Message ID | 20230716-arm64-gcs-v1-21-bf567f93bba6@kernel.org |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:c923:0:b0:3e4:2afc:c1 with SMTP id j3csp793402vqt; Sun, 16 Jul 2023 15:09:57 -0700 (PDT) X-Google-Smtp-Source: APBJJlGEsL3i88yz/KWr5+hLy74nGJBvSzSUPIwQ4GEXJ22tHKgr6iK16oSYoPGDcr9JGVV4pFU+ X-Received: by 2002:a17:902:eccd:b0:1ac:3605:97ec with SMTP id a13-20020a170902eccd00b001ac360597ecmr11618029plh.62.1689545397040; Sun, 16 Jul 2023 15:09:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689545397; cv=none; d=google.com; s=arc-20160816; b=x7Hk77IpbIUFjLgXaMnPnWQf5scm/yiLgxel6pXsHIwrbk7cWKrWRNwzRspDOQ1QVU LahYWSh6GYu77nJTflt2A21jcdncm+CfwVHE461xRC1SyU9Yj7xDrAYeKt2LAHgh5a00 3U+EJVN8qsWjFnAsL8Z5BZUXyXlCxAo1avIctIQ0qQxwXOjGLq0Sv7SBwzDzBl/8wEiF i56PjI2d8ex72VdKsQfIaa1w0KZI+Tm95VfUlBjwcH5cEA61FDZFp8fPrMFnwvVb8uT1 fMNVhFwKXYP8kj/Q4eLY2j5NPNF+hxXQQiZCZekXaGXJ8bIEzG50GMcAfT7jbR2dqbMP i7Xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=ZDD/m+ln1j2SzQvwWsNWbTmVAJagg9C+GBom307Aznc=; fh=EdAFSmIgUzZTC6WCy4Jg1wBZ0/m6m2d/OjiRUJ3BsTI=; b=O8bKIRJYlAIHllRGVhWjRZId2y8wJc0Q6QEvwBB+pQM049z7WRqv4b146hvIjvXkAk LAfzzx4GjX1WH39Q8RdBUfOcDvrsrzWMcj+d965GyrGHzNFt3CZvN7MJyCAcJwYUivYc faqJVxqY2XR/7wwhakMdoQWB23i4NrLVZ4RwtIJ1LxMbs1Q+3R2aio9m70srAbFwy6hw Nwy4dLoouzqWsJzulNKZ0hDB4a+5rUIqz3ySS2U3CfGhKZjSn+CRkUvRqrNLDbQqf8DO 79xNK9wWB0UGf5lBv/MhcCciOXkO+xm733Vs8DFLDC3OeYd9C5+44e5xAXwRpEYfEXQu tueg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="KjXrfm/w"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i18-20020a170902c95200b001b9d9212e2csi11252710pla.238.2023.07.16.15.09.42; Sun, 16 Jul 2023 15:09:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="KjXrfm/w"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231358AbjGPV5G (ORCPT <rfc822;assdfgzxcv4@gmail.com> + 99 others); Sun, 16 Jul 2023 17:57:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231203AbjGPV43 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Sun, 16 Jul 2023 17:56:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 25FD01701; Sun, 16 Jul 2023 14:55:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 072A660EC4; Sun, 16 Jul 2023 21:55:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B1AC9C433CD; Sun, 16 Jul 2023 21:54:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1689544502; bh=sCynytFiMn0HVRaCw9wATO/MQrUseepmFl+nT2jYk/s=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=KjXrfm/wSRDdF+7YCpEGZEO+lSs+OqgoSQgrfDj9DVQZpExsCZkfUKQnOJVXYoE7P PfkNIr2tSuxKaaNcHBG9NeHHpfhOSd2atGj6izLAif7Q+YYeuwfnFSG7gum7gDbZm2 QvxxHFaPdAYDUz3qiI2hZjYHGtBlt8SlAmXMu5nNgnYb2/cFvBWgDeYOyq9l/rOaRW N/g9cHAlpOjVSh6Bu0aNvQcLdlrK24PA5KHq9XuSuyaueqlrPX8b/yQw8c+JgGhSwo thBNYortK6za79ujqUOGOXut8DgdfS+5pXkJhCNIN8IqcACV9BWSmLG6W468TAJ/lf en3TjwAu0bUJQ== From: Mark Brown <broonie@kernel.org> Date: Sun, 16 Jul 2023 22:51:17 +0100 Subject: [PATCH 21/35] arm64/gcs: Implement shadow stack prctl() interface MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20230716-arm64-gcs-v1-21-bf567f93bba6@kernel.org> References: <20230716-arm64-gcs-v1-0-bf567f93bba6@kernel.org> In-Reply-To: <20230716-arm64-gcs-v1-0-bf567f93bba6@kernel.org> To: Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>, Jonathan Corbet <corbet@lwn.net>, Andrew Morton <akpm@linux-foundation.org>, Marc Zyngier <maz@kernel.org>, Oliver Upton <oliver.upton@linux.dev>, James Morse <james.morse@arm.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Arnd Bergmann <arnd@arndb.de>, Oleg Nesterov <oleg@redhat.com>, Eric Biederman <ebiederm@xmission.com>, Kees Cook <keescook@chromium.org>, Shuah Khan <shuah@kernel.org>, "Rick P. Edgecombe" <rick.p.edgecombe@intel.com>, Deepak Gupta <debug@rivosinc.com>, Ard Biesheuvel <ardb@kernel.org>, Szabolcs Nagy <Szabolcs.Nagy@arm.com> Cc: "H.J. Lu" <hjl.tools@gmail.com>, Paul Walmsley <paul.walmsley@sifive.com>, Palmer Dabbelt <palmer@dabbelt.com>, Albert Ou <aou@eecs.berkeley.edu>, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Mark Brown <broonie@kernel.org> X-Mailer: b4 0.13-dev-099c9 X-Developer-Signature: v=1; a=openpgp-sha256; l=4126; i=broonie@kernel.org; h=from:subject:message-id; bh=sCynytFiMn0HVRaCw9wATO/MQrUseepmFl+nT2jYk/s=; b=owEBbQGS/pANAwAKASTWi3JdVIfQAcsmYgBktGafpYt4RHzf+znR2MMO8WH/q7lZQApjc5kZAGv8 bxNTw/6JATMEAAEKAB0WIQSt5miqZ1cYtZ/in+ok1otyXVSH0AUCZLRmnwAKCRAk1otyXVSH0IvWB/ 0eBO46ZWbi3FkEnPnLnNDUJL2rLooaAWsLABOPnXo+GV5miqbDIJqOX2yx7A4yvqRY1vX5rppQvQou UunGCboCgcdlOHMc1YkJgbMIZu+8uvqCzs78QLUdI5SVQLMX/Oek6Qfdnv/K+pg1GnJoxoDJuBg84L BGOrkPGtB2/EIXhAhWPzi/rWeJDPBNkE8bBb8BmcWPY1zBXQC+uV/VQKDsSRyukIHE1w5z8ED9+nnv ols7/RmacQ5LnVCzH6YJVy+STu1EWtNuoScWdMP5ZHVfYs2/kzZGmIOw9POUPAkiqDXia5RGkEjBaE nV1BQO10tqr9If6MxXuD60AdR2bAUx X-Developer-Key: i=broonie@kernel.org; a=openpgp; fpr=3F2568AAC26998F9E813A1C5C3F436CA30F5D8EB X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1771616754100426378 X-GMAIL-MSGID: 1771616754100426378 |
Series |
arm64/gcs: Provide support for GCS at EL0
|
|
Commit Message
Mark Brown
July 16, 2023, 9:51 p.m. UTC
Implement the architecture neutral prtctl() interface for setting the
shadow stack status, this supports setting and reading the current GCS
configuration for the current thread.
Userspace can enable basic GCS functionality and additionally also
support for GCS pushes and arbatrary GCS stores. It is expected that
this prctl() will be called very early in application startup, for
example by the dynamic linker, and not subsequently adjusted during
normal operation. Users should carefully note that after enabling GCS
for a thread GCS will become active with no call stack so it is not
normally possible to return from the function that invoked the prctl().
State is stored per thread, enabling GCS for a thread causes a GCS to be
allocated for that thread.
Userspace may lock the current GCS configuration by specifying
PR_SHADOW_STACK_ENABLE_LOCK, this prevents any further changes to the
GCS configuration via any means.
If GCS is not being enabled then all flags other than _LOCK are ignored,
it is not possible to enable stores or pops without enabling GCS.
When disabling the GCS we do not free the allocated stack, this allows
for inspection of the GCS after disabling as part of fault reporting.
Since it is not an expected use case and since it presents some
complications in determining what to do with previously initialsed data
on the GCS attempts to reenable GCS after this are rejected. This can
be revisted if a use case arises.
Signed-off-by: Mark Brown <broonie@kernel.org>
---
arch/arm64/include/asm/gcs.h | 4 +++
arch/arm64/mm/gcs.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+)
Comments
On Sun, 2023-07-16 at 22:51 +0100, Mark Brown wrote: > +int arch_set_shadow_stack_status(struct task_struct *task, unsigned > long arg) > +{ > + unsigned long gcs, size; > + > + if (!system_supports_gcs()) > + return -EINVAL; > + > + if (is_compat_thread(task_thread_info(task))) > + return -EINVAL; > + > + /* Reject unknown flags */ > + if (arg & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK) > + return -EINVAL; > + > + /* If the task has been locked block any attempted changes */ > + if (task->thread.gcs_el0_mode & PR_SHADOW_STACK_LOCK) > + return -EBUSY; > + > + /* Drop flags other than lock if disabling */ > + if (!(arg & PR_SHADOW_STACK_ENABLE)) > + arg &= ~PR_SHADOW_STACK_LOCK; > + > + /* If we are enabling GCS then make sure we have a stack */ > + if (arg & PR_SHADOW_STACK_ENABLE) { > + if (!task_gcs_el0_enabled(task)) { > + /* Do not allow GCS to be reenabled */ > + if (task->thread.gcs_base) > + return -EINVAL; > + > + size = gcs_size(0); > + gcs = alloc_gcs(task->thread.gcspr_el0, size, > + 0, 0); > + if (!gcs) > + return -ENOMEM; > + > + task->thread.gcspr_el0 = gcs + size - > sizeof(u64); > + task->thread.gcs_base = gcs; > + task->thread.gcs_size = size; > + if (task == current) > + write_sysreg_s(task- > >thread.gcspr_el0, > + SYS_GCSPR_EL0); > + > + } > + } > + > + task->thread.gcs_el0_mode = arg; > + if (task == current) > + gcs_set_el0_mode(task); > + Ah! So does this task == current part mean this can be called from another task via ptrace? If so, then is the alloc_gcs() part on the wrong mm?
On Tue, Jul 18, 2023 at 05:51:54PM +0000, Edgecombe, Rick P wrote: > On Sun, 2023-07-16 at 22:51 +0100, Mark Brown wrote: > > + gcs = alloc_gcs(task->thread.gcspr_el0, size, > > + 0, 0); > > + if (!gcs) > > + return -ENOMEM; > > + task->thread.gcs_el0_mode = arg; > > + if (task == current) > > + gcs_set_el0_mode(task); > > + > Ah! So does this task == current part mean this can be called from > another task via ptrace? Ugh, right. So I had been worried about preemption rather than invoking prctl() via ptrace, though since ptrace can change the syscall invoked by a task it could cause prctl() to be invoked that way (but that should look like being run in the target process). I'm not aware of an interface specifically intended to remotely invoke prctls via ptrace but that doesn't mean there isn't one that I didn't find yet. I can't remember why I'm aware of the task != current case as a concern which is worrying me. > If so, then is the alloc_gcs() part on the wrong mm? Yes, it will be. I'll add a check in there to reject attempts to enable GCS when task != current.
diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include/asm/gcs.h index 4371a2f99b4a..8655ba8054c7 100644 --- a/arch/arm64/include/asm/gcs.h +++ b/arch/arm64/include/asm/gcs.h @@ -48,6 +48,10 @@ static inline u64 gcsss2(void) return Xt; } +#define PR_SHADOW_STACK_SUPPORTED_STATUS_MASK \ + (PR_SHADOW_STACK_LOCK | PR_SHADOW_STACK_ENABLE | \ + PR_SHADOW_STACK_WRITE | PR_SHADOW_STACK_PUSH) + #ifdef CONFIG_ARM64_GCS static inline bool task_gcs_el0_enabled(struct task_struct *task) diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c index 1e059c37088d..b137493c594d 100644 --- a/arch/arm64/mm/gcs.c +++ b/arch/arm64/mm/gcs.c @@ -93,3 +93,67 @@ void gcs_free(struct task_struct *task) task->thread.gcs_base = 0; task->thread.gcs_size = 0; } + +int arch_set_shadow_stack_status(struct task_struct *task, unsigned long arg) +{ + unsigned long gcs, size; + + if (!system_supports_gcs()) + return -EINVAL; + + if (is_compat_thread(task_thread_info(task))) + return -EINVAL; + + /* Reject unknown flags */ + if (arg & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK) + return -EINVAL; + + /* If the task has been locked block any attempted changes */ + if (task->thread.gcs_el0_mode & PR_SHADOW_STACK_LOCK) + return -EBUSY; + + /* Drop flags other than lock if disabling */ + if (!(arg & PR_SHADOW_STACK_ENABLE)) + arg &= ~PR_SHADOW_STACK_LOCK; + + /* If we are enabling GCS then make sure we have a stack */ + if (arg & PR_SHADOW_STACK_ENABLE) { + if (!task_gcs_el0_enabled(task)) { + /* Do not allow GCS to be reenabled */ + if (task->thread.gcs_base) + return -EINVAL; + + size = gcs_size(0); + gcs = alloc_gcs(task->thread.gcspr_el0, size, + 0, 0); + if (!gcs) + return -ENOMEM; + + task->thread.gcspr_el0 = gcs + size - sizeof(u64); + task->thread.gcs_base = gcs; + task->thread.gcs_size = size; + if (task == current) + write_sysreg_s(task->thread.gcspr_el0, + SYS_GCSPR_EL0); + + } + } + + task->thread.gcs_el0_mode = arg; + if (task == current) + gcs_set_el0_mode(task); + + return 0; +} + +int arch_get_shadow_stack_status(struct task_struct *task, + unsigned long __user *arg) +{ + if (!system_supports_gcs()) + return -EINVAL; + + if (is_compat_thread(task_thread_info(task))) + return -EINVAL; + + return put_user(task->thread.gcs_el0_mode, arg); +}