diff mbox series

[v4,02/39] x86/shstk: Add Kconfig option for Shadow Stack

Message ID	20221203003606.6838-3-rick.p.edgecombe@intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu <yu-cheng.yu@intel.com> Subject: [PATCH v4 02/39] x86/shstk: Add Kconfig option for Shadow Stack Date: Fri, 2 Dec 2022 16:35:29 -0800 Message-Id: <20221203003606.6838-3-rick.p.edgecombe@intel.com> In-Reply-To: <20221203003606.6838-1-rick.p.edgecombe@intel.com> References: <20221203003606.6838-1-rick.p.edgecombe@intel.com> Precedence: bulk
Series	Shadow stacks for userspace \| [v4,00/39] Shadow stacks for userspace [v4,01/39] Documentation/x86: Add CET shadow stack description [v4,02/39] x86/shstk: Add Kconfig option for Shadow Stack [v4,03/39] x86/cpufeatures: Add CPU feature flags for shadow stacks [v4,04/39] x86/cpufeatures: Enable CET CR4 bit for shadow stack [v4,05/39] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states [v4,06/39] x86/fpu: Add helper for modifying xstate [v4,07/39] x86: Add user control-protection fault handler [v4,08/39] x86/mm: Remove _PAGE_DIRTY from kernel RO pages [v4,09/39] x86/mm: Move pmd_write(), pud_write() up in the file [v4,10/39] x86/mm: Introduce _PAGE_COW [v4,11/39] x86/mm: Update pte_modify for _PAGE_COW [v4,12/39] x86/mm: Update ptep_set_wrprotect() and pmdp_set_wrprotect() for transition from _PAGE_D… [v4,13/39] x86/mm: Start actually marking _PAGE_COW [v4,14/39] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 [v4,15/39] mm: Introduce VM_SHADOW_STACK for shadow stack memory [v4,16/39] x86/mm: Check Shadow Stack page fault errors [v4,17/39] x86/mm: Update maybe_mkwrite() for shadow stack [v4,18/39] mm: Fixup places that call pte_mkwrite() directly [v4,19/39] mm: Add guard pages around a shadow stack. [v4,20/39] mm/mmap: Add shadow stack pages to memory accounting [v4,21/39] mm/mprotect: Exclude shadow stack from preserve_write [v4,22/39] mm: Re-introduce vm_flags to do_mmap() [v4,23/39] mm: Don't allow write GUPs to shadow stack memory [v4,24/39] mm: Warn on shadow stack memory in wrong vma [v4,25/39] x86: Introduce userspace API for shadow stack [v4,26/39] x86/shstk: Add user-mode shadow stack support [v4,27/39] x86/shstk: Handle thread shadow stack [v4,28/39] x86/shstk: Introduce routines modifying shstk [v4,29/39] x86/shstk: Handle signals for shadow stack [v4,30/39] x86/shstk: Introduce map_shadow_stack syscall [v4,31/39] x86/shstk: Support wrss for userspace [v4,32/39] x86: Expose thread features in /proc/$PID/status [v4,33/39] x86: Prevent 32 bit operations for 64 bit shstk tasks [v4,34/39] x86/shstk: Wire in shadow stack interface [v4,35/39] selftests/x86: Add shadow stack test [v4,36/39] x86/fpu: Add helper for initing features [v4,37/39] x86: Add PTRACE interface for shadow stack [v4,38/39] x86/shstk: Add ARCH_SHSTK_UNLOCK [v4,39/39] x86/shstk: Add ARCH_SHSTK_STATUS

Commit Message

Edgecombe, Rick P Dec. 3, 2022, 12:35 a.m. UTC

  From: Yu-cheng Yu <yu-cheng.yu@intel.com>

Shadow Stack provides protection for applications against function return
address corruption. It is active when the processor supports it, the
kernel has CONFIG_X86_SHADOW_STACK enabled, and the application is built
for the feature. This is only implemented for the 64-bit kernel. When it
is enabled, legacy non-Shadow Stack applications continue to work, but
without protection.

Since there is another feature that utilizes CET (Kernel IBT) that will
share implementation with Shadow Stacks, create CONFIG_CET to signify
that at least one CET feature is configured.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Kees Cook <keescook@chromium.org>
---

v3:
 - Add X86_CET (Kees)
 - Add back WRUSS dependency (Kees)
 - Fix verbiage (Dave)
 - Change from promt to bool (Kirill)
 - Add more to commit log

v2:
 - Remove already wrong kernel size increase info (tlgx)
 - Change prompt to remove "Intel" (tglx)
 - Update line about what CPUs are supported (Dave)

Yu-cheng v25:
 - Remove X86_CET and use X86_SHADOW_STACK directly.

Yu-cheng v24:
 - Update for the splitting X86_CET to X86_SHADOW_STACK and X86_IBT.

 arch/x86/Kconfig           | 24 ++++++++++++++++++++++++
 arch/x86/Kconfig.assembler |  5 +++++
 2 files changed, 29 insertions(+)

Comments

Kees Cook Dec. 3, 2022, 2:20 a.m. UTC | #1

On Fri, Dec 02, 2022 at 04:35:29PM -0800, Rick Edgecombe wrote:
> From: Yu-cheng Yu <yu-cheng.yu@intel.com>
> 
> Shadow Stack provides protection for applications against function return
> address corruption. It is active when the processor supports it, the
> kernel has CONFIG_X86_SHADOW_STACK enabled, and the application is built
> for the feature. This is only implemented for the 64-bit kernel. When it
> is enabled, legacy non-Shadow Stack applications continue to work, but
> without protection.
> 
> Since there is another feature that utilizes CET (Kernel IBT) that will
> share implementation with Shadow Stacks, create CONFIG_CET to signify
> that at least one CET feature is configured.
> 
> Tested-by: Pengfei Xu <pengfei.xu@intel.com>
> Tested-by: John Allen <john.allen@amd.com>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

diff mbox series

Patch

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index ae36661cfd81..3c4a8e47cf19 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1853,6 +1853,11 @@  config CC_HAS_IBT
 		  (CC_IS_CLANG && CLANG_VERSION >= 140000)) && \
 		  $(as-instr,endbr64)
 
+config X86_CET
+	def_bool n
+	help
+	  CET features configured (Shadow Stack or IBT)
+
 config X86_KERNEL_IBT
 	prompt "Indirect Branch Tracking"
 	def_bool y
@@ -1860,6 +1865,7 @@  config X86_KERNEL_IBT
 	# https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
 	depends on !LD_IS_LLD || LLD_VERSION >= 140000
 	select OBJTOOL
+	select X86_CET
 	help
 	  Build the kernel with support for Indirect Branch Tracking, a
 	  hardware support course-grain forward-edge Control Flow Integrity
@@ -1954,6 +1960,24 @@  config X86_SGX
 
 	  If unsure, say N.
 
+config X86_USER_SHADOW_STACK
+	bool "X86 Userspace Shadow Stack"
+	depends on AS_WRUSS
+	depends on X86_64
+	select ARCH_USES_HIGH_VMA_FLAGS
+	select X86_CET
+	help
+	  Shadow Stack protection is a hardware feature that detects function
+	  return address corruption.  This helps mitigate ROP attacks.
+	  Applications must be enabled to use it, and old userspace does not
+	  get protection "for free".
+
+	  CPUs supporting shadow stacks were first released in 2020.
+
+	  See Documentation/x86/cet.rst for more information.
+
+	  If unsure, say N.
+
 config EFI
 	bool "EFI runtime service support"
 	depends on ACPI
diff --git a/arch/x86/Kconfig.assembler b/arch/x86/Kconfig.assembler
index 26b8c08e2fc4..00c79dd93651 100644
--- a/arch/x86/Kconfig.assembler
+++ b/arch/x86/Kconfig.assembler
@@ -19,3 +19,8 @@  config AS_TPAUSE
 	def_bool $(as-instr,tpause %ecx)
 	help
 	  Supported by binutils >= 2.31.1 and LLVM integrated assembler >= V7
+
+config AS_WRUSS
+	def_bool $(as-instr,wrussq %rax$(comma)(%rbx))
+	help
+	  Supported by binutils >= 2.31 and LLVM integrated assembler