Message ID | 20221203003606.6838-5-rick.p.edgecombe@intel.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1141860wrr; Fri, 2 Dec 2022 16:38:37 -0800 (PST) X-Google-Smtp-Source: AA0mqf6i2HJzNugoqnE8LkPr4a+ZNgBayOPRjjrGBI66PR+f9I5q2fiOK27F5XOEsTEZg9vZWNDD X-Received: by 2002:a17:902:ead4:b0:189:68ed:6c0d with SMTP id p20-20020a170902ead400b0018968ed6c0dmr37945531pld.140.1670027917424; Fri, 02 Dec 2022 16:38:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670027917; cv=none; d=google.com; s=arc-20160816; b=p+FG8o14ks1TK3klDXiiL2Yg1M90kxmc/2EQc4oxr0FyJZYTDk4WEd31ZDACgDuOZe 6rcknQ8jvXjTBaKegs+HIsh+NgooePVEVV1GW0TfSSxgg/ZGksbGGwIP62m5ncCu77zs WgA6AzGRj+803YloVmgZm3i5Ox6+RVBg/Z98YaUwgCnkyJgtvwKzD+O1PzNOFTRG3y7Z 5Uwiy+lehymGQRo0GpcdAfbKhEEvNoqWV7/xi7UwWg8cUrayltMalMz2ygna8T9L6ToU plKbB6imF1zjC9fHHFUjkjcT/ApGsvG7/4RSPhuaMl51LkXn+RcrCian0bIY+tf8b5+R 67bg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from:dkim-signature; bh=OXjHWeb/2fbr9UOSBxn/NfxjyzdA6H41u73mBZkhpgg=; b=Mibde57kTg2mb8Qm26+ELusnr4qq4Tp5gvLRXWXTao0reiWLXlEPgaOo9tAG+uD1qx GsZ+cphBAe8JNqvu8HEbsN8IxaVW7siqRCtQTF2EzOQl/gwjMUWDwhTxvtL8QoV+9Asw FZGavn2IB7MwWE8SpQJ44NUsYkFTLNMtA9LbNmOUg4nUnF/6bTrjuwiEDd9Uwvgmbw18 QojJP9o9p2FsjjRfcMGVZwNbUGI7hcx4xtvqn4O+HFvzfSXpNIc7QdSYk2xEL6cp90Hl WzPQ18dOndf9zcKxjAGIp5mUfo+H0XeXVwVJEnyVRYOA0Xiqiyos56C0PNaxDQKZWeVQ 5v6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=jUeMQQfl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u1-20020a056a00158100b0056d89d8fba7si9691094pfk.154.2022.12.02.16.38.22; Fri, 02 Dec 2022 16:38:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=jUeMQQfl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235060AbiLCAhJ (ORCPT <rfc822;lhua1029@gmail.com> + 99 others); Fri, 2 Dec 2022 19:37:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234983AbiLCAgk (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Fri, 2 Dec 2022 19:36:40 -0500 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B68E7F8195; Fri, 2 Dec 2022 16:36:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1670027796; x=1701563796; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=1p8FHxMuOhfc16cs1vrqOb7DIxgTV33DBoFY9Xhugz0=; b=jUeMQQflHEcxsbs34tlNnqtrseFeJz+6SdzihZsC5LYQ1nglIecbPHJz YEJj6eqOwfumdgFmF4J0JlwqwzWQLLrtrdrse8Rse1s4iCXi2cymjhR14 9qN1TvHLrOV7p/ioi8+1Zqr4wwFhDJMt3ZpW6nFGoiSdVFyESBa523ipW QBaLW78TiOxPh3RT3wuQzMW4fK3PB9Ccnli/WorfsVWg4JsjRmjxb1MHz u9cc7yam7gEsGNOcQnLNlkN2NgHgauMlcLeXTt+PvXSu7Lh0qcv28hCj0 UvQp6Tp6GcYuWdH7C1FWd8wlKQQ95fl6DAO4GPm7vtbZWoh5y7ACKGj5k A==; X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="313710722" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="313710722" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 16:36:36 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="787479762" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="787479762" Received: from bgordon1-mobl1.amr.corp.intel.com (HELO rpedgeco-desk.amr.corp.intel.com) ([10.212.211.211]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 16:36:34 -0800 From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu <yu-cheng.yu@intel.com> Subject: [PATCH v4 04/39] x86/cpufeatures: Enable CET CR4 bit for shadow stack Date: Fri, 2 Dec 2022 16:35:31 -0800 Message-Id: <20221203003606.6838-5-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221203003606.6838-1-rick.p.edgecombe@intel.com> References: <20221203003606.6838-1-rick.p.edgecombe@intel.com> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1751151193796401677?= X-GMAIL-MSGID: =?utf-8?q?1751151193796401677?= |
Series |
Shadow stacks for userspace
|
|
Commit Message
Edgecombe, Rick P
Dec. 3, 2022, 12:35 a.m. UTC
From: Yu-cheng Yu <yu-cheng.yu@intel.com> Setting CR4.CET is a prerequisite for utilizing any CET features, most of which also require setting MSRs. Kernel IBT already enables the CET CR4 bit when it detects IBT HW support and is configured with kernel IBT. However, future patches that enable userspace shadow stack support will need the bit set as well. So change the logic to enable it in either case. Clear MSR_IA32_U_CET in cet_disable() so that it can't live to see userspace in a new kexec-ed kernel that has CR4.CET set from kernel IBT. Tested-by: Pengfei Xu <pengfei.xu@intel.com> Tested-by: John Allen <john.allen@amd.com> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: Kees Cook <keescook@chromium.org> --- v4: - Add back dedicated command line disable: "nousershtk" (Boris) v3: - Remove stay new line (Boris) - Simplify commit log (Andrew Cooper) v2: - In the shadow stack case, go back to only setting CR4.CET if the kernel is compiled with user shadow stack support. - Clear MSR_IA32_U_CET as well. (PeterZ) KVM refresh: - Set CR4.CET if SHSTK or IBT are supported by HW, so that KVM can support CET even if IBT is disabled. - Drop no_user_shstk (Dave Hansen) - Elaborate on what the CR4 bit does in the commit log - Integrate with Kernel IBT logic arch/x86/kernel/cpu/common.c | 37 ++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-)
Comments
On Fri, Dec 02, 2022 at 04:35:31PM -0800, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > Setting CR4.CET is a prerequisite for utilizing any CET features, most of > which also require setting MSRs. > > Kernel IBT already enables the CET CR4 bit when it detects IBT HW support > and is configured with kernel IBT. However, future patches that enable > userspace shadow stack support will need the bit set as well. So change > the logic to enable it in either case. > > Clear MSR_IA32_U_CET in cet_disable() so that it can't live to see > userspace in a new kexec-ed kernel that has CR4.CET set from kernel IBT. > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > Tested-by: John Allen <john.allen@amd.com> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Reviewed-by: Kees Cook <keescook@chromium.org>
On Fri, Dec 02, 2022 at 04:35:31PM -0800, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > Setting CR4.CET is a prerequisite for utilizing any CET features, most of > which also require setting MSRs. ... > arch/x86/kernel/cpu/common.c | 37 ++++++++++++++++++++++++++++++------ > 1 file changed, 31 insertions(+), 6 deletions(-) Looks better. Let's get rid of the ifdeffery and simplify it even more. Diff ontop: --- diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 579f10222432..c364f3067121 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -597,12 +597,14 @@ __noendbr void ibt_restore(u64 save) #endif -#ifdef CONFIG_X86_CET static __always_inline void setup_cet(struct cpuinfo_x86 *c) { - bool kernel_ibt = HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT); - bool user_shstk; - u64 msr = 0; + bool kernel_ibt, user_shstk; + + if (!IS_ENABLED(CONFIG_X86_CET)) + return; + + kernel_ibt = HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT); /* * Enable user shadow stack only if the Linux defined user shadow stack @@ -618,21 +620,18 @@ static __always_inline void setup_cet(struct cpuinfo_x86 *c) set_cpu_cap(c, X86_FEATURE_USER_SHSTK); if (kernel_ibt) - msr = CET_ENDBR_EN; + wrmsrl(MSR_IA32_S_CET, CET_ENDBR_EN); + else + wrmsrl(MSR_IA32_S_CET, 0); - wrmsrl(MSR_IA32_S_CET, msr); cr4_set_bits(X86_CR4_CET); if (kernel_ibt && !ibt_selftest()) { pr_err("IBT selftest: Failed!\n"); wrmsrl(MSR_IA32_S_CET, 0); setup_clear_cpu_cap(X86_FEATURE_IBT); - return; } } -#else /* CONFIG_X86_CET */ -static inline void setup_cet(struct cpuinfo_x86 *c) {} -#endif __noendbr void cet_disable(void) {
On Wed, 2022-12-07 at 13:49 +0100, Borislav Petkov wrote: > On Fri, Dec 02, 2022 at 04:35:31PM -0800, Rick Edgecombe wrote: > > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > > Setting CR4.CET is a prerequisite for utilizing any CET features, > > most of > > which also require setting MSRs. > > ... > > > arch/x86/kernel/cpu/common.c | 37 ++++++++++++++++++++++++++++++- > > ----- > > 1 file changed, 31 insertions(+), 6 deletions(-) > > Looks better. > > Let's get rid of the ifdeffery and simplify it even more. Diff ontop: Sure, thanks!
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 73cc546e024d..579f10222432 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -597,29 +597,51 @@ __noendbr void ibt_restore(u64 save) #endif +#ifdef CONFIG_X86_CET static __always_inline void setup_cet(struct cpuinfo_x86 *c) { - u64 msr = CET_ENDBR_EN; + bool kernel_ibt = HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT); + bool user_shstk; + u64 msr = 0; + + /* + * Enable user shadow stack only if the Linux defined user shadow stack + * cap was not cleared by command line. + */ + user_shstk = cpu_feature_enabled(X86_FEATURE_SHSTK) && + IS_ENABLED(CONFIG_X86_USER_SHADOW_STACK); - if (!HAS_KERNEL_IBT || - !cpu_feature_enabled(X86_FEATURE_IBT)) + if (!kernel_ibt && !user_shstk) return; + if (user_shstk) + set_cpu_cap(c, X86_FEATURE_USER_SHSTK); + + if (kernel_ibt) + msr = CET_ENDBR_EN; + wrmsrl(MSR_IA32_S_CET, msr); cr4_set_bits(X86_CR4_CET); - if (!ibt_selftest()) { + if (kernel_ibt && !ibt_selftest()) { pr_err("IBT selftest: Failed!\n"); wrmsrl(MSR_IA32_S_CET, 0); setup_clear_cpu_cap(X86_FEATURE_IBT); return; } } +#else /* CONFIG_X86_CET */ +static inline void setup_cet(struct cpuinfo_x86 *c) {} +#endif __noendbr void cet_disable(void) { - if (cpu_feature_enabled(X86_FEATURE_IBT)) - wrmsrl(MSR_IA32_S_CET, 0); + if (!(cpu_feature_enabled(X86_FEATURE_IBT) || + cpu_feature_enabled(X86_FEATURE_SHSTK))) + return; + + wrmsrl(MSR_IA32_S_CET, 0); + wrmsrl(MSR_IA32_U_CET, 0); } /* @@ -1470,6 +1492,9 @@ static void __init cpu_parse_early_param(void) if (cmdline_find_option_bool(boot_command_line, "noxsaves")) setup_clear_cpu_cap(X86_FEATURE_XSAVES); + if (cmdline_find_option_bool(boot_command_line, "nousershstk")) + setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK); + arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg)); if (arglen <= 0) return;