[v7,40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK

Message ID	20230227222957.24501-41-rick.p.edgecombe@intel.com (mailing list archive)
State	New
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com Cc: rick.p.edgecombe@intel.com, Mike Rapoport <rppt@linux.ibm.com> Subject: [PATCH v7 40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK Date: Mon, 27 Feb 2023 14:29:56 -0800 Message-Id: <20230227222957.24501-41-rick.p.edgecombe@intel.com> In-Reply-To: <20230227222957.24501-1-rick.p.edgecombe@intel.com> References: <20230227222957.24501-1-rick.p.edgecombe@intel.com> Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	Shadow stacks for userspace \| expand [v7,00/41] Shadow stacks for userspace [v7,01/41] Documentation/x86: Add CET shadow stack description [v7,02/41] x86/shstk: Add Kconfig option for shadow stack [v7,03/41] x86/cpufeatures: Add CPU feature flags for shadow stacks [v7,04/41] x86/cpufeatures: Enable CET CR4 bit for shadow stack [v7,05/41] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states [v7,06/41] x86/fpu: Add helper for modifying xstate [v7,07/41] x86: Move control protection handler to separate file [v7,08/41] x86/shstk: Add user control-protection fault handler [v7,09/41] x86/mm: Remove _PAGE_DIRTY from kernel RO pages [v7,10/41] x86/mm: Move pmd_write(), pud_write() up in the file [v7,11/41] mm: Introduce pte_mkwrite_kernel() [v7,12/41] s390/mm: Introduce pmd_mkwrite_kernel() [v7,13/41] mm: Make pte_mkwrite() take a VMA [v7,14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY [v7,15/41] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY [v7,16/41] x86/mm: Start actually marking _PAGE_SAVED_DIRTY [v7,17/41] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 [v7,18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory [v7,19/41] x86/mm: Check shadow stack page fault errors [v7,20/41] x86/mm: Teach pte_mkwrite() about stack memory [v7,21/41] mm: Add guard pages around a shadow stack. [v7,22/41] mm/mmap: Add shadow stack pages to memory accounting [v7,23/41] mm: Re-introduce vm_flags to do_mmap() [v7,24/41] mm: Don't allow write GUPs to shadow stack memory [v7,25/41] x86/mm: Introduce MAP_ABOVE4G [v7,26/41] mm: Warn on shadow stack memory in wrong vma [v7,27/41] x86/mm: Warn if create Write=0,Dirty=1 with raw prot [v7,28/41] x86: Introduce userspace API for shadow stack [v7,29/41] x86/shstk: Add user-mode shadow stack support [v7,30/41] x86/shstk: Handle thread shadow stack [v7,31/41] x86/shstk: Introduce routines modifying shstk [v7,32/41] x86/shstk: Handle signals for shadow stack [v7,33/41] x86/shstk: Introduce map_shadow_stack syscall [v7,34/41] x86/shstk: Support WRSS for userspace [v7,35/41] x86: Expose thread features in /proc/$PID/status [v7,36/41] x86/shstk: Wire in shadow stack interface [v7,37/41] selftests/x86: Add shadow stack test [v7,38/41] x86/fpu: Add helper for initing features [v7,39/41] x86: Add PTRACE interface for shadow stack [v7,40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK [v7,41/41] x86/shstk: Add ARCH_SHSTK_STATUS

Message ID

20230227222957.24501-41-rick.p.edgecombe@intel.com (mailing list archive)

State

New

Headers

From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org,
	"H . Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org,
	linux-mm@kvack.org,
	linux-arch@vger.kernel.org,
	linux-api@vger.kernel.org,
	Arnd Bergmann <arnd@arndb.de>,
	Andy Lutomirski <luto@kernel.org>,
	Balbir Singh <bsingharora@gmail.com>,
	Borislav Petkov <bp@alien8.de>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Eugene Syromiatnikov <esyr@redhat.com>,
	Florian Weimer <fweimer@redhat.com>,
	"H . J . Lu" <hjl.tools@gmail.com>,
	Jann Horn <jannh@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Nadav Amit <nadav.amit@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Pavel Machek <pavel@ucw.cz>,
	Peter Zijlstra <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Weijiang Yang <weijiang.yang@intel.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	John Allen <john.allen@amd.com>,
	kcc@google.com,
	eranian@google.com,
	rppt@kernel.org,
	jamorris@linux.microsoft.com,
	dethoma@microsoft.com,
	akpm@linux-foundation.org,
	Andrew.Cooper3@citrix.com,
	christina.schimpe@intel.com,
	david@redhat.com,
	debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com,
	Mike Rapoport <rppt@linux.ibm.com>
Subject: [PATCH v7 40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK
Date: Mon, 27 Feb 2023 14:29:56 -0800
Message-Id: <20230227222957.24501-41-rick.p.edgecombe@intel.com>
In-Reply-To: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

Shadow stacks for userspace | expand

Commit Message

Rick Edgecombe Feb. 27, 2023, 10:29 p.m. UTC

From: Mike Rapoport <rppt@linux.ibm.com>

Userspace loaders may lock features before a CRIU restore operation has
the chance to set them to whatever state is required by the process
being restored. Allow a way for CRIU to unlock features. Add it as an
arch_prctl() like the other shadow stack operations, but restrict it being
called by the ptrace arch_pctl() interface.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Kees Cook <keescook@chromium.org>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
[Merged into recent API changes, added commit log and docs]
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

---
v4:
 - Add to docs that it is ptrace only.
 - Remove "CET" references

v3:
 - Depend on CONFIG_CHECKPOINT_RESTORE (Kees)
---
 Documentation/x86/shstk.rst       | 4 ++++
 arch/x86/include/uapi/asm/prctl.h | 1 +
 arch/x86/kernel/process_64.c      | 1 +
 arch/x86/kernel/shstk.c           | 9 +++++++--
 4 files changed, 13 insertions(+), 2 deletions(-)

Comments

Borislav Petkov March 11, 2023, 3:11 p.m. UTC | #1

On Mon, Feb 27, 2023 at 02:29:56PM -0800, Rick Edgecombe wrote:
> From: Mike Rapoport <rppt@linux.ibm.com>
> 
> Userspace loaders may lock features before a CRIU restore operation has
> the chance to set them to whatever state is required by the process
> being restored. Allow a way for CRIU to unlock features. Add it as an
> arch_prctl() like the other shadow stack operations, but restrict it being
> called by the ptrace arch_pctl() interface.
> 
> Tested-by: Pengfei Xu <pengfei.xu@intel.com>
> Tested-by: John Allen <john.allen@amd.com>
> Tested-by: Kees Cook <keescook@chromium.org>
> Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>

That tag is kinda implicit here. Unless he doesn't ACK his own patch.
:-P

> Reviewed-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
> [Merged into recent API changes, added commit log and docs]
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

...

> diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
> index 2faf9b45ac72..3197ff824809 100644
> --- a/arch/x86/kernel/shstk.c
> +++ b/arch/x86/kernel/shstk.c
> @@ -451,9 +451,14 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long features)
>  		return 0;
>  	}
>  
> -	/* Don't allow via ptrace */
> -	if (task != current)
> +	/* Only allow via ptrace */
> +	if (task != current) {

Is that the only case? task != current means ptrace and there's no other
way to do this from userspace?

Isn't there some flag which says that task is ptraced? I think we should
check that one too...

Rick Edgecombe March 13, 2023, 3:04 a.m. UTC | #2

On Sat, 2023-03-11 at 16:11 +0100, Borislav Petkov wrote:
> On Mon, Feb 27, 2023 at 02:29:56PM -0800, Rick Edgecombe wrote:
> > From: Mike Rapoport <rppt@linux.ibm.com>
> > 
> > Userspace loaders may lock features before a CRIU restore operation
> > has
> > the chance to set them to whatever state is required by the process
> > being restored. Allow a way for CRIU to unlock features. Add it as
> > an
> > arch_prctl() like the other shadow stack operations, but restrict
> > it being
> > called by the ptrace arch_pctl() interface.
> > 
> > Tested-by: Pengfei Xu <pengfei.xu@intel.com>
> > Tested-by: John Allen <john.allen@amd.com>
> > Tested-by: Kees Cook <keescook@chromium.org>
> > Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
> 
> That tag is kinda implicit here. Unless he doesn't ACK his own patch.
> :-P

Uhh, right. This was me mindlessly adding his ack to all the patches in
the series.

> 
> > Reviewed-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
> > [Merged into recent API changes, added commit log and docs]
> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> 
> ...
> 
> > diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
> > index 2faf9b45ac72..3197ff824809 100644
> > --- a/arch/x86/kernel/shstk.c
> > +++ b/arch/x86/kernel/shstk.c
> > @@ -451,9 +451,14 @@ long shstk_prctl(struct task_struct *task, int
> > option, unsigned long features)
> >                return 0;
> >        }
> >   
> > -     /* Don't allow via ptrace */
> > -     if (task != current)
> > +     /* Only allow via ptrace */
> > +     if (task != current) {
> 
> Is that the only case? task != current means ptrace and there's no
> other
> way to do this from userspace?

Not that I could see...

> 
> Isn't there some flag which says that task is ptraced? I think we
> should
> check that one too...

This is how the other arch_prctl()s handle it (if they do handle it,
some don't). So I would think it would be nice to keep all the logic
the same.

I guess the flag might work based on the assumption that if the task is
being ptraced, the arch_prctl() couldn't be coming from anywhere else.
Maybe it should get a nicely named helper that they could all use and
whatever best logic could be commented.

Would this maybe be better as a future cleanup that did the change for
them all?

Borislav Petkov March 13, 2023, 11:05 a.m. UTC | #3

On Mon, Mar 13, 2023 at 03:04:10AM +0000, Edgecombe, Rick P wrote:
> This is how the other arch_prctl()s handle it (if they do handle it,
> some don't). So I would think it would be nice to keep all the logic
> the same.
> 
> I guess the flag might work based on the assumption that if the task is
> being ptraced, the arch_prctl() couldn't be coming from anywhere else.
> Maybe it should get a nicely named helper that they could all use and
> whatever best logic could be commented.
> 
> Would this maybe be better as a future cleanup that did the change for
> them all?

Yeah, I'm just being overly paranoid.

Because if there's another way to unlock that feature, then this whole
"overhead" we're doing is for nothing.

diff --git a/Documentation/x86/shstk.rst b/Documentation/x86/shstk.rst
index f2e6f323cf68..e8ed5fc0f7ae 100644
--- a/Documentation/x86/shstk.rst
+++ b/Documentation/x86/shstk.rst
@@ -73,6 +73,10 @@  arch_prctl(ARCH_SHSTK_LOCK, unsigned long features)
     are ignored. The mask is ORed with the existing value. So any feature bits
     set here cannot be enabled or disabled afterwards.
 
+arch_prctl(ARCH_SHSTK_UNLOCK, unsigned long features)
+    Unlock features. 'features' is a mask of all features to unlock. All
+    bits set are processed, unset bits are ignored. Only works via ptrace.
+
 The return values are as follows. On success, return 0. On error, errno can
 be::
 
diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
index e31495668056..200efbbe5809 100644
--- a/arch/x86/include/uapi/asm/prctl.h
+++ b/arch/x86/include/uapi/asm/prctl.h
@@ -25,6 +25,7 @@ 
 #define ARCH_SHSTK_ENABLE		0x5001
 #define ARCH_SHSTK_DISABLE		0x5002
 #define ARCH_SHSTK_LOCK			0x5003
+#define ARCH_SHSTK_UNLOCK		0x5004
 
 /* ARCH_SHSTK_ features bits */
 #define ARCH_SHSTK_SHSTK		(1ULL <<  0)
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 71094c8a305f..d368854fa9c4 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -835,6 +835,7 @@  long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
 	case ARCH_SHSTK_ENABLE:
 	case ARCH_SHSTK_DISABLE:
 	case ARCH_SHSTK_LOCK:
+	case ARCH_SHSTK_UNLOCK:
 		return shstk_prctl(task, option, arg2);
 	default:
 		ret = -EINVAL;
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 2faf9b45ac72..3197ff824809 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -451,9 +451,14 @@  long shstk_prctl(struct task_struct *task, int option, unsigned long features)
 		return 0;
 	}
 
-	/* Don't allow via ptrace */
-	if (task != current)
+	/* Only allow via ptrace */
+	if (task != current) {
+		if (option == ARCH_SHSTK_UNLOCK && IS_ENABLED(CONFIG_CHECKPOINT_RESTORE)) {
+			task->thread.features_locked &= ~features;
+			return 0;
+		}
 		return -EINVAL;
+	}
 
 	/* Do not allow to change locked features */
 	if (features & task->thread.features_locked)

[v7,40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK

Commit Message

Comments

Patch