From patchwork Wed Sep 27 22:47:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Sami Tolvanen X-Patchwork-Id: 13401738 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 3BA4FE80ABE for ; Wed, 27 Sep 2023 22:48:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:Message-ID: Mime-Version:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=bk9AKxbuOFxkCQt8UMkh26K2v1/qgFwSY19bzkp+AXg=; b=D9k Vy7Z9rsX+X4spyQTj5MlYyDPq1VSPInsOX1XyfkRiP8DCytQbLX5i+kwo3WTzpfD7k6l/ixjDgnja ihZd+V55CiEj5vK1/tsFXj1ThP21sOQh4xsgwYgaepZHC0EXeIQ7VgJWnZ3ug016KyXLEnOIdxYvm 2f51dyaDKjen7/omf0cs+TNBM+vQwZgmdTwXs6slH5qp6kW6da1wcB/iTaeU3yPcbbMCbrAUIoHHG +FGWAVT8IfpMHjzwYZh3sBIyw4YOiNH8hEmbm4wCyevVndt7RSQ+HuXapNDQHzXWN13BaadcNdlfD 2I3a6O6Fp4ppbaachZXKXsQpVSYBsTQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qldKI-001s21-19; Wed, 27 Sep 2023 22:48:14 +0000 Received: from mail-pl1-x649.google.com ([2607:f8b0:4864:20::649]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1qldKA-001rwd-2r for linux-riscv@lists.infradead.org; Wed, 27 Sep 2023 22:48:10 +0000 Received: by mail-pl1-x649.google.com with SMTP id d9443c01a7336-1c5b80fe118so164554065ad.3 for ; Wed, 27 Sep 2023 15:48:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1695854882; x=1696459682; darn=lists.infradead.org; h=content-transfer-encoding:cc:to:from:subject:message-id :mime-version:date:from:to:cc:subject:date:message-id:reply-to; bh=WgWh/gTAC4d5wcFhfvGxWr9mtitpn8knrAdbajEBfhU=; b=uH73QDEXl7ePjaYq/1A7hIBsBy2l1JP1hm7837dvfGLu3UIQJbKdGnAIcGcKyayiKy C84G3nIFVEa0SrsaKmPgu/KfvmZT7aJ3lW614uRuvZmpUsymYcO2EWilgjFRuiDZVaVE kOORd+oj0PYy2hSTSs+JCXphkcghKOz1Z4T+yysFoJ58XaqU75QFmx/2Hmu2Jq9PqN1b 6s8AyxVhyeAwbLvLIBlOJlu1+HggCUZXSVV2t96saUTTnDyxYKtCVB4caoyEAqlfl16o BRTTC4oiNg3vAALQZ12TauO3a4nVX7Af1YoaF5gmaeHE6xs9WbgDfFvTrFw9R7fsn18L N5Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695854882; x=1696459682; h=content-transfer-encoding:cc:to:from:subject:message-id :mime-version:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=WgWh/gTAC4d5wcFhfvGxWr9mtitpn8knrAdbajEBfhU=; b=h4iLMMNNGT/JqfDln9BcdiC83g7z9g4S6bHoRPmn5hEUeo/5G3BL4NPTGy+5CDM2TN BGI38DtgjnA0AwlnQj4Nv+dN4y8FZO7UrBUK2kowvATIsDo9EqwSorChqIwxLYdCrCq1 3yP6NllY8oedC3+C7VWzhQmZQJga7Nk6iPFusj7Pxuh1EvR7ldn6UI0c5grll6KG9WrA h/XkfnGM0KXLSZcjrmwFLGutObXrtVeFG1wVuo+MouSNlkIHI2yJuhQhfzT4a0AzBZ8B BkM7t5iVUAiVtQtXM4rqv0BrJ12uESV3+GhCTQnLr7E0ntt2LFHEwvEXGJaG1ksYDjFi J0Dw== X-Gm-Message-State: AOJu0Yyq3j+EnOKxsZyYMTAxMJInHvDiFekzI4BUqg1cUAQY+JejolH0 i9I+nBFBTYeDUNnJm8mFVVdEhKVg9Ftp5/+7keg= X-Google-Smtp-Source: AGHT+IGk7G47CUj9RF4pKzDPxTmtIoJ1wCsb9Pr7q3C8UWIAzHgCr3LMujULViUFT/Y4wYbyqLGeqN8JHqUBvqNtx3A= X-Received: from samitolvanen.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:4f92]) (user=samitolvanen job=sendgmr) by 2002:a17:903:32c8:b0:1c3:4d70:6ed9 with SMTP id i8-20020a17090332c800b001c34d706ed9mr43384plr.3.1695854881902; Wed, 27 Sep 2023 15:48:01 -0700 (PDT) Date: Wed, 27 Sep 2023 22:47:58 +0000 Mime-Version: 1.0 X-Developer-Key: i=samitolvanen@google.com; a=openpgp; fpr=35CCFB63B283D6D3AEB783944CB5F6848BBC56EE X-Developer-Signature: v=1; a=openpgp-sha256; l=3761; i=samitolvanen@google.com; h=from:subject; bh=f76u/UaoOPWAzvVIRbNmavYgFKWbwPzMxrH4Tc8hYhQ=; b=owEB7QES/pANAwAKAUy19oSLvFbuAcsmYgBlFLEdhYoTc+kz3ZoLrFhYKOOymIFWJZVZRQni9 KhyoZ1LHfaJAbMEAAEKAB0WIQQ1zPtjsoPW0663g5RMtfaEi7xW7gUCZRSxHQAKCRBMtfaEi7xW 7rnpC/0fjS9A3U3PayoFxJDC7BIBn2TZclbDccTnDGN8dmOZRr0q32iccvz1rwMtx5qn8nLSZy2 HTDLopQWMRD97unLAk17J7+oywB1UqD9qjuCnhmwY10hlZvYQs+jeFjKtaJDjldiXjVVR7g//bZ ZSbBsc5fj1bc39TUa1lCyKHTSTMQo6n1nzdKY19gEwdvmt9XaomfUDlCyACj7U1PZLQ1oZ/MGVt JOnItns+7CtNGbq28/mjQkuoZ8w04WsGDOAaAecbjIY9dk4BPaEgKT0/4ez+Q4Q8M/qnciOrVOf KNfcrOMSo1EtJcYzW3TR2pMeJ5m2fmNkiGgC/qGC/1mbXe/kwbF7t0BSYNILf+H8h/Ljaevmm8b JkiBgac+k3XCuZMRK59/xOpTrYl22a7HAwYW6hPdm3Ca2W6Y3O3EvAXXzT5gId7vYGo05iGLyYK wFDUIb2j886cBr0U7uZQ37b/x3wCTwF1iUcPlbNwodFIZuibDcFtx03CUsYAm5Tqvfiys= X-Mailer: git-send-email 2.42.0.515.g380fc7ccd1-goog Message-ID: <20230927224757.1154247-8-samitolvanen@google.com> Subject: [PATCH v4 0/6] riscv: SCS support From: Sami Tolvanen To: Paul Walmsley , Palmer Dabbelt , Albert Ou , Kees Cook Cc: Clement Leger , Guo Ren , Deepak Gupta , Nathan Chancellor , Nick Desaulniers , Fangrui Song , linux-riscv@lists.infradead.org, llvm@lists.linux.dev, linux-kernel@vger.kernel.org, Sami Tolvanen X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230927_154806_925465_9DF39CA8 X-CRM114-Status: GOOD ( 17.46 ) X-BeenThere: linux-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-riscv" Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org Hi folks, This series adds Shadow Call Stack (SCS) support for RISC-V. SCS uses compiler instrumentation to store return addresses in a separate shadow stack to protect them against accidental or malicious overwrites. More information about SCS can be found here: https://clang.llvm.org/docs/ShadowCallStack.html Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow handling by adding support for accessing per-CPU variables directly in assembly. The patch is included in this series to make IRQ stack switching cleaner with SCS, and I've simply rebased it and fixed a couple of minor issues. Patch 2 uses this functionality to clean up the stack switching by moving duplicate code into a single function. On RISC-V, the compiler uses the gp register for storing the current shadow call stack pointer, which is incompatible with global pointer relaxation. Patch 3 moves global pointer loading into a macro that can be easily disabled with SCS. Patch 4 implements SCS register loading and switching, and allows the feature to be enabled, and patch 5 adds separate per-CPU IRQ shadow call stacks when CONFIG_IRQ_STACKS is enabled. Patch 6 fixes the backward-edge CFI test in lkdtm for RISC-V. Note that this series requires Clang 17. Earlier Clang versions support SCS on RISC-V, but use the x18 register instead of gp, which isn't ideal. gcc has SCS support for arm64, but I'm not aware of plans to support RISC-V. Once the Zicfiss extension is ratified, it's probably preferable to use hardware-backed shadow stacks instead of SCS on hardware that supports the extension, and we may want to consider implementing CONFIG_DYNAMIC_SCS to patch between the implementation at runtime (similarly to the arm64 implementation, which switches to SCS when hardware PAC support isn't available). Sami --- Changes in v4: - Fixed the C environment setup in head.S to use scs_load_current (patch 4). - Rebased to -rc3 to fix merge conflicts. Changes in v3: - Dropped a now unneeded function declaration (patch 1). - Refactored call_on_irq_stack to use stack frame offsets based on Clément's suggestion (patch 2). - Rebased on top of v6.5. Changes in v2: - Fixed asm_per_cpu with !CONFIG_SMP (patch 1). - Added a fix to the CFI_BACKWARD lkdtm test (patch 6). - Rebased on top of -rc6. --- Deepak Gupta (1): riscv: VMAP_STACK overflow detection thread-safe Sami Tolvanen (5): riscv: Deduplicate IRQ stack switching riscv: Move global pointer loading to a macro riscv: Implement Shadow Call Stack riscv: Use separate IRQ shadow call stacks lkdtm: Fix CFI_BACKWARD on RISC-V arch/riscv/Kconfig | 6 ++ arch/riscv/Makefile | 4 + arch/riscv/include/asm/asm-prototypes.h | 1 - arch/riscv/include/asm/asm.h | 41 ++++++++ arch/riscv/include/asm/irq_stack.h | 3 + arch/riscv/include/asm/scs.h | 54 +++++++++++ arch/riscv/include/asm/thread_info.h | 16 ++- arch/riscv/kernel/asm-offsets.c | 9 ++ arch/riscv/kernel/entry.S | 124 ++++++++++++------------ arch/riscv/kernel/head.S | 19 ++-- arch/riscv/kernel/irq.c | 56 +++++------ arch/riscv/kernel/suspend_entry.S | 5 +- arch/riscv/kernel/traps.c | 68 +------------ arch/riscv/kernel/vdso/Makefile | 2 +- arch/riscv/purgatory/Makefile | 4 + drivers/misc/lkdtm/cfi.c | 13 ++- 16 files changed, 248 insertions(+), 177 deletions(-) create mode 100644 arch/riscv/include/asm/scs.h base-commit: 6465e260f48790807eef06b583b38ca9789b6072