From patchwork Tue Jun 13 00:11:01 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 13277750
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com, torvalds@linux-foundation.org, broonie@kernel.org
Cc: rick.p.edgecombe@intel.com, Pengfei Xu
Subject: [PATCH v9 35/42] x86/shstk: Support WRSS for userspace
Date: Mon, 12 Jun 2023 17:11:01 -0700
Message-Id: <20230613001108.3040476-36-rick.p.edgecombe@intel.com>
In-Reply-To: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>
References: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>

For the current shadow stack implementation, shadow stacks contents can't easily be provisioned with arbitrary data. This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security.

The x86 shadow stack feature introduces a new instruction, WRSS, which can be enabled to write directly to shadow stack memory from userspace. Allow it to get enabled via the prctl interface.

Only enable the userspace WRSS instruction, which allows writes to userspace shadow stacks from userspace. Do not allow it to be enabled independently of shadow stack, as HW does not support using WRSS when shadow stack is disabled.

From a fault handler perspective, WRSS will behave very similar to WRUSS, which is treated like a user access from a #PF err code perspective.

Signed-off-by: Rick Edgecombe
Reviewed-by: Borislav Petkov (AMD)
Reviewed-by: Kees Cook
Acked-by: Mike Rapoport (IBM)
Tested-by: Pengfei Xu
Tested-by: John Allen
Tested-by: Kees Cook
--- arch/x86/include/uapi/asm/prctl.h | 1 + arch/x86/kernel/shstk.c | 43 ++++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index 6a8e0e1bff4a..eedfde3b63be 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -36,5 +36,6 @@ /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) +#define ARCH_SHSTK_WRSS (1ULL << 1) #endif /* _ASM_X86_PRCTL_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 04c37b33a625..ea0bf113f9cf 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c 
@@ -390,6 +390,47 @@ void shstk_free(struct task_struct *tsk) unmap_shadow_stack(shstk->base, shstk->size); } +static int wrss_control(bool enable) +{ + u64 msrval; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + /* + * Only enable WRSS if shadow stack is enabled. If shadow stack is not + * enabled, WRSS will already be disabled, so don't bother clearing it + * when disabling. + */ + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return -EPERM; + + /* Already enabled/disabled? */ + if (features_enabled(ARCH_SHSTK_WRSS) == enable) + return 0; + + fpregs_lock_and_load(); + rdmsrl(MSR_IA32_U_CET, msrval); + + if (enable) { + features_set(ARCH_SHSTK_WRSS); + msrval |= CET_WRSS_EN; + } else { + features_clr(ARCH_SHSTK_WRSS); + if (!(msrval & CET_WRSS_EN)) + goto unlock; + + msrval &= ~CET_WRSS_EN; + } + + wrmsrl(MSR_IA32_U_CET, msrval); + +unlock: + fpregs_unlock(); + + return 0; +} + static int shstk_disable(void) { if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) @@ -406,7 +447,7 @@ static int shstk_disable(void) fpregs_unlock(); shstk_free(current); - features_clr(ARCH_SHSTK_SHSTK); + features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS); return 0; }
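
Review bot: the new ARCH_SHSTK_WRSS define in arch/x86/include/uapi/asm/prctl.h is a UAPI bit with no comment saying it is only valid while ARCH_SHSTK_SHSTK is enabled. The commit message states that WRSS cannot be enabled independently of shadow stack, and wrss_control() returns -EPERM in that case, so a one-line comment next to the define (or in the shadow stack documentation) would keep userspace authors from having to discover the dependency through an error code.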
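
Review bot: in wrss_control(), the comment above the features_enabled(ARCH_SHSTK_SHSTK) check says not to bother clearing WRSS when disabling, but the code returns -EPERM for enable == false as well, so a disable request made while shadow stack is off is reported as a failure rather than treated as a no-op. Either return 0 for the disable case or reword the comment to say the error is intended. Separately, "features_enabled(ARCH_SHSTK_WRSS) == enable" is only correct if features_enabled() returns bool; if it returned the masked bits, bit 1 would compare unequal to true, so it is worth checking against the definition, which is not in this diff. The function is also static with no caller in these hunks, although the commit message says it is reachable through the prctl interface; if the caller lands in a later patch, the changelog should say so.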
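
Review bot: in shstk_disable(), ARCH_SHSTK_WRSS is now cleared from the feature flags together with ARCH_SHSTK_SHSTK, but the lines shown here do not touch CET_WRSS_EN in MSR_IA32_U_CET the way the disable branch of wrss_control() does. If the MSR write earlier in this function (above the visible context) already clears that bit, a short comment saying so would make it clear that the software flag and the hardware state cannot diverge; if it does not, the bit needs clearing before fpregs_unlock().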