From patchwork Sat Feb 18 21:13:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Edgecombe, Rick P" X-Patchwork-Id: 13145643 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C4909C636CC for ; Sat, 18 Feb 2023 21:16:10 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 9B3E86B0075; Sat, 18 Feb 2023 16:16:06 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 96527280002; Sat, 18 Feb 2023 16:16:06 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 82BF06B0078; Sat, 18 Feb 2023 16:16:06 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 62BEB280002 for ; Sat, 18 Feb 2023 16:16:06 -0500 (EST) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 2F69EAAD6E for ; Sat, 18 Feb 2023 21:16:06 +0000 (UTC) X-FDA: 80481670332.05.8FEE1DB Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by imf12.hostedemail.com (Postfix) with ESMTP id 2D80040024 for ; Sat, 18 Feb 2023 21:16:02 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=QoR9Uns6; spf=pass (imf12.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.43 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1676754963; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:dkim-signature; bh=sdaF8qREkYkB5csxYfyAu821rzAR90Mq4vm6siSgLrI=; b=osGwO5YM48bKe9RnpWknYFVcYqUcvuy88mI4QzLA4Ruzwg8mbABeyHKWVo+kPzw0fz/eT9 0L0Xn697Ee3qmfOfobWAzFUC2jbW9VsM8TT76C5+PXsBn5oZnqm0bOkP37ITvm4TkCS4Ft 4LvF6f+7LDjNq3hg2TQDvCah3MrbwGw= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=QoR9Uns6; spf=pass (imf12.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.43 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1676754963; a=rsa-sha256; cv=none; b=JYBGdDaRl9aUk69u8jGnH+p5kVsmR7tIS4JE9H+4xCxozj3dPmILYZotyd6zJlTYql5kMe aRHD9Qu3R0WU2W691bOOzp/HY4NnEdrGh4AXzVf1+RlqWyaT6zA1HuoK7TFZDhJyfS1vxp 5PgDXNlkh3208nBTzG231XU7bb7ZWHY= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1676754963; x=1708290963; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=taTLN9jgTVYTLY9Eitvg4bLvIT9+A18uF00hT2wXoJs=; b=QoR9Uns6+z59pdUqv/+4WzK2POjyoZYSbYZSEIzMXYVIgVdxKgfr4nLa 0ATaaH5/E/E5Pwo+tBlBtc5CqZwqJg5vSLFibe1ImEI9rX2YTVJ7yTLJB TPW6R+fcJ6AoTRin10+QiB8QKe5RFjbSaxDkPZ6brSXSYK2zmLKWrL3MD MYTsPxR6AT5ySAtLvsKhZ9XJ1+NsQfkHhYVa1j/VAA/tskjwcJQ5Ucllp Q0V++1QdXldAoNrwHQ/10M1/6JSm7mS78zs7e/fkRnETJAPtIBGwUJV1e 5YzI5MKSqjEOdOkQyLKcZT69v1e+jiDiJNdsSlmFBbc9WOyReLIzOKeRx Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10625"; a="418427144" X-IronPort-AV: E=Sophos;i="5.97,309,1669104000"; d="scan'208";a="418427144" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Feb 2023 13:15:59 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10625"; a="664241580" X-IronPort-AV: E=Sophos;i="5.97,309,1669104000"; d="scan'208";a="664241580" Received: from adityava-mobl1.amr.corp.intel.com (HELO rpedgeco-desk.amr.corp.intel.com) ([10.209.80.223]) by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Feb 2023 13:15:58 -0800 From: Rick Edgecombe To: x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , Weijiang Yang , "Kirill A . Shutemov" , John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu Subject: [PATCH v6 03/41] x86/cpufeatures: Add CPU feature flags for shadow stacks Date: Sat, 18 Feb 2023 13:13:55 -0800 Message-Id: <20230218211433.26859-4-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230218211433.26859-1-rick.p.edgecombe@intel.com> References: <20230218211433.26859-1-rick.p.edgecombe@intel.com> X-Rspam-User: X-Rspamd-Server: rspam03 X-Stat-Signature: docqf8ao54ni41uaq46c6iyxwqi1riw5 X-Rspamd-Queue-Id: 2D80040024 X-HE-Tag: 1676754962-681410 X-HE-Meta: U2FsdGVkX1+ljC4L44nR5xbMcw5uPhss+EIIoRRuFRUyzcdzaibLyuvdQjykOLBx+Udx8pfy6qzAqs44iGcWLyxaXZuNmxbAo+scoj/eC8wBHXy+a+RdeH0EfHx87ctBn3UNOPTrRUi8hz0SYqHuEIPDncF19o8y5oBw8vE0YDlEXdhOmkgKeemvT7takK7PUlQTnqVTItH9iNOCK274p64oK/Mix8kjqf9EFfGLlWWNcnHHrJEjWhYw7f3C2tVhA0cIksyQICI8NMjcUV0L6AVygvJ+aw3et8mPMbQdZmjOWvXnMJjE0LLJY/h38EyjplCxGe2/itOj1zixwpG8ShxWMkuTSpV6Nly8SxxQnvfSDbmsCdrsJ1KuguxNQkKCxVwCyZJtDc1PEneuN6ih4HqWD3HpLSYvUJ14PTdpOfK2v9MXNypqVv+TkgDGvdDhmR7ncFaArY4cyIQVyZHeZMr9k7QO24HwZciw9h3MUWOckLlMUxc12z2WnNFbJsupf8lRjtYqrofTkbBy9fr6nqdexzb/D0dQbAk5Me8c408mPzXYGXqozuYyxktMu1uZ84LLNG2oYyiIcdQn8qoilnmQdactMmZPvUBHbmherb2dyTtftUyRZ7wF0wiRFJFponInWu0YzGIovfia/nydpC2S5u+zPFvRS+rgs5OPj3SXL2amuVFQqsCH+u4wR/H+gn/xOpa1TTbO3JVSOlg+3swpYxTV71bohlJdLowe2nltOB3w/G+B6Sg3w5y5+188tDdRztYeELd65mtGPqeWqw1XcAFZyZdLlkIsl801CPrDGvt+Ze5WhMsKxIW/mPZLXVpvqATUoCPz0BAhZG8be2kwrEjIoPjofsSPR2yklMaKTDkiCmgIcTpH0lgnJHR9vYbT5ZVZjrSyXZyH0NaBaueHtogzY1vgFLqZSmOyABFkCLhF9aWcrke0AS8H9vTc9EgtwUg9Z5beGdfOZ57 TDaUoA6L dlCbp1yB0fCqEdbSqGM9ZpEmeeG6+glSkakuUBG4rVtsLB9f5pcjW2OS2W18bNYiKLMHzfHB8LNV3uhYW3EBNaAvhy5vn9sQs1txL8xNmLOUEaO7e+vglIzQBbjcxkJF7K4S9yXXsr5v9hqMcep75pHzgVOGMl4/z2JIcZOJKXAHtLBY1f/HFn6euR8v/KOji2mWYmEI2eyn3SdAIOOq4wAdh31QczIcF1E0s0Hfa+zJgLpOHprLgkCa/tTQxh5fdrJInhVCzGSK85lJlrmssncXuiw6zhhWZD+07 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Yu-cheng Yu The Control-Flow Enforcement Technology contains two related features, one of which is Shadow Stacks. Future patches will utilize this feature for shadow stack support in KVM, so add a CPU feature flags for Shadow Stacks (CPUID.(EAX=7,ECX=0):ECX[bit 7]). To protect shadow stack state from malicious modification, the registers are only accessible in supervisor mode. This implementation context-switches the registers with XSAVES. Make X86_FEATURE_SHSTK depend on XSAVES. The shadow stack feature, enumerated by the CPUID bit described above, encompasses both supervisor and userspace support for shadow stack. In near future patches, only userspace shadow stack will be enabled. In expectation of future supervisor shadow stack support, create a software CPU capability to enumerate kernel utilization of userspace shadow stack support. This user shadow stack bit should depend on the HW "shstk" capability and that logic will be implemented in future patches. Tested-by: Pengfei Xu Tested-by: John Allen Reviewed-by: Kees Cook Signed-off-by: Yu-cheng Yu Co-developed-by: Rick Edgecombe Signed-off-by: Rick Edgecombe Cc: Kees Cook --- v5: - Drop "shstk" from cpuinfo (Boris) - Remove capitalization on shadow stack (Boris) v3: - Add user specific shadow stack cpu cap (Andrew Cooper) - Drop reviewed-bys from Boris and Kees due to the above change. v2: - Remove IBT reference in commit log (Kees) - Describe xsaves dependency using text from (Dave) v1: - Remove IBT, can be added in a follow on IBT series. --- arch/x86/include/asm/cpufeatures.h | 2 ++ arch/x86/include/asm/disabled-features.h | 8 +++++++- arch/x86/kernel/cpu/cpuid-deps.c | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index fdb8e09234ba..af4178e0d76a 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -309,6 +309,7 @@ #define X86_FEATURE_MSR_TSX_CTRL (11*32+20) /* "" MSR IA32_TSX_CTRL (Intel) implemented */ #define X86_FEATURE_SMBA (11*32+21) /* "" Slow Memory Bandwidth Allocation */ #define X86_FEATURE_BMEC (11*32+22) /* "" Bandwidth Monitoring Event Configuration */ +#define X86_FEATURE_USER_SHSTK (11*32+23) /* Shadow stack support for user mode applications */ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ @@ -375,6 +376,7 @@ #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ #define X86_FEATURE_WAITPKG (16*32+ 5) /* UMONITOR/UMWAIT/TPAUSE Instructions */ #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* Additional AVX512 Vector Bit Manipulation Instructions */ +#define X86_FEATURE_SHSTK (16*32+ 7) /* "" Shadow stack */ #define X86_FEATURE_GFNI (16*32+ 8) /* Galois Field New Instructions */ #define X86_FEATURE_VAES (16*32+ 9) /* Vector AES */ #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* Carry-Less Multiplication Double Quadword */ diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h index 5dfa4fb76f4b..505f78ddca82 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -99,6 +99,12 @@ # define DISABLE_TDX_GUEST (1 << (X86_FEATURE_TDX_GUEST & 31)) #endif +#ifdef CONFIG_X86_USER_SHADOW_STACK +#define DISABLE_USER_SHSTK 0 +#else +#define DISABLE_USER_SHSTK (1 << (X86_FEATURE_USER_SHSTK & 31)) +#endif + /* * Make sure to add features to the correct mask */ @@ -114,7 +120,7 @@ #define DISABLED_MASK9 (DISABLE_SGX) #define DISABLED_MASK10 0 #define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET| \ - DISABLE_CALL_DEPTH_TRACKING) + DISABLE_CALL_DEPTH_TRACKING|DISABLE_USER_SHSTK) #define DISABLED_MASK12 0 #define DISABLED_MASK13 0 #define DISABLED_MASK14 0 diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c index f6748c8bd647..e462c1d3800a 100644 --- a/arch/x86/kernel/cpu/cpuid-deps.c +++ b/arch/x86/kernel/cpu/cpuid-deps.c @@ -81,6 +81,7 @@ static const struct cpuid_dep cpuid_deps[] = { { X86_FEATURE_XFD, X86_FEATURE_XSAVES }, { X86_FEATURE_XFD, X86_FEATURE_XGETBV1 }, { X86_FEATURE_AMX_TILE, X86_FEATURE_XFD }, + { X86_FEATURE_SHSTK, X86_FEATURE_XSAVES }, {} };