| Message ID | 20230227222957.24501-39-rick.p.edgecombe@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2683896wrd;
Mon, 27 Feb 2023 14:37:55 -0800 (PST)
X-Google-Smtp-Source:
AK7set/A+xnWWjLxhOnFqPlohst6+wVapSztzFzAdPp+fyPZCyxOgGLDhd4PkXkNNc323O1irUXH
X-Received: by 2002:a17:90b:4b04:b0:237:9a13:5841 with SMTP id
lx4-20020a17090b4b0400b002379a135841mr845345pjb.3.1677537475278;
Mon, 27 Feb 2023 14:37:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1677537475; cv=none;
d=google.com; s=arc-20160816;
b=TqoxONjIfil7i5TrurMRqzd7P7r5hgQFz2o/+g2e55RdE3V/Sov/k3EXpNYiJ1Z6cN
LCbjZuL0Owo+h3ROAFOmGoAM3XMT4mZQqoQLFmrfB6NdMut09w4JhIcsxR7rX6Ttq8Vx
BVeL9cNT43+mepb6VJQqr8CeTk866GF+gg6YhjsuC/LaRg6uQkcQHud8vLtdnFMAeWpG
PIo1Uyj/TjggXPMYbRsjx7cVPP5lIWPdUuNY3cduaeDioGIJdAv1F9Rcgf0M5rBJd+fp
AYmFz5T9OKIt3oYENrQy4UcwIYK2zHrn9GRChzb0Ai7RpYLIHGJQ6oldI1nPoJ6vpozS
qS6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:references:in-reply-to:message-id:date:subject
:cc:to:from:dkim-signature;
bh=U7hvfVf5QRzvGljNI8gpRe6+fyv2kVLnLmpYI7wD5/Q=;
b=N6q4okYERrU/UbnQpN3kbhSHly8ZTXDNDcwGqUheBA8TYFqNbx7Kfey4h3ZdOErMia
gSZGjvwUqHHb/apfH8UJVq8Tr27LV8xbHT7OS65bKrIztyV/WLbxtDCEP2msGju5TDnQ
8bjvmlPP75ybAKQAW0PdWNwNPhHeK6rooSrt7bp+E78RuaMVn34ZPwmy80OGmv5PNCZC
hfSj/mVIFbdkEqFI2aZQ/TFo83T5zoqNQJVpW5rU7Kmz4Japo7T4VlRYGnBSJ26EcWM9
lSkJAtFyKDWWR2yb8ZIxk4donwm4fk1Z/yrtZnxpMm6MJl4HOiqGhXtbprmqBkC4+12O
AoFQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=YWj26FDr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
lr9-20020a17090b4b8900b00234ba1cfad4si9403369pjb.182.2023.02.27.14.37.41;
Mon, 27 Feb 2023 14:37:55 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=YWj26FDr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230477AbjB0WhS (ORCPT <rfc822;wenzhi022@gmail.com> + 99 others);
Mon, 27 Feb 2023 17:37:18 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40140 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230378AbjB0Wgs (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 27 Feb 2023 17:36:48 -0500
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 96CCD2B61C;
Mon, 27 Feb 2023 14:32:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1677537151; x=1709073151;
h=from:to:cc:subject:date:message-id:in-reply-to:
references;
bh=AW2ARGp5U2MHiLvxwUeTShQ2Nof5LT8uoV2neNfX8mg=;
b=YWj26FDrj4dspomjNFyAxrSXE54uUpRDDD0+lYMbmxzz7RFppPK0vQ6k
nmshYhQMROqOVxK4MOh14MtDLxjsM2NEi02WaxE/aMkdWvaJz06+bIg34
y1iTbzuM6IyMRxGTiJ+NzvBZ3Cypriiz60eI/PZy5Rz5/5WIuSCBMboIT
tG80PE7w+mTEpwPiPZ0o/w/AVURk944xbskYZdkUgNYDtxjOlVI7vHVnw
5IOJSYxy0zCP+qCs/U+gOeSwsHl0jZW/ffoA1QAFm8nlAm/KrPfABDy+e
wnxQtUjdsNlBb04+sVKT8craaAi/bWMSQSBYPM7JTtt0+2SOiIi/GNOB0
w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="313657932"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400";
d="scan'208";a="313657932"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Feb 2023 14:31:36 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="848024808"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400";
d="scan'208";a="848024808"
Received: from leonqu-mobl1.amr.corp.intel.com (HELO
rpedgeco-desk.amr.corp.intel.com) ([10.209.72.19])
by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Feb 2023 14:31:35 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
linux-doc@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-api@vger.kernel.org,
Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
Weijiang Yang <weijiang.yang@intel.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
John Allen <john.allen@amd.com>, kcc@google.com,
eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
dethoma@microsoft.com, akpm@linux-foundation.org,
Andrew.Cooper3@citrix.com, christina.schimpe@intel.com,
david@redhat.com, debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v7 38/41] x86/fpu: Add helper for initing features
Date: Mon, 27 Feb 2023 14:29:54 -0800
Message-Id: <20230227222957.24501-39-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
SPF_HELO_PASS,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1759025535494443667?=
X-GMAIL-MSGID: =?utf-8?q?1759025535494443667?=
|
| Series |
Shadow stacks for userspace
|
|
Commit Message
Edgecombe, Rick P
Feb. 27, 2023, 10:29 p.m. UTC
If an xfeature is saved in a buffer, the xfeature's bit will be set in xsave->header.xfeatures. The CPU may opt to not save the xfeature if it is in it's init state. In this case the xfeature buffer address cannot be retrieved with get_xsave_addr(). Future patches will need to handle the case of writing to an xfeature that may not be saved. So provide helpers to init an xfeature in an xsave buffer. This could of course be done directly by reaching into the xsave buffer, however this would not be robust against future changes to optimize the xsave buffer by compacting it. In that case the xsave buffer would need to be re-arranged as well. So the logic properly belongs encapsulated in a helper where the logic can be unified. Tested-by: Pengfei Xu <pengfei.xu@intel.com> Tested-by: John Allen <john.allen@amd.com> Tested-by: Kees Cook <keescook@chromium.org> Acked-by: Mike Rapoport (IBM) <rppt@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> --- v2: - New patch --- arch/x86/kernel/fpu/xstate.c | 58 +++++++++++++++++++++++++++++------- arch/x86/kernel/fpu/xstate.h | 6 ++++ 2 files changed, 53 insertions(+), 11 deletions(-)
Comments
On Mon, Feb 27, 2023 at 02:29:54PM -0800, Rick Edgecombe wrote: > Subject: Re: [PATCH v7 38/41] x86/fpu: Add helper for initing features "initializing" > If an xfeature is saved in a buffer, the xfeature's bit will be set in > xsave->header.xfeatures. The CPU may opt to not save the xfeature if it > is in it's init state. In this case the xfeature buffer address cannot "its" > be retrieved with get_xsave_addr(). > > Future patches will need to handle the case of writing to an xfeature > that may not be saved. So provide helpers to init an xfeature in an > xsave buffer. > > This could of course be done directly by reaching into the xsave buffer, > however this would not be robust against future changes to optimize the > xsave buffer by compacting it. In that case the xsave buffer would need > to be re-arranged as well. So the logic properly belongs encapsulated > in a helper where the logic can be unified. > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > Tested-by: John Allen <john.allen@amd.com> > Tested-by: Kees Cook <keescook@chromium.org> > Acked-by: Mike Rapoport (IBM) <rppt@kernel.org> > Reviewed-by: Kees Cook <keescook@chromium.org> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > > --- > v2: > - New patch > --- > arch/x86/kernel/fpu/xstate.c | 58 +++++++++++++++++++++++++++++------- > arch/x86/kernel/fpu/xstate.h | 6 ++++ > 2 files changed, 53 insertions(+), 11 deletions(-) > > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c > index 13a80521dd51..3ff80be0a441 100644 > --- a/arch/x86/kernel/fpu/xstate.c > +++ b/arch/x86/kernel/fpu/xstate.c > @@ -934,6 +934,24 @@ static void *__raw_xsave_addr(struct xregs_state *xsave, int xfeature_nr) > return (void *)xsave + xfeature_get_offset(xcomp_bv, xfeature_nr); > } > > +static int xsave_buffer_access_checks(int xfeature_nr) Function name needs a verb. > +{ > + /* > + * Do we even *have* xsave state? > + */ That comment is superfluous. > + if (!boot_cpu_has(X86_FEATURE_XSAVE)) check_for_deprecated_apis: WARNING: arch/x86/kernel/fpu/xstate.c:942: Do not use boot_cpu_has() - use cpu_feature_enabled() instead. > + return 1; > + > + /* > + * We should not ever be requesting features that we Please use passive voice in your commit message: no "we" or "I", etc, and describe your changes in imperative mood. > + * have not enabled. > + */ > + if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) > + return 1; > + > + return 0; > +} > + > /* > * Given the xsave area and a state inside, this function returns the > * address of the state. > @@ -954,17 +972,7 @@ static void *__raw_xsave_addr(struct xregs_state *xsave, int xfeature_nr) > */ > void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr) > { > - /* > - * Do we even *have* xsave state? > - */ > - if (!boot_cpu_has(X86_FEATURE_XSAVE)) > - return NULL; > - > - /* > - * We should not ever be requesting features that we > - * have not enabled. > - */ > - if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) > + if (xsave_buffer_access_checks(xfeature_nr)) > return NULL; > > /* > @@ -984,6 +992,34 @@ void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr) > return __raw_xsave_addr(xsave, xfeature_nr); > } > > +/* > + * Given the xsave area and a state inside, this function > + * initializes an xfeature in the buffer. s/this function initializes/initialize/ > + * > + * get_xsave_addr() will return NULL if the feature bit is > + * not present in the header. This function will make it so > + * the xfeature buffer address is ready to be retrieved by > + * get_xsave_addr(). So users of get_xsave_addr() would have to know that they would need to call init_xfeature()? I think the better approach would be: void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr, bool init) and then that @init controls whether get_xsave_addr() should init the buffer. And then you don't have to have a bunch of small functions here and there and know when to call what but get_xsave_addr() would simply DTRT. Thx.
On Sat, 2023-03-11 at 13:54 +0100, Borislav Petkov wrote: > On Mon, Feb 27, 2023 at 02:29:54PM -0800, Rick Edgecombe wrote: > > Subject: Re: [PATCH v7 38/41] x86/fpu: Add helper for initing > > features > > "initializing" Sure. > > > If an xfeature is saved in a buffer, the xfeature's bit will be set > > in > > xsave->header.xfeatures. The CPU may opt to not save the xfeature > > if it > > is in it's init state. In this case the xfeature buffer address > > cannot > > "its" I clearly need to be better about it's and its. > > > be retrieved with get_xsave_addr(). > > > > Future patches will need to handle the case of writing to an > > xfeature > > that may not be saved. So provide helpers to init an xfeature in an > > xsave buffer. > > > > This could of course be done directly by reaching into the xsave > > buffer, > > however this would not be robust against future changes to optimize > > the > > xsave buffer by compacting it. In that case the xsave buffer would > > need > > to be re-arranged as well. So the logic properly belongs > > encapsulated > > in a helper where the logic can be unified. > > > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > > Tested-by: John Allen <john.allen@amd.com> > > Tested-by: Kees Cook <keescook@chromium.org> > > Acked-by: Mike Rapoport (IBM) <rppt@kernel.org> > > Reviewed-by: Kees Cook <keescook@chromium.org> > > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > > > > --- > > v2: > > - New patch > > --- > > arch/x86/kernel/fpu/xstate.c | 58 +++++++++++++++++++++++++++++--- > > ---- > > arch/x86/kernel/fpu/xstate.h | 6 ++++ > > 2 files changed, 53 insertions(+), 11 deletions(-) > > > > diff --git a/arch/x86/kernel/fpu/xstate.c > > b/arch/x86/kernel/fpu/xstate.c > > index 13a80521dd51..3ff80be0a441 100644 > > --- a/arch/x86/kernel/fpu/xstate.c > > +++ b/arch/x86/kernel/fpu/xstate.c > > @@ -934,6 +934,24 @@ static void *__raw_xsave_addr(struct > > xregs_state *xsave, int xfeature_nr) > > return (void *)xsave + xfeature_get_offset(xcomp_bv, > > xfeature_nr); > > } > > > > +static int xsave_buffer_access_checks(int xfeature_nr) > > Function name needs a verb. Right. > > > +{ > > + /* > > + * Do we even *have* xsave state? > > + */ > > That comment is superfluous. > > > + if (!boot_cpu_has(X86_FEATURE_XSAVE)) > > check_for_deprecated_apis: WARNING: arch/x86/kernel/fpu/xstate.c:942: > Do not use boot_cpu_has() - use cpu_feature_enabled() instead. > > > + return 1; > > + > > + /* > > + * We should not ever be requesting features that we > > Please use passive voice in your commit message: no "we" or "I", etc, > and describe your changes in imperative mood. These two are from the existing code. Basically they get extracted into a new function. > > > + * have not enabled. > > + */ > > + if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) > > + return 1; > > + > > + return 0; > > +} > > + > > /* > > * Given the xsave area and a state inside, this function returns > > the > > * address of the state. > > @@ -954,17 +972,7 @@ static void *__raw_xsave_addr(struct > > xregs_state *xsave, int xfeature_nr) > > */ > > void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr) > > { > > - /* > > - * Do we even *have* xsave state? > > - */ > > - if (!boot_cpu_has(X86_FEATURE_XSAVE)) > > - return NULL; > > - > > - /* > > - * We should not ever be requesting features that we > > - * have not enabled. > > - */ > > - if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) > > + if (xsave_buffer_access_checks(xfeature_nr)) > > return NULL; > > > > /* > > @@ -984,6 +992,34 @@ void *get_xsave_addr(struct xregs_state > > *xsave, int xfeature_nr) > > return __raw_xsave_addr(xsave, xfeature_nr); > > } > > > > +/* > > + * Given the xsave area and a state inside, this function > > + * initializes an xfeature in the buffer. > > s/this function initializes/initialize/ Sure. > > > + * > > + * get_xsave_addr() will return NULL if the feature bit is > > + * not present in the header. This function will make it so > > + * the xfeature buffer address is ready to be retrieved by > > + * get_xsave_addr(). > > So users of get_xsave_addr() would have to know that they would need > to > call init_xfeature()? That is the situation today. FWIW both of these functions are limited to the FPU internals, so I would think it's not a too unreasonable assumption. > > I think the better approach would be: > > void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr, bool > init) > > and then that @init controls whether get_xsave_addr() should init the > buffer. > > And then you don't have to have a bunch of small functions here and > there and know when to call what but get_xsave_addr() would simply > DTRT. It would have to actually copy the init state to the buffer from init_fpstate, because otherwise the caller couldn't know if get_xsave_addr() was returning valid data or some old data in the buffer. And I guess the `init` mean to initialize it only if it is in the init state, not to overwrite the current state with the init state. I did it up, and it makes the caller code cleaner. But I'm not sure what to think of it. Is this not mixing two operations together? Today get_xsave_addr() pretty much just gets a buffer offset with some checks. Now it would compute the offset and also silently go off and changes the buffer. I looked at this fpu code originally and thought I could add some useful abstractions, but this failed. I came away wondering if this was just an area with so many special cases and details, that abstractions just added confusion. I'm just bringing this up because the other option is to just do this in the regset code: xsave->header.xfeatures |= BIT_ULL(XFEATURE_CET_USER); Let me know if you think it would be better to just open code it. > > Thx. >
On Mon, Mar 13, 2023 at 02:45:08AM +0000, Edgecombe, Rick P wrote: > These two are from the existing code. Basically they get extracted into > a new function. I know but you can fix them while at it. > I did it up, and it makes the caller code cleaner. But I'm not sure > what to think of it. Is this not mixing two operations together? Today > get_xsave_addr() pretty much just gets a buffer offset with some > checks. Now it would compute the offset and also silently go off and > changes the buffer. Ok, so why don't you write the call site this way instead: cetregs = get_xsave_addr(xsave, XFEATURE_CET_USER); if (!cetregs) { if (xfeature_saved(xsave, XFEATURE_CET_USER)) { WARN("something's wrong with this buffer") return ...; } /* Not saved, initialize it */ init_xfeature(xsave, XFEATURE_CET_USER)); } cetregs = get_xsave_addr(xsave, XFEATURE_CET_USER); if (!cetregs) { WARN_ON("WTF") return -ENODEV; } Now it is clear what happens and it is a common code pattern of trying to get something and initializing it if it wasn't initialized yet, and then retrying... Hmm?
On Mon, 2023-03-13 at 12:03 +0100, Borislav Petkov wrote: > On Mon, Mar 13, 2023 at 02:45:08AM +0000, Edgecombe, Rick P wrote: > > These two are from the existing code. Basically they get extracted > > into > > a new function. > > I know but you can fix them while at it. Ok. > > > I did it up, and it makes the caller code cleaner. But I'm not sure > > what to think of it. Is this not mixing two operations together? > > Today > > get_xsave_addr() pretty much just gets a buffer offset with some > > checks. Now it would compute the offset and also silently go off > > and > > changes the buffer. > > Ok, so why don't you write the call site this way instead: > > cetregs = get_xsave_addr(xsave, XFEATURE_CET_USER); > if (!cetregs) { > if (xfeature_saved(xsave, XFEATURE_CET_USER)) { > WARN("something's wrong with this buffer") > return ...; > } > > /* Not saved, initialize it */ > init_xfeature(xsave, XFEATURE_CET_USER)); > } > > cetregs = get_xsave_addr(xsave, XFEATURE_CET_USER); > if (!cetregs) { > WARN_ON("WTF") > return -ENODEV; > } > > Now it is clear what happens and it is a common code pattern of > trying > to get something and initializing it if it wasn't initialized yet, > and > then retrying... > > Hmm? This seems more clear. I'm sorry for the noise here though, because this has made me realize that the initing logic should never be hit. We used to support the full CET_U state in ptrace, but then dropped it to just the SSP and only allowed it when shadow stack is active. This means that CET_U will always have at least the CET_SHSTK_EN bit set and so not be in the init state. So this can probably just warn and bail if it sees an init state. Unless the extra logic seems more robust? But it is always nice when the chance comes to drop a patch out of this thing...
On Mon, Mar 13, 2023 at 04:10:14PM +0000, Edgecombe, Rick P wrote: > This seems more clear. I'm sorry for the noise here though, because > this has made me realize that the initing logic should never be hit. We > used to support the full CET_U state in ptrace, but then dropped it to > just the SSP and only allowed it when shadow stack is active. Right, you do check that at function entry. > This means that CET_U will always have at least the CET_SHSTK_EN bit > set and so not be in the init state. So this can probably just warn > and bail if it sees an init state. I don't mind the additional checks as this is a security thing so sanity checks are good, especially if they're cheap. And you don't need to reinit the buffer - just scream loudly when get_xsave_addr() returns NULL.
On Mon, 2023-03-13 at 18:10 +0100, Borislav Petkov wrote: > > This means that CET_U will always have at least the CET_SHSTK_EN > > bit > > set and so not be in the init state. So this can probably just warn > > and bail if it sees an init state. > > I don't mind the additional checks as this is a security thing so > sanity checks are good, especially if they're cheap. > > And you don't need to reinit the buffer - just scream loudly when > get_xsave_addr() > returns NULL. Ok, will do this instead in "x86: Add PTRACE interface for shadow stack".
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index 13a80521dd51..3ff80be0a441 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -934,6 +934,24 @@ static void *__raw_xsave_addr(struct xregs_state *xsave, int xfeature_nr) return (void *)xsave + xfeature_get_offset(xcomp_bv, xfeature_nr); } +static int xsave_buffer_access_checks(int xfeature_nr) +{ + /* + * Do we even *have* xsave state? + */ + if (!boot_cpu_has(X86_FEATURE_XSAVE)) + return 1; + + /* + * We should not ever be requesting features that we + * have not enabled. + */ + if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) + return 1; + + return 0; +} + /* * Given the xsave area and a state inside, this function returns the * address of the state. @@ -954,17 +972,7 @@ static void *__raw_xsave_addr(struct xregs_state *xsave, int xfeature_nr) */ void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr) { - /* - * Do we even *have* xsave state? - */ - if (!boot_cpu_has(X86_FEATURE_XSAVE)) - return NULL; - - /* - * We should not ever be requesting features that we - * have not enabled. - */ - if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) + if (xsave_buffer_access_checks(xfeature_nr)) return NULL; /* @@ -984,6 +992,34 @@ void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr) return __raw_xsave_addr(xsave, xfeature_nr); } +/* + * Given the xsave area and a state inside, this function + * initializes an xfeature in the buffer. + * + * get_xsave_addr() will return NULL if the feature bit is + * not present in the header. This function will make it so + * the xfeature buffer address is ready to be retrieved by + * get_xsave_addr(). + * + * Inputs: + * xstate: the thread's storage area for all FPU data + * xfeature_nr: state which is defined in xsave.h (e.g. XFEATURE_FP, + * XFEATURE_SSE, etc...) + * Output: + * 1 if the feature cannot be inited, 0 on success + */ +int init_xfeature(struct xregs_state *xsave, int xfeature_nr) +{ + if (xsave_buffer_access_checks(xfeature_nr)) + return 1; + + /* + * Mark the feature inited. + */ + xsave->header.xfeatures |= BIT_ULL(xfeature_nr); + return 0; +} + #ifdef CONFIG_ARCH_HAS_PKEYS /* diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h index a4ecb04d8d64..dc06f63063ee 100644 --- a/arch/x86/kernel/fpu/xstate.h +++ b/arch/x86/kernel/fpu/xstate.h @@ -54,6 +54,12 @@ extern void fpu__init_cpu_xstate(void); extern void fpu__init_system_xstate(unsigned int legacy_size); extern void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr); +extern int init_xfeature(struct xregs_state *xsave, int xfeature_nr); + +static inline int xfeature_saved(struct xregs_state *xsave, int xfeature_nr) +{ + return xsave->header.xfeatures & BIT_ULL(xfeature_nr); +} static inline u64 xfeatures_mask_supervisor(void) {