| Message ID | 20230811233556.97161-7-samitolvanen@google.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b824:0:b0:3f2:4152:657d with SMTP id z4csp1473930vqi;
Fri, 11 Aug 2023 19:16:50 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IE8tduC1JRPXGOMIS7ZNf7enVDbKK4PkrIRIllwHWVgv6FoaFen/clU6SI1ap4SGmzukTtl
X-Received: by 2002:a17:907:2bde:b0:997:e7d0:e26d with SMTP id
gv30-20020a1709072bde00b00997e7d0e26dmr3922568ejc.4.1691806609940;
Fri, 11 Aug 2023 19:16:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1691806609; cv=none;
d=google.com; s=arc-20160816;
b=ug+rhlryHc95LZyEIMM7tRg5jdhTDNM7+PJ8x7vt5bLfx5jZlTA8YIxNwaK//3zMJG
viKg8p1p7gI5m6vrNVm85dGiozC50y+FdS4XDMMkEp51x3xABJVQT/zZiYrtmAHzUyvE
hrP0L07dZdQ6CVCkDe3LUzDWlXePPfh/MTl56pPmStLPBYkgL0DAR53siHwW1J/eLxU4
B5xpg2lC6fojcH7XwhWq/u4SgHBL2EsF19npfz2HN9H4YNXdAyVmy3Y+zy703tkc8/gy
G7+2Ot8GhKSucQZbgsptMVYks1qQu3w7JCap5qX/LYJe3fx0d+xDmzuaDsXSegrlf/Qs
UBKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date
:dkim-signature;
bh=FJyrj6tK6yVbG9YTlwg97zBjNmUOI6qcixTijwM1454=;
fh=EU0TIckDJHUB8oxmYASKGRuQqUEMHHFj6AqpMEFrOc4=;
b=yjFb4ZVPKIoS0aCwVK7QEoanjforpQ9BVpvs6Qzmr4mcwa54wvXtEk+jw4Cq2R9azC
Ebvk9cP3czkHLiG65bC5tcmg+N0rCnbTLHudhVyX60Wbbyfj3xxJTblJdSam25hN3nju
oDAkn4CXwNrZRkkEZefo4t8GBOD7Z/8Ef6B+5soHUYX+kF5+hyo/CUpCiMswGf3R2y6o
nJQTqazTw98O4TNmvVEgerig3KH/SKmlgKTf6frnMih0+VcpHzOzaN8rSuYId7EuQR1I
mnwFP6eLh5V1ByJ4mPumqASPTZE3DpYHvjnIeuttzRr3W2gmhF3Zpjr84G4wFvW+qs6c
6MUQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=t4tQUrEr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k25-20020a1709065fd900b00986631b58d2si4353227ejv.837.2023.08.11.19.16.26;
Fri, 11 Aug 2023 19:16:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=t4tQUrEr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S237020AbjHKXgF (ORCPT <rfc822;lanlanxiyiji@gmail.com>
+ 99 others); Fri, 11 Aug 2023 19:36:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44098 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231685AbjHKXgC (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 11 Aug 2023 19:36:02 -0400
Received: from mail-pl1-x649.google.com (mail-pl1-x649.google.com
[IPv6:2607:f8b0:4864:20::649])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FC0C10E6
for <linux-kernel@vger.kernel.org>;
Fri, 11 Aug 2023 16:36:01 -0700 (PDT)
Received: by mail-pl1-x649.google.com with SMTP id
d9443c01a7336-1bb8f751372so36468205ad.0
for <linux-kernel@vger.kernel.org>;
Fri, 11 Aug 2023 16:36:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20221208; t=1691796960; x=1692401760;
h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
:date:message-id:reply-to;
bh=FJyrj6tK6yVbG9YTlwg97zBjNmUOI6qcixTijwM1454=;
b=t4tQUrEr9br4jVUzCKEChkEGCVyX/w5GmiGPqeA0hD6O1Uy32gpVsvQDosKld/ygzA
0TIEMY46JnkMWWtV7PTnTn22KMDZFDNB16TlTWzBzXZrIIVMYCZ+KJyn8qL2MYV1pmwz
bZtTUUyEOEFC4EPmPS7znethsqbr0YoTsZnZqYv9QyHXjzC1P+VT5EYGHOKhDtmmM8Qu
Re2h+x75ggvqhrlD5VchlMI1Xu1GOMoUZiWLr4cZAYYBPGljIEFk8gKbQAK4K5tWq6Ue
hjPVDwQtRAgi492YOIlOR6RPVkVtiW6mKcEKW5Xjv2vzHd+Z0cMYTvdx1QR4v2xffK8D
c5pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1691796960; x=1692401760;
h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=FJyrj6tK6yVbG9YTlwg97zBjNmUOI6qcixTijwM1454=;
b=D/rkV9OTCkI3QvRGzz3cD57nqdxzC8XSb8HpY12d2eqPnOIWi11fwsrB+1qNENndEw
1HS1lHLWTJeEk/UIvNnNczclUFmruRPsEPXAZ6kdVfyCvTiLrv9RwjWymOyHCovRZzqP
nVywMx2NwNTDAWBCA7233LFk4n1T6aT6/7W6aqOjQGUlI6DKXxpqJguJ9d4D2tviKw4b
0NcKmwyEop4pDFkEd2UO4zaZsIw1LoKZMh8em0DdVJzkPp0sXGH1AXtF1LXZPKLXvWq9
MrRd/SHPfHHnOYyeJUeXzWX9HESPg8wOfqEFlPPa9FMuJyyCAh14vH8jgbqBQzf/bYjo
U/Qg==
X-Gm-Message-State: AOJu0Ywe11knNssEnUuJSTRAi1UHRzScsAxZDsruUKpdZIwd2YtmF/Gs
FzHwuBIrWUuq22D/clHTBifb7gYnLPPDiZOB6aI=
X-Received: from samitolvanen.c.googlers.com
([fda3:e722:ac3:cc00:7f:e700:c0a8:4f92])
(user=samitolvanen job=sendgmr) by 2002:a17:902:d491:b0:1bc:f6d:b2f1 with
SMTP id c17-20020a170902d49100b001bc0f6db2f1mr1221684plg.5.1691796960490;
Fri, 11 Aug 2023 16:36:00 -0700 (PDT)
Date: Fri, 11 Aug 2023 23:35:57 +0000
Mime-Version: 1.0
X-Developer-Key: i=samitolvanen@google.com; a=openpgp;
fpr=35CCFB63B283D6D3AEB783944CB5F6848BBC56EE
X-Developer-Signature: v=1; a=openpgp-sha256; l=2952;
i=samitolvanen@google.com;
h=from:subject; bh=SDgfUeek9bBfFH/GgjHWWomZBQ3jJ70oyZ3dQ6OElFU=;
b=owEB7QES/pANAwAKAUy19oSLvFbuAcsmYgBk1sXcOnbq6JZt3RU1sP5IFJKUw25LC2bv8yymB
W5paiN1ZL2JAbMEAAEKAB0WIQQ1zPtjsoPW0663g5RMtfaEi7xW7gUCZNbF3AAKCRBMtfaEi7xW
7tQFDACNDk8aAKLNu9rSXt5k9BB1l2H/kIELpE2MHU7dGXgGcUdXux+dC8a0NkC4eMhYyShjRBD
855vgltV0mRxmNIGnJ/T7tm7IrUCLEDJEig69lr1nVmkzaHdAhiLnYMNADHroqKRiT82oYUVjFC
o2543jVSzPAm6CKbx0eBx709zBvozpwYmxR7rUvg7T49jgFVT6uelJP6mMBK1Rge2cw78smfOi9
RG2Jhdohk0YNmUYpMpO0qa3O9KJCl6u3Ee6c9mfuqmX8Lto+vW5C45CwOZvTwed1vYzfsXfh7LC
0J+BixKgBvVxbOFuQ04mYuxugfwVm/6ZvdQV+LZn4ZOOvs4Ral3c4JpfthwfgYOW1nIND2bC4SN
RXrbNrh/QII1Tgze+kZrhJjbN4ze1dSYV+Y1SBEc+PtqNVdglNYtmfm9cSq152TctDoqNSq0jnr
5U3Ce6svaWc7k2zr5EDhv+SDQ8diCRpkSo72SRsnIchQUzaTCl00nv7W9xzmBDbF83cS4=
X-Mailer: git-send-email 2.41.0.640.ga95def55d0-goog
Message-ID: <20230811233556.97161-7-samitolvanen@google.com>
Subject: [PATCH 0/5] riscv: SCS support
From: Sami Tolvanen <samitolvanen@google.com>
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Kees Cook <keescook@chromium.org>
Cc: Guo Ren <guoren@kernel.org>, Deepak Gupta <debug@rivosinc.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Fangrui Song <maskray@google.com>,
linux-riscv@lists.infradead.org, llvm@lists.linux.dev,
linux-kernel@vger.kernel.org,
Sami Tolvanen <samitolvanen@google.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1773987807853896798
X-GMAIL-MSGID: 1773987807853896798
|
| Series | riscv: SCS support | |
Message
Sami Tolvanen
Aug. 11, 2023, 11:35 p.m. UTC
Hi folks, This series adds Shadow Call Stack (SCS) support for RISC-V. SCS uses compiler instrumentation to store return addresses in a separate shadow stack to protect them against accidental or malicious overwrites. More information about SCS can be found here: https://clang.llvm.org/docs/ShadowCallStack.html Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow handling by adding support for accessing per-CPU variables directly in assembly. The patch is included in this series to make IRQ stack switching cleaner with SCS, and I've simply rebased it. Patch 2 uses this functionality to clean up the stack switching by moving duplicate code into a single function. On RISC-V, the compiler uses the gp register for storing the current shadow call stack pointer, which is incompatible with global pointer relaxation. Patch 3 moves global pointer loading into a macro that can be easily disabled with SCS. Patch 4 implements SCS register loading and switching, and allows the feature to be enabled, and patch 5 adds separate per-CPU IRQ shadow call stacks when CONFIG_IRQ_STACKS is enabled. Note that this series requires Clang 17. Earlier Clang versions support SCS on RISC-V, but use the x18 register instead of gp, which isn't ideal. gcc has SCS support for arm64, but I'm not aware of plans to support RISC-V. Once the Zicfiss extension is ratified, it's probably preferable to use hardware-backed shadow stacks instead of SCS on hardware that supports the extension, and we may want to consider implementing CONFIG_DYNAMIC_SCS to patch between the implementation at runtime (similarly to the arm64 implementation, which switches to SCS when hardware PAC support isn't available). Sami Deepak Gupta (1): riscv: VMAP_STACK overflow detection thread-safe Sami Tolvanen (4): riscv: Deduplicate IRQ stack switching riscv: Move global pointer loading to a macro riscv: Implement Shadow Call Stack riscv: Use separate IRQ shadow call stacks arch/riscv/Kconfig | 6 ++ arch/riscv/Makefile | 4 + arch/riscv/include/asm/asm.h | 35 ++++++++ arch/riscv/include/asm/irq_stack.h | 3 + arch/riscv/include/asm/scs.h | 54 ++++++++++++ arch/riscv/include/asm/thread_info.h | 16 +++- arch/riscv/kernel/asm-offsets.c | 4 + arch/riscv/kernel/entry.S | 126 +++++++++++++-------------- arch/riscv/kernel/head.S | 19 ++-- arch/riscv/kernel/irq.c | 53 ++++++----- arch/riscv/kernel/suspend_entry.S | 5 +- arch/riscv/kernel/traps.c | 65 ++------------ arch/riscv/kernel/vdso/Makefile | 2 +- arch/riscv/purgatory/Makefile | 4 + 14 files changed, 228 insertions(+), 168 deletions(-) create mode 100644 arch/riscv/include/asm/scs.h base-commit: 52a93d39b17dc7eb98b6aa3edb93943248e03b2f
Comments
Hi Sami, On Fri, Aug 11, 2023 at 11:35:57PM +0000, Sami Tolvanen wrote: > Hi folks, > > This series adds Shadow Call Stack (SCS) support for RISC-V. SCS > uses compiler instrumentation to store return addresses in a > separate shadow stack to protect them against accidental or > malicious overwrites. More information about SCS can be found > here: > > https://clang.llvm.org/docs/ShadowCallStack.html > > Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow > handling by adding support for accessing per-CPU variables > directly in assembly. The patch is included in this series to > make IRQ stack switching cleaner with SCS, and I've simply > rebased it. Patch 2 uses this functionality to clean up the stack > switching by moving duplicate code into a single function. On > RISC-V, the compiler uses the gp register for storing the current > shadow call stack pointer, which is incompatible with global > pointer relaxation. Patch 3 moves global pointer loading into a > macro that can be easily disabled with SCS. Patch 4 implements > SCS register loading and switching, and allows the feature to be > enabled, and patch 5 adds separate per-CPU IRQ shadow call stacks > when CONFIG_IRQ_STACKS is enabled. > > Note that this series requires Clang 17. Earlier Clang versions > support SCS on RISC-V, but use the x18 register instead of gp, > which isn't ideal. gcc has SCS support for arm64, but I'm not > aware of plans to support RISC-V. Once the Zicfiss extension is > ratified, it's probably preferable to use hardware-backed shadow > stacks instead of SCS on hardware that supports the extension, > and we may want to consider implementing CONFIG_DYNAMIC_SCS to > patch between the implementation at runtime (similarly to the > arm64 implementation, which switches to SCS when hardware PAC > support isn't available). I took this series for a spin on top of 6.5-rc6 with both LLVM 18 (built within the past couple of days) and LLVM 17.0.0-rc2 but it seems that the CFI_BACKWARDS LKDTM test does not pass with CONFIG_SHADOW_CALL_STACK=y. [ 73.324652] lkdtm: Performing direct entry CFI_BACKWARD [ 73.324900] lkdtm: Attempting unchecked stack return address redirection ... [ 73.325178] lkdtm: Eek: return address mismatch! 0000000000000002 != ffffffff80614982 [ 73.325478] lkdtm: FAIL: stack return address manipulation failed! Does the test need to be adjusted or is there some other issue? Cheers, Nathan
On Mon, Aug 14, 2023 at 10:59:28AM -0700, Nathan Chancellor wrote: > Hi Sami, > > On Fri, Aug 11, 2023 at 11:35:57PM +0000, Sami Tolvanen wrote: > > Hi folks, > > > > This series adds Shadow Call Stack (SCS) support for RISC-V. SCS > > uses compiler instrumentation to store return addresses in a > > separate shadow stack to protect them against accidental or > > malicious overwrites. More information about SCS can be found > > here: > > > > https://clang.llvm.org/docs/ShadowCallStack.html > > > > Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow > > handling by adding support for accessing per-CPU variables > > directly in assembly. The patch is included in this series to > > make IRQ stack switching cleaner with SCS, and I've simply > > rebased it. Patch 2 uses this functionality to clean up the stack > > switching by moving duplicate code into a single function. On > > RISC-V, the compiler uses the gp register for storing the current > > shadow call stack pointer, which is incompatible with global > > pointer relaxation. Patch 3 moves global pointer loading into a > > macro that can be easily disabled with SCS. Patch 4 implements > > SCS register loading and switching, and allows the feature to be > > enabled, and patch 5 adds separate per-CPU IRQ shadow call stacks > > when CONFIG_IRQ_STACKS is enabled. > > > > Note that this series requires Clang 17. Earlier Clang versions > > support SCS on RISC-V, but use the x18 register instead of gp, > > which isn't ideal. gcc has SCS support for arm64, but I'm not > > aware of plans to support RISC-V. Once the Zicfiss extension is > > ratified, it's probably preferable to use hardware-backed shadow > > stacks instead of SCS on hardware that supports the extension, > > and we may want to consider implementing CONFIG_DYNAMIC_SCS to > > patch between the implementation at runtime (similarly to the > > arm64 implementation, which switches to SCS when hardware PAC > > support isn't available). > > I took this series for a spin on top of 6.5-rc6 with both LLVM 18 (built > within the past couple of days) and LLVM 17.0.0-rc2 but it seems that > the CFI_BACKWARDS LKDTM test does not pass with > CONFIG_SHADOW_CALL_STACK=y. > > [ 73.324652] lkdtm: Performing direct entry CFI_BACKWARD > [ 73.324900] lkdtm: Attempting unchecked stack return address redirection ... > [ 73.325178] lkdtm: Eek: return address mismatch! 0000000000000002 != ffffffff80614982 > [ 73.325478] lkdtm: FAIL: stack return address manipulation failed! > > Does the test need to be adjusted or is there some other issue? Does it pass without the series? I tried to write it to be arch-agnostic, but I never tested it on RISC-V. It's very possible that test needs adjusting for the architecture. Besides the label horrors, the use of __builtin_frame_address may not work there either...
On Mon, Aug 14, 2023 at 10:59 AM Nathan Chancellor <nathan@kernel.org> wrote: > I took this series for a spin on top of 6.5-rc6 with both LLVM 18 (built > within the past couple of days) and LLVM 17.0.0-rc2 but it seems that > the CFI_BACKWARDS LKDTM test does not pass with > CONFIG_SHADOW_CALL_STACK=y. > > [ 73.324652] lkdtm: Performing direct entry CFI_BACKWARD > [ 73.324900] lkdtm: Attempting unchecked stack return address redirection ... > [ 73.325178] lkdtm: Eek: return address mismatch! 0000000000000002 != ffffffff80614982 > [ 73.325478] lkdtm: FAIL: stack return address manipulation failed! > > Does the test need to be adjusted or is there some other issue? The test doesn't work on RISC-V. set_return_addr_unchecked thinks 0x2 is the return address, so I assume the __builtin_frame_address logic isn't quite right here. Kees, any thoughts? Sami