From patchwork Tue Jun 13 00:10:34 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 13277724
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com, torvalds@linux-foundation.org, broonie@kernel.org
Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu, Pengfei Xu
Subject: [PATCH v9 08/42] x86/cpufeatures: Add CPU feature flags for shadow stacks
Date: Mon, 12 Jun 2023 17:10:34 -0700
Message-Id: <20230613001108.3040476-9-rick.p.edgecombe@intel.com>
In-Reply-To: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>
References: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>

The Control-Flow Enforcement Technology contains two related features, one of which is Shadow Stacks. Future patches will utilize this feature for shadow stack support in KVM, so add a CPU feature flag for Shadow Stacks (CPUID.(EAX=7,ECX=0):ECX[bit 7]).

To protect shadow stack state from malicious modification, the registers are only accessible in supervisor mode. This implementation context-switches the registers with XSAVES.
Make X86_FEATURE_SHSTK depend on XSAVES. The shadow stack feature, enumerated by the CPUID bit described above, encompasses both supervisor and userspace support for shadow stack. In near future patches, only userspace shadow stack will be enabled. In expectation of future supervisor shadow stack support, create a software CPU capability to enumerate kernel utilization of userspace shadow stack support. This user shadow stack bit should depend on the HW "shstk" capability and that logic will be implemented in future patches. Co-developed-by: Yu-cheng Yu Signed-off-by: Yu-cheng Yu Signed-off-by: Rick Edgecombe Reviewed-by: Borislav Petkov (AMD) Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook --- arch/x86/include/asm/cpufeatures.h | 2 ++ arch/x86/include/asm/disabled-features.h | 8 +++++++- arch/x86/kernel/cpu/cpuid-deps.c | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index cb8ca46213be..d7215c8b7923 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -308,6 +308,7 @@ #define X86_FEATURE_MSR_TSX_CTRL (11*32+20) /* "" MSR IA32_TSX_CTRL (Intel) implemented */ #define X86_FEATURE_SMBA (11*32+21) /* "" Slow Memory Bandwidth Allocation */ #define X86_FEATURE_BMEC (11*32+22) /* "" Bandwidth Monitoring Event Configuration */ +#define X86_FEATURE_USER_SHSTK (11*32+23) /* Shadow stack support for user mode applications */ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ 
@@ -380,6 +381,7 @@ #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ #define X86_FEATURE_WAITPKG (16*32+ 5) /* UMONITOR/UMWAIT/TPAUSE Instructions */ #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* Additional AVX512 Vector Bit Manipulation Instructions */ +#define X86_FEATURE_SHSTK (16*32+ 7) /* "" Shadow stack */ #define X86_FEATURE_GFNI (16*32+ 8) /* Galois Field New Instructions */ #define X86_FEATURE_VAES (16*32+ 9) /* Vector AES */ #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* Carry-Less Multiplication Double Quadword */ diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h index fafe9be7a6f4..b9c7eae2e70f 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -105,6 +105,12 @@ # define DISABLE_TDX_GUEST (1 << (X86_FEATURE_TDX_GUEST & 31)) #endif +#ifdef CONFIG_X86_USER_SHADOW_STACK +#define DISABLE_USER_SHSTK 0 +#else +#define DISABLE_USER_SHSTK (1 << (X86_FEATURE_USER_SHSTK & 31)) +#endif + /* * Make sure to add features to the correct mask */ @@ -120,7 +126,7 @@ #define DISABLED_MASK9 (DISABLE_SGX) #define DISABLED_MASK10 0 #define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET| \ - DISABLE_CALL_DEPTH_TRACKING) + DISABLE_CALL_DEPTH_TRACKING|DISABLE_USER_SHSTK) #define DISABLED_MASK12 (DISABLE_LAM) #define DISABLED_MASK13 0 #define DISABLED_MASK14 0 diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c index f6748c8bd647..e462c1d3800a 100644 --- a/arch/x86/kernel/cpu/cpuid-deps.c +++ b/arch/x86/kernel/cpu/cpuid-deps.c @@ -81,6 +81,7 @@ static const struct cpuid_dep cpuid_deps[] = { { X86_FEATURE_XFD, X86_FEATURE_XSAVES }, { X86_FEATURE_XFD, X86_FEATURE_XGETBV1 }, { X86_FEATURE_AMX_TILE, X86_FEATURE_XFD }, + { X86_FEATURE_SHSTK, X86_FEATURE_XSAVES }, {} };
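Review bot: In the first cpufeatures.h hunk, the comment on X86_FEATURE_USER_SHSTK has no leading "" while the neighbouring word-11 entries and the new X86_FEATURE_SHSTK define both carry it, so the software bit will be listed in /proc/cpuinfo and the hardware bit will not. The commit message does not say that this asymmetry is intended; one sentence stating that "user_shstk" is the user-visible flag and that the raw CPUID bit is deliberately hidden would save the next reader from wondering whether the "" was dropped by mistake.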
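Review bot: In the disabled-features.h hunk at -105, the #ifdef tests CONFIG_X86_USER_SHADOW_STACK, but none of the three files in this patch's diffstat defines that symbol, so at this point in the series the #else branch is always taken and DISABLE_USER_SHSTK is always set in DISABLED_MASK11. That is a safe default, but the commit message should name the later patch that introduces the Kconfig option so that anyone bisecting or backporting a subset knows the feature stays compiled out until then.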
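Review bot: The cpuid-deps.c hunk adds only { X86_FEATURE_SHSTK, X86_FEATURE_XSAVES }, with no entry tying X86_FEATURE_USER_SHSTK to X86_FEATURE_SHSTK. The commit message says the user bit "should depend on the HW shstk capability" and defers that logic to future patches, which leaves a window in the series where clearing XSAVES clears SHSTK through this table but would not touch USER_SHSTK. Either add { X86_FEATURE_USER_SHSTK, X86_FEATURE_SHSTK } here, or add a short comment above the new entry saying where the software bit's dependency is enforced.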