From patchwork Mon Feb 27 22:29:34 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Rick Edgecombe <rick.p.edgecombe@intel.com>
X-Patchwork-Id: 13154247
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6170FC64ED8
	for <linux-mm@archiver.kernel.org>; Mon, 27 Feb 2023 22:31:57 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 86E3F6B0098; Mon, 27 Feb 2023 17:31:47 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 70A506B008C; Mon, 27 Feb 2023 17:31:47 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 4EAC86B0096; Mon, 27 Feb 2023 17:31:47 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com
 [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id 3D72A6B0093
	for <linux-mm@kvack.org>; Mon, 27 Feb 2023 17:31:47 -0500 (EST)
Received: from smtpin15.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay05.hostedemail.com (Postfix) with ESMTP id 14AC540A3E
	for <linux-mm@kvack.org>; Mon, 27 Feb 2023 22:31:47 +0000 (UTC)
X-FDA: 80514520254.15.8196269
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136])
	by imf07.hostedemail.com (Postfix) with ESMTP id 14AB240012
	for <linux-mm@kvack.org>; Mon, 27 Feb 2023 22:31:44 +0000 (UTC)
Authentication-Results: imf07.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=ftZK3VjD;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf07.hostedemail.com: domain of rick.p.edgecombe@intel.com
 designates 192.55.52.136 as permitted sender)
 smtp.mailfrom=rick.p.edgecombe@intel.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1677537105;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:content-type:
	 content-transfer-encoding:in-reply-to:in-reply-to:
	 references:references:dkim-signature;
	bh=wceL11ZZ0s1oZMAkJv9xADmkIBB3swH4yWQ/WScjmXo=;
	b=6LcRb1zafXLbIKdWglSqWCRUONK2PKx83iWVMM18TErQ316nN+3Cl2MR7ndABtefuR66JC
	FpNuGYRxxFriX+NR0Hvwt/3dCifZURmP6Uov+NnsnUVEqsllcQJs7m2wzn39+YYcy04XPb
	VtkgEFlbAz+2Ad7jf2LxrmZMCUtsOVI=
ARC-Authentication-Results: i=1;
	imf07.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=ftZK3VjD;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf07.hostedemail.com: domain of rick.p.edgecombe@intel.com
 designates 192.55.52.136 as permitted sender)
 smtp.mailfrom=rick.p.edgecombe@intel.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1677537105; a=rsa-sha256;
	cv=none;
	b=DvEla1ZWntNFOw1uOInq3aHqQ3NYIJDiMXr+LWDu9jmSQrSB+9SgzogJ0s1hyXZ89OcMLU
	WuYgBGl1sqVxAUNb6EcT1sHF0mD5WPIIV9quNQPxEgFvGuEDpxC9Vsvpq6UUldUEZVsLkw
	ENZU7jmKdfbDHdCdSFtrM20KARbqYeE=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1677537105; x=1709073105;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references;
  bh=9ua4eoVpPkNNqQnm/7DlucqvtoyDtbjdtgZW9gHkRAo=;
  b=ftZK3VjDUU/ccOTrMcU5/bedxgGIQDCx9nQNey6lztLzyz1D4jDL+dSW
   T/1MyPJlpApUjsenOSEZR6iAaTh9Q0G4TXVz2b1CN3WdRzb6lfDaXjNps
   UOh8NTyxJcjYDpL2FNFqvZP5DzbHsz4CpWXV0OYzmcQCejCTIZB8qL2cG
   NlV/0lXQu1D7kPk0Gdb+xObD3HVJCjvOkM6DCxKLAInlEtbGCdR7hP+s0
   RqocO8VszTvB/gbHg0v/Dcpm7hCSaVmgFSTJ7tiQcrglm4fqFBhMCqP7x
   75CJs1hip1LGP1C6dct4mJtKySbUflhqWcjjDxv4LogRmf+EFyTvPtq7i
   g==;
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="313657454"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400";
   d="scan'208";a="313657454"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 27 Feb 2023 14:31:24 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="848024595"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400";
   d="scan'208";a="848024595"
Received: from leonqu-mobl1.amr.corp.intel.com (HELO
 rpedgeco-desk.amr.corp.intel.com) ([10.209.72.19])
  by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 27 Feb 2023 14:31:20 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org,
	"H . Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org,
	linux-mm@kvack.org,
	linux-arch@vger.kernel.org,
	linux-api@vger.kernel.org,
	Arnd Bergmann <arnd@arndb.de>,
	Andy Lutomirski <luto@kernel.org>,
	Balbir Singh <bsingharora@gmail.com>,
	Borislav Petkov <bp@alien8.de>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Eugene Syromiatnikov <esyr@redhat.com>,
	Florian Weimer <fweimer@redhat.com>,
	"H . J . Lu" <hjl.tools@gmail.com>,
	Jann Horn <jannh@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Nadav Amit <nadav.amit@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Pavel Machek <pavel@ucw.cz>,
	Peter Zijlstra <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Weijiang Yang <weijiang.yang@intel.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	John Allen <john.allen@amd.com>,
	kcc@google.com,
	eranian@google.com,
	rppt@kernel.org,
	jamorris@linux.microsoft.com,
	dethoma@microsoft.com,
	akpm@linux-foundation.org,
	Andrew.Cooper3@citrix.com,
	christina.schimpe@intel.com,
	david@redhat.com,
	debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com,
	Yu-cheng Yu <yu-cheng.yu@intel.com>
Subject: [PATCH v7 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack
 memory
Date: Mon, 27 Feb 2023 14:29:34 -0800
Message-Id: <20230227222957.24501-19-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
X-Rspam-User: 
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 14AB240012
X-Stat-Signature: dygjpzmbifmugn5fhxthp3xnfyqjs6p8
X-HE-Tag: 1677537104-433197
X-HE-Meta: 
 U2FsdGVkX1/CneG0Rl2zbyTGlv7R10p0pzdlaeZiZ8VThbBnf4020kZ7uWb75yJvErFbIYxnTw1rLiqdAuoyBxPXpkKgevvtu0GR6FTA06k/Vdbp/G7b+ovkVCMdXB8vMvcW3h1o3kNQErhax8M/G+uwUsRwlqyPdppJMBveWzDrbSBT/H1ecxdKCgzHg6snUK9xL71zD3IB3V0x5GxhcisFQaVz2aKxIcrVJu86BsBxBgFg8+wWVnsE95dlhc19PVk5CM3qJDlkSQlMxGqZtMX26ZBCs6ZmPxtCKzRd/Lc7yW8zGGMgXufw2vB8lZN+zICKKJUnBd2dqxFYyYvpxQeD7l6yS2KeFPSL6q0UsNEL+hfieeuNTU+Zs1kC0vMGmZ45qPC+a9av2/+mDpHZyjcEVZgfbQ83EeC4jFP56aHgxV3b8cApO8FuD3c26zB0n2mOiG9/vN9119wlPkmf7mpXsHhmooI/1zD6iiuQ9F9qrzrm6YGG8Wmw9NW46uNtR8GLMeciclxNSxUrL7YGfkBDMX1WH5AldlH1kEz6gh/S7wun8gksZbi5q+27zItE+maycAaC92ATKqKsmnd67etMHp3WK0Mb+lJCi/904e95frVkBMrcauDM2ARYgQtV+QWsoq/F63WJetiZUCXt7oUt9MVA7xqMSQHzCWBUsUT1Jmq6LHvF5sPQapyK/gW6Sk86u5i5WQf/jGmzwhdn/69k310XssaYX2xlAjeybyKTkfgkfhAeWXWItqhtSHYeWnAkPiKdbnANT+07lrjHo22bwh4YZ95diRLdw7ZgofLmovcxZ3NSFqMKl8vi/+OHOEfPzXdkujqOb8JJHfKE9Kj7/ZCXagunadG0lT99925R9YWSlvLvEgZWV8iEu42Ebblw+2WxQUrxR8fqDfrnRQ3S+qfZHnLAF8cmHtHajfgz7j8gIlon0guw+iAl46XcKmMhCA2YqFLZ10KTgUa
 GzfWfvUV
 yia1nH/GJ/mKLXAhC6Ik+qvP2vYgxRogbRzl88BEjXh4dk+dx2wuQNyZwxZ0b/GC+nXev7eni8wfFI13DPgOG8mKomyhDQ9AuWVmGsRGBl7c3y5HI8aktaSnPWIL9R0+XomZpDbQ0dU1g+uADz6egUeqq7wSiMGYPn+lGYtUJMY6UliSmahkFZAw0d/P0PaLcpDNolW7wNAKOarGmDUXdAWfqfiMMXlosBgq1W5G6mwoDkYxfn403XfcL1ejtuP2Dwwt+6pqu2GJmHxq0Ui0QpEr6PDuRFReBR8z/g3eT0Kvnll1T0WAdAthrTgqxbGj6JbsipmYagdxxC9HdO/TxcEQ+sRlILm4/rjTNJ/2r1vNBEBZ9wSovV5LgYHz+Fjr5003PLX7GcKtvl6U=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Yu-cheng Yu <yu-cheng.yu@intel.com>

New hardware extensions implement support for shadow stack memory, such
as x86 Control-flow Enforcement Technology (CET). Add a new VM flag to
identify these areas, for example, to be used to properly indicate shadow
stack PTEs to the hardware.

Shadow stack VMA creation will be tightly controlled and limited to
anonymous memory to make the implementation simpler and since that is all
that is required. The solution will rely on pte_mkwrite() to create the
shadow stack PTEs, so it will not be required for vm_get_page_prot() to
learn how to create shadow stack memory. For this reason document that
VM_SHADOW_STACK should not be mixed with VM_SHARED.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Kees Cook <keescook@chromium.org>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Kees Cook <keescook@chromium.org>
---
v7:
 - Use lightly edited commit log verbiage from (David Hildenbrand)
 - Add explanation for VM_SHARED limitation (David Hildenbrand)

v6:
 - Add comment about VM_SHADOW_STACK not being allowed with VM_SHARED
   (David Hildenbrand)

v3:
 - Drop arch specific change in arch_vma_name(). The memory can show as
   anonymous (Kirill)
 - Change CONFIG_ARCH_HAS_SHADOW_STACK to CONFIG_X86_USER_SHADOW_STACK
   in show_smap_vma_flags() (Boris)
---
 Documentation/filesystems/proc.rst | 1 +
 fs/proc/task_mmu.c                 | 3 +++
 include/linux/mm.h                 | 8 ++++++++
 3 files changed, 12 insertions(+)

diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
index 9d5fd9424e8b..8b314df7ccdf 100644
--- a/Documentation/filesystems/proc.rst
+++ b/Documentation/filesystems/proc.rst
@@ -564,6 +564,7 @@ encoded manner. The codes are the following:
     mt    arm64 MTE allocation tags are enabled
     um    userfaultfd missing tracking
     uw    userfaultfd wr-protect tracking
+    ss    shadow stack page
     ==    =======================================
 
 Note that there is no guarantee that every flag and associated mnemonic will
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 6a96e1713fd5..324b092c2ac9 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -711,6 +711,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma)
 #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR
 		[ilog2(VM_UFFD_MINOR)]	= "ui",
 #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */
+#ifdef CONFIG_X86_USER_SHADOW_STACK
+		[ilog2(VM_SHADOW_STACK)] = "ss",
+#endif
 	};
 	size_t i;
 
diff --git a/include/linux/mm.h b/include/linux/mm.h
index a1b31caae013..097544afb1aa 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -326,11 +326,13 @@ extern unsigned int kobjsize(const void *objp);
 #define VM_HIGH_ARCH_BIT_2	34	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_BIT_3	35	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_BIT_4	36	/* bit only usable on 64-bit architectures */
+#define VM_HIGH_ARCH_BIT_5	37	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_0	BIT(VM_HIGH_ARCH_BIT_0)
 #define VM_HIGH_ARCH_1	BIT(VM_HIGH_ARCH_BIT_1)
 #define VM_HIGH_ARCH_2	BIT(VM_HIGH_ARCH_BIT_2)
 #define VM_HIGH_ARCH_3	BIT(VM_HIGH_ARCH_BIT_3)
 #define VM_HIGH_ARCH_4	BIT(VM_HIGH_ARCH_BIT_4)
+#define VM_HIGH_ARCH_5	BIT(VM_HIGH_ARCH_BIT_5)
 #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */
 
 #ifdef CONFIG_ARCH_HAS_PKEYS
@@ -346,6 +348,12 @@ extern unsigned int kobjsize(const void *objp);
 #endif
 #endif /* CONFIG_ARCH_HAS_PKEYS */
 
+#ifdef CONFIG_X86_USER_SHADOW_STACK
+# define VM_SHADOW_STACK	VM_HIGH_ARCH_5 /* Should not be set with VM_SHARED */
+#else
+# define VM_SHADOW_STACK	VM_NONE
+#endif
+
 #if defined(CONFIG_X86)
 # define VM_PAT		VM_ARCH_1	/* PAT reserves whole VMA at once (x86) */
 #elif defined(CONFIG_PPC)