From patchwork Thu Mar 28 08:19:23 2024
X-Patchwork-Submitter: Linus Walleij
X-Patchwork-Id: 13608166
From: Linus Walleij
Subject: [PATCH v4 0/8] CFI for ARM32 using LLVM
Date: Thu, 28 Mar 2024 09:19:23 +0100
Message-Id: <20240328-arm32-cfi-v4-0-a11046139125@linaro.org>
To: Russell King, Sami Tolvanen, Kees Cook, Nathan Chancellor, Nick Desaulniers, Ard Biesheuvel, Arnd Bergmann
Cc: linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev, Linus Walleij
X-Mailer: b4 0.13.0

This is a first patch set to support CLANG CFI (Control Flow Integrity)
on ARM32.

For information about what CFI is, see:
https://clang.llvm.org/docs/ControlFlowIntegrity.html

For the kernel KCFI flavor, see:
https://lwn.net/Articles/898040/

The base changes required to bring up KCFI on ARM32 were mostly related
to the use of custom vtables in the kernel, combined with defines to
call into these vtable members directly from sites where they are used.

We annotate all assembly calls that are called directly from C with
SYM_TYPED_FUNC_START()/SYM_FUNC_END() so it is easy to see while reading
the assembly that these functions are called from C and can have CFI
prototype information prefixed to them.
As prototype prefix information is just some random bytes, it is not
possible to "fall through" into an assembly function that is tagged with
SYM_TYPED_FUNC_START(): there will be some binary noise in front of the
function, so this design pattern needs to be explicitly avoided at each
site where it occurred.

The approach to binding the calls to C is two-fold:

- Either convert the affected vtable struct to C and provide per-CPU
  prototypes for all the calls (done for TLB, cache) or:
- Provide prototypes in special files just for CFI and tag all these
  functions addressable.

The permissive mode handles the new breakpoint type (0x03) that LLVM
CLANG is emitting.

To runtime-test the patches:

- Enable CONFIG_LKDTM
- echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT

The patch set has been booted to userspace on the following test
platforms:

- Arm Versatile (QEMU)
- Arm Versatile Express (QEMU)
- multi_v7 booted on Versatile Express (QEMU)
- Footbridge Netwinder (SA110 ARMv4)
- Ux500 (ARMv7 SMP)
- Gemini (FA526)

I am not saying there will not be corner cases that we need to fix in
addition to this, but it is enough to get started. Looking at what was
fixed for arm64 I am a bit wary that e.g. BPF might need something to
trampoline properly. But hopefully people can get to testing it and help
me fix remaining issues before the final version, or we can fix it
in-tree.

Signed-off-by: Linus Walleij
Tested-by: Kees Cook
---
Changes in v4:
- Rebase on v6.9-rc1
- Use Ard's patch for converting TLB operation vtables to C
- Rewrite the cache vtables in C and use SYM_TYPED_FUNC_START() in the
  assembly to make CFI work all the way down.
- Instead of tagging all the delay functions as __nocfi get to the root
  cause and annotate the loop delay code with SYM_TYPED_FUNC_START() and
  rewrite it using explicit branches so we get CFI all the way down.
- Drop the patch turning highmem page accesses into static inlines: this
  was probably a development artifact since this code does a lot of cache
  and TLB flushing, and that assembly is now properly annotated.
- Do not define static inlines tagged __nocfi for all the proc functions,
  instead provide proper C prototypes in a separate CFI-only file and make
  these explicitly addressable.
- Link to v3: https://lore.kernel.org/r/20240311-arm32-cfi-v3-0-224a0f0a45c2@linaro.org

Changes in v3:
- Use report_cfi_failure() like everyone else in the breakpoint handler.
- I think we cannot implement target and type for the report callback
  without operand bundling compiler extensions, so just leaving these as
  zero.
- Link to v2: https://lore.kernel.org/r/20240307-arm32-cfi-v2-0-cc74ea0306b3@linaro.org

Changes in v2:
- Add the missing ftrace graph tracer stub.
- Enable permissive mode using a breakpoint handler.
- Link to v1: https://lore.kernel.org/r/20240225-arm32-cfi-v1-0-6943306f065b@linaro.org

---
Ard Biesheuvel (1):
      ARM: mm: Make tlbflush routines CFI safe

Linus Walleij (7):
      ARM: bugs: Check in the vtable instead of defined aliases
      ARM: ftrace: Define ftrace_stub_graph
      ARM: mm: Rewrite cacheflush vtables in CFI safe C
      ARM: mm: Define prototypes for all per-processor calls
      ARM: lib: Annotate loop delay instructions for CFI
      ARM: hw_breakpoint: Handle CFI breakpoints
      ARM: Support CLANG CFI

 arch/arm/Kconfig                     |   1 +
 arch/arm/include/asm/glue-cache.h    |  28 +-
 arch/arm/include/asm/hw_breakpoint.h |   1 +
 arch/arm/kernel/bugs.c               |   2 +-
 arch/arm/kernel/entry-ftrace.S       |   4 +
 arch/arm/kernel/hw_breakpoint.c      |  30 ++
 arch/arm/lib/delay-loop.S            |  16 +-
 arch/arm/mm/Makefile                 |   3 +
 arch/arm/mm/cache-b15-rac.c          |   1 +
 arch/arm/mm/cache-fa.S               |  47 +--
 arch/arm/mm/cache-nop.S              |  57 +--
 arch/arm/mm/cache-v4.S               |  55 +--
 arch/arm/mm/cache-v4wb.S             |  47 ++-
 arch/arm/mm/cache-v4wt.S             |  55 +--
 arch/arm/mm/cache-v6.S               |  49 ++-
 arch/arm/mm/cache-v7.S               |  74 ++--
 arch/arm/mm/cache-v7m.S              |  53 ++-
 arch/arm/mm/cache.c                  | 663 +++++++++++++++++++++++++++++++++++
 arch/arm/mm/proc-arm1020.S           |  69 ++--
 arch/arm/mm/proc-arm1020e.S          |  70 ++--
 arch/arm/mm/proc-arm1022.S           |  69 ++--
 arch/arm/mm/proc-arm1026.S           |  70 ++--
 arch/arm/mm/proc-arm720.S            |  25 +-
 arch/arm/mm/proc-arm740.S            |  26 +-
 arch/arm/mm/proc-arm7tdmi.S          |  34 +-
 arch/arm/mm/proc-arm920.S            |  76 ++--
 arch/arm/mm/proc-arm922.S            |  69 ++--
 arch/arm/mm/proc-arm925.S            |  66 ++--
 arch/arm/mm/proc-arm926.S            |  75 ++--
 arch/arm/mm/proc-arm940.S            |  69 ++--
 arch/arm/mm/proc-arm946.S            |  65 ++--
 arch/arm/mm/proc-arm9tdmi.S          |  26 +-
 arch/arm/mm/proc-fa526.S             |  24 +-
 arch/arm/mm/proc-feroceon.S          | 105 +++--
 arch/arm/mm/proc-macros.S            |  33 --
 arch/arm/mm/proc-mohawk.S            |  74 ++--
 arch/arm/mm/proc-sa110.S             |  23 +-
 arch/arm/mm/proc-sa1100.S            |  31 +-
 arch/arm/mm/proc-v6.S                |  31 +-
 arch/arm/mm/proc-v7-2level.S         |   8 +-
 arch/arm/mm/proc-v7-3level.S         |   8 +-
 arch/arm/mm/proc-v7-bugs.c           |   4 +-
 arch/arm/mm/proc-v7.S                |  66 ++--
 arch/arm/mm/proc-v7m.S               |  41 +--
 arch/arm/mm/proc-xsc3.S              |  75 ++--
 arch/arm/mm/proc-xscale.S            | 127 +++---
 arch/arm/mm/proc.c                   | 500 ++++++++++++++++++++++++++
 arch/arm/mm/tlb-fa.S                 |  12 +-
 arch/arm/mm/tlb-v4.S                 |  15 +-
 arch/arm/mm/tlb-v4wb.S               |  12 +-
 arch/arm/mm/tlb-v4wbi.S              |  12 +-
 arch/arm/mm/tlb-v6.S                 |  12 +-
 arch/arm/mm/tlb-v7.S                 |  14 +-
 arch/arm/mm/tlb.c                    |  84 +++++
 54 files changed, 2334 insertions(+), 972 deletions(-)
---
base-commit: 4cece764965020c22cff7665b18a012006359095
change-id: 20240115-arm32-cfi-65d60f201108

Best regards,
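The following is an added example, not code from this patch set or from the kernel: a userspace C model of the check that KCFI inserts at every indirect call site, illustrating why the cover letter needs a type prefix on each assembly function called from C, why a call through a pointer of the wrong prototype (what LKDTM's CFI_FORWARD_PROTO provokes) is rejected, and how a permissive-mode handler reports instead of halting. It assumes a lookup table standing in for the bytes the compiler places in front of a function (user C cannot emit such a prefix), an FNV-1a hash of the prototype string standing in for the compiler's type hash (the real algorithm is not modelled), and constructed stand-in functions `v7_flush_range` and `v7_probe`.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SYMS 8

/* Simulated type-id prefix: function address -> 32-bit type id.
 * In real KCFI these bytes sit immediately before the function. */
struct typed_sym {
    uintptr_t addr;
    uint32_t type_id;
};

static struct typed_sym syms[MAX_SYMS];
static int nsyms;
static int cfi_failures;

/* Hash of the prototype string standing in for the compiler's type
 * hash (constructed: FNV-1a, not the real KCFI algorithm). */
static uint32_t kcfi_type_id(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++) {
        h ^= (unsigned char)*proto;
        h *= 16777619u;
    }
    return h;
}

/* Analogue of SYM_TYPED_FUNC_START(): record the type id "in front of"
 * a function so that call sites can compare against it. */
static void register_typed(uintptr_t addr, const char *proto)
{
    for (int i = 0; i < nsyms; i++)
        if (syms[i].addr == addr)
            return;
    if (nsyms < MAX_SYMS) {
        syms[nsyms].addr = addr;
        syms[nsyms].type_id = kcfi_type_id(proto);
        nsyms++;
    }
}

static uint32_t prefix_of(uintptr_t addr)
{
    for (int i = 0; i < nsyms; i++)
        if (syms[i].addr == addr)
            return syms[i].type_id;
    return 0; /* untyped target: can never match a call site */
}

/* Permissive mode: log and count the failure rather than panic, which is
 * what a breakpoint handler calling report_cfi_failure() amounts to. */
static void report_cfi_failure(uintptr_t target, uint32_t expected, uint32_t found)
{
    cfi_failures++;
    fprintf(stderr, "CFI failure: target 0x%lx expected %08x found %08x\n",
            (unsigned long)target, expected, found);
}

/* The check emitted at an indirect call site: expected id derives from
 * the static type of the pointer, found id from the target's prefix. */
static int cfi_check(uintptr_t target, const char *site_proto)
{
    uint32_t expected = kcfi_type_id(site_proto);
    uint32_t found = prefix_of(target);
    if (expected != found) {
        report_cfi_failure(target, expected, found);
        return 0;
    }
    return 1;
}

/* Constructed stand-ins for a per-CPU cache routine and an unrelated one. */
typedef void (*flush_range_fn)(unsigned long start, unsigned long end);
#define FLUSH_RANGE_PROTO "void(unsigned long,unsigned long)"

static unsigned long bytes_flushed;
static void v7_flush_range(unsigned long start, unsigned long end)
{
    bytes_flushed += end - start;
}
static int v7_probe(void) { return 7; } /* prototype int(void) */

/* Guarded call through a vtable-style pointer: 0 on success, -1 if rejected. */
static int call_flush_range(flush_range_fn fn, unsigned long start, unsigned long end)
{
    register_typed((uintptr_t)v7_flush_range, FLUSH_RANGE_PROTO);
    register_typed((uintptr_t)v7_probe, "int(void)");
    if (!cfi_check((uintptr_t)fn, FLUSH_RANGE_PROTO))
        return -1;
    fn(start, end);
    return 0;
}

/* Matching prototype: the call goes through. Returns 0 on success. */
int cfi_demo_good(void)
{
    bytes_flushed = 0;
    if (call_flush_range(v7_flush_range, 0x1000, 0x2000) != 0)
        return -1;
    return bytes_flushed == 0x1000 ? 0 : -2;
}

/* Mismatched prototype: the call is refused and one failure is reported.
 * Returns 0 when the model behaved as expected. */
int cfi_demo_bad(void)
{
    int before = cfi_failures;
    int rc = call_flush_range((flush_range_fn)v7_probe, 0x1000, 0x2000);
    return (rc == -1 && cfi_failures == before + 1) ? 0 : -1;
}

int main(void)
{
    printf("good call: %d\n", cfi_demo_good());
    printf("bad call: %d (failures reported: %d)\n", cfi_demo_bad(), cfi_failures);
    return 0;
}
```

The model also shows why the cover letter says one cannot "fall through" into a SYM_TYPED_FUNC_START() function: in the real layout the type id occupies the bytes immediately before the entry point, so straight-line execution from the preceding routine would run the hash as instructions. Being only a table here, the lookup returns 0 for any address that was never registered, so a target without a prefix fails the check just as an unannotated assembly routine would.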