From patchwork Sat Dec  3 00:35:58 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
X-Patchwork-Id: 29191
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1143277wrr;
        Fri, 2 Dec 2022 16:43:52 -0800 (PST)
X-Google-Smtp-Source: 
 AA0mqf5RaqxOz1QA3hwt0STtjme+3N1t1VyeUssWANGRjNIQw3dDt0zkdiJgSOQPDEpmH4PTIL5x
X-Received: by 2002:a17:902:f2c5:b0:189:3c6e:d1b5 with SMTP id
 h5-20020a170902f2c500b001893c6ed1b5mr50313730plc.108.1670028232468;
        Fri, 02 Dec 2022 16:43:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670028232; cv=none;
        d=google.com; s=arc-20160816;
        b=t9qK8sgBwEXsGf0LaNiWksUMui97ql5MxOBXL0B/9oX5j6JpfGflHGV7nTeJXTIGtZ
         ngty8ckq+Zr/Wh8tD/EPW9+wM+2/QYH993ZlIlAa4fqDg/SlchUMrZA/+zhpYQPger+q
         6uODNax7XbKiuFR8w09ds5j2xdczEArl61xTm1G3rj+NpMTR8MMJgdYy4DLG3XVmxhG0
         ZwgRvGVUsdiSCMtGUaWc1pEjL0s99CTHRYoC8gDVSIMylKUowSBgEQUEmPs5t37KZGjt
         22LsmPXD14aFwbvjKc+fx+bN8Da5XIbhFnJczxhdj8aLBCmtGCG9R1Sip7W8dWo+Nu7j
         PGpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:references:in-reply-to:message-id:date:subject
         :cc:to:from:dkim-signature;
        bh=+IV+lVothT0cFefShR6Wcug5827g8qJoedoXIFDoBck=;
        b=vtyRpHiwkKnB2zBTOEHvLV6Fybnwpuqb2M0qBjpTkyKrOLrF2IOidRW9HAfWgilL+H
         axOKFHM6f4FkrFVL//lX+dJHFn2sQLDtz72pmU5GFz20oTOeiKwKDhSgP1j82LvkZKE/
         yQdFDekuLXh9PJZTPD5PrIozCm+eC6EdACdJFLfonqi5bqOBd0U9bYOOaOjBhIpGIVDE
         0icdujGSXjai8E/Qfu8SsB9kdInej6hj7Cnss4r6SVnVrhsy1osUM84+C6mpAo2VwtKp
         gNuhzMWLlc4BV2llsTNh4oikiWGXHcxSvNv0ZThQ5YLX4zXnCcO8/CoDDwvaXRmaLW5s
         y1LQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=gcGGXLNd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 ik24-20020a170902ab1800b00189005c48aesi8047937plb.108.2022.12.02.16.43.39;
        Fri, 02 Dec 2022 16:43:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=gcGGXLNd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235322AbiLCAnP (ORCPT <rfc822;lhua1029@gmail.com> + 99 others);
        Fri, 2 Dec 2022 19:43:15 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53936 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235255AbiLCAl5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Dec 2022 19:41:57 -0500
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CD02F9E37;
        Fri,  2 Dec 2022 16:38:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1670027905; x=1701563905;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references;
  bh=+3jRGl6sfkxrMwbNfEDKpByFMedHLcrmmY7U/T1bBrQ=;
  b=gcGGXLNd5gWJNugJxL1SZmh7+VEoC6sNysNRb5y/Hq6c8WseCfNTZ+a+
   GMOw7Y7lP2j00TYUAqb1m3UGitgWqKJU/iSIV0JX7JRhvcfMZ91M7UaZG
   vUdxvXcW1cZjwwGapDQumP76MhlGBjUQadbLqBzM6LjWYMlLehTnsCuGQ
   MbYRFjEyMjOGI3hEXYwqbgMev1bxlknKrT/r1T11WcJXRLshGPtjEpSwQ
   6yfpeW8Hk9bPgvSo1/p0P7f5BNbKAnnyDpoy6DsmaSrMTIGV3YSdxB7ue
   mBeQGf0lwKnMsReeSz22eBOWYAIuIXt6e/KVnUNNitQK1Gs60fca41drQ
   A==;
X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="313711452"
X-IronPort-AV: E=Sophos;i="5.96,213,1665471600";
   d="scan'208";a="313711452"
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 02 Dec 2022 16:37:38 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="787479989"
X-IronPort-AV: E=Sophos;i="5.96,213,1665471600";
   d="scan'208";a="787479989"
Received: from bgordon1-mobl1.amr.corp.intel.com (HELO
 rpedgeco-desk.amr.corp.intel.com) ([10.212.211.211])
  by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 02 Dec 2022 16:37:37 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
        linux-doc@vger.kernel.org, linux-mm@kvack.org,
        linux-arch@vger.kernel.org, linux-api@vger.kernel.org,
        Arnd Bergmann <arnd@arndb.de>,
        Andy Lutomirski <luto@kernel.org>,
        Balbir Singh <bsingharora@gmail.com>,
        Borislav Petkov <bp@alien8.de>,
        Cyrill Gorcunov <gorcunov@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Eugene Syromiatnikov <esyr@redhat.com>,
        Florian Weimer <fweimer@redhat.com>,
        "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Mike Kravetz <mike.kravetz@oracle.com>,
        Nadav Amit <nadav.amit@gmail.com>,
        Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
        Peter Zijlstra <peterz@infradead.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        Weijiang Yang <weijiang.yang@intel.com>,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
        John Allen <john.allen@amd.com>, kcc@google.com,
        eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
        dethoma@microsoft.com, akpm@linux-foundation.org,
        Andrew.Cooper3@citrix.com, christina.schimpe@intel.com
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v4 31/39] x86/shstk: Support wrss for userspace
Date: Fri,  2 Dec 2022 16:35:58 -0800
Message-Id: <20221203003606.6838-32-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20221203003606.6838-1-rick.p.edgecombe@intel.com>
References: <20221203003606.6838-1-rick.p.edgecombe@intel.com>
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1751151523707880091?=
X-GMAIL-MSGID: =?utf-8?q?1751151523707880091?=

For the current shadow stack implementation, shadow stacks contents can't
easily be provisioned with arbitrary data. This property helps apps
protect themselves better, but also restricts any potential apps that may
want to do exotic things at the expense of a little security.

The x86 shadow stack feature introduces a new instruction, wrss, which
can be enabled to write directly to shadow stack permissioned memory from
userspace. Allow it to get enabled via the prctl interface.

Only enable the userspace wrss instruction, which allows writes to
userspace shadow stacks from userspace. Do not allow it to be enabled
independently of shadow stack, as HW does not support using WRSS when
shadow stack is disabled.

From a fault handler perspective, WRSS will behave very similar to WRUSS,
which is treated like a user access from a #PF err code perspective.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---

v3:
 - Make wrss_control() static
 - Fix verbiage in commit log (Kees)

v2:
 - Add some commit log verbiage from (Dave Hansen)

v1:
 - New patch.

 arch/x86/include/uapi/asm/prctl.h |  1 +
 arch/x86/kernel/shstk.c           | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
index fc97ca7c4884..f13751c6bae4 100644
--- a/arch/x86/include/uapi/asm/prctl.h
+++ b/arch/x86/include/uapi/asm/prctl.h
@@ -33,5 +33,6 @@
 
 /* ARCH_SHSTK_ features bits */
 #define ARCH_SHSTK_SHSTK		(1ULL <<  0)
+#define ARCH_SHSTK_WRSS			(1ULL <<  1)
 
 #endif /* _ASM_X86_PRCTL_H */
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 8f329c22728a..e59544fec96d 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -364,6 +364,35 @@ void shstk_free(struct task_struct *tsk)
 	unmap_shadow_stack(shstk->base, shstk->size);
 }
 
+static int wrss_control(bool enable)
+{
+	if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+		return -EOPNOTSUPP;
+
+	/*
+	 * Only enable wrss if shadow stack is enabled. If shadow stack is not
+	 * enabled, wrss will already be disabled, so don't bother clearing it
+	 * when disabling.
+	 */
+	if (!features_enabled(ARCH_SHSTK_SHSTK))
+		return -EPERM;
+
+	/* Already enabled/disabled? */
+	if (features_enabled(ARCH_SHSTK_WRSS) == enable)
+		return 0;
+
+	fpregs_lock_and_load();
+	if (enable) {
+		set_clr_bits_msrl(MSR_IA32_U_CET, CET_WRSS_EN, 0);
+		features_set(ARCH_SHSTK_WRSS);
+	} else {
+		set_clr_bits_msrl(MSR_IA32_U_CET, 0, CET_WRSS_EN);
+		features_clr(ARCH_SHSTK_WRSS);
+	}
+	fpregs_unlock();
+
+	return 0;
+}
 
 static int shstk_disable(void)
 {
@@ -381,7 +410,7 @@ static int shstk_disable(void)
 	fpregs_unlock();
 
 	shstk_free(current);
-	features_clr(ARCH_SHSTK_SHSTK);
+	features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS);
 
 	return 0;
 }