From patchwork Sat Feb 18 21:14:32 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 59025
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar,
 linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
 linux-mm@kvack.org, linux-arch@vger.kernel.org,
 linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski,
 Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen,
 Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn,
 Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov,
 Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang,
 "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com,
 rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com,
 akpm@linux-foundation.org, Andrew.Cooper3@citrix.com,
 christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com, Mike Rapoport
Subject: [PATCH v6 40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK
Date: Sat, 18 Feb 2023 13:14:32 -0800
Message-Id: <20230218211433.26859-41-rick.p.edgecombe@intel.com>
In-Reply-To: <20230218211433.26859-1-rick.p.edgecombe@intel.com>
References: <20230218211433.26859-1-rick.p.edgecombe@intel.com>

From: Mike Rapoport

Userspace loaders may lock features before a CRIU restore operation has
the chance to set them to whatever state is required by the process
being restored. Allow a way for CRIU to unlock features. Add it as an
arch_prctl() like the other shadow stack operations, but restrict it to
being called by the ptrace arch_prctl() interface.

Reviewed-by: Kees Cook
Tested-by: Pengfei Xu
Tested-by: John Allen
Signed-off-by: Mike Rapoport
[Merged into recent API changes, added commit log and docs]
Signed-off-by: Rick Edgecombe
---
v4:
 - Add to docs that it is ptrace only.
 - Remove "CET" references

v3:
 - Depend on CONFIG_CHECKPOINT_RESTORE (Kees)
---
 Documentation/x86/shstk.rst | 4 ++++
 arch/x86/include/uapi/asm/prctl.h | 1 +
 arch/x86/kernel/process_64.c | 1 +
 arch/x86/kernel/shstk.c | 9 +++++++--
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/Documentation/x86/shstk.rst b/Documentation/x86/shstk.rst index f2e6f323cf68..e8ed5fc0f7ae 100644 --- a/Documentation/x86/shstk.rst +++ b/Documentation/x86/shstk.rst @@ -73,6 +73,10 @@ arch_prctl(ARCH_SHSTK_LOCK, unsigned long features) are ignored. The mask is ORed with the existing value. So any feature bits set here cannot be enabled or disabled afterwards. +arch_prctl(ARCH_SHSTK_UNLOCK, unsigned long features) + Unlock features. 'features' is a mask of all features to unlock. All + bits set are processed, unset bits are ignored. Only works via ptrace. + The return values are as follows. On success, return 0. On error, errno can be:: diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index e31495668056..200efbbe5809 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -25,6 +25,7 @@ #define ARCH_SHSTK_ENABLE 0x5001 #define ARCH_SHSTK_DISABLE 0x5002 #define ARCH_SHSTK_LOCK 0x5003 +#define ARCH_SHSTK_UNLOCK 0x5004 /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) 
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 71094c8a305f..d368854fa9c4 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -835,6 +835,7 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) case ARCH_SHSTK_ENABLE: case ARCH_SHSTK_DISABLE: case ARCH_SHSTK_LOCK: + case ARCH_SHSTK_UNLOCK: return shstk_prctl(task, option, arg2); default: ret = -EINVAL; diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 2faf9b45ac72..3197ff824809 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -451,9 +451,14 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long features) return 0; } - /* Don't allow via ptrace */ - if (task != current) + /* Only allow via ptrace */ + if (task != current) { + if (option == ARCH_SHSTK_UNLOCK && IS_ENABLED(CONFIG_CHECKPOINT_RESTORE)) { + task->thread.features_locked &= ~features; + return 0; + } return -EINVAL; + } /* Do not allow to change locked features */ if (features & task->thread.features_locked)
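
Review bot: In the Documentation/x86/shstk.rst hunk, the new ARCH_SHSTK_UNLOCK entry says "Only works via ptrace" but does not mention the build-time dependency that the arch/x86/kernel/shstk.c hunk enforces with IS_ENABLED(CONFIG_CHECKPOINT_RESTORE). Suggest adding a sentence that the operation fails with EINVAL on kernels built without CONFIG_CHECKPOINT_RESTORE, and that a direct (non-ptrace) call is rejected, so that callers can tell an unsupported kernel from a misuse of the interface.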
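
Review bot: In the shstk_prctl() hunk of arch/x86/kernel/shstk.c, the rewritten comment "/* Only allow via ptrace */" heads a block that still returns -EINVAL for every ptrace request except ARCH_SHSTK_UNLOCK, so for the other options it says the opposite of what the code does; wording such as "Only ARCH_SHSTK_UNLOCK is allowed via ptrace" would match the logic. Separately, an ARCH_SHSTK_UNLOCK request with task == current skips this block and falls through to the "features & task->thread.features_locked" check; the lines shown here do not reject it, so please confirm the later code returns an error for that case or add an explicit early return, since the lock is only useful if a process cannot clear it on itself. It would also help to note in the comment that the ptrace access check is the only gate on "task->thread.features_locked &= ~features;", because the unlock path does no validation of its own.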