From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, will@kernel.org, mark.rutland@arm.com, maz@kernel.org, Ard Biesheuvel
Subject: [PATCH v4 0/3] arm64: dynamic shadow call stack support
Date: Fri, 1 Jul 2022 17:27:21 +0200
Message-Id: <20220701152724.3343599-1-ardb@kernel.org>

Generic kernel images such as Android's GKI usually enable all available
security features, which are typically implemented in such a way that they
only take effect if the underlying hardware can support it, but don't
interfere with correct and efficient operation otherwise.

For shadow call stack support, which is always supported by the hardware,
it means it will be enabled even if pointer authentication is also
supported, and enabled for signing return addresses stored on the stack.
The additional security provided by shadow call stack is only marginal in
this case, whereas the performance overhead is not.

Given that return address signing is based on PACIASP/AUTIASP instructions
that implicitly operate on the return address register (X30) and are not
idempotent (i.e., each needs to be emitted exactly once before the return
address is stored on the ordinary stack and after it has been retrieved
from it), we can convert these instructions 1:1 into shadow call stack
pushes and pops involving the register X30. As this is something that can
be done at runtime rather than build time, we can do this conditionally
based on whether or not return address signing is supported on the
underlying hardware.

In order to be able to unwind call stacks that involve return address
signing, whether or not the return address is currently signed is tracked
by DWARF CFI directives in the unwinding metadata.
This means we can use this information to locate all PACIASP/AUTIASP
instructions in the binary, instead of having to use brute force and go
over all instructions in the entire program.

This series implements this approach for Clang, which has recently been
fixed to emit all these CFI directives correctly. This series is based on
an older PoC sent out last year [0] that targeted GCC only (due to this
issue). This v3 targets Clang only, as GCC has its own issues with CFI
accuracy.

Changes since v3 [1]:
- rebase onto arm64/for-next/core
- fix init value of dynamic_scs_enabled static key
- don't discard .eh_frame sections (to work around a bug in an older Clang
  version) if we are keeping them for dynamic SCS patching,
- print a diagnostic if dynamic SCS patching is enabled,
- apply build fix suggested by Sami and add his ack to patch #2

Changes since v2 [2]:
- don't enable unwind table generation for nVHE code - it cannot be patched
  anyway so it has no use for it;
- drop checks for ID reg overrides
- fix some remaining TODOs regarding augmentation data and the code
  alignment factor
- disable PAC for leaf functions when dynamic SCS is configured, so that we
  don't end up with SCS pushes and pops in all leaf functions too;
- add I-cache maintenance after code patching
- add Rb's from Nick and Kees.

Changes since RFC v1:
- implement boot time check for PAC/BTI support, and only enable dynamic
  SCS if neither are supported;
- implement module patching as well;
- switch to Clang, and drop workaround for GCC bug;

[0] https://lore.kernel.org/linux-arm-kernel/20211013152243.2216899-1-ardb@kernel.org/
[1] https://lore.kernel.org/linux-arm-kernel/20220613134008.3760481-1-ardb@kernel.org/
[2] https://lore.kernel.org/linux-arm-kernel/20220505161011.1801596-1-ardb@kernel.org/

Ard Biesheuvel (3):
  arm64: unwind: add asynchronous unwind tables to kernel and modules
  scs: add support for dynamic shadow call stacks
  arm64: implement dynamic shadow call stack for Clang

 Makefile                              |   2 +
 arch/Kconfig                          |   7 +
 arch/arm64/Kconfig                    |  12 +
 arch/arm64/Makefile                   |  15 +-
 arch/arm64/include/asm/module.lds.h   |   8 +
 arch/arm64/include/asm/scs.h          |  47 ++++
 arch/arm64/kernel/Makefile            |   2 +
 arch/arm64/kernel/head.S              |   3 +
 arch/arm64/kernel/irq.c               |   2 +-
 arch/arm64/kernel/module.c            |   8 +
 arch/arm64/kernel/patch-scs.c         | 257 ++++++++++++++++++++
 arch/arm64/kernel/pi/Makefile         |   1 +
 arch/arm64/kernel/sdei.c              |   2 +-
 arch/arm64/kernel/setup.c             |   4 +
 arch/arm64/kernel/vmlinux.lds.S       |  13 +
 arch/arm64/kvm/hyp/nvhe/Makefile      |   1 +
 drivers/firmware/efi/libstub/Makefile |   1 +
 include/asm-generic/vmlinux.lds.h     |   9 +-
 include/linux/scs.h                   |  18 ++
 kernel/scs.c                          |  14 +-
 scripts/module.lds.S                  |   8 +-
 21 files changed, 425 insertions(+), 9 deletions(-)
 create mode 100644 arch/arm64/kernel/patch-scs.c

Reviewed-by: Sami Tolvanen
Tested-by: Sami Tolvanen
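The 1:1 rewrite the cover letter describes, as an added userspace model written for this page; it is not the series' arch/arm64/kernel/patch-scs.c and does not parse DWARF. The AArch64 encodings of PACIASP, AUTIASP and of the SCS push/pop pair (`str x30, [x18], #8` / `ldr x30, [x18, #-8]!`, with x18 holding the shadow stack pointer) are real; the function names, the instruction stream and the list of CFI-derived offsets are constructed for the example. It shows the two properties the patching relies on: each PAC instruction maps to exactly one SCS operation, and a location the unwind metadata points at must actually hold PACIASP or AUTIASP, otherwise the code and its CFI disagree and patching is refused.

```c
/*
 * Added example, not kernel code: a userspace model of rewriting
 * PACIASP/AUTIASP into shadow call stack pushes/pops at the code
 * locations that DWARF CFI identifies.  Instruction encodings are real
 * AArch64 encodings; function names, the sample instruction stream and
 * the offsets are hypothetical/constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INSN_PACIASP	0xd503233fu	/* paciasp: sign x30 on entry */
#define INSN_AUTIASP	0xd50323bfu	/* autiasp: authenticate x30 before return */
#define INSN_SCS_PUSH	0xf800865eu	/* str x30, [x18], #8   (x18 = SCS pointer) */
#define INSN_SCS_POP	0xf85f8e5eu	/* ldr x30, [x18, #-8]! */
#define INSN_NOP	0xd503201fu	/* nop */
#define INSN_RET	0xd65f03c0u	/* ret */

/* Boot-time policy from the cover letter: dynamic SCS only when the
 * hardware offers neither PAC nor BTI (hypothetical helper). */
static bool dynamic_scs_wanted(bool hw_has_pac, bool hw_has_bti)
{
	return !hw_has_pac && !hw_has_bti;
}

/*
 * Patch one instruction slot.  The index comes from the CFI metadata
 * (where the "return address signed" state toggles), so the slot must
 * hold PACIASP or AUTIASP; anything else means code and unwind data
 * disagree and we refuse to touch it.  Returns 0 on success, -1 on error.
 */
static int scs_patch_one(uint32_t *code, size_t ninsn, size_t idx)
{
	if (idx >= ninsn)
		return -1;
	switch (code[idx]) {
	case INSN_PACIASP:
		code[idx] = INSN_SCS_PUSH;	/* one sign -> one push */
		return 0;
	case INSN_AUTIASP:
		code[idx] = INSN_SCS_POP;	/* one authenticate -> one pop */
		return 0;
	default:
		return -1;
	}
}

/* Apply the rewrite at every CFI-derived slot.  Returns the number of
 * instructions patched, or -1 if any slot was not a PAC instruction. */
static int scs_patch_locations(uint32_t *code, size_t ninsn,
			       const size_t *locs, size_t nlocs)
{
	int patched = 0;

	for (size_t i = 0; i < nlocs; i++) {
		if (scs_patch_one(code, ninsn, locs[i]) < 0)
			return -1;
		patched++;
	}
	return patched;
}

/* Count occurrences of an encoding, so callers can check pushes and pops balance. */
static int scs_count(const uint32_t *code, size_t ninsn, uint32_t insn)
{
	int n = 0;

	for (size_t i = 0; i < ninsn; i++)
		if (code[i] == insn)
			n++;
	return n;
}

/* Constructed sample: a non-leaf function body as a PAC-enabled compiler
 * would emit it, with NOPs standing in for the prologue and body. */
static uint32_t sample_func[] = {
	INSN_PACIASP,	/* slot 0 -> SCS push */
	INSN_NOP,	/* slot 1 */
	INSN_NOP,	/* slot 2 */
	INSN_AUTIASP,	/* slot 3 -> SCS pop */
	INSN_RET,	/* slot 4 */
};
/* Constructed: the slots where the CFI says the RA-signed state toggles. */
static const size_t sample_locs[] = { 0, 3 };

int main(void)
{
	size_t n = sizeof(sample_func) / sizeof(sample_func[0]);
	int patched;

	if (!dynamic_scs_wanted(false, false))
		return 1;
	patched = scs_patch_locations(sample_func, n, sample_locs, 2);
	printf("patched %d instructions, pushes=%d pops=%d\n", patched,
	       scs_count(sample_func, n, INSN_SCS_PUSH),
	       scs_count(sample_func, n, INSN_SCS_POP));
	for (size_t i = 0; i < n; i++)
		printf("  %zu: 0x%08x\n", i, sample_func[i]);
	return patched == 2 ? 0 : 1;
}
```

The real kernel additionally walks .eh_frame to derive the offsets, patches modules at load time, and performs I-cache maintenance after writing (all noted in the changelog above); this model only covers the instruction substitution and the consistency check.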