| Message ID | 20221203003606.6838-4-rick.p.edgecombe@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1142324wrr;
Fri, 2 Dec 2022 16:40:22 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf4BzvXo9ardAkvJnWPseSJCR9MAUaamtaRDqbyRON+e05wbuK7zoJPOL0H6IxHHzgyhIyEt
X-Received: by 2002:a17:906:3982:b0:7ad:8bc6:46e7 with SMTP id
h2-20020a170906398200b007ad8bc646e7mr7346756eje.28.1670028022205;
Fri, 02 Dec 2022 16:40:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670028022; cv=none;
d=google.com; s=arc-20160816;
b=Vmo98QHqbkd1c1TDNO5fkec554peWXZQiGS4+L2F1jA3AeSsL2XxkYqqwzore2l/sv
hxG9rvKqvTSktyekggMMkMzr4HknSobuNWqd8IVyZzQU47G2g34ouO744aJUtYwXRW5B
TXGTI9T+ZQEc8uiIWCHnpK+VZ5v20JDQZtgIqB+jSYZ52VhQNBdM+7v7Gd5mYEiS9erC
HbXEjaYfQvEF6gU14rB1Nb5sJClHtzKjeSyXQRp5FODgaTrJDRip3UTNA9JJM/zW7JOe
4x00v3QEJ1KAjXYTW08M4gq5KyQQuqX/8XScruD8Xrgsf+MbTX2JRCqi5wviO2oZTrd3
wNNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:references:in-reply-to:message-id:date:subject
:cc:to:from:dkim-signature;
bh=uy/NLZp8uHaoSQpf0GYzKQCUrCJ5dFITnDwoLJ7lJrI=;
b=BcVj/4R54tyZkE0f8nUbOlisYr/HUrTihOgsZ1tn7oF0pQh03H6yBW1MZ0R8H9RpCJ
4Z8fQNwXPmIwH/Xu1CyveJPpvbQjOFon+X+2fv+PWzevi5bw1VasC2eFr1GMm695PMZ1
i4TWpHU0aAnS2wrsPjkh3SdgZkuLh5+VrIvLv6LDuS6MYBP55s0pUlU5Aj1cw1L594hq
gX6zHtI1j4geATfYgWOdiamzWzxkrjOTWhER0VyWRujly7n+8oz+oeshA2IJpScRl5v+
lGxzmOwxHmKL81ExBzr0TnkGMXLjoYSP2Il4yCqlH49RuDSCtdLnHBUbSE/cSjQZLQgD
kRVA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=M3garLhX;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
qw41-20020a1709066a2900b0078c3197bf86si3280046ejc.533.2022.12.02.16.39.59;
Fri, 02 Dec 2022 16:40:22 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=M3garLhX;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234590AbiLCAgu (ORCPT <rfc822;lhua1029@gmail.com> + 99 others);
Fri, 2 Dec 2022 19:36:50 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41196 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234965AbiLCAgk (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 2 Dec 2022 19:36:40 -0500
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BEDC0F7A3A;
Fri, 2 Dec 2022 16:36:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1670027794; x=1701563794;
h=from:to:cc:subject:date:message-id:in-reply-to:
references;
bh=ngQ/jKKoQl7UDYFjf+gMhARftHxTv2Bpvt3YS5XCfS4=;
b=M3garLhXFuSTnJhML8Nlm1GlM5leFyb4+EnBNZUyUOhkIi2Pznr7MOZ9
QToYhqKu9eZJyjNaaxfKfbDxegtIEbG2Lz1S73t2nDdVkOfcIsnB1Y7uL
LOc/WK1J3P5kJrJXnwJB4VwUBVo2xIMw11VcNUaIDYX6Yc2Un61b/yhK/
kMiS/hxy37aNSlTZL2+UTuxrzbVKqDi+kHwtMPwAKS2n2dlkjM3Clav2s
SgMGj5Risj0eYGUz52h8rNSH2ZTeBWn0OkNy/xR2xGSECuZ3s+cPl4rGD
mNk1xevr5db8cSpSvCfu2UsQYoVs/FlgnfDJCVwDbeDHAOLHLnhb5+7GS
w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="313710694"
X-IronPort-AV: E=Sophos;i="5.96,213,1665471600";
d="scan'208";a="313710694"
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
02 Dec 2022 16:36:34 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="787479756"
X-IronPort-AV: E=Sophos;i="5.96,213,1665471600";
d="scan'208";a="787479756"
Received: from bgordon1-mobl1.amr.corp.intel.com (HELO
rpedgeco-desk.amr.corp.intel.com) ([10.212.211.211])
by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
02 Dec 2022 16:36:32 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
linux-doc@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-api@vger.kernel.org,
Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
Weijiang Yang <weijiang.yang@intel.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
John Allen <john.allen@amd.com>, kcc@google.com,
eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
dethoma@microsoft.com, akpm@linux-foundation.org,
Andrew.Cooper3@citrix.com, christina.schimpe@intel.com
Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu <yu-cheng.yu@intel.com>
Subject: [PATCH v4 03/39] x86/cpufeatures: Add CPU feature flags for shadow
stacks
Date: Fri, 2 Dec 2022 16:35:30 -0800
Message-Id: <20221203003606.6838-4-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20221203003606.6838-1-rick.p.edgecombe@intel.com>
References: <20221203003606.6838-1-rick.p.edgecombe@intel.com>
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1751151303303711232?=
X-GMAIL-MSGID: =?utf-8?q?1751151303303711232?=
|
| Series |
Shadow stacks for userspace
|
|
Commit Message
Edgecombe, Rick P
Dec. 3, 2022, 12:35 a.m. UTC
From: Yu-cheng Yu <yu-cheng.yu@intel.com> The Control-Flow Enforcement Technology contains two related features, one of which is Shadow Stacks. Future patches will utilize this feature for shadow stack support in KVM, so add a CPU feature flags for Shadow Stacks (CPUID.(EAX=7,ECX=0):ECX[bit 7]). To protect shadow stack state from malicious modification, the registers are only accessible in supervisor mode. This implementation context-switches the registers with XSAVES. Make X86_FEATURE_SHSTK depend on XSAVES. The shadow stack feature, enumerated by the CPUID bit described above, encompasses both supervisor and userspace support for shadow stack. In near future patches, only userspace shadow stack will be enabled. In expectation of future supervisor shadow stack support, create a software CPU capability to enumerate kernel utilization of userspace shadow stack support. This will also allow for userspace shadow stack to be disabled, while leaving the shadow stack hardware capability exposed in the cpuinfo proc. This user shadow stack bit should depend on the HW "shstk" capability and that logic will be implemented in future patches. Tested-by: Pengfei Xu <pengfei.xu@intel.com> Tested-by: John Allen <john.allen@amd.com> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: Kees Cook <keescook@chromium.org> --- v3: - Add user specific shadow stack cpu cap (Andrew Cooper) - Drop reviewed-bys from Boris and Kees due to the above change. v2: - Remove IBT reference in commit log (Kees) - Describe xsaves dependency using text from (Dave) v1: - Remove IBT, can be added in a follow on IBT series. Yu-cheng v25: - Make X86_FEATURE_IBT depend on X86_FEATURE_SHSTK. arch/x86/include/asm/cpufeatures.h | 2 ++ arch/x86/include/asm/disabled-features.h | 8 +++++++- arch/x86/kernel/cpu/cpuid-deps.c | 1 + 3 files changed, 10 insertions(+), 1 deletion(-)
Comments
On Fri, Dec 02, 2022 at 04:35:30PM -0800, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > The Control-Flow Enforcement Technology contains two related features, > one of which is Shadow Stacks. Future patches will utilize this feature > for shadow stack support in KVM, so add a CPU feature flags for Shadow > Stacks (CPUID.(EAX=7,ECX=0):ECX[bit 7]). > > To protect shadow stack state from malicious modification, the registers > are only accessible in supervisor mode. This implementation > context-switches the registers with XSAVES. Make X86_FEATURE_SHSTK depend > on XSAVES. > > The shadow stack feature, enumerated by the CPUID bit described above, > encompasses both supervisor and userspace support for shadow stack. In > near future patches, only userspace shadow stack will be enabled. In > expectation of future supervisor shadow stack support, create a software > CPU capability to enumerate kernel utilization of userspace shadow stack > support. This will also allow for userspace shadow stack to be disabled, > while leaving the shadow stack hardware capability exposed in the cpuinfo > proc. This user shadow stack bit should depend on the HW "shstk" > capability and that logic will be implemented in future patches. > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > Tested-by: John Allen <john.allen@amd.com> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Reviewed-by: Kees Cook <keescook@chromium.org>
On Fri, Dec 02, 2022 at 04:35:30PM -0800, Rick Edgecombe wrote: > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h > index 11a0e06362e4..aab7fa4104d7 100644 > --- a/arch/x86/include/asm/cpufeatures.h > +++ b/arch/x86/include/asm/cpufeatures.h > @@ -307,6 +307,7 @@ > #define X86_FEATURE_SGX_EDECCSSA (11*32+18) /* "" SGX EDECCSSA user leaf function */ > #define X86_FEATURE_CALL_DEPTH (11*32+19) /* "" Call depth tracking for RSB stuffing */ > #define X86_FEATURE_MSR_TSX_CTRL (11*32+20) /* "" MSR IA32_TSX_CTRL (Intel) implemented */ > +#define X86_FEATURE_USER_SHSTK (11*32+21) /* Shadow stack support for user mode applications */ > > /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ > #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ > @@ -369,6 +370,7 @@ > #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ > #define X86_FEATURE_WAITPKG (16*32+ 5) /* UMONITOR/UMWAIT/TPAUSE Instructions */ > #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* Additional AVX512 Vector Bit Manipulation Instructions */ > +#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow Stack */ > #define X86_FEATURE_GFNI (16*32+ 8) /* Galois Field New Instructions */ > #define X86_FEATURE_VAES (16*32+ 9) /* Vector AES */ > #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* Carry-Less Multiplication Double Quadword */ What is the end goal here? To have X86_FEATURE_KERNEL_SHSTK or so someday too? If so, then the hardware bit X86_FEATURE_SHSTK should be hidden in /proc/cpuinfo, i.e., #define X86_FEATURE_SHSTK (16*32+ 7) /* "" Shadow Stack hardware support */ note the "", otherwise you'll have people go: "hey, I have "shstk" in /proc/cpuinfo on my machine. Why doesn't it do anything?" Or am I misreading where this is headed? Thx.
On Wed, 2022-12-07 at 12:00 +0100, Borislav Petkov wrote: > On Fri, Dec 02, 2022 at 04:35:30PM -0800, Rick Edgecombe wrote: > > diff --git a/arch/x86/include/asm/cpufeatures.h > > b/arch/x86/include/asm/cpufeatures.h > > index 11a0e06362e4..aab7fa4104d7 100644 > > --- a/arch/x86/include/asm/cpufeatures.h > > +++ b/arch/x86/include/asm/cpufeatures.h > > @@ -307,6 +307,7 @@ > > #define X86_FEATURE_SGX_EDECCSSA (11*32+18) /* "" SGX > > EDECCSSA user leaf function */ > > #define X86_FEATURE_CALL_DEPTH (11*32+19) /* "" > > Call depth tracking for RSB stuffing */ > > #define X86_FEATURE_MSR_TSX_CTRL (11*32+20) /* "" MSR > > IA32_TSX_CTRL (Intel) implemented */ > > +#define X86_FEATURE_USER_SHSTK (11*32+21) /* Shadow > > stack support for user mode applications */ > > > > /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), > > word 12 */ > > #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI > > instructions */ > > @@ -369,6 +370,7 @@ > > #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection > > Keys Enable */ > > #define X86_FEATURE_WAITPKG (16*32+ 5) /* > > UMONITOR/UMWAIT/TPAUSE Instructions */ > > #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* Additional > > AVX512 Vector Bit Manipulation Instructions */ > > +#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow Stack */ > > #define X86_FEATURE_GFNI (16*32+ 8) /* Galois Field > > New Instructions */ > > #define X86_FEATURE_VAES (16*32+ 9) /* Vector AES */ > > #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* Carry- > > Less Multiplication Double Quadword */ > > What is the end goal here? > > To have X86_FEATURE_KERNEL_SHSTK or so someday too? > > If so, then the hardware bit X86_FEATURE_SHSTK should be hidden in > /proc/cpuinfo, i.e., > > #define X86_FEATURE_SHSTK (16*32+ 7) /* "" Shadow Stack > hardware support */ > > note the "", otherwise you'll have people go: > > "hey, I have "shstk" in /proc/cpuinfo on my machine. Why doesn't it > do > anything?" > > Or am I misreading where this is headed? Yes, the suggestion was to have one for kernel and one for user. But I was also thinking about how KVM could hypothetically support shadow stack in guests in the non !CONFIG_X86_USER_SHADOW_STACK case (it only needs CET_U xsave support). So that configuration wouldn't expose user_shstk and since KVM's guest feature support is retrieved programmatically, it could be nice to have some hint for KVM users that they could try. Maybe it's simpler to just tie KVM and host support together though. I'll remove "shstk".
On Wed, Dec 07, 2022 at 10:35:59PM +0000, Edgecombe, Rick P wrote: > Yes, the suggestion was to have one for kernel and one for user. But I > was also thinking about how KVM could hypothetically support shadow > stack in guests in the non !CONFIG_X86_USER_SHADOW_STACK case (it only > needs CET_U xsave support). So that configuration wouldn't expose > user_shstk and since KVM's guest feature support is retrieved > programmatically, it could be nice to have some hint for KVM users that > they could try. Maybe it's simpler to just tie KVM and host support > together though. I'll remove "shstk". Hmm, I don't have a clear idea how guest shstk support should do so maybe this is all way off but yeah, if the host supports CET - the *hardware* feature - then you can use the same logic to support that in a VM. I.e., if the guest sees CET - i.e., HV has advertized it - then guest kernel behaves exactly the same as on the host. But it is likely I'm missing something more involved... Thx.
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 11a0e06362e4..aab7fa4104d7 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -307,6 +307,7 @@ #define X86_FEATURE_SGX_EDECCSSA (11*32+18) /* "" SGX EDECCSSA user leaf function */ #define X86_FEATURE_CALL_DEPTH (11*32+19) /* "" Call depth tracking for RSB stuffing */ #define X86_FEATURE_MSR_TSX_CTRL (11*32+20) /* "" MSR IA32_TSX_CTRL (Intel) implemented */ +#define X86_FEATURE_USER_SHSTK (11*32+21) /* Shadow stack support for user mode applications */ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ @@ -369,6 +370,7 @@ #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ #define X86_FEATURE_WAITPKG (16*32+ 5) /* UMONITOR/UMWAIT/TPAUSE Instructions */ #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* Additional AVX512 Vector Bit Manipulation Instructions */ +#define X86_FEATURE_SHSTK (16*32+ 7) /* Shadow Stack */ #define X86_FEATURE_GFNI (16*32+ 8) /* Galois Field New Instructions */ #define X86_FEATURE_VAES (16*32+ 9) /* Vector AES */ #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* Carry-Less Multiplication Double Quadword */ diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h index c44b56f7ffba..7a2954a16cb7 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -99,6 +99,12 @@ # define DISABLE_TDX_GUEST (1 << (X86_FEATURE_TDX_GUEST & 31)) #endif +#ifdef CONFIG_X86_USER_SHADOW_STACK +#define DISABLE_USER_SHSTK 0 +#else +#define DISABLE_USER_SHSTK (1 << (X86_FEATURE_USER_SHSTK & 31)) +#endif + /* * Make sure to add features to the correct mask */ @@ -114,7 +120,7 @@ #define DISABLED_MASK9 (DISABLE_SGX) #define DISABLED_MASK10 0 #define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET| \ - DISABLE_CALL_DEPTH_TRACKING) + DISABLE_CALL_DEPTH_TRACKING|DISABLE_USER_SHSTK) #define DISABLED_MASK12 0 #define DISABLED_MASK13 0 #define DISABLED_MASK14 0 diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c index d95221117129..c3e4e5246df9 100644 --- a/arch/x86/kernel/cpu/cpuid-deps.c +++ b/arch/x86/kernel/cpu/cpuid-deps.c @@ -79,6 +79,7 @@ static const struct cpuid_dep cpuid_deps[] = { { X86_FEATURE_XFD, X86_FEATURE_XSAVES }, { X86_FEATURE_XFD, X86_FEATURE_XGETBV1 }, { X86_FEATURE_AMX_TILE, X86_FEATURE_XFD }, + { X86_FEATURE_SHSTK, X86_FEATURE_XSAVES }, {} };