From patchwork Sun Jul 16 21:51:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Brown X-Patchwork-Id: 13314965 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23216C001DE for ; Sun, 16 Jul 2023 21:56:20 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B0E1A8D000B; Sun, 16 Jul 2023 17:56:19 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id ABE6C8D0001; Sun, 16 Jul 2023 17:56:19 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 95EE28D000B; Sun, 16 Jul 2023 17:56:19 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 86DDA8D0001 for ; Sun, 16 Jul 2023 17:56:19 -0400 (EDT) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 5E05F1A01B1 for ; Sun, 16 Jul 2023 21:56:19 +0000 (UTC) X-FDA: 81018834078.30.A59A228 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf28.hostedemail.com (Postfix) with ESMTP id 7705EC000E for ; Sun, 16 Jul 2023 21:56:17 +0000 (UTC) Authentication-Results: imf28.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=OGFccAln; dmarc=pass (policy=none) header.from=kernel.org; spf=pass (imf28.hostedemail.com: domain of broonie@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=broonie@kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1689544577; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=yOKu/8lDcTLOtIpWAKP9YRxTYZJtKZhwO6Lv+R5SvSU=; b=GC3ZrWHncgT8xffWzFqp4yc8Tuaxcutc1B3A7GEve1C+/vEF82eWBgRe7KIXkoz6IbtaeK 4le4ADG6ao8Pve9xfHgd5fE7F+uvrUuFskxuNHCcoGHMHN72TU9kyxwhu7AuViJwR80DRN VJud36x3xEOnYcZO/JqLn9KLAH0XoZo= ARC-Authentication-Results: i=1; imf28.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=OGFccAln; dmarc=pass (policy=none) header.from=kernel.org; spf=pass (imf28.hostedemail.com: domain of broonie@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=broonie@kernel.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1689544577; a=rsa-sha256; cv=none; b=8bMHbd29DbERHJfkIu8wOonctAwiq11G3THvJHEx65B1P0XhZEdx/bXEMDBFxOTsIQvuaT k5UO/GAY+zlDC3xzSJ6a75tLi0B+3fgiSKqRPrDcaLXpUeRTvgmKuAV6c3boqblt2ipoI7 oS+6U/7ZHF1DhqVm9VFvY6b9Yj8UXkA= Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B861E60EDF; Sun, 16 Jul 2023 21:56:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CA02DC433D9; Sun, 16 Jul 2023 21:56:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1689544576; bh=SiXcnz4ZnwfGze7/qmS4licirSO3Q/5KRYcvbUHs5Eg=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=OGFccAlnpu1fa6ZC9OGpFv8Zc4wgt8MoQn5TPY6tsVQqf1E3zZjXnDjkNJnXBJSIz lowuW2Fl8zvSqX6M9e4+37BqGMM+sKdLxZMDJ/aN7Z3WDc6Lt6FMEc4rcSXBEG3MIg boRyPeWz6NH5sxXf7z6Uabh+gz9H99WovpKcGGCvM1aDsMzTa4vJ0RDboNT+RVxWx1 W6XayBcZAjFPXnIjGF+9Jqk/X71sGpLqVj6XyYkcktym+HXvmzybfjf1JB7tn8BDSR tlgRs2A+hywcKDhYSvWuvY5OoshQulnvr/dG53s95hHW19Akml6hNXDThYqXQvKoXm 9G2o6gvStPQKQ== From: Mark Brown Date: Sun, 16 Jul 2023 22:51:29 +0100 Subject: [PATCH 33/35] kselftest/arm64: Add a GCS test program built with the system libc MIME-Version: 1.0 Message-Id: <20230716-arm64-gcs-v1-33-bf567f93bba6@kernel.org> References: <20230716-arm64-gcs-v1-0-bf567f93bba6@kernel.org> In-Reply-To: <20230716-arm64-gcs-v1-0-bf567f93bba6@kernel.org> To: Catalin Marinas , Will Deacon , Jonathan Corbet , Andrew Morton , Marc Zyngier , Oliver Upton , James Morse , Suzuki K Poulose , Arnd Bergmann , Oleg Nesterov , Eric Biederman , Kees Cook , Shuah Khan , "Rick P. Edgecombe" , Deepak Gupta , Ard Biesheuvel , Szabolcs Nagy Cc: "H.J. Lu" , Paul Walmsley , Palmer Dabbelt , Albert Ou , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Mark Brown X-Mailer: b4 0.13-dev-099c9 X-Developer-Signature: v=1; a=openpgp-sha256; l=7954; i=broonie@kernel.org; h=from:subject:message-id; bh=SiXcnz4ZnwfGze7/qmS4licirSO3Q/5KRYcvbUHs5Eg=; b=owEBbQGS/pANAwAKASTWi3JdVIfQAcsmYgBktGapA4B+X8ht2nuBrVxjpIflYhHilWMB/OcQuIWG t40RyyaJATMEAAEKAB0WIQSt5miqZ1cYtZ/in+ok1otyXVSH0AUCZLRmqQAKCRAk1otyXVSH0FLiB/ 9E1U6uxsV0M6HJ/gTLErPHXG2euepXEA+By7UhFpjSnNkfZ5ypUK331CG/JqOa4CnRV8en6z/eB6xt IhLU+ZbUzW/Vele2XRVXBdRzzlN+8k+82+vnZ/HPV0b9XphWLfpjzjA1V+PX7SAG5JGGhQseQhhuKn WzjvCDgnv5dZlJ9yG6eXeQUS8/UYZKn6ILOI332XNT9Je7jXDFGjc+dzxcuyI/o6tOqF16TujCBgww lz1hAFA+5Ppra9Ax6ij0A6I4XOrUP4XIQtt6IYJNSMEE+DpcA+4RUn1DHptv/JmThUaGpQtCw84GGU BiI0pY7pvplp60AOdb9qImv0XEsGOZ X-Developer-Key: i=broonie@kernel.org; a=openpgp; fpr=3F2568AAC26998F9E813A1C5C3F436CA30F5D8EB X-Rspamd-Queue-Id: 7705EC000E X-Rspam-User: X-Rspamd-Server: rspam04 X-Stat-Signature: pjg7mrure6ja1ugr7jhy3694t8hh9jku X-HE-Tag: 1689544577-606805 X-HE-Meta: U2FsdGVkX1/epcJmgXNI4rKUiXCpfoggqfOM6X6RQrlwJQm7fkpHc13SDpIR/6J9gO7qn7cD1n304AG3/QuWKRAf7/5pV96UqOO+N4VFNjr9lkNuIKRI1fdcUEbNGlnWKssF1MSKCs3+YnEM1ghkNFCFEbAbY5oeOWOjbCNLcA7/PBaXKp04wFWk81S6DnyOpWR2/HWjdcV7WKqTqli6MtUtuFE7PzyPlePO/dSWtH2PKw6qX53Luntfs3SzyfrqSglfPeLB42tsoqFLS1oZkLLOOdm34ak20JsK4mfymWRcUtx5PGNnOZslOZv0D8VZti0X+RnQLmAvDWx0SxQLliotn0hpPumN7jXVV3DPfhAFSuFGEDUFazNope3UJ0c8DYHpE2S4MduYH8b7Bv7JEvBqPXdT8x+zWEnMGQS/M0dP4TecKUNDIUymcWs2CFRKRyzJ+yJZQw81dSgp/n0Mssb1WFnZnL8t66qpY5XwFpNU+g3FoQ7DP9ipSPvmgoD1ocImQ5Tm5z2VNqh++PFaUBX57rabCu3qLQBZONHtlYXkZcsyV5uVeYE+XmOXeCwgxt7aCJhAW0TC5Qm+qeQid4daO2FV35LISFf/NljSJqpebkbxCo5vWjyc79yRZSsUoTnAXgbAggDaW1EtFleeE4H8DUf+1HjcEM4S+p6ap6BLnOq7uVBX1VAt+xqUBYoxICLshykAMOiaZPnQTu5Nd9r9fJHflUT6L5ecbM+ooRBOKIgT/tF7ZcHcNO11sfcdU9QRwrRmSSQBCcAm00Lzr3arxCOBqbZlRWoxlUL9L7C+0Lp8HPKB7JDVmrv4T0z8c8/0bGwmiw6VDoz1rF4mEFK0m2ly/4NqNXUXvXjPkABn9h2im0skViN2G8LEO19QTn/sgphob5yohRe9nEzDiRovnf/m9FMDgBAHFHc+ubIrtO9yU3k2ojUxg3cW0RaTnOejWsKs9W7aln6hkQF MbREbEQk 2/YMLODPblW/JLHKW7r5kFNeXRGef9MQfJOBdmvRON22ccBRni4cUn+TH6yp+KmV2mt5+3M2LMLvwKUIyhtRofBJGgbuL47r25juauO5hFQs6ypdkew30bJgDdow/Rn9KUt9+wNVGWa0sWP5NSVaV7Ty87MVh7SUruqqTec9nDqK/AregkvvZ2M2ygtvu1lIvfOoMGcaKJERCnDn0owUUSFJ+kyCNxOLyhqlDzXhUEbDTfRYwHq9nfGRhQmdm7AkjW1tBW7019VLGrFWKTmRAB+5fQbJYaeOP+o4cRcFisQujkA6CLSvhlrANsa8Yi0fyp3vtJqvuG0lwesq3vjEy/ppk5KSvpynbO9DTGSX7y3eRgGlgVq62zQuXq3MwdWFYojrt/owSTHiLgSd1JDVYI4ZZA3zEbjs9669WyrGkYU8u6K0= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: There are things like threads which nolibc struggles with which we want to add coverage for, and the ABI allows us to test most of these even if libc itself does not understand GCS so add a test application built using the system libc. Signed-off-by: Mark Brown --- tools/testing/selftests/arm64/gcs/.gitignore | 1 + tools/testing/selftests/arm64/gcs/Makefile | 4 +- tools/testing/selftests/arm64/gcs/libc-gcs.c | 217 +++++++++++++++++++++++++++ 3 files changed, 221 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/arm64/gcs/.gitignore b/tools/testing/selftests/arm64/gcs/.gitignore index 0e5e695ecba5..5810c4a163d4 100644 --- a/tools/testing/selftests/arm64/gcs/.gitignore +++ b/tools/testing/selftests/arm64/gcs/.gitignore @@ -1 +1,2 @@ basic-gcs +libc-gcs diff --git a/tools/testing/selftests/arm64/gcs/Makefile b/tools/testing/selftests/arm64/gcs/Makefile index 322c40d25f2e..31fbd3a6bf27 100644 --- a/tools/testing/selftests/arm64/gcs/Makefile +++ b/tools/testing/selftests/arm64/gcs/Makefile @@ -6,7 +6,9 @@ # nolibc. # -TEST_GEN_PROGS := basic-gcs +TEST_GEN_PROGS := basic-gcs libc-gcs + +LDLIBS+=-lpthread include ../../lib.mk diff --git a/tools/testing/selftests/arm64/gcs/libc-gcs.c b/tools/testing/selftests/arm64/gcs/libc-gcs.c new file mode 100644 index 000000000000..7ac3c3a2da52 --- /dev/null +++ b/tools/testing/selftests/arm64/gcs/libc-gcs.c @@ -0,0 +1,217 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Copyright (C) 2023 ARM Limited. + */ + +#include +#include + +#include +#include + +#include + +#include "kselftest_harness.h" + +#include "gcs-util.h" + +#define my_syscall2(num, arg1, arg2) \ +({ \ + register long _num __asm__ ("x8") = (num); \ + register long _arg1 __asm__ ("x0") = (long)(arg1); \ + register long _arg2 __asm__ ("x1") = (long)(arg2); \ + register long _arg3 __asm__ ("x2") = 0; \ + register long _arg4 __asm__ ("x3") = 0; \ + register long _arg5 __asm__ ("x4") = 0; \ + \ + __asm__ volatile ( \ + "svc #0\n" \ + : "=r"(_arg1) \ + : "r"(_arg1), "r"(_arg2), \ + "r"(_arg3), "r"(_arg4), \ + "r"(_arg5), "r"(_num) \ + : "memory", "cc" \ + ); \ + _arg1; \ +}) + +static __attribute__((noinline)) void valid_gcs_function(void) +{ + /* Do something the compiler can't optimise out */ + prctl(PR_SVE_GET_VL); +} + +/* Smoke test that a function call and return works*/ +TEST(can_call_function) +{ + valid_gcs_function(); +} + +/* Smoke test that GCS is enabled in the current thread */ +TEST(gcs_locked) +{ + unsigned long gcs_mode; + int ret; + + ret = my_syscall2(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &gcs_mode); + ASSERT_EQ(ret, 0); + if (ret != 0) + return; + + /* We are locked, even a noop reconfiguration should fail */ + ret = my_syscall2(__NR_prctl, PR_SET_SHADOW_STACK_STATUS, gcs_mode); + ASSERT_NE(0, ret); +} + +static void *gcs_test_thread(void *arg) +{ + int ret; + unsigned long mode; + + /* + * Some libcs don't seem to fill unused arguments with 0 but + * the kernel validates this so we supply all 5 arguments. + */ + ret = prctl(PR_GET_SHADOW_STACK_STATUS, &mode, 0, 0, 0); + if (ret != 0) { + ksft_print_msg("PR_GET_SHADOW_STACK_STATUS failed: %d\n", ret); + return NULL; + } + + if (!(mode & PR_SHADOW_STACK_ENABLE)) { + ksft_print_msg("GCS not enabled in thread, mode is %u\n", + mode); + return NULL; + } + + /* Just in case... */ + valid_gcs_function(); + + /* Use a non-NULL value to indicate a pass */ + return &gcs_test_thread; +} + +/* Verify that if we start a new thread it has GCS enabled */ +TEST(gcs_enabled_thread) +{ + pthread_t thread; + void *thread_ret; + int ret; + + ret = pthread_create(&thread, NULL, gcs_test_thread, NULL); + ASSERT_TRUE(ret == 0); + if (ret != 0) + return; + + ret = pthread_join(thread, &thread_ret); + ASSERT_TRUE(ret == 0); + if (ret != 0) + return; + + ASSERT_TRUE(thread_ret != NULL); +} + +/* Read the GCS until we find the terminator */ +TEST(gcs_find_terminator) +{ + uint64_t *gcs, *cur; + + gcs = get_gcspr(); + cur = gcs; + while (*cur) + cur++; + + ksft_print_msg("GCS in use from %p-%p\n", gcs, cur); + + /* + * We should have at least whatever called into this test so + * the two pointer should differ. + */ + ASSERT_TRUE(gcs != cur); +} + +/* We can switch between stacks */ +TEST(switch_stacks) +{ + unsigned long orig_gcspr_el0, pivot_gcspr_el0; + unsigned long buf_base, buf_end; + int ret; + void *buf; + + buf = (void *)syscall(__NR_map_shadow_stack, 0, + sysconf(_SC_PAGE_SIZE), 0); + ASSERT_FALSE(buf == MAP_FAILED); + buf_base = (unsigned long)buf; + buf_end = buf_base + sysconf(_SC_PAGE_SIZE); + + /* Skip over the stack terminator and point at the cap */ + pivot_gcspr_el0 = buf_end - 16; + + ksft_print_msg("Mapped GCS at %p-%p\n", buf, buf_end); + + /* Pivot to the new GCS */ + ksft_print_msg("pivoting to %p from %p, target has value 0x%lx\n", + pivot_gcspr_el0, get_gcspr(), + *((unsigned long *)pivot_gcspr_el0)); + gcsss1(pivot_gcspr_el0); + orig_gcspr_el0 = gcsss2(); + ksft_print_msg("pivoted to %p from %p, target has value 0x%lx\n", + pivot_gcspr_el0, get_gcspr(), + *((uint64_t *)pivot_gcspr_el0)); + + /* New GCS must be in the new buffer */ + ASSERT_TRUE((unsigned long)get_gcspr() < buf_base); + ASSERT_TRUE((unsigned long)get_gcspr() > buf_end); + + /* Make sure we can still do calls */ + valid_gcs_function(); + ksft_print_msg("Pivoted to %p\n", get_gcspr()); + + /* Pivot back to the original GCS */ + gcsss1(orig_gcspr_el0); + pivot_gcspr_el0 = gcsss2(); + + valid_gcs_function(); + ksft_print_msg("Pivoted back to 0x%lx\n", get_gcspr()); + + ret = munmap(buf, sysconf(_SC_PAGE_SIZE)); + ASSERT_EQ(ret, 0); +} + +int main(int argc, char **argv) +{ + unsigned long gcs_mode; + int ret; + + if (!(getauxval(AT_HWCAP2) & HWCAP2_GCS)) + ksft_exit_skip("SKIP GCS not supported\n"); + + /* + * Force shadow stacks on, our tests *should* be fine with or + * without libc support and with or without this having ended + * up tagged for GCS and enabled by the dynamic linker. We + * can't use the libc prctl() function since we can't return + * from enabling the stack. Also lock GCS if not already + * locked so we can test behaviour when it's locked. + */ + ret = my_syscall2(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &gcs_mode); + if (ret) { + ksft_print_msg("Failed to read GCS state: %d\n", ret); + return EXIT_FAILURE; + } + + /* If we are already locked we can't configure */ + if (!(gcs_mode & PR_SHADOW_STACK_LOCK)) { + gcs_mode |= PR_SHADOW_STACK_ENABLE | PR_SHADOW_STACK_LOCK; + + ret = my_syscall2(__NR_prctl, PR_SET_SHADOW_STACK_STATUS, + gcs_mode); + if (ret) { + ksft_print_msg("Failed to configure GCS: %d\n", ret); + return EXIT_FAILURE; + } + } + + /* Avoid returning in case libc doesn't understand GCS */ + exit(test_harness_run(argc, argv)); +}