc1/I7ignygsx4DT2Di1K7MPo7rIGa31ehDeKYB+JltJfh33xZLQ HcISf3UxbHh9N4BSf/GEfFymWkSbDqh3wcqMsgYxUzl8lmYnA2cILLnIs8CnmpadnO8d gHvQ== X-Gm-Message-State: AO0yUKUhWDZod0j1S4V3bxvTX949AW1tAqO0T+H45qjJhNxMk73U2uBz vjsXqE82+Kzd1VLJQvCYREaOAUAHKil0MvrV X-Google-Smtp-Source: AK7set/Y/udvpjSPyiRHvzVVe58rgU9SM3O2saFl6KwR15sjL2H2TEzdTJbI8CgO0QDxGQ+4+3WsRQ== X-Received: by 2002:a17:902:ce86:b0:19a:9580:750 with SMTP id f6-20020a170902ce8600b0019a95800750mr5863992plg.16.1676264052424; Sun, 12 Feb 2023 20:54:12 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:12 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Alexander Viro , Eric Biederman , Kees Cook , Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org Subject: [PATCH v1 RFC Zisslpcfi 07/20] elf: ELF header parsing in GNU property for cfi state Date: Sun, 12 Feb 2023 20:53:36 -0800 Message-Id: <20230213045351.3945824-8-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205413_060276_35CDBC61 X-CRM114-Status: GOOD ( 12.06 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Binaries enabled with support for control-flow integrity will have new instructions that may fault on cpus which dont implement cfi mechanisms. This change adds - stub for setting up cfi state when loading a binary. Architecture specific implementation can choose to implement this stub and setup cfi state for program. - define riscv ELF flag marker for forward cfi and backward cfi in uapi/linux/elf.h Signed-off-by: Deepak Gupta --- fs/binfmt_elf.c | 5 +++++ include/linux/elf.h | 8 ++++++++ include/uapi/linux/elf.h | 6 ++++++ 3 files changed, 19 insertions(+) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 9a780fafc539..bb431052eb01 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1277,6 +1277,11 @@ static int load_elf_binary(struct linux_binprm *bprm) set_binfmt(&elf_format); +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + retval = arch_elf_setup_cfi_state(&arch_state); + if (retval < 0) + goto out; +#endif #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter); if (retval < 0) diff --git a/include/linux/elf.h b/include/linux/elf.h index c9a46c4e183b..106d28f065aa 100644 --- a/include/linux/elf.h +++ b/include/linux/elf.h @@ -109,4 +109,12 @@ static inline int arch_elf_adjust_prot(int prot, } #endif +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) +extern int arch_elf_setup_cfi_state(const struct arch_elf_state *state); +#else +static inline int arch_elf_setup_cfi_state(const struct arch_elf_state *state) +{ + return 0; +} +#endif #endif /* _LINUX_ELF_H */ diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h index 4c6a8fa5e7ed..1cbd332061dc 100644 --- a/include/uapi/linux/elf.h +++ b/include/uapi/linux/elf.h @@ -468,4 +468,10 @@ typedef struct elf64_note { /* Bits for GNU_PROPERTY_AARCH64_FEATURE_1_BTI */ #define GNU_PROPERTY_AARCH64_FEATURE_1_BTI (1U << 0) +/* .note.gnu.property types for RISCV: */ +/* Bits for GNU_PROPERTY_RISCV_FEATURE_1_FCFI/BCFI */ +#define GNU_PROPERTY_RISCV_FEATURE_1_AND 0xc0000000 +#define GNU_PROPERTY_RISCV_FEATURE_1_FCFI (1u << 0) +#define GNU_PROPERTY_RISCV_FEATURE_1_BCFI (1u << 1) + #endif /* _UAPI_LINUX_ELF_H */ From patchwork Mon Feb 13 04:53:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137872 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B57B3C636CC for ; Mon, 13 Feb 2023 04:54:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=Fn3axs8lHwUkWPHLfwZ/JjXWkss8WdhOUa6oicj4AeI=; b=flXeGa4RBEU5vJ Vowf5fT6dU2i8L8n91wuXqEhcy1gycf4Jx2cO3WozmaMSz7xLmN0DtndSevnj0pwq+syUcTnz0cr4 qbka5HTsxUzyUCXLXXDjIeR7Kw5VOA1HXZ9JO7EwgZubyChFoek8i/0GpGSZ5oD6qye03PJ586Jgc knRZ/D9MltihrAsyX6aVO/59XoQp4pI825/+Wm15z4wxvu/dEK9qlIB2jJfVPCqlH92BGM/6c5/Q9 aqvnobmY193TZrdUN6k+DfCBV46l7Ov4pqKLRIKJ5+DxYcnlMOsdPMBeJxivFBUnAP7a9OjDY7Xt4 9Sx03DfCIkm01mHi3jMw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrU-00D9ik-P3; Mon, 13 Feb 2023 04:54:45 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrA-00D9TS-8t for linux-riscv@bombadil.infradead.org; Mon, 13 Feb 2023 04:54:24 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description; bh=o6mU7eTgSI6j468x6JlFr8IfE22BslDPe1KItKKWUgQ=; b=am9kEKPpClUvzsdTcfB/9cM4LB T6fAjlTv3ujWpFucXYPzwAH+hy5PR1gONu9HWl07kaohjecHM4cvE44nw2nDplbdLF82h5HWuCMaC 4j4dwA/Q7rUenUVPDuB368mCVEJXtJrdRsd9BRTeC2b+jtzeVkXv1RYlTVlGyBHR0l/z+qY+G+iNC +JlFEfiMFJDzGQEmch2lgBVLqXE3QVNLvLhG1C/Jbtg8pJkWw8VkWiUm4gl+2QlU6sm6kbiE74Rhf eM23icVHZjH3qxJF+DWjUuJZj8KsG800Y0oR3VXF5gnagul91qFTeL79fUPLT223RxtCUHpoCrJzL +RMcZcNg==; Received: from mail-pj1-x1030.google.com ([2607:f8b0:4864:20::1030]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pRQqP-009BQY-0c for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:53:41 +0000 Received: by mail-pj1-x1030.google.com with SMTP id a8-20020a17090a6d8800b002336b48f653so9653631pjk.3 for ; Sun, 12 Feb 2023 20:54:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=o6mU7eTgSI6j468x6JlFr8IfE22BslDPe1KItKKWUgQ=; b=qYf8FTmWzIZq1sj/cRWNqkDlyaUrlHtAkUn706G2DjlsOFiB0iWKuqtT+MxmEI3t6T Ff0DhMKpSFR6ca05rAxMPooGPzA1kFOzhjYrqNY3J0Ka4Zz14ybBi+36q/CVw1rjCcJQ s21yu/DiDLNr4UUmwy6Wsgi9sOq9iax7KYKB0pZOhEhM5LpPkR5ngeHS/g47Fh7aN/AI cMC9Y8a3hzHTiL32AkRANplY0UlHrCUshHymlqQKPn6qaw5BdiwO3FgxJ0F1Iu/SSLhy 5pCenej/IO1VFA3WT/JAMOuCLszHyDZbQ8niFlM4YacqhxIEIz1YG6akTVFEeYQFxrxP 0ULQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=o6mU7eTgSI6j468x6JlFr8IfE22BslDPe1KItKKWUgQ=; b=CCOiSOlYTGqPMkkC7GSGD8DJKlsgae0esAz5g7EbtzZV1aNqKDdt4r7bx+lhs6pQjL ksPrO+8SqwLmEUGxNmya81fWGGN1b7WDroz3hoHItCYehNTx6e3X7aTA4n0L3d20Xjh8 XopUn5vLZXMlvBxSM2G4IkXShNdtWVZ46EVdCtMPFd8pRHlPMC8N9zDV2AIYI2O0PEct d1PyohhG+k+YulmsevoTU4D6JcNrqGSz/ZFI5wq8Z+O+01FoHkQNBVB330aPSlnHLeCt btA5xFOngGJ1Y7dgKNZzxBFwdqohhZ12queZo4rO22IE5/GzE6h5u7OWHVOTpOefwgHc QjBg== X-Gm-Message-State: AO0yUKXh2o2TLrU9W29bgRnaGfj3iQWn5LoyF5j1tjnYiGFMqRai9IHf zCG/7qVEBk+RQ6NTnuqn6+nWmA== X-Google-Smtp-Source: AK7set8HPfJbTibzxMHxoi7mMOcMVGZORNN77Z7301T7+NMj1/NsI1Getj9LRbOMwSbpaixi5cPnoA== X-Received: by 2002:a17:903:1c2:b0:198:e1b8:9476 with SMTP id e2-20020a17090301c200b00198e1b89476mr29006123plh.15.1676264053898; Sun, 12 Feb 2023 20:54:13 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:13 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou , Eric Biederman , Kees Cook Cc: Deepak Gupta , linux-mm@kvack.org Subject: [PATCH v1 RFC Zisslpcfi 08/20] riscv: ELF header parsing in GNU property for riscv zisslpcfi Date: Sun, 12 Feb 2023 20:53:37 -0800 Message-Id: <20230213045351.3945824-9-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230213_045338_529226_A4A7B318 X-CRM114-Status: GOOD ( 19.39 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Binaries enabled for Zisslpcfi will have new instructions that may fault on risc-v cpus which dont implement Zimops or Zicfi. This change adds - support for parsing new backward and forward cfi flags in PT_GNU_PROPERTY - setting cfi state on recognizing cfi flags in ELF - enable back cfi and forward cfi in sstatus Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/elf.h | 54 +++++++++++++++++++++++++++++ arch/riscv/kernel/process.c | 67 ++++++++++++++++++++++++++++++++++++ 2 files changed, 121 insertions(+) diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h index e7acffdf21d2..60ac2d2390ee 100644 --- a/arch/riscv/include/asm/elf.h +++ b/arch/riscv/include/asm/elf.h @@ -14,6 +14,7 @@ #include #include #include +#include /* * These are used to set parameters in the core dumps. @@ -140,4 +141,57 @@ extern int compat_arch_setup_additional_pages(struct linux_binprm *bprm, compat_arch_setup_additional_pages #endif /* CONFIG_COMPAT */ + +#define RISCV_ELF_FCFI (1 << 0) +#define RISCV_ELF_BCFI (1 << 1) + +#ifdef CONFIG_ARCH_BINFMT_ELF_STATE +struct arch_elf_state { + int flags; +}; + +#define INIT_ARCH_ELF_STATE { \ + .flags = 0, \ +} +#endif + +#ifdef CONFIG_ARCH_USE_GNU_PROPERTY +static inline int arch_parse_elf_property(u32 type, const void *data, + size_t datasz, bool compat, + struct arch_elf_state *arch) +{ + /* + * TODO: Do we want to support in 32bit/compat? + * may be return 0 for now. + */ + if (IS_ENABLED(CONFIG_COMPAT) && compat) + return 0; + if ((type & GNU_PROPERTY_RISCV_FEATURE_1_AND) == GNU_PROPERTY_RISCV_FEATURE_1_AND) { + const u32 *p = data; + + if (datasz != sizeof(*p)) + return -ENOEXEC; + if (arch_supports_indirect_br_lp_instr() && + (*p & GNU_PROPERTY_RISCV_FEATURE_1_FCFI)) + arch->flags |= RISCV_ELF_FCFI; + if (arch_supports_shadow_stack() && (*p & GNU_PROPERTY_RISCV_FEATURE_1_BCFI)) + arch->flags |= RISCV_ELF_BCFI; + } + return 0; +} + +static inline int arch_elf_pt_proc(void *ehdr, void *phdr, + struct file *f, bool is_interp, + struct arch_elf_state *state) +{ + return 0; +} + +static inline int arch_check_elf(void *ehdr, bool has_interp, + void *interp_ehdr, + struct arch_elf_state *state) +{ + return 0; +} +#endif #endif /* _ASM_RISCV_ELF_H */ diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index 8955f2432c2d..db676262e61e 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -24,6 +24,7 @@ #include #include #include +#include register unsigned long gp_in_global __asm__("gp"); @@ -135,6 +136,14 @@ void start_thread(struct pt_regs *regs, unsigned long pc, else regs->status |= SR_UXL_64; #endif +#ifdef CONFIG_USER_SHADOW_STACK + if (current_thread_info()->user_cfi_state.ufcfi_en) + regs->status |= SR_UFCFIEN; +#endif +#ifdef CONFIG_USER_INDIRECT_BR_LP + if (current_thread_info()->user_cfi_state.ubcfi_en) + regs->status |= SR_UBCFIEN; +#endif } void flush_thread(void) @@ -189,3 +198,61 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) p->thread.sp = (unsigned long)childregs; /* kernel sp */ return 0; } + + +int allocate_shadow_stack(unsigned long *shadow_stack_base, unsigned long *shdw_size) +{ + int flags = MAP_ANONYMOUS | MAP_PRIVATE; + struct mm_struct *mm = current->mm; + unsigned long addr, populate, size; + *shadow_stack = 0; + + if (!shdw_size) + return -EINVAL; + + size = *shdw_size; + + /* If size is 0, then try to calculate yourself */ + if (size == 0) + size = round_up(min_t(unsigned long long, rlimit(RLIMIT_STACK), SZ_4G), PAGE_SIZE); + mmap_write_lock(mm); + addr = do_mmap(NULL, 0, size, PROT_SHADOWSTACK, flags, 0, + &populate, NULL); + mmap_write_unlock(mm); + if (IS_ERR_VALUE(addr)) + return PTR_ERR((void *)addr); + *shadow_stack_base = addr; + *shdw_size = size; + return 0; +} + +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) +/* gets called from load_elf_binary(). This'll setup shadow stack and forward cfi enable */ +int arch_elf_setup_cfi_state(const struct arch_elf_state *state) +{ + int ret = 0; + unsigned long shadow_stack_base = 0; + unsigned long shadow_stk_size = 0; + struct thread_info *info = NULL; + + info = current_thread_info(); + /* setup back cfi state */ + /* setup cfi state only if implementation supports it */ + if (arch_supports_shadow_stack() && (state->flags & RISCV_ELF_BCFI)) { + info->user_cfi_state.ubcfi_en = 1; + ret = allocate_shadow_stack(&shadow_stack_base, &shadow_stk_size); + if (ret) + return ret; + + info->user_cfi_state.user_shdw_stk = (shadow_stack_base + shadow_stk_size); + info->user_cfi_state.shdw_stk_base = shadow_stack_base; + } + /* setup forward cfi state */ + if (arch_supports_indirect_br_lp_instr() && (state->flags & RISCV_ELF_FCFI)) { + info->user_cfi_state.ufcfi_en = 1; + info->user_cfi_state.lp_label = 0; + } + + return ret; +} +#endif \ No newline at end of file From patchwork Mon Feb 13 04:53:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137873 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 94D56C6379F for ; Mon, 13 Feb 2023 04:55:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=90ZuH4zWYjqSGNCc/+HKPjcLb4MscAS2ltSkLA8jj9g=; b=L7Dw1aWl2kJDGE dU4Uz7WUPQ5k3zonCBSdmm7W/fEq94OMGup1rOqsSiKd5/QMyDqOVan+LNS2HQK0DhTpBNemyVnMz Z+bXrGEDaFxyWd00/R2tyV9G7kcvD8r0SdYRC8XTNLagkZ8fWgF/QvLJNh1GmBiDjulsM/aWxeNNm vRXiNU2nlbfau4AzrAMfxY5D/mlJpcD59ItoscTMUElwtjNQ3NL5YVZlyJVTe5KM8umcu4NsSEA/S MhM7iHNoU5wBED3GF3uA3IaCCBoGqn3xcj0vt7bqqFI7rmrLbq/U+tGzSNsr02cl6+IOu43FSydj+ vUAcuVqdBvbiJSxWiIFw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrb-00D9nr-Ma; Mon, 13 Feb 2023 04:54:51 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrC-00D9VM-JQ for linux-riscv@bombadil.infradead.org; Mon, 13 Feb 2023 04:54:26 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description; bh=PWWHkk0uRmCoQD1IDjmpM1K4crsMB3GryXLB1Ck58mM=; b=jI9FUlfDJilWmefUMl1t1LT/c2 5Rx8jV+Jd4h1uAx9PGqGPhVzOYkp3+q0adXIAn6ObnehQrWAibGn7RhrkinX6mOIBkhK0c+WFVA0Q eYVoDbCC5/H4QpmO5T4fpnGxOFdZ1W5SNHx+Qdizx1263RmcU1lSSv03d82aicswvSFg2/3xDJyWF vgV+r/O0jIZFTDehAcPC1K1wpNieuSnrCpCN1jY5moBGJyBediIzKAOL38K66864TlZslDtCyktSn QFPKYsEW4whjnQOerii77JO3xpwhv+GbwAgxGzUJVx/WQ3Uc6gDZj9l5YGFWptSwCIbWzMtHv2X6O Q1dYda6w==; Received: from mail-pj1-x1034.google.com ([2607:f8b0:4864:20::1034]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pRQqP-009BQe-18 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:53:43 +0000 Received: by mail-pj1-x1034.google.com with SMTP id bx22so10759638pjb.3 for ; Sun, 12 Feb 2023 20:54:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PWWHkk0uRmCoQD1IDjmpM1K4crsMB3GryXLB1Ck58mM=; b=FGjJdoMrQlppTBz+ObqT8luvhuIMwvfjvmkBZprc9HlYpoiSS1sA85FZnlrmeoeEgh SlSW2oU2EYk9KtAhXRm18M+PupNhB7PJwPtUNGXJcECNEGsnVdHApGyWg64SViYKipvg 76A+vJJvWrYRsBqZ5NpIAB/yexvjeXKgZYZluduj2LNgSueMGYFoy6UM6NpAbW54+uJv n80E0ec86qo5fTn+m5TpVEbZlOl8oMoq1dQ3t1CAp93yrTxg3gz0bUQfZSAdBr3s/OIu sMljApBWJCh4QonvYNxSCj45B5bFELOws2WJg2kb2PQukm27+t6Rb1njgf4IzZonV0W+ 2nJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PWWHkk0uRmCoQD1IDjmpM1K4crsMB3GryXLB1Ck58mM=; b=7o95A2LgJ37eSBVQ5JKEXx4QDV6BSe1MzsKsgdy+gZjeuoRDKIGjcXuvQjAR0Yd7Yk 09xX/oDQmPXOMmagQM5JKz1Q9L+clX3OC4VYSQkghAbFblS5FLw8M8dkn/qqChmVw3fc Kw4kqffvxZQ1jfFtTvJgSALDxGTQOhs9DMQNEL6ngFmJbX6wx8deeBATMjg4D0JNicLe nYXp7xg2zU4bHXSAAc7cfn5olTtlxvDN12z9R6tn3sQnvjqO6xm6kwwaDvrDdopjK1U4 ZKLtsCEZk3HF+3VEMtW70OxFONYerNixI3HsXXNqvqniQh0HzsbMMw5I1NI7JNF+hF2o RpWA== X-Gm-Message-State: AO0yUKVGAqZGZOlFdXSVE9Os6X0pb3Q1ei3h7gT+P8rBI00+OL/MJwAm TonKVWJQD2mlo0l8QfFi8sNm8g== X-Google-Smtp-Source: AK7set9406LLxtGzTMJ9GgnStCTat5aRGFN2npHB9cBHONwfu4URf5ZDmziYqqSaME7wnrSw88O6bA== X-Received: by 2002:a17:903:2448:b0:198:f027:5925 with SMTP id l8-20020a170903244800b00198f0275925mr25005204pls.64.1676264055395; Sun, 12 Feb 2023 20:54:15 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:14 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 09/20] riscv mmu: riscv shadow stack page fault handling Date: Sun, 12 Feb 2023 20:53:38 -0800 Message-Id: <20230213045351.3945824-10-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230213_045339_976246_FB429374 X-CRM114-Status: GOOD ( 20.91 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Shadow stack load/stores to valid non-shadow memory raise access faults. Regular store to shadow stack memory raise access fault as well. This patch implements load and store access handler. Load access handler reads faulting instruction and if it was an instruction issuing ss load, it'll invoke page fault handler with a synthetic cause (marked reserved in priv spec). Similarly store access hanlder reads faulting instruction and if it was an instruction issuing ss store, it'll invoke page fault handler with a synthetic cause (reserved in spec). All other cases in load/store access handler will lead to SIGSEV. There might be concerns that using a reserved exception code may create an issue because some riscv implementation might already using this code. However counter argument would be, linux kernel is not using this code and thus linux kernel should be able to use this exception code on such a hardware. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 3 ++ arch/riscv/kernel/traps.c | 99 ++++++++++++++++++++++++++++++++++++ arch/riscv/mm/fault.c | 23 ++++++++- 3 files changed, 124 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 243031d1d305..828b1c2a74c2 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -104,6 +104,9 @@ #define EXC_SUPERVISOR_SYSCALL 10 #define EXC_INST_PAGE_FAULT 12 #define EXC_LOAD_PAGE_FAULT 13 +#ifdef CONFIG_USER_SHADOW_STACK +#define EXC_SS_ACCESS_PAGE_FAULT 14 +#endif #define EXC_STORE_PAGE_FAULT 15 #define EXC_INST_GUEST_PAGE_FAULT 20 #define EXC_LOAD_GUEST_PAGE_FAULT 21 diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 549bde5c970a..5553b8d48ba5 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -94,6 +94,85 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code, } } +/* Zisslpcfi instructions encodings */ +#define SS_PUSH_POP 0x81C04073 +#define SS_AMOSWAP 0x82004073 + +bool is_ss_load_store_insn(unsigned long insn) +{ + if ((insn & SS_PUSH_POP) == SS_PUSH_POP) + return true; + /* + * SS_AMOSWAP overlaps with LP_S_LL. + * But LP_S_LL can never raise access fault + */ + if ((insn & SS_AMOSWAP) == SS_AMOSWAP) + return true; + + return false; +} + +ulong get_instruction(ulong epc) +{ + ulong *epc_ptr = (ulong *) epc; + ulong insn = 0; + + __enable_user_access(); + insn = *epc_ptr; + __disable_user_access(); + return insn; +} + +#ifdef CONFIG_USER_SHADOW_STACK +extern asmlinkage void do_page_fault(struct pt_regs *regs); + +/* + * If CFI enabled then following then load access fault can occur if + * ssload (sspop/ssamoswap) happens on non-shadow stack memory. + * This is a valid case when we want to do COW on SS memory on `fork` or memory is swapped out. + * SS memory is marked as readonly and subsequent sspop or sspush will lead to + * load/store access fault. We need to decode instruction. If it's sspop or sspush + * Page fault handler is invoked. + */ +int handle_load_access_fault(struct pt_regs *regs) +{ + ulong insn = get_instruction(regs->epc); + + if (is_ss_load_store_insn(insn)) { + regs->cause = EXC_SS_ACCESS_PAGE_FAULT; + do_page_fault(regs); + return 0; + } + + return 1; +} +/* + * If CFI enabled then following then store access fault can occur if + * -- ssstore (sspush/ssamoswap) happens on non-shadow stack memory + * -- regular store happens on shadow stack memory + */ +int handle_store_access_fault(struct pt_regs *regs) +{ + ulong insn = get_instruction(regs->epc); + + /* + * if a shadow stack store insn, change cause to + * synthetic SS_ACCESS_PAGE_FAULT + */ + if (is_ss_load_store_insn(insn)) { + regs->cause = EXC_SS_ACCESS_PAGE_FAULT; + do_page_fault(regs); + return 0; + } + /* + * Reaching here means it was a regular store. + * A regular access fault anyways had been delivering SIGSEV + * A regular store to shadow stack anyways is also a SIGSEV + */ + return 1; +} +#endif + #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE) #define __trap_section __section(".xip.traps") #else @@ -113,8 +192,18 @@ DO_ERROR_INFO(do_trap_insn_fault, SIGSEGV, SEGV_ACCERR, "instruction access fault"); DO_ERROR_INFO(do_trap_insn_illegal, SIGILL, ILL_ILLOPC, "illegal instruction"); +#ifdef CONFIG_USER_SHADOW_STACK +asmlinkage void __trap_section do_trap_load_fault(struct pt_regs *regs) +{ + if (!handle_load_access_fault(regs)) + return; + do_trap_error(regs, SIGSEGV, SEGV_ACCERR, regs->epc, + "load access fault"); +} +#else DO_ERROR_INFO(do_trap_load_fault, SIGSEGV, SEGV_ACCERR, "load access fault"); +#endif #ifndef CONFIG_RISCV_M_MODE DO_ERROR_INFO(do_trap_load_misaligned, SIGBUS, BUS_ADRALN, "Oops - load address misaligned"); @@ -140,8 +229,18 @@ asmlinkage void __trap_section do_trap_store_misaligned(struct pt_regs *regs) "Oops - store (or AMO) address misaligned"); } #endif +#ifdef CONFIG_USER_SHADOW_STACK +asmlinkage void __trap_section do_trap_store_fault(struct pt_regs *regs) +{ + if (!handle_store_access_fault(regs)) + return; + do_trap_error(regs, SIGSEGV, SEGV_ACCERR, regs->epc, + "store (or AMO) access fault"); +} +#else DO_ERROR_INFO(do_trap_store_fault, SIGSEGV, SEGV_ACCERR, "store (or AMO) access fault"); +#endif DO_ERROR_INFO(do_trap_ecall_u, SIGILL, ILL_ILLTRP, "environment call from U-mode"); DO_ERROR_INFO(do_trap_ecall_s, diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c index d86f7cebd4a7..b5ecf36eba3d 100644 --- a/arch/riscv/mm/fault.c +++ b/arch/riscv/mm/fault.c @@ -18,6 +18,7 @@ #include #include +#include #include "../kernel/head.h" @@ -177,6 +178,7 @@ static inline void vmalloc_fault(struct pt_regs *regs, int code, unsigned long a static inline bool access_error(unsigned long cause, struct vm_area_struct *vma) { + unsigned long prot = 0, shdw_stk_mask = 0; switch (cause) { case EXC_INST_PAGE_FAULT: if (!(vma->vm_flags & VM_EXEC)) { @@ -194,6 +196,20 @@ static inline bool access_error(unsigned long cause, struct vm_area_struct *vma) return true; } break; +#ifdef CONFIG_USER_SHADOW_STACK + /* + * If a ss access page fault. vma must have only VM_WRITE. + * and page prot much match to PAGE_SHADOWSTACK. + */ + case EXC_SS_ACCESS_PAGE_FAULT: + prot = pgprot_val(vma->vm_page_prot); + shdw_stk_mask = pgprot_val(PAGE_SHADOWSTACK); + if (((vma->vm_flags & (VM_WRITE | VM_READ | VM_EXEC)) != VM_WRITE) || + ((prot & shdw_stk_mask) != shdw_stk_mask)) { + return true; + } + break; +#endif default: panic("%s: unhandled cause %lu", __func__, cause); } @@ -274,7 +290,12 @@ asmlinkage void do_page_fault(struct pt_regs *regs) perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); - if (cause == EXC_STORE_PAGE_FAULT) + if (cause == EXC_STORE_PAGE_FAULT +#ifdef CONFIG_USER_SHADOW_STACK + || cause == EXC_SS_ACCESS_PAGE_FAULT + /* if config says shadow stack and cause is ss access then indicate a write */ +#endif + ) flags |= FAULT_FLAG_WRITE; else if (cause == EXC_INST_PAGE_FAULT) flags |= FAULT_FLAG_INSTRUCTION; From patchwork Mon Feb 13 04:53:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137888 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 919DBC636D4 for ; Mon, 13 Feb 2023 06:00:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=nyMCBPQJV3/2PiyLajvPDVpUN7uCrkIe4mH5N9EPoaQ=; b=RIMyWuwmgEITi0 Rdsa//uGei/CumNLKKY17BH+p2RqRqPEV8PxR+geEDlzNknXC6a4kcJd4UMS7wb7SMD8ePcfqxNVm uGJ36jY5RoydnD9J7j7keJIgxHwmkDYL43g0cgZz3/AfAHc0iNLhI+Rl0j0dOVsODj0vxfpXoQQSg u0saTQc81hfslkoZoce+OBVuMsV0b5oERGnrnCSZjN9jRbYF+o5IxC53QJRAMK1Rns8+nykCwYB+N KyShmCx8kosNe2unvJ6ctHUrzn2P0O+deZdsvaytu/ex2Hvv7fj1JaV/VCSK/LG2/PoDjA3T5tknU RmAeHrWFdh0O/0di/lUg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRsu-00DHZv-Tt; Mon, 13 Feb 2023 06:00:17 +0000 Received: from mail-pl1-x633.google.com ([2607:f8b0:4864:20::633]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr3-00D9HC-48 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:19 +0000 Received: by mail-pl1-x633.google.com with SMTP id o8so9930095pls.11 for ; Sun, 12 Feb 2023 20:54:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+JFNUn7jw7XrbPRCSrUHiiAgppCfO2t4yElt5XDL04Q=; b=MAtbG5JUipDDMVBI03UWeY8vjoTpzFDhlMkb2IIUtB84hOxlG1WyPFh7MJnCD5jfl2 zjmODVBzL2cx3l1Qs7L7jfh8m/gnDVQInUF+dA+7OKyMVa5Haw7ygFvOQ8YMb5gB2b1K UlKt6Pk9ptqgZjApSwCfRHwT68TIIrfBzX5Jl6JawGXdE/pmQdzIpKLWutJX9BdixuK3 dEg5UDIWG8GC41lON9Ist+iD/fEydT5SZ0c9JGyjv3ArzJbqW9GX9L4shJ7ODsyF8FR3 RJbtROJ3z2YLeDw7UoqghirtDnhWaLX120PYm1FT5abaJBxaZZknC9F4Um67Xjgs0Ewy Rc6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+JFNUn7jw7XrbPRCSrUHiiAgppCfO2t4yElt5XDL04Q=; b=0gQwfCp1or8foG/rEaabjFl78TzHK+pLdSFheQaHdLGKNlmpfJtqKJLAqqHfEw+ECp YOlInC0ReTODRbwoh22VkGphnHKdc4TcnClIjHlGzbIfOzUGoS+G4yXqCEBSN7/ZOiB3 arjRK/VIxTMtJKTkmXU++OpuyXazWL/vqxYrIhs6MMe8dhuLWanaJ+ashUcug5naH2XY 9Mv7yVbpE8S+KnrtmndP6tkNSeT0/Q2iJBa/GukHxMtwyVqTQGN+z0FgMJXffJXv2ZE7 MkXEPdmfomvKCNdXuMIrgFeGzwM6m61RgJX2HG909qhtRLrl28clWg4Yd8PnZn5hPsfG dU7A== X-Gm-Message-State: AO0yUKUXT8sh7zkf6kLWHKuZdqYZNbxZ+L0CTEN2cUnKfHCd4WMm9C3O 1SEcmfbSQ0bZzzHqGBFsktYOXw== X-Google-Smtp-Source: AK7set/xGSag1fLoOp9DRLhykiGJTXM3xHC8HavU0BgIlPvd0BoyqCw5ivDdONyysoMRNXPdY5/4ZA== X-Received: by 2002:a17:902:d0d1:b0:19a:7548:da30 with SMTP id n17-20020a170902d0d100b0019a7548da30mr8231577pln.3.1676264056763; Sun, 12 Feb 2023 20:54:16 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:16 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 10/20] riscv mmu: write protect and shadow stack Date: Sun, 12 Feb 2023 20:53:39 -0800 Message-Id: <20230213045351.3945824-11-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205417_247822_42D86D2F X-CRM114-Status: GOOD ( 13.34 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org `fork` implements copy on write (COW) by making pages readonly in child and parent both. ptep_set_wrprotect and pte_wrprotect clears _PAGE_WRITE in PTE. Assumption is that page is readable and on fault copy on write happens. To implement COW on such pages, clearing up W bit makes them XWR = 000. This will result in wrong PTE setting which says no perms but V=1 and PFN field pointing to final page. Instead desired behavior is to turn it into a readable page, take an access (load/store) fault on sspush/sspop (shadow stack) and then perform COW on such pages. This way regular reads would still be allowed and not lead to COW maintaining current behavior of COW on non-shadow stack but writeable memory. On the other hand it doesn't interfere with existing COW for read-write memory. Assumption is always that _PAGE_READ must have been set and thus setting _PAGE_READ is harmless. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 74dbe122f2fa..13b325253c99 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -334,7 +334,7 @@ static inline int pte_special(pte_t pte) static inline pte_t pte_wrprotect(pte_t pte) { - return __pte(pte_val(pte) & ~(_PAGE_WRITE)); + return __pte((pte_val(pte) & ~(_PAGE_WRITE)) | (_PAGE_READ)); } /* static inline pte_t pte_mkread(pte_t pte) */ @@ -509,7 +509,15 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long address, pte_t *ptep) { - atomic_long_and(~(unsigned long)_PAGE_WRITE, (atomic_long_t *)ptep); + volatile pte_t read_pte = *ptep; + /* + * ptep_set_wrprotect can be called for shadow stack ranges too. + * shadow stack memory is XWR = 010 and thus clearing _PAGE_WRITE will lead to + * encoding 000b which is wrong encoding with V = 1. This should lead to page fault + * but we dont want this wrong configuration to be set in page tables. + */ + atomic_long_set((atomic_long_t *)ptep, + ((pte_val(read_pte) & ~(unsigned long)_PAGE_WRITE) | _PAGE_READ)); } #define __HAVE_ARCH_PTEP_CLEAR_YOUNG_FLUSH From patchwork Mon Feb 13 04:53:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137889 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7D91BC636CC for ; Mon, 13 Feb 2023 06:02:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=NF+nBjOTn5FJzMHnKU8jnzsjqnUDxzT7PH+Otgl+Rfw=; b=r7mUsVLw1ThY50 iY1UYbDGEDfyPOnoyq41+pkytvBVOiVKNvuPW9r19Pmvv1yvOe0U0i5Wpx6WlCMgVXzIfBUYYODRv QdhGfd6L/42jxss0fdKJI68LgiW4r2dtv4pnrqreQrIwRHka+uCcn5jxI88TQXAH97mZCQwdO8+7g YdN4rNMf36PIDRsOthWA7r3rdvL9LXu1jnxhzaVWtZ+wLXJ6uH9xBHMAf9ndVMdH7tMR7YVW0ORpb J+2zFhrhf80akfl8InceGdaASL/KZcfQWIKX3tjvIcfgZoTZOJQNS83lD8IcKvzcZtAzztTgc8lZX vHadR+r2jF9sPVwKq4nw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvG-00DHwQ-Hv; Mon, 13 Feb 2023 06:02:42 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvF-00DHvy-Gh for linux-riscv@bombadil.infradead.org; Mon, 13 Feb 2023 06:02:41 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description; bh=8YCem4BrJJv8uMiBliK+eUgJsgA757fo9l+siWv19bQ=; b=XOWSiB72pCNNb1lOnMX9Hyh2W5 WtUrutFIWHzrcncjXCCSqaAfctAC8NnddiQAqz+2oI1+crZ5fm9pjpJ3HTf/TmCj+vAxtsrUDRy35 EyV0DOLop1pMt5f9D9HW4vW+L7j2JLuwt4ftVquK2hY4g5/ZwrnIZoSvSP8YDO5JLVz3amEyNvb9G vITtdHI/9PKLNaeHcIgLGnB9KEamhS9OmirUxz4AhM5Ha0Wbm8VUoVuB0FeFp8UeDlDFxOtpJYsrm pTQQcxhrviPN/shZJGttgkdteEmo6so4av3TrlMQZGIi669cz6k+YXQWyf17evlWIhMDL5YZnnl3g h3cF0XGw==; Received: from mail-pj1-x102d.google.com ([2607:f8b0:4864:20::102d]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pRQqR-009BQg-0B for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:53:42 +0000 Received: by mail-pj1-x102d.google.com with SMTP id pj3so10786827pjb.1 for ; Sun, 12 Feb 2023 20:54:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=8YCem4BrJJv8uMiBliK+eUgJsgA757fo9l+siWv19bQ=; b=K5WRT8kvkrTRnxFXNxNWmZZe1eWQeiMi1qunE1LIKywvna8j3v5SzYl1jChj3QeZjI oNQVdHcccQpG2WuR1gzQg9kq/+0VuzgdVWD7JtRLTBXEFTOX1GEgMl7e5WBjD6OfQPdd 71LTAu0tFhni4ZSn88ImId4fpVYObX1bY6JW37HXCp7hvg9l286KFURTu9ooi1NBKqLt u26MG8kM25n8svLfFhRQp8B3l5+xVXSXRfyHCQXaBio+kKCjC+Q8QLGXOyPk+PiaEIGE UxpBMq4IRtaJ3U/MEkWjmDf10E4N70sMBA71dAXlsLakRYCt8pcisJr17siP90QETbWq 4NMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8YCem4BrJJv8uMiBliK+eUgJsgA757fo9l+siWv19bQ=; b=XGQ83wMPcUHXG2lS9YJXez+KQSkfdgaDKCoajOf2n4U8nRXsC8Op1Du7SUgj6dcftx 3rteMrI47AflqH1ylgGRljn0Bk1QTYOvIAI5HuuXvoeT41VqUAZa1I80rMcfqvVgj8E5 XjVj0K4ekMQv5C558aORl5MMOtORhnhAuUNhWixVv57suC6ic83QhJKAkIaXt81r8GAx ryQGRK5zDnw5AeWRM4n0rCC2oY+lLd/WVPaYMU3O36fh5Gtn4aSmGTgs28UpPYC6X4yo IMnA8id8vvbNeZDAPyUC3Lx6Pi8kkkWCHi7piDx/XMmioCpIL56nQLy89D9G0ndzdUVR ktwQ== X-Gm-Message-State: AO0yUKXEEnScZ4x63rLZFOtWAQWcKtUDNaNMAwg59dHd37nEEjx6gwaP ZhAciU+pTfbRQdESp702ayswbQ== X-Google-Smtp-Source: AK7set9FL/syEzV/2KBqufzNCOsrJUvHtlRk/LJL1zmvxtRWPEp1GVPCimz+TSI3kDQUud1c6m89VA== X-Received: by 2002:a17:902:e74c:b0:199:2a36:6c3f with SMTP id p12-20020a170902e74c00b001992a366c3fmr27035701plf.6.1676264058174; Sun, 12 Feb 2023 20:54:18 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:17 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Andrew Morton Cc: Deepak Gupta , linux-mm@kvack.org Subject: [PATCH v1 RFC Zisslpcfi 11/20] mmu: maybe_mkwrite updated to manufacture shadow stack PTEs Date: Sun, 12 Feb 2023 20:53:40 -0800 Message-Id: <20230213045351.3945824-12-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230213_045339_937650_542C83FF X-CRM114-Status: GOOD ( 13.89 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org maybe_mkwrite creates PTEs with WRITE encodings for underlying arch if VM_WRITE is turned on in vma->vm_flags. Shadow stack memory is a write- able memory except it can only be written by certain specific instructions. This patch allows maybe_mkwrite to create shadow stack PTEs if vma is shadow stack VMA. Each arch can define which combination of VMA flags means a shadow stack. Additionally pte_mkshdwstk must be provided by arch specific PTE construction headers to create shadow stack PTEs. (in arch specific pgtable.h). This patch provides dummy/stub pte_mkshdwstk if CONFIG_USER_SHADOW_STACK is not selected. Signed-off-by: Deepak Gupta --- include/linux/mm.h | 23 +++++++++++++++++++++-- include/linux/pgtable.h | 4 ++++ 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 8f857163ac89..a7705bc49bfe 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1093,6 +1093,21 @@ static inline unsigned long thp_size(struct page *page) void free_compound_page(struct page *page); #ifdef CONFIG_MMU + +#ifdef CONFIG_USER_SHADOW_STACK +bool arch_is_shadow_stack_vma(struct vm_area_struct *vma); +#endif + +static inline bool +is_shadow_stack_vma(struct vm_area_struct *vma) +{ +#ifdef CONFIG_USER_SHADOW_STACK + return arch_is_shadow_stack_vma(vma); +#else + return false; +#endif +} + /* * Do pte_mkwrite, but only if the vma says VM_WRITE. We do this when * servicing faults for write access. In the normal case, do always want @@ -1101,8 +1116,12 @@ void free_compound_page(struct page *page); */ static inline pte_t maybe_mkwrite(pte_t pte, struct vm_area_struct *vma) { - if (likely(vma->vm_flags & VM_WRITE)) - pte = pte_mkwrite(pte); + if (likely(vma->vm_flags & VM_WRITE)) { + if (unlikely(is_shadow_stack_vma(vma))) + pte = pte_mkshdwstk(pte); + else + pte = pte_mkwrite(pte); + } return pte; } diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index 1159b25b0542..94b157218c73 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1736,4 +1736,8 @@ pgprot_t vm_get_page_prot(unsigned long vm_flags) \ } \ EXPORT_SYMBOL(vm_get_page_prot); +#ifndef CONFIG_USER_SHADOW_STACK +#define pte_mkshdwstk(pte) pte +#endif + #endif /* _LINUX_PGTABLE_H */ From patchwork Mon Feb 13 04:53:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137869 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4C750C636D7 for ; Mon, 13 Feb 2023 04:54:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=OJyFPDYSErWSuGq/r+qx/W8Uo22NHyLfQJxSLwgcBQk=; b=Js3ytyJo8bFt41 xBaxMR2jwzlRDkAdZIOUSLuu5TjLuDLUSxoEravD1xbRGaNSrGx7zCOZiq+utSkK7V4rygW1E+bJb gg/Oaeqh/VG014GyjVeOafPaqgv/C+3F14KVuKN2nfrmmOVsbjJ3FoSXTlR9BzqhXHwjOC0b4wxJc V2RmjKnCqvK9r5zzR3xY8Cgn+MzzgY2+XEEaat/mcrddFr9vZzwe/I9s09YFhyB716WFEG70VtEvh 3n1dk9sdZHtaatoX68oWOD3dJYD8gUMaP1tiGTtDtTzUQ0p1wZFrRkmaRkJToVJmutToal5pG9sFW O+MllIa1MVeyXMKHvixA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrL-00D9bX-6X; Mon, 13 Feb 2023 04:54:35 +0000 Received: from mail-pj1-x1032.google.com ([2607:f8b0:4864:20::1032]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr7-00D9Q8-G7 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:23 +0000 Received: by mail-pj1-x1032.google.com with SMTP id nh19-20020a17090b365300b00233ceae8407so3451236pjb.3 for ; Sun, 12 Feb 2023 20:54:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=aAzQKFN9fphLzkQzVxdl+t+n6lDoHdhoPqbxrAYfAdc=; b=kZrZu0bYDptQxePaYYW5IiHENzLnR3Hl5Yn1XhJJL9GBA8lybF2jXV1FzNJJxICLkT a76RJFpXxug5ATjloRUOr8I8E6r1tLzdXjGJ0Qsl+Fq7DgOVfV1Tj2I18RmYVVGDny57 stTv0BaITP2dFVen5rv+DyWUSEmR4p/4j6Do5jXOkmSh2aCjXbc5cneDYp6VKgWxdYeR V/IITNgt28T1uNdrYT+/i9jvhEWnIFHLATtGzqhKDcK75PyIrKDukVVcIaz5/ofVGCtN JzG6CdfoohdOh1bR5skxW9jJEL8WNm6Yj/noVQmdJFlL81MDGK8ekdk5rZb7EPVZFOCh cRvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aAzQKFN9fphLzkQzVxdl+t+n6lDoHdhoPqbxrAYfAdc=; b=fug5rTRTJYABTaUjMWhZ+/W9p98AyxWz5jgFsaYNSAuklKEkii8BFa7hRu/8kHJe+4 PZ4O/1UY8OXGvRFfQvwn/BrxfpeBwwsizuyVQkjEucn9te9Oc5PDeWxN8LtJprMA016v i+mBe9sj4AdvFfkifmle0o+MCpiHNXp6nT9lz8pHRqvqmCLhoWNBUBrb/hb5C3thcdNd GCfzg9w5B18O+tRmGl7Xki1B4DG8anryIVmf6mRw0EDZrNyiqceDx0B9S/ifmeP/1z+o cdzM7hhSJIjB1fbEMl9ZCXnLDn9cU8bgOgCbE3/sRV5ctWDy0r+a/5Q7cPAM4H7AOms9 PCEg== X-Gm-Message-State: AO0yUKXhRqnQ/H/SieYwRCZSjh2iZTECvKtQpbBOHBf+j+WxS0un444m UrPOGMODc6M3z6ir8ApPlWUXiA== X-Google-Smtp-Source: AK7set+q3tR/PIwP9Bbjl2iUKClzuopM66yTbSa12i2bcSlheS/OuqnmDnzRqlEjdGKp/Rvp7uURng== X-Received: by 2002:a17:902:ec82:b0:198:f145:504f with SMTP id x2-20020a170902ec8200b00198f145504fmr29915899plg.30.1676264059867; Sun, 12 Feb 2023 20:54:19 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:19 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 12/20] riscv mm: manufacture shadow stack pte and is vma shadowstack Date: Sun, 12 Feb 2023 20:53:41 -0800 Message-Id: <20230213045351.3945824-13-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205421_604034_0BB3A8CF X-CRM114-Status: UNSURE ( 8.05 ) X-CRM114-Notice: Please train this message. X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org This patch implements creating shadow stack pte (on riscv) if CONFIG_USER_SHADOW_STACK is selected. Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Additionally this patch implements `arch_is_shadow_stack_vma`. Each arch can decide which combination of VMA flags are treated as shadow stack. riscv is choosing to following PTE encodings for VMA flags as well i.e. VM_WRITE only (no VM_READ or VM_EXEC) means its a shadow stack vma on riscv. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 8 ++++++++ arch/riscv/mm/pageattr.c | 7 +++++++ 2 files changed, 15 insertions(+) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 13b325253c99..11a423e78d52 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -344,6 +344,14 @@ static inline pte_t pte_mkwrite(pte_t pte) return __pte(pte_val(pte) | _PAGE_WRITE); } +#ifdef CONFIG_USER_SHADOW_STACK +static inline pte_t pte_mkshdwstk(pte_t pte) +{ + /* shadow stack on risc-v is XWR = 010. Clear everything and only set _PAGE_WRITE */ + return __pte((pte_val(pte) & ~(_PAGE_LEAF)) | _PAGE_WRITE); +} +#endif + /* static inline pte_t pte_mkexec(pte_t pte) */ static inline pte_t pte_mkdirty(pte_t pte) diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c index 86c56616e5de..582e17c4dc28 100644 --- a/arch/riscv/mm/pageattr.c +++ b/arch/riscv/mm/pageattr.c @@ -233,3 +233,10 @@ bool kernel_page_present(struct page *page) pte = pte_offset_kernel(pmd, addr); return pte_present(*pte); } + +#ifdef CONFIG_USER_SHADOW_STACK +bool arch_is_shadow_stack_vma(struct vm_area_struct *vma) +{ + return ((vma->vm_flags & (VM_WRITE | VM_READ | VM_EXEC)) == VM_WRITE); +} +#endif \ No newline at end of file From patchwork Mon Feb 13 04:53:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137870 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C95A9C64EC7 for ; Mon, 13 Feb 2023 04:54:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=2ebUDzgdtDve5sAUG96J5Ua4555U+cNCyu/aTSVa0XM=; b=vllEMGp/YG+cjD XZV+YAl+4oNBcEsoopWob/Qw1abmhsb37ObgvfYKdvdTUBYsoxT+VulVI7KJyrI6sRJXshA8Q8Zy5 InrP0tYVc3U8oUu/X8swE3vDrDQYcfrGxNX0uJ0DG6Ru35UofYbeaDTZb0oRpiQ9OOqyD5d2LM890 VTTDxOUP6QAoiAH53Vt2ixUH3jnC9haSs8QvuVS9MIX0z2D7pjSujc4CzFE9aLgwh7DKwgXpI4Lbj ZvP/GktlCWsifIVcm+mHl9VtxTuXEU+U/01CJbeRpHh7vAE7lYsPNRVxCMY+tlpcULl8S82xA7syN 5A1s3wBc75IlCgiiazkQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrP-00D9e8-7W; Mon, 13 Feb 2023 04:54:39 +0000 Received: from mail-pj1-x1035.google.com ([2607:f8b0:4864:20::1035]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr8-00D9RG-Gk for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:24 +0000 Received: by mail-pj1-x1035.google.com with SMTP id mg23so4213015pjb.0 for ; Sun, 12 Feb 2023 20:54:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Jzh1F9dWgL9z5qWHfkyPDeO9BiBZZOuMNa7E/NQMYRA=; b=hBAMguZTqz8mBO0i9eURw5EVnyTRjZI/TA0b+TvPmhimWAwoztTflfei++MGWOOhhp y9UQAG+6WEpmcozlhgFWPCfcNQEzazPzUc/BX/nwlV3/TfGY4oELgmwTzmcXbl8+8cLl YEyUj++v3tAMb1ug4pKO06rWe166GtjQy4/L6hNDTIxwdYO6Ph9pApQUVXelympLBY5P P2ApcmLSjc979qayu5Jclp/xPesWV0Ux6A2gskrj7yI7PMJAnA8Rupt6ysIl/wy30dGv MavO85rbflXHbv+JQi0NDSiLwIMFGmpAvYbubygtTeUtBxtynv9lE2AP/U0geTFdg9Iz T4Jw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Jzh1F9dWgL9z5qWHfkyPDeO9BiBZZOuMNa7E/NQMYRA=; b=ZvCdo+mxIysO24LAIuv6Q8lUy89KKrcbgudJsang1gvN3vGudPaf3LlzkN0ubea7G7 4kcz552T5hk4BEC4jmr/brDUrXLYiirnhrMpyHs413NXQqXmi5gOD3fbZ+uj6mPA+sgV 3vDVxQ7mnMot29hlO3EiAC2tMVhgRWtMFQ+WXgOpVQpQlyW/qXrwZjVHh3AvJTuwaa96 kiUxswIsp9BfEwMZ/tD9mOwxa0Vy4C/cnqfcb4rk1yULCvLbUpAxtXsS126VTmTmgOuU nydfWmeXAvzpEblFGjPT/lo93jKs0qDTHEHTwVuDYFVC4J7rnT/tsFX+VW8hRL89nyuF TxWg== X-Gm-Message-State: AO0yUKUifiGmNKsUeAEOIINViuNSmf/F+XQGs0DLtEBbKucYUGegaA5Q 4MfEOlR65FyeAgIUOnSfDNmS4g== X-Google-Smtp-Source: AK7set/ieVh7qhs04S/uXJn79ItEgAaNBhP4tICRnJOHZZuCn+oguG49FVAuZKnOk1MHnr6vz9IICA== X-Received: by 2002:a17:902:e40d:b0:19a:a2f3:e41c with SMTP id m13-20020a170902e40d00b0019aa2f3e41cmr1350325ple.35.1676264061243; Sun, 12 Feb 2023 20:54:21 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:20 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 13/20] riscv: illegal instruction handler for cfi violations Date: Sun, 12 Feb 2023 20:53:42 -0800 Message-Id: <20230213045351.3945824-14-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205423_199607_51BE2671 X-CRM114-Status: GOOD ( 15.01 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Zisslpcfi spec proposes that cfi violations are reported as illegal instruction exception. Following are the cases - elp missing: An indirect jmp/call landed on instruction which is not `lpcll` - label mismatch: Static label embedded in instr `lpcll/lpcml/lpcul` doesn't match with repsective label in CSR_LPLR - sscheckra: x1 and x5 don't match. Current changes run user code in audit mode. That means that any cfi violation is suppressed and app is allowed to continue. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/traps.c | 79 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 5553b8d48ba5..a292699f4f25 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -97,6 +97,10 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code, /* Zisslpcfi instructions encodings */ #define SS_PUSH_POP 0x81C04073 #define SS_AMOSWAP 0x82004073 +#define SS_CHECKRA 0x8A12C073 +#define LP_C_LL 0x83004073 +#define LP_C_ML 0x86804073 +#define LP_C_UL 0x8B804073 bool is_ss_load_store_insn(unsigned long insn) { @@ -112,6 +116,71 @@ bool is_ss_load_store_insn(unsigned long insn) return false; } +bool is_cfi_violation_insn(unsigned long insn) +{ + struct task_struct *task = current; + bool ss_exist = false, lp_exist = false; + + ss_exist = arch_supports_shadow_stack(); + lp_exist = arch_supports_indirect_br_lp_instr(); + + if (ss_exist && (insn == SS_CHECKRA)) { + pr_warn("cfi violation (sschkra): comm = %s, task = %p\n", task->comm, task); + return true; + } + if (lp_exist && ((insn & LP_C_LL) == LP_C_LL)) { + pr_warn("cfi violation (lpcll): comm = %s, task = %p\n", task->comm, task); + return true; + } + if (lp_exist && ((insn & LP_C_ML) == LP_C_ML)) { + pr_warn("cfi violation (lpcml): comm = %s, task = %p\n", task->comm, task); + return true; + } + if (lp_exist && ((insn & LP_C_UL) == LP_C_UL)) { + pr_warn("cfi violation (lpcul): comm = %s, task = %p\n", task->comm, task); + return true; + } + + return false; +} + +int handle_illegal_instruction(struct pt_regs *regs) +{ + /* stval should hold faulting opcode */ + unsigned long insn = csr_read(stval); + struct thread_info *info = NULL; + struct task_struct *task = current; + + info = current_thread_info(); + /* + * If CFI enabled then following instructions leads to illegal instruction fault + * -- sscheckra: x1 and x5 mismatch + * -- ELP = 1, Any instruction other than lpcll will fault + * -- lpcll will fault if lower label don't match with LPLR.LL + * -- lpcml will fault if lower label don't match with LPLR.ML + * -- lpcul will fault if lower label don't match with LPLR.UL + */ + + /* If fcfi enabled and ELP = 1, suppress ELP (audit mode) and resume */ + if (arch_supports_indirect_br_lp_instr() && +#ifdef CONFIG_USER_INDIRECT_BR_LP + info->user_cfi_state.ufcfi_en && +#endif + (regs->status & SR_ELP)) { + pr_warn("cfi violation (elp): comm = %s, task = %p\n", task->comm, task); + regs->status &= ~(SR_ELP); + return 0; + } + /* if faulting opcode is sscheckra/lpcll/lpcml/lpcll, advance PC and resume */ + if (is_cfi_violation_insn(insn)) { + /* no compressed form for zisslpcfi instructions */ + regs->epc += 4; + return 0; + } + + return 1; +} + ulong get_instruction(ulong epc) { ulong *epc_ptr = (ulong *) epc; @@ -190,8 +259,14 @@ DO_ERROR_INFO(do_trap_insn_misaligned, SIGBUS, BUS_ADRALN, "instruction address misaligned"); DO_ERROR_INFO(do_trap_insn_fault, SIGSEGV, SEGV_ACCERR, "instruction access fault"); -DO_ERROR_INFO(do_trap_insn_illegal, - SIGILL, ILL_ILLOPC, "illegal instruction"); + +asmlinkage void __trap_section do_trap_insn_illegal(struct pt_regs *regs) +{ + if (!handle_illegal_instruction(regs)) + return; + do_trap_error(regs, SIGILL, ILL_ILLOPC, regs->epc, + "illegal instruction"); +} #ifdef CONFIG_USER_SHADOW_STACK asmlinkage void __trap_section do_trap_load_fault(struct pt_regs *regs) { From patchwork Mon Feb 13 04:53:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137871 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4021AC6379F for ; Mon, 13 Feb 2023 04:54:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=QlCxHn6177rlstXzNOrSxzxV5JypmJM/BK0D9iuIDeY=; b=oUvsw9hdpv6yx2 KMuXwFsZZJdvXaGB8JxmJdIpVLfj2GcuToWlwAipjeb64pxUr//+bcOp3fhNy1Nn1aJLAT2gf2Rv5 YFbUwJsoOlQzmQs922jtlNkxH31vwEoUGhrFRzmLxDvC3lFBa6zIFN3GhuHDFC/oVQTdXB+QYuN9B LkypIOmEXYPM/dFMNQCqGrRrfY/5LkV8KHZL+ee/DNlGVPhsp+HQ27iH8IHc6VWyierk6fik/Lc6i JxgnDEqJlCBIyU+aIo75MZKKRtjB064psJ+N1RGbJk6EPTXxcz6EmgbxIlz9TgJ8SEP9OgK6Miwlv qsfRg/PdhfXC4sdy1P8Q==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrR-00D9gQ-VZ; Mon, 13 Feb 2023 04:54:42 +0000 Received: from mail-pl1-x633.google.com ([2607:f8b0:4864:20::633]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQr9-00D9HC-38 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:24 +0000 Received: by mail-pl1-x633.google.com with SMTP id o8so9930231pls.11 for ; Sun, 12 Feb 2023 20:54:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=C+FPHf6hRIJPFXwDXSpkdTEJ33J583V063C2UTppgJs=; b=PIc3jlcyk7tBVDiMhDV7vQZElpm10o3G2cwhqlaW4z2UIEx5lX08doq/7HmwkcA5/B mXA4mD3Qibw1ZZXxBKWGnAHzkaBgpiPxYs3SSCxrss438iFkUzY+I1LbmCO0Wy7Qv4zy OaGCmO23kCrbduaQZBVgTYiLM/xSzD/oJvobRKtEDu6wJbbzlkleuglQwO3UeTxWhlgA fAtMy+u3iW8kehvHhqtC3eqchwEPIk5+4Fgy7oyU8w/+z6lfr5E2IZ2FvGNy0muTuG8G kF9cuzHt65MD3IYO5Qezafy2tL+DHy52TBkbL+mYMz2pP3AJNcMSZFeiBzRu8l1mioSD 7LlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=C+FPHf6hRIJPFXwDXSpkdTEJ33J583V063C2UTppgJs=; b=hlt6IJEMzOH3ZxFoNz7Hw41dDHX2L/aMRy1GGkMHOU5ebclWXb2aFbca5RHaUR7vxF VCVZwEvvrh4gLkrCmiLY3liJ+3AlXUHvNY69ZhHKW/nU2JOXrQFYNBPHwN4pcH9+MN6I IVhDldHcZQt9HCOXXA4a5wbvV50EqignNBxsUdEjS+SCs0xO4Pxm+PIZaqJX7LvzMvax V/vjRfeC8fk0q2QSxwblNnma7tDdH1JF1jJjyqnUVwiFnG+5JQdZAwtK03LS2O2mhR/n moLuq7kJ6RV7t7fBMRFEqoNbLYHf4BEr7qXTKYGj49yIU2O/W7j7QLtCLQgK6Ljw6OxJ vEzQ== X-Gm-Message-State: AO0yUKXF4e6WaAwgXrm0uPHLV7gFKIeeY0jvVaoPopQk10d7b1XG/oVZ AFeH7wB+0B5MtBSZKKvsojBmtQ== X-Google-Smtp-Source: AK7set+VN154o5HYEXLyYzceYsxMjWF7xqCTBzBvD1DF80PZB4FAd3bVA3SAcm+ftMrJgNi5gBcRcA== X-Received: by 2002:a17:902:dad0:b0:199:1f42:8bed with SMTP id q16-20020a170902dad000b001991f428bedmr14338448plx.12.1676264062760; Sun, 12 Feb 2023 20:54:22 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:22 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 14/20] riscv: audit mode for cfi violations Date: Sun, 12 Feb 2023 20:53:43 -0800 Message-Id: <20230213045351.3945824-15-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205423_197536_28E2FFBB X-CRM114-Status: GOOD ( 12.06 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Adding an audit mode per task which suppresses cfi violations reported as illegal instruction exception. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 3 ++- arch/riscv/kernel/process.c | 2 ++ arch/riscv/kernel/traps.c | 7 ++++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index f065309927b1..39c36f739ebb 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -45,7 +45,8 @@ struct thread_struct { struct cfi_status { unsigned int ufcfi_en : 1; /* Enable for forward cfi. Note that ELP goes in sstatus */ unsigned int ubcfi_en : 1; /* Enable for backward cfi. */ - unsigned int rsvd1 : 30; + unsigned int audit_mode : 1; + unsigned int rsvd1 : 29; unsigned int lp_label; /* saved label value (25bit) */ long user_shdw_stk; /* Current user shadow stack pointer */ long shdw_stk_base; /* Base address of shadow stack */ diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index db676262e61e..bfd8511914d9 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -246,11 +246,13 @@ int arch_elf_setup_cfi_state(const struct arch_elf_state *state) info->user_cfi_state.user_shdw_stk = (shadow_stack_base + shadow_stk_size); info->user_cfi_state.shdw_stk_base = shadow_stack_base; + info->user_cfi_state.audit_mode = 1; } /* setup forward cfi state */ if (arch_supports_indirect_br_lp_instr() && (state->flags & RISCV_ELF_FCFI)) { info->user_cfi_state.ufcfi_en = 1; info->user_cfi_state.lp_label = 0; + info->user_cfi_state.audit_mode = 1; } return ret; diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index a292699f4f25..1901a8b73de5 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -165,6 +165,7 @@ int handle_illegal_instruction(struct pt_regs *regs) if (arch_supports_indirect_br_lp_instr() && #ifdef CONFIG_USER_INDIRECT_BR_LP info->user_cfi_state.ufcfi_en && + info->user_cfi_state.audit_mode && #endif (regs->status & SR_ELP)) { pr_warn("cfi violation (elp): comm = %s, task = %p\n", task->comm, task); @@ -172,7 +173,11 @@ int handle_illegal_instruction(struct pt_regs *regs) return 0; } /* if faulting opcode is sscheckra/lpcll/lpcml/lpcll, advance PC and resume */ - if (is_cfi_violation_insn(insn)) { + if (is_cfi_violation_insn(insn) +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + && info->user_cfi_state.audit_mode +#endif + ) { /* no compressed form for zisslpcfi instructions */ regs->epc += 4; return 0; From patchwork Mon Feb 13 04:53:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137874 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 095E8C636CC for ; Mon, 13 Feb 2023 04:55:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=9S8xoPa2wMEpP/R47NGrj69RdHQjj4MoF6JhrSgKl5g=; b=JaOOLbm/VLW06P taRkbY9dG8nPhufDDkC73a136MAItom5cP1MHU7bfUIOIUDRQyaJvZk/i5RsduLiC2il74dd7m/aV 2NJolzYe575H11hw7+M6EXs7FjfVCr8/or7LWgPKa4hnaIy9k2QxZXSvQmEnDIth3lXu5D56dmne3 bBohlAoo6fN7UvYc/2bp7xhi1r6rYPW9rW29f6msRzgoQan7p0d9BRz93FbfV/2b/QPA99I++WLO7 7Lv1m4tb7siGRLlnqJ6ZelQ5Ficdiq1Xe0GeQZQXgPMOTlcC9RPyQTL96FWktrXJEmFgDoFmRPNmS bVkj+JF7qcBrhuZK6lqQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQre-00D9q1-Gu; Mon, 13 Feb 2023 04:54:54 +0000 Received: from mail-pl1-x630.google.com ([2607:f8b0:4864:20::630]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrB-00D9U2-5v for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:28 +0000 Received: by mail-pl1-x630.google.com with SMTP id b5so12304509plz.5 for ; Sun, 12 Feb 2023 20:54:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NyKgXXAf6eIxCQNqJDUpc+Bj2CrwyhmFgAHD2REeyJQ=; b=EXvhS/VncGgKvwJ3Q0vZAYHmSdbk7Ij5M1B09iI7kQPmHIhtYw0rjfb6raSugnp38T RmNzvD40b33QG81EShtF2MT2OnlPOZTgPjpHaiOK24MRNbT55VmbG0wr5uOlczteExqe 7RyzXdUw1jdcb3u3wJdELeWUM43o7pNbFJcVOiNL1mEjeC1ZstyzXdFxHLminnErv+6t 5Gh0QI8ML2GvM2ZfYK5uGt1BPhOYeh2whz4oZIvrTreSdNvkkyj2I+Y//kj6Jiov3w3K Jk+yFBa6l72SXXXD2fakph5Hh2wqGj5Gb42T4I9/9BIeNQHqONbq+9UgRdavksLsUOeW yE7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NyKgXXAf6eIxCQNqJDUpc+Bj2CrwyhmFgAHD2REeyJQ=; b=M/FF7jLe3Vwx4ny1kLdLYX7BRAW8bm4AC3B3spfkTaPixtVgE9RYXBqV7rUV3mTCQJ GOFr3SDbznBK6yozLHxmDCXxDkBprwW59pZVskLxkLz2DKkB8yd+c1cLoGN6BtDvjPOX waXlpz4Fgea/pYnR6NXJbKBvHhihOXTJzlwZeJLFBA5fdmh7mYkZcxhGZctQFigNm7Tj BS977brrBOaNuW5+EaAjTxP957zucGqvGayOIgFCqSjfNx6ArxSOtsF7yJZJtt1EOHvo J3xId6Auqz4HLa7NCctJ+EaeOEL+durUps5yFgnVBN09IkrnbjUfbn29QwvPwAahQviv LPjw== X-Gm-Message-State: AO0yUKXC0Qd1r1VZdUXvJE+GunjpbPDMbGR7itYLTtOM7l0nACwKp5ER 17Na/A+j7pmuavTBWvfq2N6Ew8IY8phOqSyn X-Google-Smtp-Source: AK7set+NkvkqLLx1ODFEJuYixtO6pgsq1Kd5F2Cn+dnuIzgerTzZYBASHAeY5bJ7M/OE6P4BYW1Gjw== X-Received: by 2002:a17:903:1c2:b0:199:1d6f:3cab with SMTP id e2-20020a17090301c200b001991d6f3cabmr28540571plh.21.1676264064208; Sun, 12 Feb 2023 20:54:24 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:23 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 15/20] sslp prctl: arch-agnostic prctl for shadow stack and landing pad instr Date: Sun, 12 Feb 2023 20:53:44 -0800 Message-Id: <20230213045351.3945824-16-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205425_780604_20AD6090 X-CRM114-Status: GOOD ( 11.27 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Three architectures (x86, aarch64, riscv) have announced support for shadow stack and enforcing requirement of landing pad instructions on indirect call/jmp. This patch adds arch-agnostic prtcl support to enable /disable/get/set status of shadow stack and forward control (landing pad) flow cfi statuses. New prctls are - PR_GET_SHADOW_STACK_STATUS, PR_SET_SHADOW_STACK_STATUS - PR_GET_INDIRECT_BR_LP_STATUS, PR_SET_INDIRECT_BR_LP_STATUS Signed-off-by: Deepak Gupta Reviewed-by: Mark Brown --- include/uapi/linux/prctl.h | 26 +++++++++++++++++++++++++ kernel/sys.c | 40 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index a5e06dcbba13..0f401cb2d6d1 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h @@ -284,4 +284,30 @@ struct prctl_mm_map { #define PR_SET_VMA 0x53564d41 # define PR_SET_VMA_ANON_NAME 0 +/* + * get shadow stack status for current thread. Assumes shadow stack is min 4 byte aligned. + * Note shadow stack can be 8 byte aligned on 64bit. + * Lower 2 bits can give status of locked and enabled/disabled. + * size and address range can be obtained via /proc/maps. get_shadow_stack_status will + * return base of shadow stack. + */ +#define PR_GET_SHADOW_STACK_STATUS 65 +/* + * set shadow stack status for current thread (including enabling, disabling or locking) + * note that it will only set the status and setup of the shadow stack. Allocating shadow + * stack should be done separately using mmap. + */ +#define PR_SET_SHADOW_STACK_STATUS 66 +# define PR_SHADOW_STACK_LOCK (1UL << 0) +# define PR_SHADOW_STACK_ENABLE (1UL << 1) + +/* get status of requirement of a landing pad instruction for current thread */ +#define PR_GET_INDIRECT_BR_LP_STATUS 67 +/* + * set status of requirement of a landing pad instruction for current thread + * (including enabling, disabling or locking) + */ +#define PR_SET_INDIRECT_BR_LP_STATUS 68 +# define PR_INDIRECT_BR_LP_LOCK (1UL << 0) +# define PR_INDIRECT_BR_LP_ENABLE (1UL << 1) #endif /* _LINUX_PRCTL_H */ diff --git a/kernel/sys.c b/kernel/sys.c index 88b31f096fb2..da8c65d474df 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2284,6 +2284,26 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, return -EINVAL; } +int __weak arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_set_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_get_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_set_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + #define PR_IO_FLUSHER (PF_MEMALLOC_NOIO | PF_LOCAL_THROTTLE) #ifdef CONFIG_ANON_VMA_NAME @@ -2628,6 +2648,26 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, case PR_SET_VMA: error = prctl_set_vma(arg2, arg3, arg4, arg5); break; + case PR_GET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_get_shadow_stack_status(me, (unsigned long __user *) arg2); + break; + case PR_SET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_set_shadow_stack_status(me, (unsigned long __user *) arg2); + break; + case PR_GET_INDIRECT_BR_LP_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_get_indir_br_lp_status(me, (unsigned long __user *) arg2); + break; + case PR_SET_INDIRECT_BR_LP_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_set_indir_br_lp_status(me, (unsigned long __user *) arg2); + break; default: error = -EINVAL; break; From patchwork Mon Feb 13 04:53:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137875 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9E53CC6379F for ; Mon, 13 Feb 2023 04:55:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=VrnQLBrgAdR/11ZOmyCylVTmqltMpFWg0P1DdL/33cE=; b=pbWVWCWo17dDrx 9VgHKaRH8URWGhNTTVZS4MjdatrjFLLt0FLd9VUxzAePGObRFuDaDoERaTkzxpL+Ci5pUO0RPoIGm axvnJmt3I9Q6jJK2Qq2P11oXR4Xc4bjePALzrYP5Afx+1Q93WGgybKe++8gmDR0o+XybXu3u8Dx0O HX92yJvKJnZQ//D04BBNrnqqsGneUrBmSyDDrdzjXZv6sKwraUdMBYGQnrxnGTZ+LjWcHcgbDI+qw QPfmAd3hBUxH4aHaMoiZoZXVZbByAHsQC1wPCczziq/ZJ5dODl+4i9rW1NX/JUWffWsrbN+NU/wE9 GUmcjiuDaBATdkB2DhUw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrh-00D9sg-8U; Mon, 13 Feb 2023 04:54:58 +0000 Received: from mail-pj1-x1033.google.com ([2607:f8b0:4864:20::1033]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrC-00D9VR-Kp for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:35 +0000 Received: by mail-pj1-x1033.google.com with SMTP id d2so10743803pjd.5 for ; Sun, 12 Feb 2023 20:54:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9sWo6wCd+6s/qv8qKQzFAIRIpzM1RXjpCLCKpSqwk7c=; b=wt3q+VJD6Cp/b63Im6YhKcHv2i1AyapK9Tkrv/Lhww4i7czsTc+eUGnKJic8SCla3/ PZeWAHDzQcpwxfG87wj9siHJ53pcxmGJj0Al/qZsMz4b8wLG4BExSAIQ4Nh0yVWI8eA1 mdxKCUjoG1enCDnovmujulzh9ivudh8B7fewqOfdwU/ZGjXrEe0tnW65F6JP3I73DJ0O 2pC+POBx+yCDZm97cI3uisSvoGWjp5y005oxdW98wIerdHNjp+Fv0zqfuea3nWldQhEm 4GleUJiZnFqHyNc5rExalqnFx+zUnW254K9Y/BfKidu8I/uoOfcdaSt+6r9FSxD1x7yu usKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9sWo6wCd+6s/qv8qKQzFAIRIpzM1RXjpCLCKpSqwk7c=; b=sYzOO6P2xmSvTp6lAn0rH/j2P3yhgUthe5j3xEgU+xJiq6nxnhMFnym5U74u8tP4lt AdFGDh7EjzSz7YEGe5RnwKlqcml5SnC2uscII6+fTnkGHKs5axw5UQJmxo3O0LCI3oSZ TDQaEFH6vIF5N9M9AnK3ZYoFA6DqfbbZdF0stPcO6P9q+5xFtBGUrC94nC3svD2H7W3s tLYJhDLZ/LQoMnHr+cUXFrF5sy3F0u8k+S7hI4HL4JRwH+imVSK8wZ0/55D+sQlQM8rL gOoQaAfGX3o31t4l2zCDdYcPBrKGxr8xc4BQ1z3xpPhqL3fNQCycKOyWQjwUJEADCgJa H4qw== X-Gm-Message-State: AO0yUKW5aDKrwHC1YPLtyA8FHswMilP7EqeS4fO1J1mE14hGZn7wYKlY fv1L88aNK9R+o1b7IoGN/lPVlg== X-Google-Smtp-Source: AK7set/We3gZfKBWsBui9LQ+h2dQamScS+mnmA55bftJ1qX9qQdJsEmqonYKb0jOGqlzZmSqaU7JgA== X-Received: by 2002:a17:903:124b:b0:19a:9406:b234 with SMTP id u11-20020a170903124b00b0019a9406b234mr5720720plh.45.1676264065599; Sun, 12 Feb 2023 20:54:25 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:25 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 16/20] riscv: Implements sslp prctls Date: Sun, 12 Feb 2023 20:53:45 -0800 Message-Id: <20230213045351.3945824-17-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205433_292889_E34453AD X-CRM114-Status: GOOD ( 13.76 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org New prctls are PR_GET_SHADOW_STACK_STATUS/PR_SET_SHADOW_STACK_STATUS and PR_GET_INDIRECT_BR_LP_STATUS/PR_SET_INDIRECT_BR_LP_STATUS are implemented on riscv in this patch. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 4 +- arch/riscv/kernel/process.c | 88 +++++++++++++++++++++++++++++- 2 files changed, 90 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index 39c36f739ebb..c088584580b4 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -46,7 +46,9 @@ struct cfi_status { unsigned int ufcfi_en : 1; /* Enable for forward cfi. Note that ELP goes in sstatus */ unsigned int ubcfi_en : 1; /* Enable for backward cfi. */ unsigned int audit_mode : 1; - unsigned int rsvd1 : 29; + unsigned int ufcfi_locked : 1; + unsigned int ubcfi_locked : 1; + unsigned int rsvd1 : 27; unsigned int lp_label; /* saved label value (25bit) */ long user_shdw_stk; /* Current user shadow stack pointer */ long shdw_stk_base; /* Base address of shadow stack */ diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index bfd8511914d9..1218ed4fd29f 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -257,4 +257,90 @@ int arch_elf_setup_cfi_state(const struct arch_elf_state *state) return ret; } -#endif \ No newline at end of file +#endif + +#ifdef CONFIG_USER_SHADOW_STACK +int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long bcfi_status = 0; + struct thread_info *info = NULL; + + if (!arch_supports_shadow_stack()) + return -EINVAL; + + info = current_thread_info(); + bcfi_status |= info->user_cfi_state.ubcfi_locked ? (1UL << 0) : 0; + bcfi_status |= info->user_cfi_state.ubcfi_en ? ((1UL << 1) | + (info->user_cfi_state.user_shdw_stk)) : 0; + + return copy_to_user(status, &bcfi_status, sizeof(bcfi_status)) ? -EFAULT : 0; +} + +int arch_set_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long bcfi_status = 0; + struct thread_info *info = NULL; + unsigned long shdw_stk = 0; + + if (!arch_supports_shadow_stack()) + return -EINVAL; + + info = current_thread_info(); + /* bcfi status is locked and further can't be modified by user */ + if (info->user_cfi_state.ubcfi_locked) + return -EINVAL; + + if (copy_from_user(&bcfi_status, status, sizeof(bcfi_status))) + return -EFAULT; + /* clear two least significant bits. Always assume min 4 byte alignment */ + shdw_stk = (long) (bcfi_status & (~3)); + + if (shdw_stk >= TASK_SIZE) + return -EINVAL; + + info->user_cfi_state.ubcfi_en = (bcfi_status & (1UL << 1)) ? 1 : 0; + info->user_cfi_state.ubcfi_locked = (bcfi_status & (1UL << 0)) ? 1 : 0; + info->user_cfi_state.user_shdw_stk = (long) shdw_stk; + + return 0; +} +#endif + +#ifdef CONFIG_USER_INDIRECT_BR_LP +int arch_get_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long fcfi_status = 0; + struct thread_info *info = NULL; + + if (!arch_supports_indirect_br_lp_instr()) + return -EINVAL; + + info = current_thread_info(); + fcfi_status |= info->user_cfi_state.ufcfi_locked ? (1UL << 0) : 0; + fcfi_status |= info->user_cfi_state.ufcfi_en ? (1UL << 1) : 0; + + return copy_to_user(status, &fcfi_status, sizeof(fcfi_status)) ? -EFAULT : 0; +} + +int arch_set_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long fcfi_status = 0; + struct thread_info *info = NULL; + + if (!arch_supports_indirect_br_lp_instr()) + return -EINVAL; + + info = current_thread_info(); + /* bcfi status is locked and further can't be modified by user */ + if (info->user_cfi_state.ufcfi_locked) + return -EINVAL; + + if (copy_from_user(&fcfi_status, status, sizeof(fcfi_status))) + return -EFAULT; + + info->user_cfi_state.ufcfi_en = (fcfi_status & (1UL << 1)) ? 1 : 0; + info->user_cfi_state.ufcfi_locked = (fcfi_status & (1UL << 0)) ? 1 : 0; + + return 0; +} +#endif From patchwork Mon Feb 13 04:53:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137876 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 309B7C636CC for ; Mon, 13 Feb 2023 04:55:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=wyq2FQBTrRXSejXSYmM5vMl/iah006NRZ3Qe8EVsIe0=; b=XazGJ9OH+S4ZFU XQpcvOileosWH1k+nT0z5olqOm1TNbc3zCmFzhZp+0zhqLd8We78R75Oc2ZrwOfkxzS3oyac4bL3u CVPTjEg9QwEi+bqCmL2S8D0tu3qv9V/tXYeRYs9NoV/ltyY9OZsBwzfTjdg9xv+tlenR0KKeobIz/ CDQs+VCjVXWMjuzdYCUS98yD9u4qMDN5BF4we7+dQl/KvDzai2f4StvYDwYKFC9BnL1r7X/i51lyi nE/Xo3mvhsGJ1+Q6LIKiUWS2FqKhlRGW1IXosxOqAnulsRtEyAiB3vTucAgKr2ssSU6af5sobnT3U CkNh1Cr93HLQH4x0xMzQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrm-00D9xh-TX; Mon, 13 Feb 2023 04:55:03 +0000 Received: from mail-pj1-x1033.google.com ([2607:f8b0:4864:20::1033]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRQrD-00D9WH-Fg for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:54:35 +0000 Received: by mail-pj1-x1033.google.com with SMTP id v6-20020a17090ad58600b00229eec90a7fso13050167pju.0 for ; Sun, 12 Feb 2023 20:54:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=3kFxia6anvFekuQwjCC0QPCBdBTnfubmGffGfTpNbSM=; b=Afh0xW9utFfUPrEQU4hWTDRSLlXwhIpd8cKrKCCTb090OxZcC7+dw1lGI4WLigSRcR SlTrKyg46yjgyducZFlnzNgMFLW5ERNIE51qDZs52oKKqKeicOr0GQ+2vSpH+tMZHU2f xYrN3xaSDbe059vhC8YmE0Mo0lm4LvpwwnWJlS9G0hlCENclXKagmo2zWcBcb/mdENgY 1gAOJIewodgaQQlqmUK6bvaKGXX2/aGrqMFG9OmQDkZFfYSfsjHFpOrGmHNtyqkqNXHp spSkkxoNxWE3KUzm1/n3/sYW083aXMKfQdw4fAAEkBpyepXmSDGgPYoR/nS0jY3uaDuw o80A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3kFxia6anvFekuQwjCC0QPCBdBTnfubmGffGfTpNbSM=; b=8Fi25o32s7XJ1dGNYFA+v8gQhOp7r0I+3Oes8rmFb7nZSPURQmC/xUZJa0+ihRtVBR yZPA1WmfGx+KIQz3j0UageECEPfZiVJQAOOlD0q+xkk1GyytN5MaN4rG2yY2Qe0INnJZ /n0cMQAC9UilLMBSNoIIXbh1WHfN1qBv/2tle1eThG+pmC+BQCumEXDWvAke8Q7kHHj/ XOT62BPOZY8Nia6y6ApDjAO+hnnzVkyvRtfYaCPGwKtRUaUYzA2cMvYdRgw82fixjd73 a/4JnmQEuWarz7dfQkcMK9PALwLLRuMTqRu+ktGVc5GAF8KxIyZOxd3ts5UysNpoxe9O itvg== X-Gm-Message-State: AO0yUKWor5ZrhExVNyvJMN1AtyaFBnvvpTglObY6t35BuM8npf7ZgdPK fllxLksfNmrWzKrrVQyN64kH5A== X-Google-Smtp-Source: AK7set9VuKBu8EY+mqmdMSQsVnXb77Y1JO5W24ZyHIbOWCePXvCVZrSZJKZ86C/lIOIyZdIFSrBmVw== X-Received: by 2002:a17:902:f64f:b0:198:adc4:229f with SMTP id m15-20020a170902f64f00b00198adc4229fmr16162307plg.26.1676264066962; Sun, 12 Feb 2023 20:54:26 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:26 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 17/20] riscv ucontext: adding shadow stack pointer field in ucontext Date: Sun, 12 Feb 2023 20:53:46 -0800 Message-Id: <20230213045351.3945824-18-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230212_205433_269158_B39C64A5 X-CRM114-Status: GOOD ( 14.31 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Shadow stack needs to be saved and restored on signal delivery and signal return. ucontext structure on riscv has existing large padding for possible future extension of uc_sigmask. This patch steals XLEN/8 bytes from padding to keep structure size and offset of existing member fields same. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ucontext.h | 32 +++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/arch/riscv/include/uapi/asm/ucontext.h b/arch/riscv/include/uapi/asm/ucontext.h index 516bd0bb0da5..72303e5618a1 100644 --- a/arch/riscv/include/uapi/asm/ucontext.h +++ b/arch/riscv/include/uapi/asm/ucontext.h @@ -21,9 +21,12 @@ struct ucontext { * at the end of this structure and explicitly state it can be * expanded, so we didn't want to box ourselves in here. */ - __u8 __unused[1024 / 8 - sizeof(sigset_t)]; - /* - * We can't put uc_sigmask at the end of this structure because we need + __u8 __unused[1024 / 8 - sizeof(sigset_t) +#ifdef CONFIG_USER_SHADOW_STACK + - sizeof(unsigned long) +#endif + ]; + /* We can't put uc_sigmask at the end of this structure because we need * to be able to expand sigcontext in the future. For example, the * vector ISA extension will almost certainly add ISA state. We want * to ensure all user-visible ISA state can be saved and restored via a @@ -31,7 +34,30 @@ struct ucontext { * infinite extensibility. Since we know this will be extended and we * assume sigset_t won't be extended an extreme amount, we're * prioritizing this. + */ + + /* + * Zisslpcfi will need state in ucontext to save and restore across + * makecontext/setcontext. Such one state is shadow stack pointer. We may need + * to save label (of the target function) as well (but that's to be decided). + * Stealing 8 (64bit) / 4 (32bit) bytes from padding (__unused) reserved + * for expanding sigset_t. We could've expanded the size of ucontext. But + * shadow stack is something which by default would be enabled via ELF. + * ucontext expansion makes more sense for situations like vector where + * app is willingly opting in to get special functionality. Opt-in allows + * for enlightening in ucontext restore. Second reason is shadow stack + * doesn't need a lot of state and only shadow stack pointer. Tax on + * ecosystem due to a small size change (8 bytes) of ucontext is more than + * simply keeping the size same and shoving the ss pointer in here. Please + * note that shadow stack pointer is pointing to a shadow stack address. + * Shadow stack address has shadow stack restore token using which shadow + * stack should be restored. + * Please note that we're keeping uc_ss_ptr at that this location so that + * every other offsets are same and thus works for compatibility. */ +#ifdef CONFIG_USER_SHADOW_STACK + unsigned long uc_ss_ptr; +#endif struct sigcontext uc_mcontext; }; From patchwork Mon Feb 13 04:53:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137890 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 02C71C636CC for ; Mon, 13 Feb 2023 06:02:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=i+lT0KHUrvYU/sCDU0DAsDoBm3meKPSgnTAAtDWXSiU=; b=GrbtGp2vqtFwrl g7Pav4H+SdjFtIa3AOM9qTDs2tCoC2E4nZ2IF1aNgKz3/7PBKdcj/ZdhQjt1+1OQvcHcR+Uid33hv waBiZnhX9arVlKg+Lks4IEYlRjGv+wWrVgmxm5T3/efd3/mZd66QLgjEnPNLNziZFvPW8QSV1SH1A U79zZa+g6h1HKTD0MHHP4dz6022NRqnMt2BF/QGPdsSWNJBZDeTFzhKFxB6Ns03zghb5PbcPrI1vP /KptTI+RRmMOGVKVXyNAoWMhlTUNPgfnH34ORMTeKVK/3IipIavgZ5BiJdoU7IiIkcjOGG1EZ1/MD Hp7hpVxVAzABoXwDZJLQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvP-00DHyy-8a; Mon, 13 Feb 2023 06:02:51 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvN-00DHy7-GK for linux-riscv@bombadil.infradead.org; Mon, 13 Feb 2023 06:02:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description; bh=Zsprz/VkYP6JnZQvaX4OtVPneKai8SEDj1BTi+BhY/U=; b=L288A+gHpkeUWAMrh7om4kX6R6 kEyjNsJkw/FvyUT9MIX4/JaneXW3y8OqcYgm535w3NSHZMe9fJABSCmypuU4M0QqGVoG7svDLSUrS sQSsklTXjaLAUN4Gi8enhcBZN3mvStLvv475sp/onlIWF6gMN74uyVFtcmJF1LXy8k8GZtHvXz1oD JtzF2T5cXX1XG4Ij5jzumy6o+LCcaQNN+pObOmmUMBMvsO19pmMcZKykEIKoIAst+lDk48bn32Nj7 qgY5cD3By/PfhAl+bEEsobRqZhqepylfsBWjAnscMXlXki2BcaumVqybLHVEevcAd7uziMnXvvC5Z Ipyenl5g==; Received: from mail-pl1-x633.google.com ([2607:f8b0:4864:20::633]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pRQqb-009BSY-2Z for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:53:53 +0000 Received: by mail-pl1-x633.google.com with SMTP id be8so12299695plb.7 for ; Sun, 12 Feb 2023 20:54:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Zsprz/VkYP6JnZQvaX4OtVPneKai8SEDj1BTi+BhY/U=; b=7eSn2qdyORPNxiUoyovTXFhpXsZHqi8gnCLRE8GgSFK5tj4/mM+NE2BEscg9ShWtpB PzxBxeovnUU8KeQiZs+IWnuGNyAcMW1KXbhp2VQESntSd2LWuz+pzNCUJWIPxB0JU5Ab EesW3hY9NeyIHHfTNOmY/6BwGaMaUJiMo3GIx05W9NZJ0qvDJ0bluOBnu//KNpG2uyou 4SOQKrmR4F5ng8nIZLAVUY7neQXbZCIE2lfTveTDHH94wb4oRM14reOmS/4svizRqEPL rwqB8M6hauOSNhA0VumODFAY0bMXd/4v8bTFTh5K1IeqLZXyl0c6K01GuPfSNRRgUsul zsOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Zsprz/VkYP6JnZQvaX4OtVPneKai8SEDj1BTi+BhY/U=; b=gvx208lm3wM0tMrJmoXc5N+Xka42bbFevrGmJTAhHqYjwz6EUFeECzcoc/y1OLuFph 5eGY8r73NK2VxVS/ux31tCV8WGsb/FwRKsNSIyD15qASNpedQ2ITCgitmUMLdnn/wVtK RnlP6/jXyv0xYvgVF4230LdAdZop//rPAgSdamEV84l7b4jvH+4FR5H2K5njisrZmvO4 meJWRqWWEn7vwfCDaRos8IWv0hw08KqbowBcpdMLS9IkPF7udzeqSuZq2qkSTz2+Nn91 zE4isdD+ilPO4dqbu2plMZ/xE9erYryNVhKNT8rxuv/BHfNGPZdkEa34Kdc5lSHqD8Y/ iU1g== X-Gm-Message-State: AO0yUKVB54fPNgD6RO10UZBy6FL/TJAdGQGB49OVjnBH8RYt7GbI7se9 Zi1SryCxwl/28TH2kKzxqlBp9A== X-Google-Smtp-Source: AK7set/p0rkBQR17h7qM1KcTLnHTByuWpmwwvmpl6P367bUJpgMQejcCNRaERuAYYCD3D7dwaqjSJg== X-Received: by 2002:a17:902:e545:b0:199:60:b9c8 with SMTP id n5-20020a170902e54500b001990060b9c8mr29757848plf.45.1676264068264; Sun, 12 Feb 2023 20:54:28 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:27 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 18/20] riscv signal: Save and restore of shadow stack for signal Date: Sun, 12 Feb 2023 20:53:47 -0800 Message-Id: <20230213045351.3945824-19-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230213_045350_965526_D3498D12 X-CRM114-Status: GOOD ( 12.28 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Save shadow stack pointer in ucontext structure while delivering signal. Restore shadow stack pointer from ucontext on sigreturn. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/signal.c | 45 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c index bfb2afa4135f..b963bbce5879 100644 --- a/arch/riscv/kernel/signal.c +++ b/arch/riscv/kernel/signal.c @@ -103,6 +103,7 @@ SYSCALL_DEFINE0(rt_sigreturn) struct pt_regs *regs = current_pt_regs(); struct rt_sigframe __user *frame; struct task_struct *task; + struct thread_info *info = NULL; sigset_t set; /* Always make any pending restarted system calls return -EINTR */ @@ -124,6 +125,27 @@ SYSCALL_DEFINE0(rt_sigreturn) if (restore_altstack(&frame->uc.uc_stack)) goto badframe; +#if defined(CONFIG_USER_SHADOW_STACK) + /* + * TODO: Restore shadow stack as a form of token stored on shadow stack itself as a safe + * way to restore. + * A token on shadow gives following properties + * - Safe save and restore for shadow stack switching. Any save of shadow stack + * must have had saved a token on shadow stack. Similarly any restore of shadow + * stack must check the token before restore. Since writing to shadow stack with + * address of shadow stack itself is not easily allowed. A restore without a save + * is quite difficult for an attacker to perform. + * - A natural break. A token in shadow stack provides a natural break in shadow stack + * So a single linear range can be bucketed into different shadow stack segments. + * Any sspop; sscheckra will detect the condition and fault to kernel. + */ + info = current_thread_info(); + if (info->user_cfi_state.ubcfi_en && + __copy_from_user(&info->user_cfi_state.user_shdw_stk, &frame->uc.uc_ss_ptr, + sizeof(unsigned long))) + goto badframe; +#endif + regs->cause = -1UL; return regs->a0; @@ -180,6 +202,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { struct rt_sigframe __user *frame; + struct thread_info *info = NULL; long err = 0; frame = get_sigframe(ksig, regs, sizeof(*frame)); @@ -191,6 +214,23 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, /* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); err |= __put_user(NULL, &frame->uc.uc_link); +#if defined(CONFIG_USER_SHADOW_STACK) + /* + * TODO: Save a pointer to shadow stack itself on shadow stack as a form of token. + * A token on shadow gives following properties + * - Safe save and restore for shadow stack switching. Any save of shadow stack + * must have had saved a token on shadow stack. Similarly any restore of shadow + * stack must check the token before restore. Since writing to shadow stack with + * address of shadow stack itself is not easily allowed. A restore without a save + * is quite difficult for an attacker to perform. + * - A natural break. A token in shadow stack provides a natural break in shadow stack + * So a single linear range can be bucketed into different shadow stack segments. Any + * sspop; sscheckra will detect the condition and fault to kernel. + */ + info = current_thread_info(); + if (info->user_cfi_state.ubcfi_en) + err |= __put_user(info->user_cfi_state.user_shdw_stk, &frame->uc.uc_ss_ptr); +#endif err |= __save_altstack(&frame->uc.uc_stack, regs->sp); err |= setup_sigcontext(frame, regs); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); @@ -201,6 +241,11 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, #ifdef CONFIG_MMU regs->ra = (unsigned long)VDSO_SYMBOL( current->mm->context.vdso, rt_sigreturn); +#if defined(CONFIG_USER_SHADOW_STACK) + /* if bcfi is enabled x1 (ra) and x5 (t0) must match */ + if (info->user_cfi_state.ubcfi_en) + regs->t0 = regs->ra; +#endif #else /* * For the nommu case we don't have a VDSO. Instead we push two From patchwork Mon Feb 13 04:53:48 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137891 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7B027C636D4 for ; Mon, 13 Feb 2023 06:03:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=soy6mO7UjopDjPlFDST7QPt7Wk1UFbZmO8ZsNyKscgU=; b=s/llqqc2Znzz72 vJOjE2OcXj8/DBtmcbQsjyADl+WnivMPFYzyJJswds8gqg52aNBOOYY3IkvsC+SrzL9B0PW55jfKd kC4RHH7xQaI2TYB7YD55EPF/mG3AW+RhBd2IWgE0L1eEx+TW3vNyaaSdBqOFbGH+3zdiqYKCNBrJG fO39AKerwDsAhZDGy9J78KQV6nPhniS2WP8sGxVbDBz7y7k2lEUTNlAmCUQgaP4SNfek6deqxn8m1 S7LXoy+d5LeeXpO+DRRwwe/pExmhITxmKe9y9MJzBXEjK/FC43yApT/AAa6LdqXCLomUYT/odshRw gKobsZ9KTiPBy0vYySxw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvY-00DI1z-1f; Mon, 13 Feb 2023 06:03:00 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvW-00DI0s-Fp for linux-riscv@bombadil.infradead.org; Mon, 13 Feb 2023 06:02:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description; bh=H5RDh/4h33AXRCvzLgyL6r/ZYBcOU/v7pv8PufXaHhU=; b=FY0NlIDyLXlkIE/Hh3zueS7SjI HkImrRSvWWFoISqERkHiqgscUvWiwEHDmUDInvAD4G/Iknb/2lDAVoYENP0qUGyy5bRJWOUNL8B3+ evsUeeKYhCfW1Rla3fJYKLvUZ0tvdMWxhCioqo07/NNn1BnyEPYnwWKruhg3i3PPHkdkp+eg8Rcur eXWrri/nw2YCWxAGOC/Ze1vKEvrrVm3L4OmsQ8DGKuV839TJdYCh7v9RluvnKSLXlSObtDD6sEQ38 rGoxGu1i53fnCX7h2H2nBwRnXLpUVgczlI7cthp5i3E4cEAaoVb1xdu3P8k0qI+ayXFfUyat1yJ+B r9w3fwpw==; Received: from mail-pj1-x1036.google.com ([2607:f8b0:4864:20::1036]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pRQqc-009BSp-18 for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:53:54 +0000 Received: by mail-pj1-x1036.google.com with SMTP id bg2so1476509pjb.4 for ; Sun, 12 Feb 2023 20:54:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=H5RDh/4h33AXRCvzLgyL6r/ZYBcOU/v7pv8PufXaHhU=; b=wq1vjGt5Dk5GTt2uM2o1fsU4IewccIkdZiTiZ7Q6QROKj7XotzLnQnbGMt7mkKvcxn Uxr0y6xeaOCw0m3jmFx4LdilZxIzFkNBZUysklHVUGRQgJUL2fG/YYfw9ujVUppzfGLO K2+9aqLeM3PSle+L5sFQoNf3ArhkOzkMUImcbHjhQmj01b4KtjSLsZc0o27pdRVwgFoD gmJsi6NkemAEVMiZjtqLPqgGgv2Z5vh743ofDqsf+8HUhJwOQVi30lbfExMhXxuLElj8 xHOnKu08Ovp/uV/YddPhlNoEHhLPdW6MlLGLla9JQ4zUjud10AC/I0X8tPdayr8dpskh va1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=H5RDh/4h33AXRCvzLgyL6r/ZYBcOU/v7pv8PufXaHhU=; b=futoW7ahwfC4tNOjWERpJLiuqaOFOr/d7ORLNtx6OAfdrxTDvZJOE1Skk6bujsAGTJ KEgt0u3cTvMS/gtm8qYR8ceyUX3nRY8BaZxgt815R16s7xyXKo4KPUQxRggVTd7DlxYn ytf29BjEUK7jTLpBU33KP+IwKNbVQwzkd37M48Sg09ytYq+q9G291k0jgAz2/MoUMybM dNPyBT7qdHTKFYdeVA0vVRl69fJAAEfxw9YSPhaimD+bo34VcflgF81a6IPCrCdM2OGj Z9rpw6eI1c9kycBw+43Qob02A3gfJqwihXGw/p+w9MJQb7OGd585jH/vKg5P6I9k/tQw 1UsQ== X-Gm-Message-State: AO0yUKVZALGOfHsA7V9gF7cIZ6ImdNySqzxWp0ffZL/Z2LoIrB/HfFbi EI5mbpP/6M6OyK5eer4/vkvvDA== X-Google-Smtp-Source: AK7set/buAEv0Dcf3oki/D1OsCxjOnHbCXwSRzLrgXj1477fOT32uLPajUBPeIjkACO2s7SI5kT0TA== X-Received: by 2002:a17:902:f20b:b0:199:aae:7569 with SMTP id m11-20020a170902f20b00b001990aae7569mr17492690plc.28.1676264069586; Sun, 12 Feb 2023 20:54:29 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:29 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 19/20] config: adding two new config for control flow integrity Date: Sun, 12 Feb 2023 20:53:48 -0800 Message-Id: <20230213045351.3945824-20-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230213_045351_127668_B58D403D X-CRM114-Status: GOOD ( 11.43 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org To maintain control flow integrity of a program, integrity of indirect control transfers has to be maintained. Almost in all architectures there are two mechanisms for indirect control transfer - Indirect call relying on a memory operand. - Returns which pop an address from stack and return to caller. Control transfers relying on memory operands are inherently susceptible to memory corruption bugs and thus allowing attackers to perform code re-use attacks which eventually is used to inject attacker's payload. All major architectures (x86, aarch64 and riscv) have introduced hardware assistance in form of architectural extensions to protect returns (using alternate shadow/control stack) and forward control flow (by enforcing all indirect control transfers land on a landing pad instruction) This patch introduces two new CONFIGs - CONFIG_USER_SHADOW_STACK Config to enable kernel support for user mode shadow stacks - CONFIG_USER_INDIRECT_BR_LP Config to enable kernel support for enforcing landing pad instruction on target of an indirect control transfer. Signed-off-by: Deepak Gupta --- init/Kconfig | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/init/Kconfig b/init/Kconfig index 44e90b28a30f..8867ea4b074f 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -121,6 +121,25 @@ config THREAD_INFO_IN_TASK One subtle change that will be needed is to use try_get_task_stack() and put_task_stack() in save_thread_stack_tsk() and get_wchan(). +config USER_SHADOW_STACK + bool + help + Select this to enable kernel to support user mode shadow stack. Most + major architectures now support hardware assisted shadow stack. This + allows to enable non-arch specifics related to shadow stack in kernel. + Arch specific configuration options may also need to be enabled. + +config USER_INDIRECT_BR_LP + bool + help + Select this to allow user mode apps to opt-in to force requirement for + a landing pad instruction on indirect jumps or indirect calls in user mode. + Most major architectures now support hardware assistance for landing pad + instruction on indirect call or a jump. This config option allows non-arch + specifics related to landing pad instruction to be enabled separately from + arch specific implementations. Arch specific configuration options may also + need to be enabled. + menu "General setup" config BROKEN From patchwork Mon Feb 13 04:53:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13137892 X-Patchwork-Delegate: palmer@dabbelt.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1F2C9C636CC for ; Mon, 13 Feb 2023 06:03:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=cVQa6T2lr/5Qn8/XvmkJMHUhOKQwBVpTSqchwBBbFdA=; b=m8XCq7f6jeomNY tNIwq5pwUdAL/1v2YR14pvUI9Yc+6bkbYcv42IqWOSiW0NY4UOkGj/qegzvJjhNAkcL7JKCrGpi1r ygKE2D4IiBQAwVSFW/zBp8m69A5AXbvH3sHb5DliK9q6vTFYMBOe7UYbqa9Ha+XK8nXjDzR9D7n05 PS1AXlu1nzk7PlyNIYBI+anO1qoIDPokdMB6vD9S+KCcf/aL2PEsqxVddNRac7UJOTuQFyXj+Aozr lZPb+aDJxYdZEZGzF8ZSLo7Po61b6yWEMxAWRGLSeUpfvBIz3tK/llh7yXz2pJ+WvdDAGjyyhwhBu YGIvidNPTis2NhXMp6WQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRva-00DI3L-Ji; Mon, 13 Feb 2023 06:03:02 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pRRvX-00DI0s-F4 for linux-riscv@bombadil.infradead.org; Mon, 13 Feb 2023 06:02:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description; bh=w7d4Qtypw6ksd0rXUCdfOWzkU5LDKwcQ9sGuN3ONcAw=; b=k5Jk8JhzYzbnok1c4Zb7WJfAt1 gsGvQQvq91MNDmmxJDVRKoQVzlRLgMehHk/iBMxm0hM2ooLBetQE0XF/F5IWOclBI0aMvXoP8gjgr +dVa2cr38T5BVqRd1QgjISorSUVh0Ma+zkVoGx8Xw19+as+E7rRQZzmiNxkp6OFpPgINNMuQ9XOoy 56EvWtZjFxmdhNnpeXQDeX2IqpO9ARYjgOzQBDKlXETu55VHVzNEmpndrKZjg75pJtqniFYj2VSrm Jf2E4jXNgkz4CF9LZTC6D1Hns+mxJc22MKHdCTonmPEKytOH6TZ9FyRIgRRhrg6Kd0dXbMdEEqQSu 6WSE12yA==; Received: from mail-pj1-x1034.google.com ([2607:f8b0:4864:20::1034]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pRQqc-009BQe-0J for linux-riscv@lists.infradead.org; Mon, 13 Feb 2023 04:53:52 +0000 Received: by mail-pj1-x1034.google.com with SMTP id bx22so10759987pjb.3 for ; Sun, 12 Feb 2023 20:54:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=w7d4Qtypw6ksd0rXUCdfOWzkU5LDKwcQ9sGuN3ONcAw=; b=31KnFLQ1jXjMLjTchl1w4moDo9CD9TiKyNs+4OObUXS/bu6U2VBl4731Df6PD7Y9/g 2XNYNTjZyG7bXyvHEUioI3gERdD7LvSkrCK98xrIHVYmvA5asSACcG8DzwHY9Elw91gc KrYDDfbQ0WGQKLe3OQqMCXoSdQognrXbgKTQeLFi2du2ewZSoi8M3yoq4iVIAUO0iC8j c+HEm7ay6XzwKJD0dg054Mp6qh6jGMCArVxGFrAxDUUDqIrGtX7IhEKyTa8tCMlq6uPJ YpP8FzRMvT6ihcXz/hH1cCXAqlBEJCSPIWcmpziCZgstPBhZ07n1DnUYd6pvHpmuIT8C lNMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=w7d4Qtypw6ksd0rXUCdfOWzkU5LDKwcQ9sGuN3ONcAw=; b=JOqvR9VykCk1Nwy0Z2/ygusWrX9csBvacep3zHR3iqF0c2JaXhmdrJ5lfHdC8p/KFS MhwODG71ZFMhuJWKBxautiEx1fUSSX6f4qQ//Gt6GsEmFY0rMMRnknCERNREACNTPfjk m8ZYlamuNgku/nByUzy3mu4zw4eXENh9+SK9i9VXz4i9EGdFIXSQ9mn580VPdgzSkx9w d7I1eyQ28LsTogpzboT1LW/iSWDvoSK8urASQlLi41+amHAkVGUpfkXDN9J3R8j3+e08 otsTa0nMpiu0tsEZ2FWew6QEXfUn90odwEUISn1vx35RurGyQ3VnixEDf+cqeVDU1rKM EIdg== X-Gm-Message-State: AO0yUKVaf8jZAqing/HZw96ZjVoUnCncZmM8jenxzah/F2ylsDWERvD8 mf0F/BsHJSBt/kkeF4hOW4rhi/QuUZG5KaaN X-Google-Smtp-Source: AK7set/LsQt20km3cdR/Kp4fADKzzPOahuIH182d8bTSETTWkRIjfVk2zOeUnxJfWQP4yrfUrjZ6+g== X-Received: by 2002:a17:902:e843:b0:199:2a89:f912 with SMTP id t3-20020a170902e84300b001992a89f912mr27069676plg.20.1676264070858; Sun, 12 Feb 2023 20:54:30 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:30 -0800 (PST) From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 20/20] riscv: select config for shadow stack and landing pad instr support Date: Sun, 12 Feb 2023 20:53:49 -0800 Message-Id: <20230213045351.3945824-21-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230213_045350_629167_6C2E0982 X-CRM114-Status: UNSURE ( 7.38 ) X-CRM114-Notice: Please train this message. X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org This patch selects config shadow stack support and landing pad instr support. Since shadow stack support and landing instr support relies on ELF header, this change also selects ARCH_USE_GNU_PROPERTY and ARCH_BINFMT_ELF_STATE. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index e2b656043abf..9a39ada1d9d0 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -132,6 +132,10 @@ config RISCV select SYSCTL_EXCEPTION_TRACE select THREAD_INFO_IN_TASK select TRACE_IRQFLAGS_SUPPORT + select USER_SHADOW_STACK + select USER_INDIRECT_BR_LP + select ARCH_USE_GNU_PROPERTY + select ARCH_BINFMT_ELF_STATE select UACCESS_MEMCPY if !MMU select ZONE_DMA32 if 64BIT select HAVE_DYNAMIC_FTRACE if !XIP_KERNEL && MMU && $(cc-option,-fpatchable-function-entry=8)