| Message ID | 20231212235003.2036221-1-debug@rivosinc.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp8074130vqy;
Tue, 12 Dec 2023 15:51:33 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IEtMYmcVeG2+3updjKF1hPPUn+3W+7Gfp+gZL0rrSImep6WZFxMjrviH2c2wMwB/85bl+5C
X-Received: by 2002:a17:90b:23c4:b0:286:6cc0:62b2 with SMTP id
md4-20020a17090b23c400b002866cc062b2mr7486048pjb.49.1702425090316;
Tue, 12 Dec 2023 15:51:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702425090; cv=none;
d=google.com; s=arc-20160816;
b=e5jt5CdZ9iqdVQqKGJYEEqKZVbuuhSLwEW+DnA1lL0XfDOWzlJMaTQUdYh1eakaDq4
LeplEp3KykxpWOhZ48CREK+cajgry4UHSuGvHepibM0ALhho1KZ6glkZs8MQ0+5MI8C9
xxBgw7cXNZXhXAZUwSuW/CS5lNhnkZyp61lY65wbjGlM0KcuM8WqVhS4/NCwhJ0GNJVV
t7BJdNzkvTncjzievzc+kUbPffkob4YME+J7aU0HFTgaV8AJyKZBDRGiuLfkWLrROcVY
+BG669H6nKqONGqIK+lJ0/yy4fTc9K7Z00B2ruwXnVcZMDutB4uZw2LK7kcrBHTtD1q5
7e/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:to:content-transfer-encoding:mime-version
:message-id:date:subject:cc:from:dkim-signature;
bh=SDRVUnCHqVBNMGZhqCPohfXcgegTHPBlvp76ltshrAo=;
fh=lWWlujeSB2THWvfgaTkUGk8ba8+Clrjjecwa7Dr7zH0=;
b=hpyKLfy6Iihs94UpANcIYbRhAzu0KL6ama/QrEzmEJaFHk9j9QRhKa2AuGuXr+tdxv
INA/ZsXSy2R5FotRI2rnEpEHVPKx9XQBKgqGgEpZEYw2EE7ISnAR2GGh9E08MgSUTIcZ
4O+Q9Wp64+MgehS4hNXl+rLPUTZeol5YRwvh6zGaRN1kMzMcsb6/7AUU7BAm5P7wGi59
DPoZz3JaD6ED/1pyhcpopXfydIRwj1M5UfTleLzAuWSDWT8grgNbwajbyseGW8zdtibC
pHurMJsRBzvBoMRU4k9CQ4XXOSr2xZeH/i2nBIc+9giQ8pkj8PdgFUzqsm2VwI6yzjZ1
LY6g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@rivosinc-com.20230601.gappssmtp.com
header.s=20230601 header.b=K4RE5qal;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.37 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from snail.vger.email (snail.vger.email. [23.128.96.37])
by mx.google.com with ESMTPS id
b12-20020a17090a800c00b002859d83de02si8630116pjn.139.2023.12.12.15.51.29
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 12 Dec 2023 15:51:30 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Authentication-Results: mx.google.com;
dkim=fail header.i=@rivosinc-com.20230601.gappssmtp.com
header.s=20230601 header.b=K4RE5qal;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.37 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by snail.vger.email (Postfix) with ESMTP id 06F5180B81C8;
Tue, 12 Dec 2023 15:51:28 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232512AbjLLXvK (ORCPT <rfc822;dexuan.linux@gmail.com>
+ 99 others); Tue, 12 Dec 2023 18:51:10 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58512 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1377494AbjLLXvC (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 12 Dec 2023 18:51:02 -0500
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com
[IPv6:2607:f8b0:4864:20::332])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C6D19C
for <linux-kernel@vger.kernel.org>;
Tue, 12 Dec 2023 15:50:47 -0800 (PST)
Received: by mail-ot1-x332.google.com with SMTP id
46e09a7af769-6da2db096bcso370195a34.0
for <linux-kernel@vger.kernel.org>;
Tue, 12 Dec 2023 15:50:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1702425046;
x=1703029846; darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=SDRVUnCHqVBNMGZhqCPohfXcgegTHPBlvp76ltshrAo=;
b=K4RE5qalWc+CitC1XvAzzuV4uZQ22vzhZUqu3mFlzbctLLCkP2xiB5pu+Vz9r2qOa8
9uReUXVkZoj7qy0gIEGRZN2wyMWcO4fxv59V02fVAQRNjDSUxXtzinGkLZAUOVDUKAFN
LtHy2WxBsIcfPVGarQqCO9NmBk2aEaF7yooRjdapgdCc3KGK/XIHNx/4aoeQxP8G4b5F
WocJx5qWvJvPz7KsATWhWVW66IBGgutyOMVvsg9mAF8+SbKn8oKmZe7tjLf5DrYCAMb1
ZIotDg6sjxAppbW+/fodaRh4o3HTNUz+kfSE8733nfKSXQOEGSaasfpSSUT/E7Or0yxG
uQhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1702425046; x=1703029846;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=SDRVUnCHqVBNMGZhqCPohfXcgegTHPBlvp76ltshrAo=;
b=g4tXUe0Acyu3XJoH9qVeBeY3YsPhPuFZn0s3eEsxvI6tZHFfAJITfsWAsSPApIPvxK
nj7iRkODH5rPuLM1ljsKFT1FK8frjLXkw4K0r1R6717Cc+Dn3cwF87nMdCCl12k6PCfI
PFP6Wvmfp1PgN7Hb8YkC8tNDz91wf5DcSNR0OlqVHzvA4TG10hS/ziXK1Cf5yXjwBMWx
l72V8PuKY0/bCdseIe2z/J2Z0xKRUd1KHEFYo2gq9mfAhjOB4vXsqrQxR49bN3b5uAdn
/brxJHLPXbTgdKiEwAC/9o465a75avhMYnsAuLQEAb7h/AHDdM+QbOYFWnxTCkB9s9K6
Kr3g==
X-Gm-Message-State: AOJu0YzI0dBhpTlv4PmJnqnBsix8h7UP0fLd+6AbgmMke8BGdon9/cGz
2myuG1b/aWPHafMzsLXG+Ty4UQ==
X-Received: by 2002:a05:6830:1b65:b0:6ce:271a:5fd0 with SMTP id
d5-20020a0568301b6500b006ce271a5fd0mr3948835ote.4.1702425046465;
Tue, 12 Dec 2023 15:50:46 -0800 (PST)
Received: from debug.ba.rivosinc.com ([64.71.180.162])
by smtp.gmail.com with ESMTPSA id
m19-20020a0568301e7300b006b9cc67386fsm2487295otr.66.2023.12.12.15.50.44
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 12 Dec 2023 15:50:46 -0800 (PST)
From: Deepak Gupta <debug@rivosinc.com>
Cc: Deepak Gupta <debug@rivosinc.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>, Albert Ou <aou@eecs.berkeley.edu>,
Anup Patel <apatel@ventanamicro.com>, Andrew Jones <ajones@ventanamicro.com>,
Guo Ren <guoren@kernel.org>, Mayuresh Chitale <mchitale@ventanamicro.com>,
wchen <waylingii@gmail.com>, Greentime Hu <greentime.hu@sifive.com>,
Sami Tolvanen <samitolvanen@google.com>,
=?utf-8?b?QmrDtnJuIFTDtnBlbA==?= <bjorn@rivosinc.com>,
Conor Dooley <conor.dooley@microchip.com>,
Sia Jee Heng <jeeheng.sia@starfivetech.com>,
Heiko Stuebner <heiko@sntech.de>, Evan Green <evan@rivosinc.com>,
Jisheng Zhang <jszhang@kernel.org>,
=?utf-8?b?Q2zDqW1lbnQgTMOpZ2Vy?= <cleger@rivosinc.com>,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1 2/2] riscv: envcfg save and restore on trap entry/exit
Date: Tue, 12 Dec 2023 15:49:25 -0800
Message-ID: <20231212235003.2036221-1-debug@rivosinc.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
To: unlisted-recipients:; (no To-header on input)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
Tue, 12 Dec 2023 15:51:28 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1785122091705849073
X-GMAIL-MSGID: 1785122091705849073
|
| Series |
[v1,1/2] riscv: abstract envcfg CSR
|
|
Commit Message
Deepak Gupta
Dec. 12, 2023, 11:49 p.m. UTC
envcfg CSR defines enabling bits for cache management instructions and soon
will control enabling for control flow integrity and pointer masking features.
Control flow integrity and pointer masking features need to be enabled on per
thread basis. Additionally, I believe cache management instructions need to be
enabled on per thread basis. As an example a seccomped task on riscv may be
restricted to not use cache management instructions
This patch creates a place holder for envcfg CSR in `thread_info` and adds
logic to save and restore on trap entry and exits. This allows such isa feature
to be enabled on per thread basis.
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
arch/riscv/include/asm/thread_info.h | 1 +
arch/riscv/kernel/asm-offsets.c | 1 +
arch/riscv/kernel/entry.S | 6 ++++++
3 files changed, 8 insertions(+)
Comments
On Tue, 12 Dec 2023 15:49:25 PST (-0800), debug@rivosinc.com wrote: > envcfg CSR defines enabling bits for cache management instructions and soon > will control enabling for control flow integrity and pointer masking features. > > Control flow integrity and pointer masking features need to be enabled on per > thread basis. Additionally, I believe cache management instructions need to be > enabled on per thread basis. As an example a seccomped task on riscv may be > restricted to not use cache management instructions Do we have anything in the kernel that actually does that? Generally we need some use, I couldn't find any user-mode writable envcfg bits in any extesions I looked at (admittidly just CFI and pointer masking), and unless I'm missing something there's no per-thread state in the kernel. > This patch creates a place holder for envcfg CSR in `thread_info` and adds > logic to save and restore on trap entry and exits. This allows such isa feature > to be enabled on per thread basis. > > Signed-off-by: Deepak Gupta <debug@rivosinc.com> > --- > arch/riscv/include/asm/thread_info.h | 1 + > arch/riscv/kernel/asm-offsets.c | 1 + > arch/riscv/kernel/entry.S | 6 ++++++ > 3 files changed, 8 insertions(+) > > diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h > index 574779900bfb..320bc899a63b 100644 > --- a/arch/riscv/include/asm/thread_info.h > +++ b/arch/riscv/include/asm/thread_info.h > @@ -57,6 +57,7 @@ struct thread_info { > long user_sp; /* User stack pointer */ > int cpu; > unsigned long syscall_work; /* SYSCALL_WORK_ flags */ > + unsigned long envcfg; > #ifdef CONFIG_SHADOW_CALL_STACK > void *scs_base; > void *scs_sp; > diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c > index a03129f40c46..cdd8f095c30c 100644 > --- a/arch/riscv/kernel/asm-offsets.c > +++ b/arch/riscv/kernel/asm-offsets.c > @@ -39,6 +39,7 @@ void asm_offsets(void) > OFFSET(TASK_TI_PREEMPT_COUNT, task_struct, thread_info.preempt_count); > OFFSET(TASK_TI_KERNEL_SP, task_struct, thread_info.kernel_sp); > OFFSET(TASK_TI_USER_SP, task_struct, thread_info.user_sp); > + OFFSET(TASK_TI_ENVCFG, task_struct, thread_info.envcfg); > #ifdef CONFIG_SHADOW_CALL_STACK > OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); > #endif > diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S > index 54ca4564a926..a1d87013f15a 100644 > --- a/arch/riscv/kernel/entry.S > +++ b/arch/riscv/kernel/entry.S > @@ -64,12 +64,14 @@ SYM_CODE_START(handle_exception) > csrr s3, CSR_TVAL > csrr s4, CSR_CAUSE > csrr s5, CSR_SCRATCH > + csrr s6, CSR_ENVCFG > REG_S s0, PT_SP(sp) > REG_S s1, PT_STATUS(sp) > REG_S s2, PT_EPC(sp) > REG_S s3, PT_BADADDR(sp) > REG_S s4, PT_CAUSE(sp) > REG_S s5, PT_TP(sp) > + REG_S s6, TASK_TI_ENVCFG(tp) > > /* > * Set the scratch register to 0, so that if a recursive exception > @@ -129,6 +131,10 @@ SYM_CODE_START_NOALIGN(ret_from_exception) > addi s0, sp, PT_SIZE_ON_STACK > REG_S s0, TASK_TI_KERNEL_SP(tp) > > + /* restore envcfg bits for current thread */ > + REG_L s0, TASK_TI_ENVCFG(tp) > + csrw CSR_ENVCFG, s0 > + > /* Save the kernel shadow call stack pointer */ > scs_save_current
On Tue, Dec 12, 2023 at 04:53:48PM -0800, Palmer Dabbelt wrote: >On Tue, 12 Dec 2023 15:49:25 PST (-0800), debug@rivosinc.com wrote: >>envcfg CSR defines enabling bits for cache management instructions and soon >>will control enabling for control flow integrity and pointer masking features. >> >>Control flow integrity and pointer masking features need to be enabled on per >>thread basis. Additionally, I believe cache management instructions need to be >>enabled on per thread basis. As an example a seccomped task on riscv may be >>restricted to not use cache management instructions > >Do we have anything in the kernel that actually does that? Generally >we need some use, I couldn't find any user-mode writable envcfg bits >in any extesions I looked at (admittidly just CFI and pointer >masking), and unless I'm missing something there's no per-thread state >in the kernel. > Cache management operations? As of now kernel blindly enables that for all the user mode. It will be good if that is enabled on per-thread basis. Sure, all threads can have it enabled by default. But if strict seccomp is enabled, I would argue that cache management operations for that thread to be disabled as is done on other arches. As an example x86 disable rdtsc on strict seccomp. RISCV allows this CMO extension and I expect CMO to leverage this (currently it doesn't). I was being opportunistic here so that I can reduce number of patches on CFI enabling patchset. Will it be okay if I revise this patch to include with a usecase to restrict CMO (say for case of strict seccomp on risc-v)?
On Tue, Dec 12, 2023 at 05:02:43PM -0800, Deepak Gupta wrote: > On Tue, Dec 12, 2023 at 04:53:48PM -0800, Palmer Dabbelt wrote: > > On Tue, 12 Dec 2023 15:49:25 PST (-0800), debug@rivosinc.com wrote: > > > envcfg CSR defines enabling bits for cache management instructions and soon > > > will control enabling for control flow integrity and pointer masking features. > > > > > > Control flow integrity and pointer masking features need to be enabled on per > > > thread basis. Additionally, I believe cache management instructions need to be > > > enabled on per thread basis. As an example a seccomped task on riscv may be > > > restricted to not use cache management instructions > > > > Do we have anything in the kernel that actually does that? Generally we > > need some use, I couldn't find any user-mode writable envcfg bits in any > > extesions I looked at (admittidly just CFI and pointer masking), and > > unless I'm missing something there's no per-thread state in the kernel. > > > > Cache management operations? > As of now kernel blindly enables that for all the user mode. It will be good if > that is enabled on per-thread basis. Sure, all threads can have it enabled by > default. But if strict seccomp is enabled, I would argue that cache management > operations for that thread to be disabled as is done on other arches. As an > example x86 disable rdtsc on strict seccomp. RISCV allows this CMO extension > and I expect CMO to leverage this (currently it > doesn't). > > I was being opportunistic here so that I can reduce number of patches on CFI > enabling patchset. > > Will it be okay if I revise this patch to include with a usecase to restrict CMO > (say for case of strict seccomp on risc-v)? I opted to only expose cache block zero since giving userspace the ability to invalidate cache blocks seems risky from a side-channel attack perspective. I'm no security expert, so feedback welcome, but I don't see a risk with userspace being granted cbo.zero, even for strict seccomp processes. Thanks, drew
On Wed, Dec 13, 2023 at 4:24 AM Andrew Jones <ajones@ventanamicro.com> wrote: > > On Tue, Dec 12, 2023 at 05:02:43PM -0800, Deepak Gupta wrote: > > On Tue, Dec 12, 2023 at 04:53:48PM -0800, Palmer Dabbelt wrote: > > > On Tue, 12 Dec 2023 15:49:25 PST (-0800), debug@rivosinc.com wrote: > > > > envcfg CSR defines enabling bits for cache management instructions and soon > > > > will control enabling for control flow integrity and pointer masking features. > > > > > > > > Control flow integrity and pointer masking features need to be enabled on per > > > > thread basis. Additionally, I believe cache management instructions need to be > > > > enabled on per thread basis. As an example a seccomped task on riscv may be > > > > restricted to not use cache management instructions > > > > > > Do we have anything in the kernel that actually does that? Generally we > > > need some use, I couldn't find any user-mode writable envcfg bits in any > > > extesions I looked at (admittidly just CFI and pointer masking), and > > > unless I'm missing something there's no per-thread state in the kernel. > > > > > > > Cache management operations? > > As of now kernel blindly enables that for all the user mode. It will be good if > > that is enabled on per-thread basis. Sure, all threads can have it enabled by > > default. But if strict seccomp is enabled, I would argue that cache management > > operations for that thread to be disabled as is done on other arches. As an > > example x86 disable rdtsc on strict seccomp. RISCV allows this CMO extension > > and I expect CMO to leverage this (currently it > > doesn't). > > > > I was being opportunistic here so that I can reduce number of patches on CFI > > enabling patchset. > > > > Will it be okay if I revise this patch to include with a usecase to restrict CMO > > (say for case of strict seccomp on risc-v)? > > I opted to only expose cache block zero since giving userspace the > ability to invalidate cache blocks seems risky from a side-channel attack > perspective. I didn't pay attention. You're right, it's only cbo.zero that's exposed. I will roll up my patch with cfi set then. > > I'm no security expert, so feedback welcome, but I don't see a risk with > userspace being granted cbo.zero, even for strict seccomp processes. Yeah I don't see a risk with cbo.zero to strict seccomp thread either. > > Thanks, > drew
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h index 574779900bfb..320bc899a63b 100644 --- a/arch/riscv/include/asm/thread_info.h +++ b/arch/riscv/include/asm/thread_info.h @@ -57,6 +57,7 @@ struct thread_info { long user_sp; /* User stack pointer */ int cpu; unsigned long syscall_work; /* SYSCALL_WORK_ flags */ + unsigned long envcfg; #ifdef CONFIG_SHADOW_CALL_STACK void *scs_base; void *scs_sp; diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c index a03129f40c46..cdd8f095c30c 100644 --- a/arch/riscv/kernel/asm-offsets.c +++ b/arch/riscv/kernel/asm-offsets.c @@ -39,6 +39,7 @@ void asm_offsets(void) OFFSET(TASK_TI_PREEMPT_COUNT, task_struct, thread_info.preempt_count); OFFSET(TASK_TI_KERNEL_SP, task_struct, thread_info.kernel_sp); OFFSET(TASK_TI_USER_SP, task_struct, thread_info.user_sp); + OFFSET(TASK_TI_ENVCFG, task_struct, thread_info.envcfg); #ifdef CONFIG_SHADOW_CALL_STACK OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); #endif diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S index 54ca4564a926..a1d87013f15a 100644 --- a/arch/riscv/kernel/entry.S +++ b/arch/riscv/kernel/entry.S @@ -64,12 +64,14 @@ SYM_CODE_START(handle_exception) csrr s3, CSR_TVAL csrr s4, CSR_CAUSE csrr s5, CSR_SCRATCH + csrr s6, CSR_ENVCFG REG_S s0, PT_SP(sp) REG_S s1, PT_STATUS(sp) REG_S s2, PT_EPC(sp) REG_S s3, PT_BADADDR(sp) REG_S s4, PT_CAUSE(sp) REG_S s5, PT_TP(sp) + REG_S s6, TASK_TI_ENVCFG(tp) /* * Set the scratch register to 0, so that if a recursive exception @@ -129,6 +131,10 @@ SYM_CODE_START_NOALIGN(ret_from_exception) addi s0, sp, PT_SIZE_ON_STACK REG_S s0, TASK_TI_KERNEL_SP(tp) + /* restore envcfg bits for current thread */ + REG_L s0, TASK_TI_ENVCFG(tp) + csrw CSR_ENVCFG, s0 + /* Save the kernel shadow call stack pointer */ scs_save_current