Message ID | 20230119212317.8324-5-rick.p.edgecombe@intel.com |
---|---|
State | New |
Headers |
From: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu <yu-cheng.yu@intel.com> Subject: [PATCH v5 04/39] x86/cpufeatures: Enable CET CR4 bit for shadow stack Date: Thu, 19 Jan 2023 13:22:42 -0800 Message-Id: <20230119212317.8324-5-rick.p.edgecombe@intel.com> In-Reply-To: <20230119212317.8324-1-rick.p.edgecombe@intel.com> List-ID: <linux-kernel.vger.kernel.org> |
Series |
Shadow stacks for userspace
|
|
Commit Message
Edgecombe, Rick P
Jan. 19, 2023, 9:22 p.m. UTC
From: Yu-cheng Yu <yu-cheng.yu@intel.com>

Setting CR4.CET is a prerequisite for utilizing any CET features, most of
which also require setting MSRs.

Kernel IBT already enables the CET CR4 bit when it detects IBT HW support
and is configured with kernel IBT. However, future patches that enable
userspace shadow stack support will need the bit set as well. So change
the logic to enable it in either case.

Clear MSR_IA32_U_CET in cet_disable() so that it can't live to see
userspace in a new kexec-ed kernel that has CR4.CET set from kernel IBT.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Kees Cook <keescook@chromium.org>
---

v5:
 - Remove #ifdeffery (Boris)

v4:
 - Add back dedicated command line disable: "nousershtk" (Boris)

v3:
 - Remove stray new line (Boris)
 - Simplify commit log (Andrew Cooper)

v2:
 - In the shadow stack case, go back to only setting CR4.CET if the
   kernel is compiled with user shadow stack support.
 - Clear MSR_IA32_U_CET as well. (PeterZ)

 arch/x86/kernel/cpu/common.c | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
Comments
On Thu, Jan 19, 2023 at 01:22:42PM -0800, Rick Edgecombe wrote:
> From: Yu-cheng Yu <yu-cheng.yu@intel.com>
>
> Setting CR4.CET is a prerequisite for utilizing any CET features, most of
> which also require setting MSRs.
>
> Kernel IBT already enables the CET CR4 bit when it detects IBT HW support
> and is configured with kernel IBT. However, future patches that enable
> userspace shadow stack support will need the bit set as well. So change
> the logic to enable it in either case.
>
> Clear MSR_IA32_U_CET in cet_disable() so that it can't live to see
> userspace in a new kexec-ed kernel that has CR4.CET set from kernel IBT.
>
> Tested-by: Pengfei Xu <pengfei.xu@intel.com>
> Tested-by: John Allen <john.allen@amd.com>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>

Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index cec654e674ff..80507a5ba0ca 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -599,27 +599,43 @@ __noendbr void ibt_restore(u64 save) static __always_inline void setup_cet(struct cpuinfo_x86 *c) { - u64 msr = CET_ENDBR_EN; + bool user_shstk, kernel_ibt; - if (!HAS_KERNEL_IBT || - !cpu_feature_enabled(X86_FEATURE_IBT)) + if (!IS_ENABLED(CONFIG_X86_CET)) return; - wrmsrl(MSR_IA32_S_CET, msr); + kernel_ibt = HAS_KERNEL_IBT && cpu_feature_enabled(X86_FEATURE_IBT); + user_shstk = cpu_feature_enabled(X86_FEATURE_SHSTK) && + IS_ENABLED(CONFIG_X86_USER_SHADOW_STACK); + + if (!kernel_ibt && !user_shstk) + return; + + if (user_shstk) + set_cpu_cap(c, X86_FEATURE_USER_SHSTK); + + if (kernel_ibt) + wrmsrl(MSR_IA32_S_CET, CET_ENDBR_EN); + else + wrmsrl(MSR_IA32_S_CET, 0); + cr4_set_bits(X86_CR4_CET); - if (!ibt_selftest()) { + if (kernel_ibt && !ibt_selftest()) { pr_err("IBT selftest: Failed!\n"); wrmsrl(MSR_IA32_S_CET, 0); setup_clear_cpu_cap(X86_FEATURE_IBT); - return; } } __noendbr void cet_disable(void) { - if (cpu_feature_enabled(X86_FEATURE_IBT)) - wrmsrl(MSR_IA32_S_CET, 0); + if (!(cpu_feature_enabled(X86_FEATURE_IBT) || + cpu_feature_enabled(X86_FEATURE_SHSTK))) + return; + + wrmsrl(MSR_IA32_S_CET, 0); + wrmsrl(MSR_IA32_U_CET, 0); } /* @@ -1476,6 +1492,9 @@ static void __init cpu_parse_early_param(void) if (cmdline_find_option_bool(boot_command_line, "noxsaves")) setup_clear_cpu_cap(X86_FEATURE_XSAVES); + if (cmdline_find_option_bool(boot_command_line, "nousershstk")) + setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK); + arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg)); if (arglen <= 0) return;
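Review bot: in setup_cet() (first hunk), the IBT selftest failure path clears MSR_IA32_S_CET and X86_FEATURE_IBT but leaves CR4.CET set even when user_shstk is false, so the bit stays on with no CET user left. Now that the function tracks both users, consider `if (!user_shstk) cr4_clear_bits(X86_CR4_CET);` in that branch, or a comment saying the bit is left set on purpose. In cet_disable(), the new `wrmsrl(MSR_IA32_U_CET, 0);` deserves a one-line comment carrying the kexec rationale, which currently lives only in the commit message. The check there keys on X86_FEATURE_SHSTK while setup_cet() sets X86_FEATURE_USER_SHSTK, so a word on why the hardware bit is the right test would also help.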
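Review bot: the new "nousershstk" option in cpu_parse_early_param() (second hunk) comes with no documentation in this patch, as the diffstat lists only arch/x86/kernel/cpu/common.c; it needs an entry in Documentation/admin-guide/kernel-parameters.txt, here or in a later patch of the series. The v4 changelog entry spells it "nousershtk", which does not match the string parsed here. The option clears X86_FEATURE_USER_SHSTK, while setup_cet() computes user_shstk from X86_FEATURE_SHSTK and then calls `set_cpu_cap(c, X86_FEATURE_USER_SHSTK);`, so with the option given CR4.CET is still set; a comment or commit-log sentence stating how the cleared cap takes precedence over that set_cpu_cap() call would help the reader.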