[02/35] x86/cet/shstk: Add Kconfig option for Shadow Stack

Message ID 20220130211838.8382-3-rick.p.edgecombe@intel.com (mailing list archive)
State New
Series Shadow stacks for userspace

Commit Message

Rick Edgecombe Jan. 30, 2022, 9:18 p.m. UTC
From: Yu-cheng Yu <yu-cheng.yu@intel.com>

Shadow Stack provides protection against function return address
corruption.  It is active when the processor supports it, the kernel has
CONFIG_X86_SHADOW_STACK enabled, and the application is built for the
feature.  This is only implemented for the 64-bit kernel.  When it is
enabled, legacy non-Shadow Stack applications continue to work, but without
protection.

Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Kees Cook <keescook@chromium.org>
---

Yu-cheng v25:
 - Remove X86_CET and use X86_SHADOW_STACK directly.

Yu-cheng v24:
 - Update for the splitting X86_CET to X86_SHADOW_STACK and X86_IBT.

 arch/x86/Kconfig           | 22 ++++++++++++++++++++++
 arch/x86/Kconfig.assembler |  5 +++++
 2 files changed, 27 insertions(+)

Comments

Dave Hansen Feb. 7, 2022, 10:39 p.m. UTC | #1
On 1/30/22 13:18, Rick Edgecombe wrote:
> +config X86_SHADOW_STACK
> +	prompt "Intel Shadow Stack"
> +	def_bool n
> +	depends on AS_WRUSS
> +	depends on ARCH_HAS_SHADOW_STACK
> +	select ARCH_USES_HIGH_VMA_FLAGS
> +	help
> +	  Shadow Stack protection is a hardware feature that detects function
> +	  return address corruption.  This helps mitigate ROP attacks.
> +	  Applications must be enabled to use it, and old userspace does not
> +	  get protection "for free".
> +	  Support for this feature is present on Tiger Lake family of
> +	  processors released in 2020 or later.  Enabling this feature
> +	  increases kernel text size by 3.7 KB.

I guess the "2020" comment is still OK.  But, given that it's on AMD and
a couple of other Intel models, maybe we should just leave this at:

	CPUs supporting shadow stacks were first released in 2020.

If we say anything.  We mostly want folks to just go read the
documentation if they need more details.

Thomas Gleixner Feb. 8, 2022, 8:39 a.m. UTC | #2
On Sun, Jan 30 2022 at 13:18, Rick Edgecombe wrote:
> +config ARCH_HAS_SHADOW_STACK
> +	def_bool n
> +
> +config X86_SHADOW_STACK
> +	prompt "Intel Shadow Stack"

It's also available on AMD, right?

Thanks,

        tglx

Thomas Gleixner Feb. 8, 2022, 8:41 a.m. UTC | #3
On Mon, Feb 07 2022 at 14:39, Dave Hansen wrote:

> On 1/30/22 13:18, Rick Edgecombe wrote:
>> +config X86_SHADOW_STACK
>> +	prompt "Intel Shadow Stack"
>> +	def_bool n
>> +	depends on AS_WRUSS
>> +	depends on ARCH_HAS_SHADOW_STACK
>> +	select ARCH_USES_HIGH_VMA_FLAGS
>> +	help
>> +	  Shadow Stack protection is a hardware feature that detects function
>> +	  return address corruption.  This helps mitigate ROP attacks.
>> +	  Applications must be enabled to use it, and old userspace does not
>> +	  get protection "for free".
>> +	  Support for this feature is present on Tiger Lake family of
>> +	  processors released in 2020 or later.  Enabling this feature
>> +	  increases kernel text size by 3.7 KB.
>
> I guess the "2020" comment is still OK.  But, given that it's on AMD and
> a couple of other Intel models, maybe we should just leave this at:
>
> 	CPUs supporting shadow stacks were first released in 2020.

Yes.

> If we say anything.  We mostly want folks to just go read the
> documentation if they need more details.

Also the kernel text size increase blurb is pretty useless as that's a
number which is wrong from day one.

Thanks,

        tglx

Rick Edgecombe Feb. 8, 2022, 8:20 p.m. UTC | #4
On Tue, 2022-02-08 at 09:41 +0100, Thomas Gleixner wrote:
> On Mon, Feb 07 2022 at 14:39, Dave Hansen wrote:
> 
> > On 1/30/22 13:18, Rick Edgecombe wrote:
> > > +config X86_SHADOW_STACK
> > > +    prompt "Intel Shadow Stack"
> > > +    def_bool n
> > > +    depends on AS_WRUSS
> > > +    depends on ARCH_HAS_SHADOW_STACK
> > > +    select ARCH_USES_HIGH_VMA_FLAGS
> > > +    help
> > > +      Shadow Stack protection is a hardware feature that detects
> > > function
> > > +      return address corruption.  This helps mitigate ROP
> > > attacks.
> > > +      Applications must be enabled to use it, and old userspace
> > > does not
> > > +      get protection "for free".
> > > +      Support for this feature is present on Tiger Lake family
> > > of
> > > +      processors released in 2020 or later.  Enabling this
> > > feature
> > > +      increases kernel text size by 3.7 KB.
> > 
> > I guess the "2020" comment is still OK.  But, given that it's on
> > AMD and
> > a couple of other Intel models, maybe we should just leave this at:
> > 
> >        CPUs supporting shadow stacks were first released in 2020.
> 
> Yes.
> 
> > If we say anything.  We mostly want folks to just go read the
> > documentation if they need more details.
> 
> Also the kernel text size increase blurb is pretty useless as that's
> a
> number which is wrong from day one.

Makes sense. Thanks.

Patch

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index ebe8fc76949a..b9efa0fd906d 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -26,6 +26,7 @@  config X86_64
 	depends on 64BIT
 	# Options that are inherently 64-bit kernel only:
 	select ARCH_HAS_GIGANTIC_PAGE
+	select ARCH_HAS_SHADOW_STACK
 	select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
 	select ARCH_USE_CMPXCHG_LOCKREF
 	select HAVE_ARCH_SOFT_DIRTY
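Review bot: The "select ARCH_HAS_SHADOW_STACK" added under config X86_64 is unconditional, so on every 64-bit build the "depends on ARCH_HAS_SHADOW_STACK" in X86_SHADOW_STACK evaluates exactly like "depends on X86_64". If the separate symbol exists so that arch-independent code can test it, say so in the commit message or in a comment next to its definition; otherwise a direct "depends on X86_64" in X86_SHADOW_STACK is simpler and one symbol fewer.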
@@ -1940,6 +1941,27 @@  config X86_SGX
 
 	  If unsure, say N.
 
+config ARCH_HAS_SHADOW_STACK
+	def_bool n
+
+config X86_SHADOW_STACK
+	prompt "Intel Shadow Stack"
+	def_bool n
+	depends on AS_WRUSS
+	depends on ARCH_HAS_SHADOW_STACK
+	select ARCH_USES_HIGH_VMA_FLAGS
+	help
+	  Shadow Stack protection is a hardware feature that detects function
+	  return address corruption.  This helps mitigate ROP attacks.
+	  Applications must be enabled to use it, and old userspace does not
+	  get protection "for free".
+	  Support for this feature is present on Tiger Lake family of
+	  processors released in 2020 or later.  Enabling this feature
+	  increases kernel text size by 3.7 KB.
+	  See Documentation/x86/intel_cet.rst for more information.
+
+	  If unsure, say N.
+
 config EFI
 	bool "EFI runtime service support"
 	depends on ACPI
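Review bot: In config X86_SHADOW_STACK, the pair 'prompt "Intel Shadow Stack"' and 'def_bool n' should be one line, 'bool "Shadow Stack"': a user-visible bool already defaults to n, and the vendor name in the prompt is what the replies question, since the feature is also available on AMD. The same redundancy applies to 'def_bool n' in ARCH_HAS_SHADOW_STACK, where a plain 'bool' is enough for a symbol that is only ever selected. In the help text, the Tiger Lake sentence and the "3.7 KB" text size figure will go stale; dropping both and keeping the pointer to Documentation/x86/intel_cet.rst leaves less to maintain.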
diff --git a/arch/x86/Kconfig.assembler b/arch/x86/Kconfig.assembler
index 26b8c08e2fc4..00c79dd93651 100644
--- a/arch/x86/Kconfig.assembler
+++ b/arch/x86/Kconfig.assembler
@@ -19,3 +19,8 @@  config AS_TPAUSE
 	def_bool $(as-instr,tpause %ecx)
 	help
 	  Supported by binutils >= 2.31.1 and LLVM integrated assembler >= V7
+
+config AS_WRUSS
+	def_bool $(as-instr,wrussq %rax$(comma)(%rbx))
+	help
+	  Supported by binutils >= 2.31 and LLVM integrated assembler
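Review bot: The AS_WRUSS help text gives a minimum version for binutils (>= 2.31) but none for the LLVM integrated assembler, while the AS_TPAUSE entry just above states one for both (">= V7"). Add the first LLVM release that assembles wrussq, so the two entries read the same way and someone whose configuration silently loses X86_SHADOW_STACK through the "depends on AS_WRUSS" line can tell which toolchain version is needed.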