diff mbox series

[v6,28/41] x86: Introduce userspace API for shadow stack

Message ID	20230218211433.26859-29-rick.p.edgecombe@intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com Cc: rick.p.edgecombe@intel.com Subject: [PATCH v6 28/41] x86: Introduce userspace API for shadow stack Date: Sat, 18 Feb 2023 13:14:20 -0800 Message-Id: <20230218211433.26859-29-rick.p.edgecombe@intel.com> In-Reply-To: <20230218211433.26859-1-rick.p.edgecombe@intel.com> References: <20230218211433.26859-1-rick.p.edgecombe@intel.com> Precedence: bulk
Series	Shadow stacks for userspace \| [v6,00/41] Shadow stacks for userspace [v6,01/41] Documentation/x86: Add CET shadow stack description [v6,02/41] x86/shstk: Add Kconfig option for shadow stack [v6,03/41] x86/cpufeatures: Add CPU feature flags for shadow stacks [v6,04/41] x86/cpufeatures: Enable CET CR4 bit for shadow stack [v6,05/41] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states [v6,06/41] x86/fpu: Add helper for modifying xstate [v6,07/41] x86: Move control protection handler to separate file [v6,08/41] x86/shstk: Add user control-protection fault handler [v6,09/41] x86/mm: Remove _PAGE_DIRTY from kernel RO pages [v6,10/41] x86/mm: Move pmd_write(), pud_write() up in the file [v6,11/41] mm: Introduce pte_mkwrite_kernel() [v6,12/41] s390/mm: Introduce pmd_mkwrite_kernel() [v6,13/41] mm: Make pte_mkwrite() take a VMA [v6,14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY [v6,15/41] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY [v6,16/41] x86/mm: Start actually marking _PAGE_SAVED_DIRTY [v6,17/41] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 [v6,18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory [v6,19/41] x86/mm: Check shadow stack page fault errors [v6,20/41] x86/mm: Teach pte_mkwrite() about stack memory [v6,21/41] mm: Add guard pages around a shadow stack. [v6,22/41] mm/mmap: Add shadow stack pages to memory accounting [v6,23/41] mm: Re-introduce vm_flags to do_mmap() [v6,24/41] mm: Don't allow write GUPs to shadow stack memory [v6,25/41] x86/mm: Introduce MAP_ABOVE4G [v6,26/41] mm: Warn on shadow stack memory in wrong vma [v6,27/41] x86/mm: Warn if create Write=0,Dirty=1 with raw prot [v6,28/41] x86: Introduce userspace API for shadow stack [v6,29/41] x86/shstk: Add user-mode shadow stack support [v6,30/41] x86/shstk: Handle thread shadow stack [v6,31/41] x86/shstk: Introduce routines modifying shstk [v6,32/41] x86/shstk: Handle signals for shadow stack [v6,33/41] x86/shstk: Introduce map_shadow_stack syscall [v6,34/41] x86/shstk: Support WRSS for userspace [v6,35/41] x86: Expose thread features in /proc/$PID/status [v6,36/41] x86/shstk: Wire in shadow stack interface [v6,37/41] selftests/x86: Add shadow stack test [v6,38/41] x86/fpu: Add helper for initing features [v6,39/41] x86: Add PTRACE interface for shadow stack [v6,40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK [v6,41/41] x86/shstk: Add ARCH_SHSTK_STATUS

Commit Message

Edgecombe, Rick P Feb. 18, 2023, 9:14 p.m. UTC

  From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>

Add three new arch_prctl() handles:

 - ARCH_SHSTK_ENABLE/DISABLE enables or disables the specified
   feature. Returns 0 on success or an error.

 - ARCH_SHSTK_LOCK prevents future disabling or enabling of the
   specified feature. Returns 0 on success or an error

The features are handled per-thread and inherited over fork(2)/clone(2),
but reset on exec().

This is preparation patch. It does not implement any features.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
[tweaked with feedback from tglx]
Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

---
v4:
 - Remove references to CET and replace with shadow stack (Peterz)

v3:
 - Move shstk.c Makefile changes earlier (Kees)
 - Add #ifdef around features_locked and features (Kees)
 - Encapsulate features reset earlier in reset_thread_features() so
   features and features_locked are not referenced in code that would be
   compiled !CONFIG_X86_USER_SHADOW_STACK. (Kees)
 - Fix typo in commit log (Kees)
 - Switch arch_prctl() numbers to avoid conflict with LAM

v2:
 - Only allow one enable/disable per call (tglx)
 - Return error code like a normal arch_prctl() (Alexander Potapenko)
 - Make CET only (tglx)
---
 arch/x86/include/asm/processor.h  |  6 +++++
 arch/x86/include/asm/shstk.h      | 21 +++++++++++++++
 arch/x86/include/uapi/asm/prctl.h |  6 +++++
 arch/x86/kernel/Makefile          |  2 ++
 arch/x86/kernel/process_64.c      |  7 ++++-
 arch/x86/kernel/shstk.c           | 44 +++++++++++++++++++++++++++++++
 6 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 arch/x86/include/asm/shstk.h
 create mode 100644 arch/x86/kernel/shstk.c

Comments

Borislav Petkov Feb. 24, 2023, 12:20 p.m. UTC | #1

On Sat, Feb 18, 2023 at 01:14:20PM -0800, Rick Edgecombe wrote:
> diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
> index 500b96e71f18..b2b3b7200b2d 100644
> --- a/arch/x86/include/uapi/asm/prctl.h
> +++ b/arch/x86/include/uapi/asm/prctl.h
> @@ -20,4 +20,10 @@
>  #define ARCH_MAP_VDSO_32		0x2002
>  #define ARCH_MAP_VDSO_64		0x2003
>  
> +/* Don't use 0x3001-0x3004 because of old glibcs */

So where is this all new interface to userspace programs documented? Do
we have an agreement with all the involved parties that this is how
we're going to support shadow stacks and that this is what userspace
should do?

I'd like to avoid one more fiasco with glibc etc here...

Thx.

Edgecombe, Rick P Feb. 24, 2023, 6:37 p.m. UTC | #2

On Fri, 2023-02-24 at 13:20 +0100, Borislav Petkov wrote:
> On Sat, Feb 18, 2023 at 01:14:20PM -0800, Rick Edgecombe wrote:
> > diff --git a/arch/x86/include/uapi/asm/prctl.h
> > b/arch/x86/include/uapi/asm/prctl.h
> > index 500b96e71f18..b2b3b7200b2d 100644
> > --- a/arch/x86/include/uapi/asm/prctl.h
> > +++ b/arch/x86/include/uapi/asm/prctl.h
> > @@ -20,4 +20,10 @@
> >   #define ARCH_MAP_VDSO_32             0x2002
> >   #define ARCH_MAP_VDSO_64             0x2003
> >   
> > +/* Don't use 0x3001-0x3004 because of old glibcs */
> 
> So where is this all new interface to userspace programs documented? 

In the first patch:

https://lore.kernel.org/lkml/20230218211433.26859-2-rick.p.edgecombe@intel.com/

Then some more documentation is added about ARCH_SHSTK_UNLOCK and
ARCH_SHSTK_STATUS (which are for CRIU) in those patches.

> Do
> we have an agreement with all the involved parties that this is how
> we're going to support shadow stacks and that this is what userspace
> should do?
> 
> I'd like to avoid one more fiasco with glibc etc here...

There are glibc patches prepared by HJ to use the new interface and
it's my understanding that he has discussed the changes with the other
glibc folks. Those glibc patches are used for testing these kernel
patches, but will not get upstream until the kernel patches to avoid
repeating the past problems. So I think it's as prepared as it can be.

One future thing that might come up... Glibc has this mode called
"permissive mode". When glibc is configured this way (compile time or
env var), it is supposed to disable shadow stack when dlopen()ing any
DSO that doesn't have the shadow stack elf header bit. The problem is,
it doesn't really work as intended. It only turns off shadow stack for
the calling thread, leaving the other threads free to call into the DSO
with shadow stack enabled. It's not clear yet if they are going to be
able to fix it in userspace. So this prompted some thinking of if there
could be an additional kernel mode to help glibc in this scenario. But
for non-permissive mode, glibc is queued up to use the interface as is.

Borislav Petkov Feb. 28, 2023, 10:58 a.m. UTC | #3

On Fri, Feb 24, 2023 at 06:37:57PM +0000, Edgecombe, Rick P wrote:
> In the first patch:
> 
> https://lore.kernel.org/lkml/20230218211433.26859-2-rick.p.edgecombe@intel.com/
> 
> Then some more documentation is added about ARCH_SHSTK_UNLOCK and
> ARCH_SHSTK_STATUS (which are for CRIU) in those patches.

Right, I was thinking more about ARCH_PRCTL(2), the man page.

But you can send that to the manpages folks later. I.e., it should be
nearly impossible to be missed. :)

> There are glibc patches prepared by HJ to use the new interface and
> it's my understanding that he has discussed the changes with the other
> glibc folks. Those glibc patches are used for testing these kernel
> patches, but will not get upstream until the kernel patches to avoid
> repeating the past problems. So I think it's as prepared as it can be.

Good.

> One future thing that might come up... Glibc has this mode called
> "permissive mode". When glibc is configured this way (compile time or
> env var), it is supposed to disable shadow stack when dlopen()ing any
> DSO that doesn't have the shadow stack elf header bit.

Maybe I don't understand all the possible use cases but if I were
interested in using shadow stack, then I'd enable it for all objects.
And if I want permissive, I'd disable it for all. A mixed thing sounds
like a mixed can of worms waiting to be opened.

Edgecombe, Rick P Feb. 28, 2023, 10:35 p.m. UTC | #4

On Tue, 2023-02-28 at 11:58 +0100, Borislav Petkov wrote:
> On Fri, Feb 24, 2023 at 06:37:57PM +0000, Edgecombe, Rick P wrote:
> > In the first patch:
> > 
> > 
https://lore.kernel.org/lkml/20230218211433.26859-2-rick.p.edgecombe@intel.com/
> > 
> > Then some more documentation is added about ARCH_SHSTK_UNLOCK and
> > ARCH_SHSTK_STATUS (which are for CRIU) in those patches.
> 
> Right, I was thinking more about ARCH_PRCTL(2), the man page.
> 
> But you can send that to the manpages folks later. I.e., it should be
> nearly impossible to be missed. :)

Sure I can add something. Somewhere I have a man page for
map_shadow_stack written up as well.

> 
> > There are glibc patches prepared by HJ to use the new interface and
> > it's my understanding that he has discussed the changes with the
> > other
> > glibc folks. Those glibc patches are used for testing these kernel
> > patches, but will not get upstream until the kernel patches to
> > avoid
> > repeating the past problems. So I think it's as prepared as it can
> > be.
> 
> Good.
> 
> > One future thing that might come up... Glibc has this mode called
> > "permissive mode". When glibc is configured this way (compile time
> > or
> > env var), it is supposed to disable shadow stack when dlopen()ing
> > any
> > DSO that doesn't have the shadow stack elf header bit.
> 
> Maybe I don't understand all the possible use cases but if I were
> interested in using shadow stack, then I'd enable it for all objects.

Enabling for all objects is the ideal, but in practice distros don't
have that.

> And if I want permissive, I'd disable it for all. A mixed thing
> sounds
> like a mixed can of worms waiting to be opened.

It is definitely a can of worms.

diff mbox series

Patch

diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 8d73004e4cac..bd16e012b3e9 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -28,6 +28,7 @@  struct vm86;
 #include <asm/unwind_hints.h>
 #include <asm/vmxfeatures.h>
 #include <asm/vdso/processor.h>
+#include <asm/shstk.h>
 
 #include <linux/personality.h>
 #include <linux/cache.h>
@@ -475,6 +476,11 @@  struct thread_struct {
 	 */
 	u32			pkru;
 
+#ifdef CONFIG_X86_USER_SHADOW_STACK
+	unsigned long		features;
+	unsigned long		features_locked;
+#endif
+
 	/* Floating point and extended processor state */
 	struct fpu		fpu;
 	/*
diff --git a/arch/x86/include/asm/shstk.h b/arch/x86/include/asm/shstk.h
new file mode 100644
index 000000000000..ec753809f074
--- /dev/null
+++ b/arch/x86/include/asm/shstk.h
@@ -0,0 +1,21 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_X86_SHSTK_H
+#define _ASM_X86_SHSTK_H
+
+#ifndef __ASSEMBLY__
+#include <linux/types.h>
+
+struct task_struct;
+
+#ifdef CONFIG_X86_USER_SHADOW_STACK
+long shstk_prctl(struct task_struct *task, int option, unsigned long features);
+void reset_thread_features(void);
+#else
+static inline long shstk_prctl(struct task_struct *task, int option,
+			       unsigned long arg2) { return -EINVAL; }
+static inline void reset_thread_features(void) {}
+#endif /* CONFIG_X86_USER_SHADOW_STACK */
+
+#endif /* __ASSEMBLY__ */
+
+#endif /* _ASM_X86_SHSTK_H */
diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
index 500b96e71f18..b2b3b7200b2d 100644
--- a/arch/x86/include/uapi/asm/prctl.h
+++ b/arch/x86/include/uapi/asm/prctl.h
@@ -20,4 +20,10 @@ 
 #define ARCH_MAP_VDSO_32		0x2002
 #define ARCH_MAP_VDSO_64		0x2003
 
+/* Don't use 0x3001-0x3004 because of old glibcs */
+
+#define ARCH_SHSTK_ENABLE		0x5001
+#define ARCH_SHSTK_DISABLE		0x5002
+#define ARCH_SHSTK_LOCK			0x5003
+
 #endif /* _ASM_X86_PRCTL_H */
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 92446f1dedd7..b366641703e3 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -146,6 +146,8 @@  obj-$(CONFIG_CALL_THUNKS)		+= callthunks.o
 
 obj-$(CONFIG_X86_CET)			+= cet.o
 
+obj-$(CONFIG_X86_USER_SHADOW_STACK)	+= shstk.o
+
 ###
 # 64 bit specific files
 ifeq ($(CONFIG_X86_64),y)
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 4e34b3b68ebd..71094c8a305f 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -514,6 +514,8 @@  start_thread_common(struct pt_regs *regs, unsigned long new_ip,
 		load_gs_index(__USER_DS);
 	}
 
+	reset_thread_features();
+
 	loadsegment(fs, 0);
 	loadsegment(es, _ds);
 	loadsegment(ds, _ds);
@@ -830,7 +832,10 @@  long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
 	case ARCH_MAP_VDSO_64:
 		return prctl_map_vdso(&vdso_image_64, arg2);
 #endif
-
+	case ARCH_SHSTK_ENABLE:
+	case ARCH_SHSTK_DISABLE:
+	case ARCH_SHSTK_LOCK:
+		return shstk_prctl(task, option, arg2);
 	default:
 		ret = -EINVAL;
 		break;
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
new file mode 100644
index 000000000000..41ed6552e0a5
--- /dev/null
+++ b/arch/x86/kernel/shstk.c
@@ -0,0 +1,44 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * shstk.c - Intel shadow stack support
+ *
+ * Copyright (c) 2021, Intel Corporation.
+ * Yu-cheng Yu <yu-cheng.yu@intel.com>
+ */
+
+#include <linux/sched.h>
+#include <linux/bitops.h>
+#include <asm/prctl.h>
+
+void reset_thread_features(void)
+{
+	current->thread.features = 0;
+	current->thread.features_locked = 0;
+}
+
+long shstk_prctl(struct task_struct *task, int option, unsigned long features)
+{
+	if (option == ARCH_SHSTK_LOCK) {
+		task->thread.features_locked |= features;
+		return 0;
+	}
+
+	/* Don't allow via ptrace */
+	if (task != current)
+		return -EINVAL;
+
+	/* Do not allow to change locked features */
+	if (features & task->thread.features_locked)
+		return -EPERM;
+
+	/* Only support enabling/disabling one feature at a time. */
+	if (hweight_long(features) > 1)
+		return -EINVAL;
+
+	if (option == ARCH_SHSTK_DISABLE) {
+		return -EINVAL;
+	}
+
+	/* Handle ARCH_SHSTK_ENABLE */
+	return -EINVAL;
+}