From patchwork Tue Apr 23 07:19:46 2024
X-Patchwork-Submitter: Linus Walleij
X-Patchwork-Id: 13639394
From: Linus Walleij
Subject: [PATCH v8 0/9] CFI for ARM32 using LLVM
Date: Tue, 23 Apr 2024 09:19:46 +0200
Message-Id: <20240423-arm32-cfi-v8-0-08f10f5d9297@linaro.org>
To: Russell King, Sami Tolvanen, Kees Cook, Nathan Chancellor, Nick Desaulniers, Ard Biesheuvel, Arnd Bergmann
Cc: linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev, Linus Walleij
X-Mailer: b4 0.13.0

This is a first patch set to support CLANG CFI (Control Flow Integrity)
on ARM32.

For information about what CFI is, see:
https://clang.llvm.org/docs/ControlFlowIntegrity.html

For the kernel KCFI flavor, see:
https://lwn.net/Articles/898040/

The base changes required to bring up KCFI on ARM32 were mostly related
to the use of custom vtables in the kernel, combined with defines to
call into these vtable members directly from sites where they are used.

We annotate all assembly calls that are called directly from C with
SYM_TYPED_FUNC_START()/SYM_FUNC_END() so it is easy to see while reading
the assembly that these functions are called from C and can have CFI
prototype information prefixed to them.
As prototype prefix information is just some random bytes, it is not
possible to "fall through" into an assembly function that is tagged with
SYM_TYPED_FUNC_START(): there will be some binary noise in front of the
function so this design pattern needs to be explicitly avoided at each
site where it occurred.

The approach to binding the calls to C is two-fold:

- Either convert the affected vtable struct to C and provide per-CPU
  prototypes for all the calls (done for TLB, cache) or:
- Provide prototypes in special files just for CFI and tag all these
  functions addressable.

The permissive mode handles the new breakpoint type (0x03) that LLVM
CLANG is emitting.

To runtime-test the patches:

- Enable CONFIG_LKDTM
- echo CFI_FORWARD_PROTO > /sys/kernel/debug/provoke-crash/DIRECT

The patch set has been booted to userspace on the following test
platforms:

- Arm Versatile (QEMU)
- Arm Versatile Express (QEMU)
- multi_v7 booted on Versatile Express (QEMU)
- Footbridge Netwinder (SA110 ARMv4)
- Ux500 (ARMv7 SMP)
- Gemini (FA526)

I am not saying there will not be corner cases that we need to fix in
addition to this, but it is enough to get started. Looking at what was
fixed for arm64 I am a bit wary that e.g. BPF might need something to
trampoline properly. But hopefully people can get to testing it and help
me fix remaining issues before the final version, or we can fix it
in-tree.

Signed-off-by: Linus Walleij
---
Changes in v8:
- Drop aliases for the coherent cache maintenance functions, this will
  not work because these have different return types, despite the return
  value being mostly ignored.
- Picked up Sami's Reviewed-by
- Drop the already applied ftrace functions patch.
- Drop the first patch in the series (checking calls using vtable
  instead of function), it is not needed anymore after doing the deeper
  fix with tagged symbols.
- I will update the patches in the patch tracker to this version and
  they will become the /2 versions.
- Link to v7: https://lore.kernel.org/r/20240421-arm32-cfi-v7-0-6e132a948cc8@linaro.org

Changes in v7:
- Use report_cfi_failure_noaddr() when reporting CFI faults.
- Leave a better comment on what needs to be done to get better target
  reporting.
- Link to v6: https://lore.kernel.org/r/20240417-arm32-cfi-v6-0-6486385eb136@linaro.org

Changes in v6:
- Add a separate patch adding aliases for some cache functions that were
  just branches to another function.
- Link to v5: https://lore.kernel.org/r/20240415-arm32-cfi-v5-0-ff11093eeccc@linaro.org

Changes in v5:
- I started to put the patches into the patch tracker and it rightfully
  complained that the patches tagging all assembly with CFI symbol type
  macros and adding C prototypes were too large.
- Split the two patches annotating assembly into one patch doing the
  annotation and one patch adding the C prototypes. This is a good split
  anyway.
- The first patches from the series are unchanged and in the patch
  tracker, I resend them anyway and will soon populate the patch tracker
  with the split patches from this series unless there are more comments.
- Link to v4: https://lore.kernel.org/r/20240328-arm32-cfi-v4-0-a11046139125@linaro.org

Changes in v4:
- Rebase on v6.9-rc1
- Use Ard's patch for converting TLB operation vtables to C
- Rewrite the cache vtables in C and use SYM_TYPED_FUNC_START() in the
  assembly to make CFI work all the way down.
- Instead of tagging all the delay functions as __nocfi get to the root
  cause and annotate the loop delay code with SYM_TYPED_FUNC_START() and
  rewrite it using explicit branches so we get CFI all the way down.
- Drop the patch turning highmem page accesses into static inlines: this
  was probably a development artifact since this code does a lot of cache
  and TLB flushing, and that assembly is now properly annotated.
- Do not define static inlines tagged __nocfi for all the proc functions,
  instead provide proper C prototypes in a separate CFI-only file and
  make these explicitly addressable.
- Link to v3: https://lore.kernel.org/r/20240311-arm32-cfi-v3-0-224a0f0a45c2@linaro.org

Changes in v3:
- Use report_cfi_failure() like everyone else in the breakpoint handler.
- I think we cannot implement target and type for the report callback
  without operand bundling compiler extensions, so just leaving these as
  zero.
- Link to v2: https://lore.kernel.org/r/20240307-arm32-cfi-v2-0-cc74ea0306b3@linaro.org

Changes in v2:
- Add the missing ftrace graph tracer stub.
- Enable permissive mode using a breakpoint handler.
- Link to v1: https://lore.kernel.org/r/20240225-arm32-cfi-v1-0-6943306f065b@linaro.org

---
Ard Biesheuvel (1):
      ARM: mm: Make tlbflush routines CFI safe

Linus Walleij (8):
      ARM: mm: Type-annotate all cache assembly routines
      ARM: mm: Use symbol alias for two cache functions
      ARM: mm: Rewrite cacheflush vtables in CFI safe C
      ARM: mm: Type-annotate all per-processor assembly routines
      ARM: mm: Define prototypes for all per-processor calls
      ARM: lib: Annotate loop delay instructions for CFI
      ARM: hw_breakpoint: Handle CFI breakpoints
      ARM: Support CLANG CFI

 arch/arm/Kconfig                     |   1 +
 arch/arm/include/asm/glue-cache.h    |  28 +-
 arch/arm/include/asm/hw_breakpoint.h |   1 +
 arch/arm/kernel/hw_breakpoint.c      |  35 ++
 arch/arm/lib/delay-loop.S            |  16 +-
 arch/arm/mm/Makefile                 |   3 +
 arch/arm/mm/cache-b15-rac.c          |   1 +
 arch/arm/mm/cache-fa.S               |  45 ++-
 arch/arm/mm/cache-nop.S              |  61 ++--
 arch/arm/mm/cache-v4.S               |  53 ++-
 arch/arm/mm/cache-v4wb.S             |  45 ++-
 arch/arm/mm/cache-v4wt.S             |  53 ++-
 arch/arm/mm/cache-v6.S               |  49 ++-
 arch/arm/mm/cache-v7.S               |  74 ++--
 arch/arm/mm/cache-v7m.S              |  53 ++-
 arch/arm/mm/cache.c                  | 663 +++++++++++++++++++++++++++++++++++
 arch/arm/mm/proc-arm1020.S           |  67 ++--
 arch/arm/mm/proc-arm1020e.S          |  68 ++--
 arch/arm/mm/proc-arm1022.S           |  67 ++--
 arch/arm/mm/proc-arm1026.S           |  68 ++--
 arch/arm/mm/proc-arm720.S            |  25 +-
 arch/arm/mm/proc-arm740.S            |  26 +-
 arch/arm/mm/proc-arm7tdmi.S          |  34 +-
 arch/arm/mm/proc-arm920.S            |  74 ++--
 arch/arm/mm/proc-arm922.S            |  67 ++--
 arch/arm/mm/proc-arm925.S            |  64 ++--
 arch/arm/mm/proc-arm926.S            |  73 ++--
 arch/arm/mm/proc-arm940.S            |  67 ++--
 arch/arm/mm/proc-arm946.S            |  63 ++--
 arch/arm/mm/proc-arm9tdmi.S          |  26 +-
 arch/arm/mm/proc-fa526.S             |  24 +-
 arch/arm/mm/proc-feroceon.S          | 103 +++--
 arch/arm/mm/proc-macros.S            |  33 --
 arch/arm/mm/proc-mohawk.S            |  72 ++--
 arch/arm/mm/proc-sa110.S             |  23 +-
 arch/arm/mm/proc-sa1100.S            |  31 +-
 arch/arm/mm/proc-v6.S                |  31 +-
 arch/arm/mm/proc-v7-2level.S         |   8 +-
 arch/arm/mm/proc-v7-3level.S         |   8 +-
 arch/arm/mm/proc-v7.S                |  66 ++--
 arch/arm/mm/proc-v7m.S               |  41 +--
 arch/arm/mm/proc-xsc3.S              |  73 ++--
 arch/arm/mm/proc-xscale.S            | 125 +++---
 arch/arm/mm/proc.c                   | 500 ++++++++++++++++++++++++++
 arch/arm/mm/tlb-fa.S                 |  12 +-
 arch/arm/mm/tlb-v4.S                 |  15 +-
 arch/arm/mm/tlb-v4wb.S               |  12 +-
 arch/arm/mm/tlb-v4wbi.S              |  12 +-
 arch/arm/mm/tlb-v6.S                 |  12 +-
 arch/arm/mm/tlb-v7.S                 |  14 +-
 arch/arm/mm/tlb.c                    |  84 +++++
 51 files changed, 2300 insertions(+), 969 deletions(-)
---
base-commit: 43426466485392d6eedc422fdeddd43eb394d8aa
change-id: 20240115-arm32-cfi-65d60f201108

Best regards,
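The cover letter describes moving the cache and TLB vtables into C with typed prototypes and running KCFI in a permissive mode that reports mismatches instead of panicking. What follows is an added userspace model of that check, not code from this patch set or the kernel: the FNV-1a type-id hash, the registry table, the `cache_fns` layout, the `v7_*` function names and the counters are constructed stand-ins for the type hash the compiler emits in front of each function.

```c
#include <stdint.h>
/* Constructed userspace model of a KCFI check (not kernel code): every address-taken
 * function is listed with a type id hashed from its prototype, standing in for the hash
 * the compiler emits in front of the function body; a call site compares that id with
 * the id of the prototype it expects before branching through the vtable slot. */
typedef void (*generic_fn)(void);
typedef void (*flush_kern_all_t)(void);
typedef void (*flush_range_t)(unsigned long start, unsigned long end);

/* The cache vtable as a C struct with typed members, as in the cacheflush rewrite. */
struct cache_fns { flush_kern_all_t flush_kern_all; flush_range_t flush_user_range; };
int kern_all_calls;
static void v7_flush_kern_cache_all(void) { kern_all_calls++; }
static void v7_flush_user_cache_range(unsigned long s, unsigned long e) { (void)s; (void)e; }
struct cache_fns cpu_cache = { v7_flush_kern_cache_all, v7_flush_user_cache_range };

static uint32_t cfi_type_id(const char *proto)	/* FNV-1a over the prototype text */
{
	uint32_t h = 0x811c9dc5u;
	for (; *proto; proto++) { h ^= (uint8_t)*proto; h *= 0x01000193u; }
	return h;
}

/* Which prototype each function was defined with (the "prefix" in the real scheme). */
static const struct { generic_fn fn; const char *proto; } cfi_registry[] = {
	{ (generic_fn)v7_flush_kern_cache_all, "void(void)" },
	{ (generic_fn)v7_flush_user_cache_range, "void(unsigned long,unsigned long)" },
};
int cfi_failures;	/* permissive mode: mismatches are counted rather than fatal */

static int cfi_check(generic_fn target, const char *expected)	/* 1 = type id matches */
{
	for (unsigned i = 0; i < sizeof(cfi_registry) / sizeof(cfi_registry[0]); i++)
		if (cfi_registry[i].fn == target &&
		    cfi_type_id(cfi_registry[i].proto) == cfi_type_id(expected))
			return 1;
	cfi_failures++;
	return 0;
}
int flush_kern_all_checked(struct cache_fns *fns)	/* guarded indirect call; 1 = called */
{
	if (!cfi_check((generic_fn)fns->flush_kern_all, "void(void)"))
		return 0;
	fns->flush_kern_all();
	return 1;
}
void install_wrong_type(struct cache_fns *fns)	/* corrupt the slot with a wrongly typed fn */
{
	fns->flush_kern_all = (flush_kern_all_t)v7_flush_user_cache_range;
}
```

With the correct pointer in the slot the call goes through; once a pointer with a different prototype is planted, the check refuses to branch and only bumps `cfi_failures`, which is the permissive-mode behaviour the breakpoint handler provides on real hardware.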