From patchwork Wed Apr 3 23:35:04 2024
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 13616780
From: Deepak Gupta
To: paul.walmsley@sifive.com, rick.p.edgecombe@intel.com, broonie@kernel.org, Szabolcs.Nagy@arm.com, kito.cheng@sifive.com, keescook@chromium.org, ajones@ventanamicro.com, conor.dooley@microchip.com, cleger@rivosinc.com, atishp@atishpatra.org, alex@ghiti.fr, bjorn@rivosinc.com, alexghiti@rivosinc.com, samuel.holland@sifive.com, conor@kernel.org
Cc: linux-doc@vger.kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, devicetree@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, corbet@lwn.net, palmer@dabbelt.com, aou@eecs.berkeley.edu, robh+dt@kernel.org, krzysztof.kozlowski+dt@linaro.org, oleg@redhat.com, akpm@linux-foundation.org, arnd@arndb.de, ebiederm@xmission.com, Liam.Howlett@oracle.com, vbabka@suse.cz, lstoakes@gmail.com, shuah@kernel.org, brauner@kernel.org, debug@rivosinc.com, andy.chiu@sifive.com, jerry.shih@sifive.com, hankuan.chen@sifive.com, greentime.hu@sifive.com, evan@rivosinc.com, xiao.w.wang@intel.com, charlie@rivosinc.com, apatel@ventanamicro.com, mchitale@ventanamicro.com, dbarboza@ventanamicro.com, sameo@rivosinc.com, shikemeng@huaweicloud.com, willy@infradead.org, vincent.chen@sifive.com, guoren@kernel.org, samitolvanen@google.com, songshuaishuai@tinylab.org, gerg@kernel.org, heiko@sntech.de, bhe@redhat.com, jeeheng.sia@starfivetech.com, cyy@cyyself.name, maskray@google.com, ancientmodern4@gmail.com, mathis.salmen@matsal.de, cuiyunhui@bytedance.com, bgray@linux.ibm.com, mpe@ellerman.id.au, baruch@tkos.co.il, alx@kernel.org, david@redhat.com, catalin.marinas@arm.com, revest@chromium.org, josh@joshtriplett.org, shr@devkernel.io, deller@gmx.de, omosnace@redhat.com, ojeda@kernel.org, jhubbard@nvidia.com
Subject: [PATCH v3 16/29] prctl: arch-agnostic prctl for shadow stack
Date: Wed, 3 Apr 2024 16:35:04 -0700
Message-ID: <20240403234054.2020347-17-debug@rivosinc.com>
X-Mailer: git-send-email 2.43.2
In-Reply-To: <20240403234054.2020347-1-debug@rivosinc.com>
References: <20240403234054.2020347-1-debug@rivosinc.com>

From: Mark Brown

Three architectures (x86, aarch64, riscv) have announced support for shadow stacks with fairly similar functionality. While x86 is using arch_prctl() to control the functionality neither arm64 nor riscv uses that interface so this patch adds arch-agnostic prctl() support to get and set status of shadow stacks and lock the current configuration to prevent further changes, with support for turning on and off individual subfeatures so applications can limit their exposure to features that they do not need. The features are:

  - PR_SHADOW_STACK_ENABLE: Tracking and enforcement of shadow stacks, including allocation of a shadow stack if one is not already allocated.

  - PR_SHADOW_STACK_WRITE: Writes to specific addresses in the shadow stack.

  - PR_SHADOW_STACK_PUSH: Push additional values onto the shadow stack.

  - PR_SHADOW_STACK_DISABLE: Allow to disable shadow stack. Note once locked, disable must fail.

These features are expected to be inherited by new threads and cleared on exec(), unknown features should be rejected for enable but accepted for locking (in order to allow for future proofing).

This is based on a patch originally written by Deepak Gupta but later modified by Mark Brown for arm's GCS patch series.

Signed-off-by: Mark Brown
Co-developed-by: Deepak Gupta
---
 include/linux/mm.h | 3 +++
 include/uapi/linux/prctl.h | 22 ++++++++++++++++++++++
 kernel/sys.c | 30 ++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 9952937be659..1d08e1fd2f6a 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h 
@@ -4201,5 +4201,8 @@ static inline bool pfn_is_unaccepted_memory(unsigned long pfn) return range_contains_unaccepted_memory(paddr, paddr + PAGE_SIZE); } +int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status); +int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status); +int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status); #endif /* _LINUX_MM_H */ diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index 370ed14b1ae0..3c66ed8f46d8 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h @@ -306,4 +306,26 @@ struct prctl_mm_map { # define PR_RISCV_V_VSTATE_CTRL_NEXT_MASK 0xc # define PR_RISCV_V_VSTATE_CTRL_MASK 0x1f +/* + * Get the current shadow stack configuration for the current thread, + * this will be the value configured via PR_SET_SHADOW_STACK_STATUS. + */ +#define PR_GET_SHADOW_STACK_STATUS 71 + +/* + * Set the current shadow stack configuration. Enabling the shadow + * stack will cause a shadow stack to be allocated for the thread. + */ +#define PR_SET_SHADOW_STACK_STATUS 72 +# define PR_SHADOW_STACK_ENABLE (1UL << 0) +# define PR_SHADOW_STACK_WRITE (1UL << 1) +# define PR_SHADOW_STACK_PUSH (1UL << 2) + +/* + * Prevent further changes to the specified shadow stack + * configuration. All bits may be locked via this call, including + * undefined bits. + */ +#define PR_LOCK_SHADOW_STACK_STATUS 73 + #endif /* _LINUX_PRCTL_H */ diff --git a/kernel/sys.c b/kernel/sys.c index f8e543f1e38a..242e9f147791 100644 --- a/kernel/sys.c +++ b/kernel/sys.c 
@@ -2315,6 +2315,21 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, return -EINVAL; } +int __weak arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_set_shadow_stack_status(struct task_struct *t, unsigned long status) +{ + return -EINVAL; +} + +int __weak arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status) +{ + return -EINVAL; +} + #define PR_IO_FLUSHER (PF_MEMALLOC_NOIO | PF_LOCAL_THROTTLE) #ifdef CONFIG_ANON_VMA_NAME @@ -2757,6 +2772,21 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, case PR_RISCV_V_GET_CONTROL: error = RISCV_V_GET_CONTROL(); break; + case PR_GET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_get_shadow_stack_status(me, (unsigned long __user *) arg2); + break; + case PR_SET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_set_shadow_stack_status(me, arg2); + break; + case PR_LOCK_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_lock_shadow_stack_status(me, arg2); + break; default: error = -EINVAL; break;
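
Review bot: the three arch_*_shadow_stack_status() prototypes added at the end of include/linux/mm.h carry no comment describing the contract an architecture override must honour. The commit message states the rules (unknown bits rejected on set, accepted on lock, locked bits immutable, state inherited by new threads and cleared on exec()), but none of that is recorded next to the declarations an arch maintainer will actually read. A short kernel-doc block here would help, including that the get variant receives an `unsigned long __user *` and therefore has to write the result with a user-access helper rather than a plain store. A blank line between the last prototype and `#endif /* _LINUX_MM_H */` would also match the rest of the header.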
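
Review bot: the include/uapi/linux/prctl.h hunk defines only `PR_SHADOW_STACK_ENABLE`, `PR_SHADOW_STACK_WRITE` and `PR_SHADOW_STACK_PUSH`, while the commit message lists a fourth feature, PR_SHADOW_STACK_DISABLE, with the rule that disable must fail once locked. Either the bit is missing from the header or the commit message describes something that is no longer part of the interface; as posted, userspace cannot tell how a disable is meant to be requested (a dedicated bit, or a PR_SET_SHADOW_STACK_STATUS call with the enable bit cleared). Please reconcile the two, and consider extending the comment above PR_SET_SHADOW_STACK_STATUS to say that unknown bits are rejected, mirroring what the PR_LOCK_SHADOW_STACK_STATUS comment already says about undefined bits being lockable.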
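
Review bot: in the first kernel/sys.c hunk the `__weak` fallbacks for get, set and lock all return -EINVAL, which is also what the prctl() cases return for non-zero arg3/arg4/arg5 and what an architecture is expected to return for unknown feature bits. A caller that wants to enable and lock shadow stacks at startup therefore cannot distinguish "this kernel or architecture has no shadow stack support" from "I passed a bad mask". If -EINVAL is kept for consistency with the neighbouring arch_prctl_spec_ctrl_set() fallback, it would be worth stating in the uapi comments that -EINVAL from PR_GET_SHADOW_STACK_STATUS is how absence of support is reported, so hardening code has a documented probe.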
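
Review bot: in the second kernel/sys.c hunk the PR_SET_SHADOW_STACK_STATUS and PR_LOCK_SHADOW_STACK_STATUS cases pass arg2 straight to the arch hook, so the rules from the commit message (reject unknown bits on set, accept them on lock, refuse changes to locked bits) are enforced only if every architecture implements them identically. The lock is the part of this interface that a process relies on to keep the protection from being switched off later, so divergence between architectures here is a security-relevant difference, not just an API wart. Consider doing the architecture-independent part in the generic code, for example rejecting bits outside the three defined PR_SHADOW_STACK_* values before calling arch_set_shadow_stack_status(), and leaving only the hardware-specific work to the hook. The `if (arg3 || arg4 || arg5)` checks on the unused arguments look right and should stay.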