From patchwork Thu Jan 19 21:23:10 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Rick Edgecombe <rick.p.edgecombe@intel.com>
X-Patchwork-Id: 13108810
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A3E4CC6379F
	for <linux-mm@archiver.kernel.org>; Thu, 19 Jan 2023 21:24:25 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 1CE3A280009; Thu, 19 Jan 2023 16:24:19 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 157BD280001; Thu, 19 Jan 2023 16:24:19 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id EC389280009; Thu, 19 Jan 2023 16:24:18 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com
 [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id D6D37280001
	for <linux-mm@kvack.org>; Thu, 19 Jan 2023 16:24:18 -0500 (EST)
Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay07.hostedemail.com (Postfix) with ESMTP id B0CB6160E15
	for <linux-mm@kvack.org>; Thu, 19 Jan 2023 21:24:18 +0000 (UTC)
X-FDA: 80372826996.25.754E283
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
	by imf16.hostedemail.com (Postfix) with ESMTP id B09B9180016
	for <linux-mm@kvack.org>; Thu, 19 Jan 2023 21:24:16 +0000 (UTC)
Authentication-Results: imf16.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=VLWcf1GM;
	spf=pass (imf16.hostedemail.com: domain of rick.p.edgecombe@intel.com
 designates 192.55.52.93 as permitted sender)
 smtp.mailfrom=rick.p.edgecombe@intel.com;
	dmarc=pass (policy=none) header.from=intel.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1674163457;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:content-type:
	 content-transfer-encoding:in-reply-to:in-reply-to:
	 references:references:dkim-signature;
	bh=e6Ucp8srnUL/pIV8RzS949UTzc2xSGWpmpvzoBTxJjU=;
	b=RM0d2MagJyiM+xe+IsKZuokpoqKSgaAmVFHlfZ7HsKNMTMFh2YYw8RM+4PR3Gi7ddpFMBH
	DZGkbnpkMoRIOxEImqoy1M0QlQLRt8qVc4F/Ys9Ye3MH8x1VdrsHwMDhfC83i986tn5X1a
	+MFBOkMyWCUOieYDlulR3zZuCHEUj/w=
ARC-Authentication-Results: i=1;
	imf16.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=VLWcf1GM;
	spf=pass (imf16.hostedemail.com: domain of rick.p.edgecombe@intel.com
 designates 192.55.52.93 as permitted sender)
 smtp.mailfrom=rick.p.edgecombe@intel.com;
	dmarc=pass (policy=none) header.from=intel.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1674163457; a=rsa-sha256;
	cv=none;
	b=38YZKv+OKSB14nyY+CytrmEJt2axZRU7EBoDLOBjdX4bFqw7on9E8V0mzAco8oENBkS/hE
	AfhVxMxbuDMFD8oJPZmfmNCMcOT7PQjuxGnrMIX4tLI9StL3UJz1ERZogEfS+kjIuR6aMV
	2bV5fjYvQ6N4kVbhvjI05mYVpjdF0vQ=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1674163456; x=1705699456;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references;
  bh=miL5v57uRD6gfvhLMCiJeO3l14zaMekSGW7g+Pa5v08=;
  b=VLWcf1GMSmVIXib8mIGh/H1nPovuzJoISWtACZyvN1O9JH7tIE4LybK6
   GF6YpF3jPdICOLnkUxPuJlVQttPsJxq7HSotdyt8NoZtcKJ+0ZruLadw2
   fJd8nslzNhvPiC4Kyajuf6f3mHC8pPczU/1sHzaC87KhY5ihyHOcyxfhZ
   x1Gv7dg6CYEtt7W60Yjb4zvgkkny88vRITfc2tI0FHRrwQCCV4xvv8bS8
   zmLcLz0BbNHC0SL9LTvcDhQHqDjqtbm/VCyTmWptaRAqqZ5DlLObP42Kr
   tIwf/RrPaabGVHSTbK/20S0aWp3Qz58u6xRZFyWn4V0wWnZm6bXAsrYjK
   w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10595"; a="323119953"
X-IronPort-AV: E=Sophos;i="5.97,230,1669104000";
   d="scan'208";a="323119953"
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
  by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 19 Jan 2023 13:24:16 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10595"; a="989139164"
X-IronPort-AV: E=Sophos;i="5.97,230,1669104000";
   d="scan'208";a="989139164"
Received: from hossain3-mobl.amr.corp.intel.com (HELO
 rpedgeco-desk.amr.corp.intel.com) ([10.252.128.187])
  by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 19 Jan 2023 13:24:14 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org,
	"H . Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org,
	linux-mm@kvack.org,
	linux-arch@vger.kernel.org,
	linux-api@vger.kernel.org,
	Arnd Bergmann <arnd@arndb.de>,
	Andy Lutomirski <luto@kernel.org>,
	Balbir Singh <bsingharora@gmail.com>,
	Borislav Petkov <bp@alien8.de>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Eugene Syromiatnikov <esyr@redhat.com>,
	Florian Weimer <fweimer@redhat.com>,
	"H . J . Lu" <hjl.tools@gmail.com>,
	Jann Horn <jannh@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Nadav Amit <nadav.amit@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Pavel Machek <pavel@ucw.cz>,
	Peter Zijlstra <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Weijiang Yang <weijiang.yang@intel.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	John Allen <john.allen@amd.com>,
	kcc@google.com,
	eranian@google.com,
	rppt@kernel.org,
	jamorris@linux.microsoft.com,
	dethoma@microsoft.com,
	akpm@linux-foundation.org,
	Andrew.Cooper3@citrix.com,
	christina.schimpe@intel.com
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v5 32/39] x86/shstk: Support WRSS for userspace
Date: Thu, 19 Jan 2023 13:23:10 -0800
Message-Id: <20230119212317.8324-33-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230119212317.8324-1-rick.p.edgecombe@intel.com>
References: <20230119212317.8324-1-rick.p.edgecombe@intel.com>
X-Rspamd-Server: rspam05
X-Rspamd-Queue-Id: B09B9180016
X-Stat-Signature: t87sod6rx7eqydim47b8qfj615ie4bjw
X-Rspam-User: 
X-HE-Tag: 1674163456-249550
X-HE-Meta: 
 U2FsdGVkX1/oAO+i8VbZMrUXUS5kPLNMPFZK6vD7AQC5RwffOChO5Dd86LPjmxjmxTOlkhyACB3C2B76sDzEznJo4IMDBiKYxUcXhzxXs+uiE7CMM9TqpzLZcTJyqfLH+MTLmkEpP/mqG2LnFcU8rXn/iYfHNIEhpNB32GKRmcwpJazLoeEY+Le8biSDQ4JRco9FOTZE6gqBJ39j9bxYEpqYyq1GO3obhsH1KXvSpomJcnOdtuqfqCj5MnLsG3xRHSGvq9QsZt8BTdlcVplgVPxngIk8r3a+Oc6Bz5bycQnGhj+RTJ99QMqhWwqvMDGNeKdSus+0sXh5zFeTDMYf9/2kCTsuFsowgqI9F62tTzqqzEW9mhsVUCtlUY955I043NaFNwrOk4MxGdzoyUD2OwLp23gtF3ptaTssKJ2uHvkVZq17c8LP9mossrd4SMSTezPVgBOJqdjAr9P3gYg4HV/hevsiln2Kpaf5I4MM3mLIAv/K9zf6QZmD1zfoKZjo8wqxWWxL08Uz/LDTvSCyeRlilqEQlB5pkGvY4FEbqeyilt8/XCYlXyw4/dtWkfXwezLLqoeJrvkOclR4r6fhBFGWTWJAsmCkbX6V3aKvk7fjYHW6iWulCRw9SnnF82cumgvd1WvEP4jQ5mm8z4pCbEwg8aLXpfIulbzzdUjYhETU6b08wJqYqM6hBzKPKM9l8uHltJEJNhRFXNai7l+ECrc0sRi4zMRwHRTMzPSN12vJF2KkzK61/ejxqob14ja6NLHtPc3JOtZyort3RzWCeBudy+htNIVFdsLhDFOc15ajpE7A8AtrcAoSXwjqQLQ1mqxaV0ETRFI/30Lo1btTV9JMUidmgBG4hMPixdFPfgGFgfBmQgyOIatSxF/JgLZ3CNsqlPyO4NdUQVgZ4sSzcJnCNEaxkllkJDf53O36X1nyYT4JT1KynlXqWP7cf8hqnBYyKEPB7RQZn4PZrZM
 ZtY03McF
 AxutgM0CYr56XdoYWH0C2vAhv3cnXRJcPBBFVZ51poNzM88nJTFdmelvCZCy2Z4U8ml82Epf1n5/6pq191LiQP0reQgKga2pxgaBoJ6IJy57RKd9htRRicCF0T6oTaRLx9Kyr0F4rDngfsCDL6CyPciQyEiMVoPHa5DyIb5B7z2n8JYgfQ0+b5nZUmmvfRUPx0uPYBN/tzRq0IzqDJ0i4x7jZ/UbUT6InRvk1i9qTFaTvXQU=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

For the current shadow stack implementation, shadow stacks contents can't
easily be provisioned with arbitrary data. This property helps apps
protect themselves better, but also restricts any potential apps that may
want to do exotic things at the expense of a little security.

The x86 shadow stack feature introduces a new instruction, WRSS, which
can be enabled to write directly to shadow stack permissioned memory from
userspace. Allow it to get enabled via the prctl interface.

Only enable the userspace WRSS instruction, which allows writes to
userspace shadow stacks from userspace. Do not allow it to be enabled
independently of shadow stack, as HW does not support using WRSS when
shadow stack is disabled.

From a fault handler perspective, WRSS will behave very similar to WRUSS,
which is treated like a user access from a #PF err code perspective.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---

v5:
 - Switch to EOPNOTSUPP
 - Move set_clr_bits_msrl() to patch where it is first used
 - Commit log formatting

v3:
 - Make wrss_control() static
 - Fix verbiage in commit log (Kees)

v2:
 - Add some commit log verbiage from (Dave Hansen)

v1:
 - New patch.

 arch/x86/include/asm/msr.h        | 11 +++++++++++
 arch/x86/include/uapi/asm/prctl.h |  1 +
 arch/x86/kernel/shstk.c           | 31 ++++++++++++++++++++++++++++++-
 3 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h
index 65ec1965cd28..a4b86eb537d6 100644
--- a/arch/x86/include/asm/msr.h
+++ b/arch/x86/include/asm/msr.h
@@ -310,6 +310,17 @@ void msrs_free(struct msr *msrs);
 int msr_set_bit(u32 msr, u8 bit);
 int msr_clear_bit(u32 msr, u8 bit);
 
+/* Helper that can never get accidentally un-inlined. */
+#define set_clr_bits_msrl(msr, set, clear)	do {	\
+	u64 __val, __new_val;				\
+							\
+	rdmsrl(msr, __val);				\
+	__new_val = (__val & ~(clear)) | (set);		\
+							\
+	if (__new_val != __val)				\
+		wrmsrl(msr, __new_val);			\
+} while (0)
+
 #ifdef CONFIG_SMP
 int rdmsr_on_cpu(unsigned int cpu, u32 msr_no, u32 *l, u32 *h);
 int wrmsr_on_cpu(unsigned int cpu, u32 msr_no, u32 l, u32 h);
diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
index 7dfd9dc00509..e31495668056 100644
--- a/arch/x86/include/uapi/asm/prctl.h
+++ b/arch/x86/include/uapi/asm/prctl.h
@@ -28,5 +28,6 @@
 
 /* ARCH_SHSTK_ features bits */
 #define ARCH_SHSTK_SHSTK		(1ULL <<  0)
+#define ARCH_SHSTK_WRSS			(1ULL <<  1)
 
 #endif /* _ASM_X86_PRCTL_H */
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index e857083b9e14..71dbb49b93cd 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -364,6 +364,35 @@ void shstk_free(struct task_struct *tsk)
 	unmap_shadow_stack(shstk->base, shstk->size);
 }
 
+static int wrss_control(bool enable)
+{
+	if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+		return -EOPNOTSUPP;
+
+	/*
+	 * Only enable wrss if shadow stack is enabled. If shadow stack is not
+	 * enabled, wrss will already be disabled, so don't bother clearing it
+	 * when disabling.
+	 */
+	if (!features_enabled(ARCH_SHSTK_SHSTK))
+		return -EPERM;
+
+	/* Already enabled/disabled? */
+	if (features_enabled(ARCH_SHSTK_WRSS) == enable)
+		return 0;
+
+	fpregs_lock_and_load();
+	if (enable) {
+		set_clr_bits_msrl(MSR_IA32_U_CET, CET_WRSS_EN, 0);
+		features_set(ARCH_SHSTK_WRSS);
+	} else {
+		set_clr_bits_msrl(MSR_IA32_U_CET, 0, CET_WRSS_EN);
+		features_clr(ARCH_SHSTK_WRSS);
+	}
+	fpregs_unlock();
+
+	return 0;
+}
 
 static int shstk_disable(void)
 {
@@ -381,7 +410,7 @@ static int shstk_disable(void)
 	fpregs_unlock();
 
 	shstk_free(current);
-	features_clr(ARCH_SHSTK_SHSTK);
+	features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS);
 
 	return 0;
 }