From patchwork Fri Jun 16 19:16:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner X-Patchwork-Id: 109344 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp1571253vqr; Fri, 16 Jun 2023 12:36:19 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ53zHitQ0BrCncstHc1OTDWFQ+2T35QIkhIcWzN3XPaRNBPaD/zYR/hd3h6oDkSeV226bll X-Received: by 2002:a05:6a20:54a2:b0:10f:d1d4:40d4 with SMTP id i34-20020a056a2054a200b0010fd1d440d4mr4037294pzk.14.1686944178951; Fri, 16 Jun 2023 12:36:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686944178; cv=none; d=google.com; s=arc-20160816; b=APi/Fa3jJLoTpuBBWKmcm4IsVaLWeTWhssPeBjQDQEPs8gnRioeUfVkW+5u+m0Mra1 H1Ua9TvJcZp2yWKiYQ7H+X82EM5JsNijToDMOameCku6H3eq+BtVZjZBobQn7xQEIvFX x063d6N1sbcpd06xbcHVYvuoR5pkjExkhhj5DPP8DsL5e6Y+nuyCRzVrwoLVWcJy7DyO oWWRViVUJHeN+oHnv96RwOQhOad/S016jy2XSjIPnI2rbKoggXbFsqDPSHHKFBQuzOJn KfnO/rkqp7JwYzfICF+8AuKAKY1U/EprAOfHtKPQtab7zS9bz3TFsISt8PFWsZCcSoVn CxcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:cc:subject:to:reply-to:sender:from :dkim-signature:dkim-signature:date; bh=fg90xzwqhwfYVIPKGMq8VUhCTAdLD9ipvJITez7mLqQ=; b=hseYpoNH80kTSiJbH3IT/LVNKL0a+3eE94j+u9RsTUmLT6NVTmRIOfsCkDz4WJZhLQ PdQ1tYrufuwkagCvV2XkPRmrLv1P+dkJmuKeOgKqaWO5qdelS/CZ9VHjUhXJgZImRVRv WiyXV+3N3cFXY3D437U2KoYoIXh0EDIwPJpFfmgNSxRkoU+l3RpnCOAt/NUlo0OBFHXT zYYDiC5QXSqEPQeXgEPdtJM/6trs70/ilfIzVmy1zMZX0YNqYEapxLkdG45+F4zbqdu/ WxCw5ayTRNSKmFAZMPpjcB22mYjYC6WW98vXCBjvX8F3FGSsr3gE03GDjRwTYZkWJJza BM3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Cc0HauoE; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b=+zJRESr5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bv128-20020a632e86000000b0054f93b05b51si9915354pgb.96.2023.06.16.12.36.03; Fri, 16 Jun 2023 12:36:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Cc0HauoE; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b=+zJRESr5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346021AbjFPTRL (ORCPT + 99 others); Fri, 16 Jun 2023 15:17:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47924 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229963AbjFPTQ5 (ORCPT ); Fri, 16 Jun 2023 15:16:57 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A65493AA0; Fri, 16 Jun 2023 12:16:55 -0700 (PDT) Date: Fri, 16 Jun 2023 19:16:53 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1686943014; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=fg90xzwqhwfYVIPKGMq8VUhCTAdLD9ipvJITez7mLqQ=; b=Cc0HauoEgQna9gpuwnFp7fCeFzlvluvDxrBHStCnMox++e1urKjzK3aRQ3jkDU6sCK34Qi xaux28k9DvmTRtAgKdBhnwWeK2DzMPTysKgq+2jyEXYy7foHs85yI1ShFQou1WuqOiFT11 cm04/g/WYK8zV6lF9bTBASPERgVeyNLPS6kpl2LQ+lp87aTRwElcMSLgj+0TfkS6JoSe1I SuwGAjOOu+NaRmiVE2w0Rl9zjDfZBWGjDkwye6gQ3/cEsbQuSMeQttUWfKGHwr3gMzC7+U bal9+WH40MNnRCvEa7w/jdCVkG9r6N7h6wYIPb06RQdwzjkXTxIsptUxnBI/IA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1686943014; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=fg90xzwqhwfYVIPKGMq8VUhCTAdLD9ipvJITez7mLqQ=; b=+zJRESr5p37FRdZ++23zW1topeMCS0zaGqYKnT9m8TJq9woP/x9tnqJqoOGP6CLpHaRL6m 75N8BfrHOyyvBUBA== From: "tip-bot2 for Rick Edgecombe" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/shstk] x86/shstk: Support WRSS for userspace Cc: Rick Edgecombe , Dave Hansen , "Borislav Petkov (AMD)" , Kees Cook , "Mike Rapoport (IBM)" , Pengfei Xu , John Allen , x86@kernel.org, linux-kernel@vger.kernel.org MIME-Version: 1.0 Message-ID: <168694301385.404.17157200972985440674.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768889179585759284?= X-GMAIL-MSGID: =?utf-8?q?1768889179585759284?= The following commit has been merged into the x86/shstk branch of tip: Commit-ID: 5dbdc4f10b8315d30f351ea6fdab1964374f8ca5 Gitweb: https://git.kernel.org/tip/5dbdc4f10b8315d30f351ea6fdab1964374f8ca5 Author: Rick Edgecombe AuthorDate: Mon, 12 Jun 2023 17:11:01 -07:00 Committer: Dave Hansen CommitterDate: Thu, 15 Jun 2023 16:31:34 -07:00 x86/shstk: Support WRSS for userspace For the current shadow stack implementation, shadow stacks contents can't easily be provisioned with arbitrary data. This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security. The x86 shadow stack feature introduces a new instruction, WRSS, which can be enabled to write directly to shadow stack memory from userspace. Allow it to get enabled via the prctl interface. Only enable the userspace WRSS instruction, which allows writes to userspace shadow stacks from userspace. Do not allow it to be enabled independently of shadow stack, as HW does not support using WRSS when shadow stack is disabled. >From a fault handler perspective, WRSS will behave very similar to WRUSS, which is treated like a user access from a #PF err code perspective. Signed-off-by: Rick Edgecombe Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook Link: https://lore.kernel.org/all/20230613001108.3040476-36-rick.p.edgecombe%40intel.com --- arch/x86/include/uapi/asm/prctl.h | 1 +- arch/x86/kernel/shstk.c | 43 +++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index 6a8e0e1..eedfde3 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -36,5 +36,6 @@ /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) +#define ARCH_SHSTK_WRSS (1ULL << 1) #endif /* _ASM_X86_PRCTL_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 04c37b3..ea0bf11 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -390,6 +390,47 @@ void shstk_free(struct task_struct *tsk) unmap_shadow_stack(shstk->base, shstk->size); } +static int wrss_control(bool enable) +{ + u64 msrval; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + /* + * Only enable WRSS if shadow stack is enabled. If shadow stack is not + * enabled, WRSS will already be disabled, so don't bother clearing it + * when disabling. + */ + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return -EPERM; + + /* Already enabled/disabled? */ + if (features_enabled(ARCH_SHSTK_WRSS) == enable) + return 0; + + fpregs_lock_and_load(); + rdmsrl(MSR_IA32_U_CET, msrval); + + if (enable) { + features_set(ARCH_SHSTK_WRSS); + msrval |= CET_WRSS_EN; + } else { + features_clr(ARCH_SHSTK_WRSS); + if (!(msrval & CET_WRSS_EN)) + goto unlock; + + msrval &= ~CET_WRSS_EN; + } + + wrmsrl(MSR_IA32_U_CET, msrval); + +unlock: + fpregs_unlock(); + + return 0; +} + static int shstk_disable(void) { if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) @@ -406,7 +447,7 @@ static int shstk_disable(void) fpregs_unlock(); shstk_free(current); - features_clr(ARCH_SHSTK_SHSTK); + features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS); return 0; }