From patchwork Thu Jan 25 06:21:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 13530089 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4246BC47258 for ; Thu, 25 Jan 2024 06:30:12 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 5EC958D000A; Thu, 25 Jan 2024 01:30:10 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 52BF88D0001; Thu, 25 Jan 2024 01:30:10 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 32BE78D000A; Thu, 25 Jan 2024 01:30:10 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 1E0968D0001 for ; Thu, 25 Jan 2024 01:30:10 -0500 (EST) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id BCF0914046B for ; Thu, 25 Jan 2024 06:30:09 +0000 (UTC) X-FDA: 81716858538.16.BBDDFAC Received: from mail-oi1-f182.google.com (mail-oi1-f182.google.com [209.85.167.182]) by imf02.hostedemail.com (Postfix) with ESMTP id E9C3A8000E for ; Thu, 25 Jan 2024 06:30:07 +0000 (UTC) Authentication-Results: imf02.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=DcN83G6V; dmarc=none; spf=pass (imf02.hostedemail.com: domain of debug@rivosinc.com designates 209.85.167.182 as permitted sender) smtp.mailfrom=debug@rivosinc.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1706164208; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=uRwHXwAm0bShEXUK35E9/V7WUW2K3zxNpdrnhUWhVek=; b=D60j4mgM39xrnDBlXM34PzBgFAsygb3x+AvaM1OrrHSIjOlFUJzowx27F2DDfi2oYV3srh O//Cf6u6+EL6djk7WZPCCsg5X5UZ7oiJ55n+2nzkGHp1E32zVq7oOrXuiC0EXSZqu0ujzz l/XYiDn/SDEMW5DuavIATUBg8Eq5+7c= ARC-Authentication-Results: i=1; imf02.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=DcN83G6V; dmarc=none; spf=pass (imf02.hostedemail.com: domain of debug@rivosinc.com designates 209.85.167.182 as permitted sender) smtp.mailfrom=debug@rivosinc.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706164208; a=rsa-sha256; cv=none; b=YXov9hEOPmMRgnBB9ee76KmV3p/yepGADPMR1abNF/usRohFYvrKuqlZssRubZy73S2WPC 0C6IsW72Qeh93TSlXnhBFOzczo+jqyOAzkpw4YFt7k96RxtfvD1fQmsoOQYB6Ge0g+XR6r lqp1mOirtAfDzarrDKymqyno7AUpj/I= Received: by mail-oi1-f182.google.com with SMTP id 5614622812f47-3bda741ad7dso4930594b6e.1 for ; Wed, 24 Jan 2024 22:30:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1706164207; x=1706769007; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=uRwHXwAm0bShEXUK35E9/V7WUW2K3zxNpdrnhUWhVek=; b=DcN83G6V3k1rE2xu4heOhaAET0RjyGwLENLGlBJjy5MaVrCCiDc1KRFAqHxCCUgSGM Y+8V3fL/km0vO62lI0+WkPmYiFyTZnwemVICWPreOmNaaRc5bWW1hJ3AjQXt5fZgCiFW BWY9GXfnfKFpuLHbCBV7sFb6vS5sH4rXIHtZ56CUjSi5DusPO9hPnTqm0Tp1ahOZSiuM 2CfOsYXbD1Qt6JZOF0TX4RB8Kj0y70kLlbSfVHNfQCxtByQe1tHvBcWo1VEmWDkNe0g/ QVyzUZQBj0H1r03chG7Cvu6x95ublER70v5dHzEn9DCUJAUs3Myo02//ykfWYIayXSM8 V3UQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706164207; x=1706769007; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uRwHXwAm0bShEXUK35E9/V7WUW2K3zxNpdrnhUWhVek=; b=ugmjph6/qstuMW7Piq6gJH/0M7A67ygDw/EXzDib6rG+T9IZWIJVFJkLIbD1C3x6Od IrEgtEf+HcmEVAXKrxURN8+DczXqn2TJh7ofGhFV0ahcfab9Gy7g27M1IzgX59KsFXWP Xe9UebGJtvQPePZZXTXHKSVntaebTrl9q1yKxYjCBmv5c8u6++H4z549n1LbPilbqD2P kdZ0TrTcoC+IurvbOWl25DjT1mSDhH8oV4UjZLFF2WNe7bj2O/s8mebUFJ1Fn+iGcVtR KO4BtfyehuL9MISo5HKgdnF+aogeR1DszC+87opwg01NTzkAL+pHHI26AKJnQGfKn2u/ SmZg== X-Gm-Message-State: AOJu0YyOikUkF0Ykg3/oIERN8+RXvt7QBF9yl0fXs2K8QFvjY1DsyzjM iAFD4ifa2fxe8AM+4IuZsG8ilIyiHavHVjamYSwKKI6G+Pl+wTuxD9Ydz6FsfKw= X-Google-Smtp-Source: AGHT+IF2nRVvpyMXEbPJKSQolKqo6YC/sGsNRR3PtemnrQHSXb7Izvts4H7oiEK6bWKQLfrB7po8uA== X-Received: by 2002:a05:6808:3990:b0:3bc:7171:b7c7 with SMTP id gq16-20020a056808399000b003bc7171b7c7mr569515oib.67.1706164206921; Wed, 24 Jan 2024 22:30:06 -0800 (PST) Received: from debug.ba.rivosinc.com ([64.71.180.162]) by smtp.gmail.com with ESMTPSA id t19-20020a056a00139300b006dd870b51b8sm3201139pfg.126.2024.01.24.22.30.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 22:30:06 -0800 (PST) From: debug@rivosinc.com To: rick.p.edgecombe@intel.com, broonie@kernel.org, Szabolcs.Nagy@arm.com, kito.cheng@sifive.com, keescook@chromium.org, ajones@ventanamicro.com, paul.walmsley@sifive.com, palmer@dabbelt.com, conor.dooley@microchip.com, cleger@rivosinc.com, atishp@atishpatra.org, alex@ghiti.fr, bjorn@rivosinc.com, alexghiti@rivosinc.com Cc: corbet@lwn.net, aou@eecs.berkeley.edu, oleg@redhat.com, akpm@linux-foundation.org, arnd@arndb.de, ebiederm@xmission.com, shuah@kernel.org, brauner@kernel.org, debug@rivosinc.com, guoren@kernel.org, samitolvanen@google.com, evan@rivosinc.com, xiao.w.wang@intel.com, apatel@ventanamicro.com, mchitale@ventanamicro.com, waylingii@gmail.com, greentime.hu@sifive.com, heiko@sntech.de, jszhang@kernel.org, shikemeng@huaweicloud.com, david@redhat.com, charlie@rivosinc.com, panqinglin2020@iscas.ac.cn, willy@infradead.org, vincent.chen@sifive.com, andy.chiu@sifive.com, gerg@kernel.org, jeeheng.sia@starfivetech.com, mason.huo@starfivetech.com, ancientmodern4@gmail.com, mathis.salmen@matsal.de, cuiyunhui@bytedance.com, bhe@redhat.com, chenjiahao16@huawei.com, ruscur@russell.cc, bgray@linux.ibm.com, alx@kernel.org, baruch@tkos.co.il, zhangqing@loongson.cn, catalin.marinas@arm.com, revest@chromium.org, josh@joshtriplett.org, joey.gouly@arm.com, shr@devkernel.io, omosnace@redhat.com, ojeda@kernel.org, jhubbard@nvidia.com, linux-doc@vger.kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [RFC PATCH v1 19/28] riscv: Implements arch agnostic shadow stack prctls Date: Wed, 24 Jan 2024 22:21:44 -0800 Message-ID: <20240125062739.1339782-20-debug@rivosinc.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240125062739.1339782-1-debug@rivosinc.com> References: <20240125062739.1339782-1-debug@rivosinc.com> MIME-Version: 1.0 X-Rspam-User: X-Rspamd-Server: rspam12 X-Rspamd-Queue-Id: E9C3A8000E X-Stat-Signature: tsupifbxq7etio6kwn5zsefbcje39np6 X-HE-Tag: 1706164207-479938 X-HE-Meta: U2FsdGVkX19So1oP9KTKB+EdOBzewMFUbvaybrUgL7cyxRTp48lsgca59ln9s08EOKUFGs4hkQ9Zd5SXP9lV3xwWCnHt9k2RrMEMKVftvEFHTQKcLk6G5E+ESJAabsw2SatYvGCFggyRuVsnL/oVyKPbGV9eIUJuEILwDRBJSDLOIn+7ktJzKPbH4rTKyKDKJKnTJDsYcpExMfZ4HxpWGqaIQbw4KMFnafzMMCsAM/hCJ+Qfnq6nU1pziIrGorlvNbPw5gU0HP/tRZj2bqTb9V+0RDFP3EDw/OggxtdqOzeFm81euowDfvH7U2ooAOUh6PHviifkDTlp3Ps/CcatDdhl7ZybPFkNw09QXYRbUn0JP8x7ryyksoeuMTtirkPx7BtVo+qSIr5bryW7zMkdr4pdDFJZnz9NUIkZ5bfG9l9WbiMCR9bFsuSqZR+uM+EVPFKnZB3CqsGddQ9/j6BgEnU2/CI3Q66vzYxmnZPoau1Uzpplo9sNL1uZYZmz51RnPK37+nnVA3OJpB4LDAY1ooVpnTsCzXkikSSrKKN6gyfnX6hPy2/ZjPUhrSdh5yVdxCf6Bs8hnFlKL2QrKxBmITaZulFY126pZwbYD8XHPHk69vCxRTZ59Gtbe+zklXIDB7VRqjQbXZK3vU4Btu0vK7qNpazbwX8pPxs6ei9YYok7Sjg+hs2c1y88BG3sFqhwffYdGBne8Fh/WnrbcHZCKheGdcxAP9ZahzIeXdLjLD51zl9SAL3CPYdvtaHsUxMdkUGRT+eidESBJCnmk5cVcCwKoErFRGRxnOWrZp4SJFoyRrJW6wyc80Esv5GwY50B5tsH3WTCSHFfDL39QoNB5BgeSWDtsdrL080HbO7NMKa4buK+nt6xEvk0+vJ0f5Y5WTOfbtmpI188seuWsokC1yf3nP/rkCvv1VclBW4H7N2nJGFIf1M1EcilYsAluixXH05RvgLF6LgbSJh2Woo jKUndHWs KI22ItGQLg8rk5vRFcHVQHoy1Cccu2t8YGwxRL/YEyr0WZzIOSFLCJJ3h5/+eEi3WlhaEJXS6AVbsLhP4qLTzOqY6c/fcRp8C3YlzCfagyzoVmDT9tQws1f+pzb2VxOYcGhUsYCPvt1dF93lWqr9lu1IMIMbh7OyMs15Qp3gc2HOsZOlWAEbC9lI+5r1TqpTjxDj/zSym+21S35g7sIXneH1Nq5HDCPHgMhMQc2z38sS2+CSTIGeuT7NEuz82Zdn8FfpEzIRPPSv62h8X1CNAo0My1nP1MP0ky3whQcPO7RJjhaAAzVE2P9ZjLlk0Eb6JbRf2jI5vivV3opyFo6xDBk7j13Kt16laS3UFA9p8QGa45wtx/sVXYUWL+8Mqi35g/ZcadfY22v/jLYOKQsmQThzl1dvwrVQ2BAYpgJdpR2mmR8sneu6UX9g3N6LWDh5IltJg X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Deepak Gupta Implement architecture agnostic prctls() interface for setting and getting shadow stack status. prctls implemented are PR_GET_SHADOW_STACK_STATUS, PR_SET_SHADOW_STACK_STATUS and PR_LOCK_SHADOW_STACK_STATUS. As part of PR_SET_SHADOW_STACK_STATUS/PR_GET_SHADOW_STACK_STATUS, only PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling Following is not supported "Enable shadow stack, then disable and enable again." It's not sure whether providing such semantics are useful. It's better to return error code when such situation arises. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 12 +++- arch/riscv/kernel/usercfi.c | 105 +++++++++++++++++++++++++++++++ 2 files changed, 116 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h index eb9a0905e72b..72bcfa773752 100644 --- a/arch/riscv/include/asm/usercfi.h +++ b/arch/riscv/include/asm/usercfi.h @@ -7,6 +7,7 @@ #ifndef __ASSEMBLY__ #include +#include struct task_struct; struct kernel_clone_args; @@ -14,7 +15,8 @@ struct kernel_clone_args; #ifdef CONFIG_RISCV_USER_CFI struct cfi_status { unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ - unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); + unsigned long ubcfi_locked : 1; + unsigned long rsvd : ((sizeof(unsigned long)*8) - 2); unsigned long user_shdw_stk; /* Current user shadow stack pointer */ unsigned long shdw_stk_base; /* Base address of shadow stack */ unsigned long shdw_stk_size; /* size of shadow stack */ @@ -26,6 +28,9 @@ void shstk_release(struct task_struct *tsk); void set_shstk_base(struct task_struct *task, unsigned long shstk_addr, unsigned long size); void set_active_shstk(struct task_struct *task, unsigned long shstk_addr); bool is_shstk_enabled(struct task_struct *task); +bool is_shstk_locked(struct task_struct *task); + +#define PR_SHADOW_STACK_SUPPORTED_STATUS_MASK (PR_SHADOW_STACK_ENABLE) #else @@ -56,6 +61,11 @@ static inline bool is_shstk_enabled(struct task_struct *task) return false; } +static inline bool is_shstk_locked(struct task_struct *task) +{ + return false; +} + #endif /* CONFIG_RISCV_USER_CFI */ #endif /* __ASSEMBLY__ */ diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c index 36cac0d653f5..be3a071272d8 100644 --- a/arch/riscv/kernel/usercfi.c +++ b/arch/riscv/kernel/usercfi.c @@ -24,6 +24,16 @@ bool is_shstk_enabled(struct task_struct *task) return task->thread_info.user_cfi_state.ubcfi_en ? true : false; } +bool is_shstk_allocated(struct task_struct *task) +{ + return task->thread_info.user_cfi_state.shdw_stk_base ? true : false; +} + +bool is_shstk_locked(struct task_struct *task) +{ + return task->thread_info.user_cfi_state.ubcfi_locked ? true : false; +} + void set_shstk_base(struct task_struct *task, unsigned long shstk_addr, unsigned long size) { task->thread_info.user_cfi_state.shdw_stk_base = shstk_addr; @@ -42,6 +52,21 @@ void set_active_shstk(struct task_struct *task, unsigned long shstk_addr) task->thread_info.user_cfi_state.user_shdw_stk = shstk_addr; } +void set_shstk_status(struct task_struct *task, bool enable) +{ + task->thread_info.user_cfi_state.ubcfi_en = enable ? 1 : 0; + + if (enable) + task->thread_info.envcfg |= ENVCFG_SSE; + else + task->thread_info.envcfg &= ~ENVCFG_SSE; +} + +void set_shstk_lock(struct task_struct *task) +{ + task->thread_info.user_cfi_state.ubcfi_locked = 1; +} + /* * If size is 0, then to be compatible with regular stack we want it to be as big as * regular stack. Else PAGE_ALIGN it and return back @@ -269,3 +294,83 @@ void shstk_release(struct task_struct *tsk) vm_munmap(base, size); set_shstk_base(tsk, 0, 0); } + +int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long bcfi_status = 0; + + if (!cpu_supports_shadow_stack()) + return -EINVAL; + + /* this means shadow stack is enabled on the task */ + bcfi_status |= (is_shstk_enabled(t) ? PR_SHADOW_STACK_ENABLE : 0); + + return copy_to_user(status, &bcfi_status, sizeof(bcfi_status)) ? -EFAULT : 0; +} + +int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status) +{ + unsigned long size = 0, addr = 0; + bool enable_shstk = false; + + if (!cpu_supports_shadow_stack()) + return -EINVAL; + + /* Reject unknown flags */ + if (status & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK) + return -EINVAL; + + /* bcfi status is locked and further can't be modified by user */ + if (is_shstk_locked(t)) + return -EINVAL; + + enable_shstk = status & PR_SHADOW_STACK_ENABLE; + /* Request is to enable shadow stack and shadow stack is not enabled already */ + if (enable_shstk && !is_shstk_enabled(t)) { + /* shadow stack was allocated and enable request again + * no need to support such usecase and return EINVAL. + */ + if (is_shstk_allocated(t)) + return -EINVAL; + + size = calc_shstk_size(0); + addr = allocate_shadow_stack(0, size, 0, false); + if (IS_ERR_VALUE(addr)) + return -ENOMEM; + set_shstk_base(t, addr, size); + set_active_shstk(t, addr + size); + } + + /* + * If a request to disable shadow stack happens, let's go ahead and release it + * Although, if CLONE_VFORKed child did this, then in that case we will end up + * not releasing the shadow stack (because it might be needed in parent). Although + * we will disable it for VFORKed child. And if VFORKed child tries to enable again + * then in that case, it'll get entirely new shadow stack because following condition + * are true + * - shadow stack was not enabled for vforked child + * - shadow stack base was anyways pointing to 0 + * This shouldn't be a big issue because we want parent to have availability of shadow + * stack whenever VFORKed child releases resources via exit or exec but at the same + * time we want VFORKed child to break away and establish new shadow stack if it desires + * + */ + if (!enable_shstk) + shstk_release(t); + + set_shstk_status(t, enable_shstk); + return 0; +} + +int arch_lock_shadow_stack_status(struct task_struct *task, + unsigned long arg) +{ + /* If shtstk not supported or not enabled on task, nothing to lock here */ + if (!cpu_supports_shadow_stack() || + !is_shstk_enabled(task)) + return -EINVAL; + + set_shstk_lock(task); + + return 0; +}