| Message ID | 20230218211433.26859-19-rick.p.edgecombe@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp555292wrn;
Sat, 18 Feb 2023 13:20:46 -0800 (PST)
X-Google-Smtp-Source:
AK7set/ofQaHtu+SDR0h+D2gFSgpE/E77fhBTElJaMmxT5U8fx2vKAoc4PMgqSYyYEh6YYBJKTPl
X-Received: by 2002:a05:6a20:6929:b0:c7:2086:634b with SMTP id
q41-20020a056a20692900b000c72086634bmr11315842pzj.18.1676755245457;
Sat, 18 Feb 2023 13:20:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1676755245; cv=none;
d=google.com; s=arc-20160816;
b=bcHNA+KPzAQU+NV1+RmbxvjVifuTOKwDxgOSlHsyLXAPKYS29C/pBjWGIzH6l0hXFZ
WE4xHDrcAZHJP2wlfOwXRg2yqJSSkE9VrSesogiuhsndWi+xAK6tBnPYfXMPWn/ism97
oBiOf5JMaJWEqzRGFEJEeShNmCoWLLiWIC+INf3RAkRjU/B3iX9BCvoVBVGd9PkkCPpV
iQQA7J/7MCRma8CuSqiL+WvgXTPdJ5pfHMJH9vRDmJbQGwel8g0f6m5xdNyeiGNO9I9y
o/nUewKCdYw9xCNLEd+mQvS83h31PkY89hb4iZ2djLooGni5+kQtlxZP0LVjP6i8ERIN
ka+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:references:in-reply-to:message-id:date:subject
:cc:to:from:dkim-signature;
bh=hZVQOPh5gsC4utlFQ0Ct33FH6ZCu3J+LIAtvRyiL4EQ=;
b=TtzXeys0EPHNtxuLgPmbfwpQ5EanmmmLv9PPY1y7yHH3+h+deKWx201rVQUbWqkkVK
vin0mkYdZc7QZhKOLNEYJlN0JzbrU0+RVjzCmw3/xih7qLA0PRudcJHrKjWH80n/ZfBu
/vpx9JQWhni+KW54I9xSCfN33BbrT1OM8fPJG2bkD0u7Do8CpgokTRI8fzSPyejrecjB
bL8GA7ewKJIKYO71ksR9oomViXz9Sw3e7BivRAUWGPuOKQCkKdMUcDn+Mz3Gq51WuWVd
ciw/00HYBmNmTm/+NtkPCAj3OTIzrL6D1ftQB/PeI3alXJRnQvGwAY2O+P4iFPoMhNoU
NATA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=mRp9a1DN;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
y129-20020a62ce87000000b005a8f259220asi8658143pfg.66.2023.02.18.13.20.32;
Sat, 18 Feb 2023 13:20:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=mRp9a1DN;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230039AbjBRVUH (ORCPT <rfc822;assdfgzxcv4@gmail.com>
+ 99 others); Sat, 18 Feb 2023 16:20:07 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42674 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229993AbjBRVTK (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 18 Feb 2023 16:19:10 -0500
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 050A11817B;
Sat, 18 Feb 2023 13:17:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1676755040; x=1708291040;
h=from:to:cc:subject:date:message-id:in-reply-to:
references;
bh=tPsImO1U6ZzFWnTQpJpFZiSIEfl+QZcqM1Ze+IYBtwc=;
b=mRp9a1DNVD8PjoR4ytvJc3tUtmfBMDHxbZ3COKbrmBl1U7xMvFXHJNgU
9JOVDaBTIiV3190L79RXx7Va0d52N9FxWeqTKthvIe99bhx86EXOJv2LI
AmDSOgxISIXsELu80hpvRSiztbow6xdrqzMzIk/GLeaoWUXhOzVQ8f89c
YADYjroVzkHZuWYNvPj3bFFiMTvS686XfYrgFyLAmS1LzuCAjYQpepuZr
dDJEU8FWHy8yC3ZaASB/Jfnn8HAeG18m1Jw/Z1qF9ehmbOCLrn46UeYF+
nU9CPIPLI2msyxC+VdjljP7DHC96E9A4Oby8v6GXKa+zEn59s0EDeZKQv
g==;
X-IronPort-AV: E=McAfee;i="6500,9779,10625"; a="418427479"
X-IronPort-AV: E=Sophos;i="5.97,309,1669104000";
d="scan'208";a="418427479"
Received: from orsmga007.jf.intel.com ([10.7.209.58])
by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
18 Feb 2023 13:16:11 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10625"; a="664241659"
X-IronPort-AV: E=Sophos;i="5.97,309,1669104000";
d="scan'208";a="664241659"
Received: from adityava-mobl1.amr.corp.intel.com (HELO
rpedgeco-desk.amr.corp.intel.com) ([10.209.80.223])
by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
18 Feb 2023 13:16:10 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
linux-doc@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-api@vger.kernel.org,
Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
Weijiang Yang <weijiang.yang@intel.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
John Allen <john.allen@amd.com>, kcc@google.com,
eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
dethoma@microsoft.com, akpm@linux-foundation.org,
Andrew.Cooper3@citrix.com, christina.schimpe@intel.com,
david@redhat.com, debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu <yu-cheng.yu@intel.com>
Subject: [PATCH v6 18/41] mm: Introduce VM_SHADOW_STACK for shadow stack
memory
Date: Sat, 18 Feb 2023 13:14:10 -0800
Message-Id: <20230218211433.26859-19-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230218211433.26859-1-rick.p.edgecombe@intel.com>
References: <20230218211433.26859-1-rick.p.edgecombe@intel.com>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1758205308102706151?=
X-GMAIL-MSGID: =?utf-8?q?1758205308102706151?=
|
| Series |
Shadow stacks for userspace
|
|
Commit Message
Edgecombe, Rick P
Feb. 18, 2023, 9:14 p.m. UTC
From: Yu-cheng Yu <yu-cheng.yu@intel.com> The x86 Control-flow Enforcement Technology (CET) feature includes a new type of memory called shadow stack. This shadow stack memory has some unusual properties, which requires some core mm changes to function properly. A shadow stack PTE must be read-only and have _PAGE_DIRTY set. However, read-only and Dirty PTEs also exist for copy-on-write (COW) pages. These two cases are handled differently for page faults. Introduce VM_SHADOW_STACK to track shadow stack VMAs. Reviewed-by: Kees Cook <keescook@chromium.org> Tested-by: Pengfei Xu <pengfei.xu@intel.com> Tested-by: John Allen <john.allen@amd.com> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: Kees Cook <keescook@chromium.org> --- v6: - Add comment about VM_SHADOW_STACK not being allowed with VM_SHARED (David Hildenbrand) v3: - Drop arch specific change in arch_vma_name(). The memory can show as anonymous (Kirill) - Change CONFIG_ARCH_HAS_SHADOW_STACK to CONFIG_X86_USER_SHADOW_STACK in show_smap_vma_flags() (Boris) --- Documentation/filesystems/proc.rst | 1 + fs/proc/task_mmu.c | 3 +++ include/linux/mm.h | 8 ++++++++ 3 files changed, 12 insertions(+)
Comments
On 18.02.23 22:14, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > The x86 Control-flow Enforcement Technology (CET) feature includes a new > type of memory called shadow stack. This shadow stack memory has some > unusual properties, which requires some core mm changes to function > properly. > > A shadow stack PTE must be read-only and have _PAGE_DIRTY set. However, > read-only and Dirty PTEs also exist for copy-on-write (COW) pages. These > two cases are handled differently for page faults. Introduce > VM_SHADOW_STACK to track shadow stack VMAs. I suggest simplifying and abstracting that description. "New hardware extensions implement support for shadow stack memory, such as x86 Control-flow Enforcement Technology (CET). Let's add a new VM flag to identify these areas, for example, to be used to properly indicate shadow stack PTEs to the hardware." > > Reviewed-by: Kees Cook <keescook@chromium.org> > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > Tested-by: John Allen <john.allen@amd.com> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Cc: Kees Cook <keescook@chromium.org> > > --- > v6: > - Add comment about VM_SHADOW_STACK not being allowed with VM_SHARED > (David Hildenbrand) Might want to add some more meat to the patch description why that is the case. > > v3: > - Drop arch specific change in arch_vma_name(). The memory can show as > anonymous (Kirill) > - Change CONFIG_ARCH_HAS_SHADOW_STACK to CONFIG_X86_USER_SHADOW_STACK > in show_smap_vma_flags() (Boris) > --- > Documentation/filesystems/proc.rst | 1 + > fs/proc/task_mmu.c | 3 +++ > include/linux/mm.h | 8 ++++++++ > 3 files changed, 12 insertions(+) > > diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst > index e224b6d5b642..115843e8cce3 100644 > --- a/Documentation/filesystems/proc.rst > +++ b/Documentation/filesystems/proc.rst > @@ -564,6 +564,7 @@ encoded manner. The codes are the following: > mt arm64 MTE allocation tags are enabled > um userfaultfd missing tracking > uw userfaultfd wr-protect tracking > + ss shadow stack page > == ======================================= > > Note that there is no guarantee that every flag and associated mnemonic will > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > index af1c49ae11b1..9e2cefe47749 100644 > --- a/fs/proc/task_mmu.c > +++ b/fs/proc/task_mmu.c > @@ -711,6 +711,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma) > #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR > [ilog2(VM_UFFD_MINOR)] = "ui", > #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ > +#ifdef CONFIG_X86_USER_SHADOW_STACK > + [ilog2(VM_SHADOW_STACK)] = "ss", > +#endif > }; > size_t i; > > diff --git a/include/linux/mm.h b/include/linux/mm.h > index e6f1789c8e69..76e0a09aeffe 100644 > --- a/include/linux/mm.h > +++ b/include/linux/mm.h > @@ -315,11 +315,13 @@ extern unsigned int kobjsize(const void *objp); > #define VM_HIGH_ARCH_BIT_2 34 /* bit only usable on 64-bit architectures */ > #define VM_HIGH_ARCH_BIT_3 35 /* bit only usable on 64-bit architectures */ > #define VM_HIGH_ARCH_BIT_4 36 /* bit only usable on 64-bit architectures */ > +#define VM_HIGH_ARCH_BIT_5 37 /* bit only usable on 64-bit architectures */ > #define VM_HIGH_ARCH_0 BIT(VM_HIGH_ARCH_BIT_0) > #define VM_HIGH_ARCH_1 BIT(VM_HIGH_ARCH_BIT_1) > #define VM_HIGH_ARCH_2 BIT(VM_HIGH_ARCH_BIT_2) > #define VM_HIGH_ARCH_3 BIT(VM_HIGH_ARCH_BIT_3) > #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) > +#define VM_HIGH_ARCH_5 BIT(VM_HIGH_ARCH_BIT_5) > #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ > > #ifdef CONFIG_ARCH_HAS_PKEYS > @@ -335,6 +337,12 @@ extern unsigned int kobjsize(const void *objp); > #endif > #endif /* CONFIG_ARCH_HAS_PKEYS */ > > +#ifdef CONFIG_X86_USER_SHADOW_STACK Should we abstract this to CONFIG_ARCH_USER_SHADOW_STACK, seeing that other architectures might similarly need it?
On Mon, 2023-02-20 at 13:56 +0100, David Hildenbrand wrote: > On 18.02.23 22:14, Rick Edgecombe wrote: > > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > > The x86 Control-flow Enforcement Technology (CET) feature includes > > a new > > type of memory called shadow stack. This shadow stack memory has > > some > > unusual properties, which requires some core mm changes to function > > properly. > > > > A shadow stack PTE must be read-only and have _PAGE_DIRTY set. > > However, > > read-only and Dirty PTEs also exist for copy-on-write (COW) pages. > > These > > two cases are handled differently for page faults. Introduce > > VM_SHADOW_STACK to track shadow stack VMAs. > > I suggest simplifying and abstracting that description. > > "New hardware extensions implement support for shadow stack memory, > such > as x86 Control-flow Enforcement Technology (CET). Let's add a new VM > flag to identify these areas, for example, to be used to properly > indicate shadow stack PTEs to the hardware." Ah yea, that top blurb was added to all the non-x86 arch patches after some feedback from Andrew Morton. He had said basically (in some more colorful language) that the changelogs (at the time) were written assuming the reader knows what a shadow stack is. So it might be worth keeping a little more info in the log? > > > > > Reviewed-by: Kees Cook <keescook@chromium.org> > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > > Tested-by: John Allen <john.allen@amd.com> > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > > Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> > > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > > Cc: Kees Cook <keescook@chromium.org> > > > > --- > > v6: > > - Add comment about VM_SHADOW_STACK not being allowed with > > VM_SHARED > > (David Hildenbrand) > > Might want to add some more meat to the patch description why that > is > the case. Sure. > > > > > v3: > > - Drop arch specific change in arch_vma_name(). The memory can > > show as > > anonymous (Kirill) > > - Change CONFIG_ARCH_HAS_SHADOW_STACK to > > CONFIG_X86_USER_SHADOW_STACK > > in show_smap_vma_flags() (Boris) > > --- > > Documentation/filesystems/proc.rst | 1 + > > fs/proc/task_mmu.c | 3 +++ > > include/linux/mm.h | 8 ++++++++ > > 3 files changed, 12 insertions(+) > > > > diff --git a/Documentation/filesystems/proc.rst > > b/Documentation/filesystems/proc.rst > > index e224b6d5b642..115843e8cce3 100644 > > --- a/Documentation/filesystems/proc.rst > > +++ b/Documentation/filesystems/proc.rst > > @@ -564,6 +564,7 @@ encoded manner. The codes are the following: > > mt arm64 MTE allocation tags are enabled > > um userfaultfd missing tracking > > uw userfaultfd wr-protect tracking > > + ss shadow stack page > > == ======================================= > > > > Note that there is no guarantee that every flag and associated > > mnemonic will > > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > > index af1c49ae11b1..9e2cefe47749 100644 > > --- a/fs/proc/task_mmu.c > > +++ b/fs/proc/task_mmu.c > > @@ -711,6 +711,9 @@ static void show_smap_vma_flags(struct seq_file > > *m, struct vm_area_struct *vma) > > #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR > > [ilog2(VM_UFFD_MINOR)] = "ui", > > #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ > > +#ifdef CONFIG_X86_USER_SHADOW_STACK > > + [ilog2(VM_SHADOW_STACK)] = "ss", > > +#endif > > }; > > size_t i; > > > > diff --git a/include/linux/mm.h b/include/linux/mm.h > > index e6f1789c8e69..76e0a09aeffe 100644 > > --- a/include/linux/mm.h > > +++ b/include/linux/mm.h > > @@ -315,11 +315,13 @@ extern unsigned int kobjsize(const void > > *objp); > > #define VM_HIGH_ARCH_BIT_2 34 /* bit only usable on 64- > > bit architectures */ > > #define VM_HIGH_ARCH_BIT_3 35 /* bit only usable on 64- > > bit architectures */ > > #define VM_HIGH_ARCH_BIT_4 36 /* bit only usable on 64- > > bit architectures */ > > +#define VM_HIGH_ARCH_BIT_5 37 /* bit only usable on 64-bit > > architectures */ > > #define VM_HIGH_ARCH_0 BIT(VM_HIGH_ARCH_BIT_0) > > #define VM_HIGH_ARCH_1 BIT(VM_HIGH_ARCH_BIT_1) > > #define VM_HIGH_ARCH_2 BIT(VM_HIGH_ARCH_BIT_2) > > #define VM_HIGH_ARCH_3 BIT(VM_HIGH_ARCH_BIT_3) > > #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) > > +#define VM_HIGH_ARCH_5 BIT(VM_HIGH_ARCH_BIT_5) > > #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ > > > > #ifdef CONFIG_ARCH_HAS_PKEYS > > @@ -335,6 +337,12 @@ extern unsigned int kobjsize(const void > > *objp); > > #endif > > #endif /* CONFIG_ARCH_HAS_PKEYS */ > > > > +#ifdef CONFIG_X86_USER_SHADOW_STACK > > > Should we abstract this to CONFIG_ARCH_USER_SHADOW_STACK, seeing > that > other architectures might similarly need it? There was an ARCH_HAS_SHADOW_STACK but it got removed following this discussion: https://lore.kernel.org/lkml/d09e952d8ae696f687f0787dfeb7be7699c02913.camel@intel.com/ Now we have this new RFC for riscv as potentially a second implementation. But it is still very early, and I'm not sure anyone knows exactly what the similarities will be in a mature version. So I think it would be better to refactor in an ARCH_HAS_SHADOW_STACK later (and similar abstractions) once that series is more mature and we have an idea of what pieces will be shared. I don't have a problem in principle with an ARCH config, just don't think we should do it yet. >
On 20.02.23 23:08, Edgecombe, Rick P wrote: > On Mon, 2023-02-20 at 13:56 +0100, David Hildenbrand wrote: >> On 18.02.23 22:14, Rick Edgecombe wrote: >>> From: Yu-cheng Yu <yu-cheng.yu@intel.com> >>> >>> The x86 Control-flow Enforcement Technology (CET) feature includes >>> a new >>> type of memory called shadow stack. This shadow stack memory has >>> some >>> unusual properties, which requires some core mm changes to function >>> properly. >>> >>> A shadow stack PTE must be read-only and have _PAGE_DIRTY set. >>> However, >>> read-only and Dirty PTEs also exist for copy-on-write (COW) pages. >>> These >>> two cases are handled differently for page faults. Introduce >>> VM_SHADOW_STACK to track shadow stack VMAs. >> >> I suggest simplifying and abstracting that description. >> >> "New hardware extensions implement support for shadow stack memory, >> such >> as x86 Control-flow Enforcement Technology (CET). Let's add a new VM >> flag to identify these areas, for example, to be used to properly >> indicate shadow stack PTEs to the hardware." > > Ah yea, that top blurb was added to all the non-x86 arch patches after > some feedback from Andrew Morton. He had said basically (in some more > colorful language) that the changelogs (at the time) were written > assuming the reader knows what a shadow stack is. Okay. It's a bit repetitive, though. Ideally, we'd just explain it in the cover letter in detail and Andrews's script would include the cover letter in the first commit. IIRC, that's what usually happens. > > So it might be worth keeping a little more info in the log? Copying the same paragraph into each commit is IMHO a bit repetitive. But these are just my 2 cents. [...] >> Should we abstract this to CONFIG_ARCH_USER_SHADOW_STACK, seeing >> that >> other architectures might similarly need it? > > There was an ARCH_HAS_SHADOW_STACK but it got removed following this > discussion: > > https://lore.kernel.org/lkml/d09e952d8ae696f687f0787dfeb7be7699c02913.camel@intel.com/ > > Now we have this new RFC for riscv as potentially a second > implementation. But it is still very early, and I'm not sure anyone > knows exactly what the similarities will be in a mature version. So I > think it would be better to refactor in an ARCH_HAS_SHADOW_STACK later > (and similar abstractions) once that series is more mature and we have > an idea of what pieces will be shared. I don't have a problem in > principle with an ARCH config, just don't think we should do it yet. Okay, easy to factor out later. Acked-by: David Hildenbrand <david@redhat.com>
On Tue, Feb 21, 2023 at 09:34:35AM +0100, David Hildenbrand wrote: >On 20.02.23 23:08, Edgecombe, Rick P wrote: >>On Mon, 2023-02-20 at 13:56 +0100, David Hildenbrand wrote: >>>On 18.02.23 22:14, Rick Edgecombe wrote: >>>>From: Yu-cheng Yu <yu-cheng.yu@intel.com> >>>> >>>>The x86 Control-flow Enforcement Technology (CET) feature includes >>>>a new >>>>type of memory called shadow stack. This shadow stack memory has >>>>some >>>>unusual properties, which requires some core mm changes to function >>>>properly. >>>> >>>>A shadow stack PTE must be read-only and have _PAGE_DIRTY set. >>>>However, >>>>read-only and Dirty PTEs also exist for copy-on-write (COW) pages. >>>>These >>>>two cases are handled differently for page faults. Introduce >>>>VM_SHADOW_STACK to track shadow stack VMAs. >>> >>>I suggest simplifying and abstracting that description. >>> >>>"New hardware extensions implement support for shadow stack memory, >>>such >>>as x86 Control-flow Enforcement Technology (CET). Let's add a new VM >>>flag to identify these areas, for example, to be used to properly >>>indicate shadow stack PTEs to the hardware." >> >>Ah yea, that top blurb was added to all the non-x86 arch patches after >>some feedback from Andrew Morton. He had said basically (in some more >>colorful language) that the changelogs (at the time) were written >>assuming the reader knows what a shadow stack is. > >Okay. It's a bit repetitive, though. > >Ideally, we'd just explain it in the cover letter in detail and >Andrews's script would include the cover letter in the first commit. >IIRC, that's what usually happens. > >> >>So it might be worth keeping a little more info in the log? > >Copying the same paragraph into each commit is IMHO a bit repetitive. >But these are just my 2 cents. > >[...] > >>>Should we abstract this to CONFIG_ARCH_USER_SHADOW_STACK, seeing >>>that >>>other architectures might similarly need it? >> >>There was an ARCH_HAS_SHADOW_STACK but it got removed following this >>discussion: >> >>https://lore.kernel.org/lkml/d09e952d8ae696f687f0787dfeb7be7699c02913.camel@intel.com/ >> >>Now we have this new RFC for riscv as potentially a second >>implementation. But it is still very early, and I'm not sure anyone >>knows exactly what the similarities will be in a mature version. So I >>think it would be better to refactor in an ARCH_HAS_SHADOW_STACK later >>(and similar abstractions) once that series is more mature and we have >>an idea of what pieces will be shared. I don't have a problem in >>principle with an ARCH config, just don't think we should do it yet. > >Okay, easy to factor out later. I would be more than happy if this config name would've been abstracted out and arches can choose to implement. It's a bit sad that it was generic earlier and was later changed due to lack of support from other architectures. Now there are three architectures who either already support shadow stack (x86), announced the support (aarch64) or are planning to support (riscv). However given patch reduction I will get due to `pte_mkwrite` refactor, I am in favor of future refactor for config. > >Acked-by: David Hildenbrand <david@redhat.com> > >-- >Thanks, > >David / dhildenb >
diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst index e224b6d5b642..115843e8cce3 100644 --- a/Documentation/filesystems/proc.rst +++ b/Documentation/filesystems/proc.rst @@ -564,6 +564,7 @@ encoded manner. The codes are the following: mt arm64 MTE allocation tags are enabled um userfaultfd missing tracking uw userfaultfd wr-protect tracking + ss shadow stack page == ======================================= Note that there is no guarantee that every flag and associated mnemonic will diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index af1c49ae11b1..9e2cefe47749 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -711,6 +711,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma) #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR [ilog2(VM_UFFD_MINOR)] = "ui", #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ +#ifdef CONFIG_X86_USER_SHADOW_STACK + [ilog2(VM_SHADOW_STACK)] = "ss", +#endif }; size_t i; diff --git a/include/linux/mm.h b/include/linux/mm.h index e6f1789c8e69..76e0a09aeffe 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -315,11 +315,13 @@ extern unsigned int kobjsize(const void *objp); #define VM_HIGH_ARCH_BIT_2 34 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_BIT_3 35 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_BIT_4 36 /* bit only usable on 64-bit architectures */ +#define VM_HIGH_ARCH_BIT_5 37 /* bit only usable on 64-bit architectures */ #define VM_HIGH_ARCH_0 BIT(VM_HIGH_ARCH_BIT_0) #define VM_HIGH_ARCH_1 BIT(VM_HIGH_ARCH_BIT_1) #define VM_HIGH_ARCH_2 BIT(VM_HIGH_ARCH_BIT_2) #define VM_HIGH_ARCH_3 BIT(VM_HIGH_ARCH_BIT_3) #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) +#define VM_HIGH_ARCH_5 BIT(VM_HIGH_ARCH_BIT_5) #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ #ifdef CONFIG_ARCH_HAS_PKEYS @@ -335,6 +337,12 @@ extern unsigned int kobjsize(const void *objp); #endif #endif /* CONFIG_ARCH_HAS_PKEYS */ +#ifdef CONFIG_X86_USER_SHADOW_STACK +# define VM_SHADOW_STACK VM_HIGH_ARCH_5 /* Should not be set with VM_SHARED */ +#else +# define VM_SHADOW_STACK VM_NONE +#endif + #if defined(CONFIG_X86) # define VM_PAT VM_ARCH_1 /* PAT reserves whole VMA at once (x86) */ #elif defined(CONFIG_PPC)