| Message ID | 20220929222936.14584-15-rick.p.edgecombe@intel.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Shadowstacks for userspace | expand |
On Thu, Sep 29, 2022 at 03:29:11PM -0700, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > A shadow stack PTE must be read-only and have _PAGE_DIRTY set. However, > read-only and Dirty PTEs also exist for copy-on-write (COW) pages. These > two cases are handled differently for page faults. Introduce > VM_SHADOW_STACK to track shadow stack VMAs. > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Cc: Kees Cook <keescook@chromium.org> > --- > Documentation/filesystems/proc.rst | 1 + > arch/x86/mm/mmap.c | 2 ++ > fs/proc/task_mmu.c | 3 +++ > include/linux/mm.h | 8 ++++++++ > 4 files changed, 14 insertions(+) > > diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst > index e7aafc82be99..d54ff397947a 100644 > --- a/Documentation/filesystems/proc.rst > +++ b/Documentation/filesystems/proc.rst > @@ -560,6 +560,7 @@ encoded manner. The codes are the following: > mt arm64 MTE allocation tags are enabled > um userfaultfd missing tracking > uw userfaultfd wr-protect tracking > + ss shadow stack page > == ======================================= > > Note that there is no guarantee that every flag and associated mnemonic will > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c > index c90c20904a60..f3f52c5e2fd6 100644 > --- a/arch/x86/mm/mmap.c > +++ b/arch/x86/mm/mmap.c > @@ -165,6 +165,8 @@ unsigned long get_mmap_base(int is_legacy) > > const char *arch_vma_name(struct vm_area_struct *vma) > { > + if (vma->vm_flags & VM_SHADOW_STACK) > + return "[shadow stack]"; > return NULL; > } > But why here? CONFIG_ARCH_HAS_SHADOW_STACK implies that there will be more than one arch that supports shadow stack. The name has to come from generic code too, no?
On Thu, Sep 29, 2022 at 03:29:11PM -0700, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > A shadow stack PTE must be read-only and have _PAGE_DIRTY set. However, > read-only and Dirty PTEs also exist for copy-on-write (COW) pages. These > two cases are handled differently for page faults. Introduce > VM_SHADOW_STACK to track shadow stack VMAs. > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Cc: Kees Cook <keescook@chromium.org> > --- > Documentation/filesystems/proc.rst | 1 + > arch/x86/mm/mmap.c | 2 ++ > fs/proc/task_mmu.c | 3 +++ > include/linux/mm.h | 8 ++++++++ > 4 files changed, 14 insertions(+) > > diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst > index e7aafc82be99..d54ff397947a 100644 > --- a/Documentation/filesystems/proc.rst > +++ b/Documentation/filesystems/proc.rst > @@ -560,6 +560,7 @@ encoded manner. The codes are the following: > mt arm64 MTE allocation tags are enabled > um userfaultfd missing tracking > uw userfaultfd wr-protect tracking > + ss shadow stack page > == ======================================= > > Note that there is no guarantee that every flag and associated mnemonic will > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c > index c90c20904a60..f3f52c5e2fd6 100644 > --- a/arch/x86/mm/mmap.c > +++ b/arch/x86/mm/mmap.c > @@ -165,6 +165,8 @@ unsigned long get_mmap_base(int is_legacy) > > const char *arch_vma_name(struct vm_area_struct *vma) > { > + if (vma->vm_flags & VM_SHADOW_STACK) > + return "[shadow stack]"; > return NULL; > } I agree with Kirill: this should be in the arch-agnostic code.
On Mon, 2022-10-03 at 20:47 +0300, Kirill A . Shutemov wrote: > > @@ -165,6 +165,8 @@ unsigned long get_mmap_base(int is_legacy) > > > > const char *arch_vma_name(struct vm_area_struct *vma) > > { > > + if (vma->vm_flags & VM_SHADOW_STACK) > > + return "[shadow stack]"; > > return NULL; > > } > > > > But why here? > > CONFIG_ARCH_HAS_SHADOW_STACK implies that there will be more than one > arch > that supports shadow stack. The name has to come from generic code > too, no? I'm not aware of any other arch that will, so I wonder if I should just remove ARCH_HAS_SHADOW_STACK actually.
diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst index e7aafc82be99..d54ff397947a 100644 --- a/Documentation/filesystems/proc.rst +++ b/Documentation/filesystems/proc.rst @@ -560,6 +560,7 @@ encoded manner. The codes are the following: mt arm64 MTE allocation tags are enabled um userfaultfd missing tracking uw userfaultfd wr-protect tracking + ss shadow stack page == ======================================= Note that there is no guarantee that every flag and associated mnemonic will diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c index c90c20904a60..f3f52c5e2fd6 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -165,6 +165,8 @@ unsigned long get_mmap_base(int is_legacy) const char *arch_vma_name(struct vm_area_struct *vma) { + if (vma->vm_flags & VM_SHADOW_STACK) + return "[shadow stack]"; return NULL; } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 4e0023643f8b..a20899392c8d 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -700,6 +700,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma) #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR [ilog2(VM_UFFD_MINOR)] = "ui", #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ +#ifdef CONFIG_ARCH_HAS_SHADOW_STACK + [ilog2(VM_SHADOW_STACK)] = "ss", +#endif }; size_t i; diff --git a/include/linux/mm.h b/include/linux/mm.h index be80fc827212..8cd413c5a329 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -314,11 +314,13 @@ extern unsigned int kobjsize(const void *objp); #define VM_HIGH_ARCH_BIT_2 34 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_BIT_3 35 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_BIT_4 36 /* bit only usable on 64-bit architectures */ +#define VM_HIGH_ARCH_BIT_5 37 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_0 BIT(VM_HIGH_ARCH_BIT_0) #define VM_HIGH_ARCH_1 BIT(VM_HIGH_ARCH_BIT_1) #define VM_HIGH_ARCH_2 BIT(VM_HIGH_ARCH_BIT_2) #define VM_HIGH_ARCH_3 BIT(VM_HIGH_ARCH_BIT_3) #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) +#define VM_HIGH_ARCH_5 BIT(VM_HIGH_ARCH_BIT_5) #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ #ifdef CONFIG_ARCH_HAS_PKEYS @@ -334,6 +336,12 @@ extern unsigned int kobjsize(const void *objp); #endif #endif /* CONFIG_ARCH_HAS_PKEYS */ +#ifdef CONFIG_X86_SHADOW_STACK +# define VM_SHADOW_STACK VM_HIGH_ARCH_5 +#else +# define VM_SHADOW_STACK VM_NONE +#endif + #if defined(CONFIG_X86) # define VM_PAT VM_ARCH_1 /* PAT reserves whole VMA at once (x86) */ #elif defined(CONFIG_PPC)