From patchwork Thu Aug 29 08:22:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alice Ryhl X-Patchwork-Id: 13782727 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 792A1C6FD35 for ; Thu, 29 Aug 2024 08:24:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type:Cc:To:From: Subject:Message-ID:Mime-Version:Date:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=9RdvbeG3hnzyWF9MND8CckF4Y5Hzjn0WZIgh7L/jyIU=; b=lgmlC1vNWSL3U6dj/KzbpkpMBe kZCps8pYLrIYFZf1FTvi7sSkLdo2Pz+eM1N6lu8MeHmArFyU2hIjg2FpQx4WsdjeyMSPKlJXO9w1D G8WuR7D0G9/m/UeO3WErvZxTMfvUe/Ihg4gjVZ23nz1D79W97oGTPHNWxwBso4SReeYiryusaLN1z nzh39ZvMj/5q8qJBrOPEPd54Lj85dPBHANr8OdRz9q9WgSC21/qR3lzwOzQl7++DRIJoAHxqBFSxU fMdE1sSsbSe3QuvoP6ThfVcrLIJICsSR/xLHeB0duAFwuwL+5+GQa9p/parkFWvPkrj98XmfitA7l rxZwhgkw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1sjaRx-000000017gK-2Dul; Thu, 29 Aug 2024 08:24:13 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1sjaR6-000000017X8-1Nfm for linux-arm-kernel@lists.infradead.org; Thu, 29 Aug 2024 08:23:22 +0000 Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-e03b3f48c65so852634276.0 for ; Thu, 29 Aug 2024 01:23:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1724919798; x=1725524598; darn=lists.infradead.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=9RdvbeG3hnzyWF9MND8CckF4Y5Hzjn0WZIgh7L/jyIU=; b=pO6Hb02GYk5ULpQJsZcky5BzVLLvx1nX19e/F8HEBEgV9ZjrjAoAFOfK2VQJkUj34Q FciQqJCymGD3HSJMwKB8+5t8zZEOTQRo8nXe6zaP1GTfJ+CkCpOAAr120rLGa1Gi0fic HnDydxcOwbYZ0A1F+qbxvA3SS4XdCzE3tYAa31OHuAe5KGvLQDXE6/l4fval2sb2WdA2 asFAQFum8xpt0krCnNgCWPduqgU78FjmPLVqcolUUNb6zDeoBCTY+dOUlkscZ54gSyfM P9Vm6JnsW2dUKUQ++00v0OEGJIL25ktNndjH/zOOF8IzmNz9kS9zM7odLV2cqnVwFT9Y KMUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724919798; x=1725524598; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=9RdvbeG3hnzyWF9MND8CckF4Y5Hzjn0WZIgh7L/jyIU=; b=S58CaH/JUHvAyZx048LY6jBei1NDo6+Z0i5BgofuEtxqzT5q+BdnuztenpFZEbOaIa OzO7L4e6H20Jrsi/OQUhuRcGBLd10eVH6D+tWWPk7/+c5dd+g+Kkzub4iyKt9jhNW2v7 HmxAPy971x+n1yB4MW6zDXNE09DXg5eDPtcOMbCqqijIwf+2SRSXK2CPcaaRVq6auHz+ jdPbeYIWHsgw4vuK2Mmu4ApdKOHEXIJbpbq/GilDi5M1bJ2GN+X+LPeVO9Dobplv8Llw yLy+3o1hFbwRzC8JdOf7631IkPGZA7j75/4UVj9Y+MEtggtr1q7YFutC/s+f+ZC9lcVn Bkgg== X-Forwarded-Encrypted: i=1; AJvYcCXHZq8ynRFxuEZv1iSDoD0Y0SbxBZjygEi3ZEb++/Lj84P4qIsI4mAj5lNSgr7A0SBXA+eirNEFTDzt7NljXR2X@lists.infradead.org X-Gm-Message-State: AOJu0YwCitpyHMkn3posctQ3pxL7oqVjTTO/9JSGKaLdoKoCv2hI7xn3 udcrbO7rDClnTfbLhvbCJfMOKGcnXwu0/GhdnHN1eCRu8rgx/W1pLKkOdv0smmmS7TvGHrmQ/ZL 9viGNxkeY9TL0pA== X-Google-Smtp-Source: AGHT+IFokD/yVvPfvQHwIqtYzdfKDhst22uRMPQK2UkcQgpj0CXoQ3GfhlgIXYvGU9+Xsj5TZTk5fiV0WBwvs3w= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:28:9cb1:c0a8:35bd]) (user=aliceryhl job=sendgmr) by 2002:a25:c54f:0:b0:e11:5f9f:f069 with SMTP id 3f1490d57ef6-e1a5adf5550mr10086276.8.1724919798172; Thu, 29 Aug 2024 01:23:18 -0700 (PDT) Date: Thu, 29 Aug 2024 08:22:45 +0000 Mime-Version: 1.0 X-B4-Tracking: v=1; b=H4sIANUv0GYC/33PTW7DIBAF4KtErEvFzwAmq94j6mIMYxvVDZWJn FaR716STVzZ6vKNNN+bubFCU6LCjocbm2hOJeVzDe7lwMKA5554ijUzJRQILYCXAWO+8oDjyMs Fwwf3QXqHoK2MntW9r4m69P0wT+81D6lc8vTzqJjlffqfNksueSeMIexAoApvfc79SK8hf7I7N 6s1YfYIVYngWkDdQbTSbgj9JNz+FZoLHqUMDi21pMWGgBWh/B4BlVBoLbSiUYSwIcyTaITdI0x 9RNkYQtsoL82WsCtC7RK2EuANOtLUCur+EMuy/ALYkZ/hAgIAAA== X-Developer-Key: i=aliceryhl@google.com; a=openpgp; fpr=49F6C1FAA74960F43A5B86A1EE7A392FDE96209F X-Developer-Signature: v=1; a=openpgp-sha256; l=7498; i=aliceryhl@google.com; h=from:subject:message-id; bh=VLdwL20LiNzTUaWtt93FFxTZ648rvn76IDWLN5/vv4Q=; b=owEBbQKS/ZANAwAKAQRYvu5YxjlGAcsmYgBm0C/g26QBldwF4R1q5+2D0JMs4Ht23FBu5pV6l uyQHbWnFZGJAjMEAAEKAB0WIQSDkqKUTWQHCvFIvbIEWL7uWMY5RgUCZtAv4AAKCRAEWL7uWMY5 RlULEACXdQc0K9R587GDlUGJswtbNuo3QR+1aYblBU+3AtdqidLh+s8iLwdgJBfj3406ogldHQA Nx+FfEa0P0zLSDzKyvlqTuHP1LC0N9OsB91bdYBUGvZxxQwLWhXd8ZFnflmHrCZuiPpzEwfSYWG RnIFUctqaLrWG2l1hgX/vPPgamUrwtTx3lJGEwvpKjhIddol6WStWONtUyVHDZvSBgQZq2uKd2v Y6lRRlEY45oMxj5xOu5LcfOZ4WQWCaKKkSZ/W+RyxLhf2WUzYTrBH0XqfXtB80Q6nRxFkyWjzUB k4/4YRxL8b07XYi0x7yjXx37fUmQf0kiUBSrnzzUA616le7RTI4g7Esz2rWYVMew35/j5dPue3R 9p/mk+UVbOysEcOCvaWp5Jsf3qhesQMmHWlOgaSKf21ByeGxVilaUDt401PmClMAvuVqe4Psh6K Hm6hpkKmtoCyKilxgqPHG2OY9LU1+YsFEZiBh+6AY4BvAKwK3n8YdhjwyM8JEZ4XhojHj0WQVp2 DYffxzTOac0CYc+LqsAGdUJ/6nlL/ndyyT/PXariyjX0/pqgcDWF4yT/qTivSAHy8XlhH9tEqMm mYf0MDOIaoFh86FhXUGZ9I2SN6PCrB1xChyw19cMSZw6zTPY8l+3aNalTpi6B1/PtqRmMFB7L4I lXuvSdLH+/IJPrw== X-Mailer: b4 0.13.0 Message-ID: <20240829-shadow-call-stack-v7-1-2f62a4432abf@google.com> Subject: [PATCH v7] rust: support for shadow call stack sanitizer From: Alice Ryhl To: Catalin Marinas , Will Deacon , Ard Biesheuvel , Jamie Cunliffe , Sami Tolvanen , Nathan Chancellor , Conor Dooley , Kees Cook Cc: Masahiro Yamada , Nicolas Schier , Marc Zyngier , Mark Rutland , Mark Brown , Nick Desaulniers , Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , " =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= " , Benno Lossin , Andreas Hindborg , Valentin Obst , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, rust-for-linux@vger.kernel.org, Kees Cook , Alice Ryhl X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240829_012320_399982_F7C03A2D X-CRM114-Status: GOOD ( 26.86 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add all of the flags that are needed to support the shadow call stack (SCS) sanitizer with Rust, and updates Kconfig to allow only configurations that work. The -Zfixed-x18 flag is required to use SCS on arm64, and requires rustc version 1.80.0 or greater. This restriction is reflected in Kconfig. When CONFIG_DYNAMIC_SCS is enabled, the build will be configured to include unwind tables in the build artifacts. Dynamic SCS uses the unwind tables at boot to find all places that need to be patched. The -Cforce-unwind-tables=y flag ensures that unwind tables are available for Rust code. In non-dynamic mode, the -Zsanitizer=shadow-call-stack flag is what enables the SCS sanitizer. Using this flag requires rustc version 1.82.0 or greater on the targets used by Rust in the kernel. This restriction is reflected in Kconfig. It is possible to avoid the requirement of rustc 1.80.0 by using -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However, this flag emits a warning during the build, so this patch does not add support for using it and instead requires 1.80.0 or greater. The dependency is placed on `select HAVE_RUST` to avoid a situation where enabling Rust silently turns off the sanitizer. Instead, turning on the sanitizer results in Rust being disabled. We generally do not want changes to CONFIG_RUST to result in any mitigations being changed or turned off. At the time of writing, rustc 1.82.0 only exists via the nightly release channel. There is a chance that the -Zsanitizer=shadow-call-stack flag will end up needing 1.83.0 instead, but I think it is small. Reviewed-by: Sami Tolvanen Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Acked-by: Will Deacon Signed-off-by: Alice Ryhl --- This patch depends on RUSTC_VERSION: https://lore.kernel.org/rust-for-linux/20240808221138.873750-1-ojeda@kernel.org/ --- Changes in v7: - Add comment to `config RUSTC_SUPPORTS_[ARM64|RISCV]` - Pick up tags from reviewers. - Link to v6: https://lore.kernel.org/r/20240826-shadow-call-stack-v6-1-495a7e3eb0ef@google.com Changes in v6: - Move Kconfig requirements into arch/*/Kconfig. - List non-dynamic SCS as supported on 1.82. This reflects newly added things in rustc. - Link to v5: https://lore.kernel.org/r/20240806-shadow-call-stack-v5-1-26dccb829154@google.com Changes in v5: - Rebase series on v6.11-rc2. - The first patch is no longer included as it was merged in v6.11-rc2. - The commit message is rewritten from scratch. - Link to v4: https://lore.kernel.org/r/20240729-shadow-call-stack-v4-0-2a664b082ea4@google.com Changes in v4: - Move `depends on` to CONFIG_RUST. - Rewrite commit messages to include more context. - Link to v3: https://lore.kernel.org/r/20240704-shadow-call-stack-v3-0-d11c7a6ebe30@google.com Changes in v3: - Use -Zfixed-x18. - Add logic to reject unsupported rustc versions. - Also include a fix to be backported. - Link to v2: https://lore.kernel.org/rust-for-linux/20240305-shadow-call-stack-v2-1-c7b4a3f4d616@google.com/ Changes in v2: - Add -Cforce-unwind-tables flag. - Link to v1: https://lore.kernel.org/rust-for-linux/20240304-shadow-call-stack-v1-1-f055eaf40a2c@google.com/ --- Makefile | 1 + arch/arm64/Kconfig | 14 +++++++++++++- arch/arm64/Makefile | 3 +++ arch/riscv/Kconfig | 9 ++++++++- init/Kconfig | 1 - 5 files changed, 25 insertions(+), 3 deletions(-) --- base-commit: 12f2c9d5c2bef419700514ca627e3a5c27f380d9 change-id: 20240304-shadow-call-stack-9c197a4361d9 Best regards, diff --git a/Makefile b/Makefile index 68ebd6d6b444..2b384a72ff39 100644 --- a/Makefile +++ b/Makefile @@ -927,6 +927,7 @@ ifdef CONFIG_SHADOW_CALL_STACK ifndef CONFIG_DYNAMIC_SCS CC_FLAGS_SCS := -fsanitize=shadow-call-stack KBUILD_CFLAGS += $(CC_FLAGS_SCS) +KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack endif export CC_FLAGS_SCS endif diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a2f8ff354ca6..827497df6fa3 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -231,7 +231,7 @@ config ARM64 select HAVE_FUNCTION_ARG_ACCESS_API select MMU_GATHER_RCU_TABLE_FREE select HAVE_RSEQ - select HAVE_RUST if CPU_LITTLE_ENDIAN + select HAVE_RUST if RUSTC_SUPPORTS_ARM64 select HAVE_STACKPROTECTOR select HAVE_SYSCALL_TRACEPOINTS select HAVE_KPROBES @@ -265,6 +265,18 @@ config ARM64 help ARM 64-bit (AArch64) Linux support. +config RUSTC_SUPPORTS_ARM64 + def_bool y + depends on CPU_LITTLE_ENDIAN + # Shadow call stack is only supported on certain rustc versions. + # + # When using the UNWIND_PATCH_PAC_INTO_SCS option, rustc version 1.80+ is + # required due to use of the -Zfixed-x18 flag. + # + # Otherwise, rustc version 1.82+ is required due to use of the + # -Zsanitizer=shadow-call-stack flag. + depends on !SHADOW_CALL_STACK || RUSTC_VERSION >= 108200 || RUSTC_VERSION >= 108000 && UNWIND_PATCH_PAC_INTO_SCS + config CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS def_bool CC_IS_CLANG # https://github.com/ClangBuiltLinux/linux/issues/1507 diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index f6bc3da1ef11..b058c4803efb 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -57,9 +57,11 @@ KBUILD_AFLAGS += $(call cc-option,-mabi=lp64) ifneq ($(CONFIG_UNWIND_TABLES),y) KBUILD_CFLAGS += -fno-asynchronous-unwind-tables -fno-unwind-tables KBUILD_AFLAGS += -fno-asynchronous-unwind-tables -fno-unwind-tables +KBUILD_RUSTFLAGS += -Cforce-unwind-tables=n else KBUILD_CFLAGS += -fasynchronous-unwind-tables KBUILD_AFLAGS += -fasynchronous-unwind-tables +KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n endif ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y) @@ -114,6 +116,7 @@ endif ifeq ($(CONFIG_SHADOW_CALL_STACK), y) KBUILD_CFLAGS += -ffixed-x18 +KBUILD_RUSTFLAGS += -Zfixed-x18 endif ifeq ($(CONFIG_CPU_BIG_ENDIAN), y) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 0f3cd7c3a436..7ffdb3bdfd3f 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -172,7 +172,7 @@ config RISCV select HAVE_REGS_AND_STACK_ACCESS_API select HAVE_RETHOOK if !XIP_KERNEL select HAVE_RSEQ - select HAVE_RUST if 64BIT + select HAVE_RUST if RUSTC_SUPPORTS_RISCV select HAVE_SAMPLE_FTRACE_DIRECT select HAVE_SAMPLE_FTRACE_DIRECT_MULTI select HAVE_STACKPROTECTOR @@ -202,6 +202,13 @@ config RISCV select UACCESS_MEMCPY if !MMU select ZONE_DMA32 if 64BIT +config RUSTC_SUPPORTS_RISCV + def_bool y + depends on 64BIT + # Shadow call stack requires rustc version 1.82+ due to use of the + # -Zsanitizer=shadow-call-stack flag. + depends on !SHADOW_CALL_STACK || RUSTC_VERSION >= 108200 + config CLANG_SUPPORTS_DYNAMIC_FTRACE def_bool CC_IS_CLANG # https://github.com/ClangBuiltLinux/linux/issues/1817 diff --git a/init/Kconfig b/init/Kconfig index 38c1cfcce821..2d3d5caee1e0 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1909,7 +1909,6 @@ config RUST depends on !MODVERSIONS depends on !GCC_PLUGIN_RANDSTRUCT depends on !RANDSTRUCT - depends on !SHADOW_CALL_STACK depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE help Enables Rust support in the kernel.