diff mbox series

[v8,06/40] x86/fpu: Add helper for modifying xstate

Message ID	20230319001535.23210-7-rick.p.edgecombe@intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com Cc: rick.p.edgecombe@intel.com Subject: [PATCH v8 06/40] x86/fpu: Add helper for modifying xstate Date: Sat, 18 Mar 2023 17:15:01 -0700 Message-Id: <20230319001535.23210-7-rick.p.edgecombe@intel.com> In-Reply-To: <20230319001535.23210-1-rick.p.edgecombe@intel.com> References: <20230319001535.23210-1-rick.p.edgecombe@intel.com> Precedence: bulk
Series	Shadow stacks for userspace \| [v8,00/40] Shadow stacks for userspace [v8,01/40] Documentation/x86: Add CET shadow stack description [v8,02/40] x86/shstk: Add Kconfig option for shadow stack [v8,03/40] x86/cpufeatures: Add CPU feature flags for shadow stacks [v8,04/40] x86/cpufeatures: Enable CET CR4 bit for shadow stack [v8,05/40] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states [v8,06/40] x86/fpu: Add helper for modifying xstate [v8,07/40] x86/traps: Move control protection handler to separate file [v8,08/40] x86/shstk: Add user control-protection fault handler [v8,09/40] x86/mm: Remove _PAGE_DIRTY from kernel RO pages [v8,10/40] x86/mm: Move pmd_write(), pud_write() up in the file [v8,11/40] mm: Introduce pte_mkwrite_kernel() [v8,12/40] s390/mm: Introduce pmd_mkwrite_kernel() [v8,13/40] mm: Make pte_mkwrite() take a VMA [v8,14/40] x86/mm: Introduce _PAGE_SAVED_DIRTY [v8,15/40] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY [v8,16/40] x86/mm: Start actually marking _PAGE_SAVED_DIRTY [v8,17/40] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 [v8,18/40] mm: Introduce VM_SHADOW_STACK for shadow stack memory [v8,19/40] x86/mm: Check shadow stack page fault errors [v8,20/40] x86/mm: Teach pte_mkwrite() about stack memory [v8,21/40] mm: Add guard pages around a shadow stack. [v8,22/40] mm/mmap: Add shadow stack pages to memory accounting [v8,23/40] mm: Re-introduce vm_flags to do_mmap() [v8,24/40] mm: Don't allow write GUPs to shadow stack memory [v8,25/40] x86/mm: Introduce MAP_ABOVE4G [v8,26/40] mm: Warn on shadow stack memory in wrong vma [v8,27/40] x86/mm: Warn if create Write=0,Dirty=1 with raw prot [v8,28/40] x86: Introduce userspace API for shadow stack [v8,29/40] x86/shstk: Add user-mode shadow stack support [v8,30/40] x86/shstk: Handle thread shadow stack [v8,31/40] x86/shstk: Introduce routines modifying shstk [v8,32/40] x86/shstk: Handle signals for shadow stack [v8,33/40] x86/shstk: Introduce map_shadow_stack syscall [v8,34/40] x86/shstk: Support WRSS for userspace [v8,35/40] x86: Expose thread features in /proc/$PID/status [v8,36/40] x86/shstk: Wire in shadow stack interface [v8,37/40] selftests/x86: Add shadow stack test [v8,38/40] x86: Add PTRACE interface for shadow stack [v8,39/40] x86/shstk: Add ARCH_SHSTK_UNLOCK [v8,40/40] x86/shstk: Add ARCH_SHSTK_STATUS

Commit Message

Edgecombe, Rick P March 19, 2023, 12:15 a.m. UTC

  Just like user xfeatures, supervisor xfeatures can be active in the
registers or present in the task FPU buffer. If the registers are
active, the registers can be modified directly. If the registers are
not active, the modification must be performed on the task FPU buffer.

When the state is not active, the kernel could perform modifications
directly to the buffer. But in order for it to do that, it needs
to know where in the buffer the specific state it wants to modify is
located. Doing this is not robust against optimizations that compact
the FPU buffer, as each access would require computing where in the
buffer it is.

The easiest way to modify supervisor xfeature data is to force restore
the registers and write directly to the MSRs. Often times this is just fine
anyway as the registers need to be restored before returning to userspace.
Do this for now, leaving buffer writing optimizations for the future.

Add a new function fpregs_lock_and_load() that can simultaneously call
fpregs_lock() and do this restore. Also perform some extra sanity
checks in this function since this will be used in non-fpu focused code.

Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Kees Cook <keescook@chromium.org>

---
v6:
 - Drop "but appear to work" (Boris)

v5:
 - Fix spelling error (Boris)
 - Don't export fpregs_lock_and_load() (Boris)

v3:
 - Rename to fpregs_lock_and_load() to match the unlocking
   fpregs_unlock(). (Kees)
 - Elaborate in comment about helper. (Dave)

v2:
 - Drop optimization of writing directly the buffer, and change API
   accordingly.
 - fpregs_lock_and_load() suggested by tglx
 - Some commit log verbiage from dhansen
---
 arch/x86/include/asm/fpu/api.h |  9 +++++++++
 arch/x86/kernel/fpu/core.c     | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+)

diff mbox series

Patch

diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
index 503a577814b2..aadc6893dcaa 100644
--- a/arch/x86/include/asm/fpu/api.h
+++ b/arch/x86/include/asm/fpu/api.h
@@ -82,6 +82,15 @@  static inline void fpregs_unlock(void)
 		preempt_enable();
 }
 
+/*
+ * FPU state gets lazily restored before returning to userspace. So when in the
+ * kernel, the valid FPU state may be kept in the buffer. This function will force
+ * restore all the fpu state to the registers early if needed, and lock them from
+ * being automatically saved/restored. Then FPU state can be modified safely in the
+ * registers, before unlocking with fpregs_unlock().
+ */
+void fpregs_lock_and_load(void);
+
 #ifdef CONFIG_X86_DEBUG_FPU
 extern void fpregs_assert_state_consistent(void);
 #else
diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
index caf33486dc5e..f851558b673f 100644
--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -753,6 +753,24 @@  void switch_fpu_return(void)
 }
 EXPORT_SYMBOL_GPL(switch_fpu_return);
 
+void fpregs_lock_and_load(void)
+{
+	/*
+	 * fpregs_lock() only disables preemption (mostly). So modifying state
+	 * in an interrupt could screw up some in progress fpregs operation.
+	 * Warn about it.
+	 */
+	WARN_ON_ONCE(!irq_fpu_usable());
+	WARN_ON_ONCE(current->flags & PF_KTHREAD);
+
+	fpregs_lock();
+
+	fpregs_assert_state_consistent();
+
+	if (test_thread_flag(TIF_NEED_FPU_LOAD))
+		fpregs_restore_userregs();
+}
+
 #ifdef CONFIG_X86_DEBUG_FPU
 /*
  * If current FPU state according to its tracking (loaded FPU context on this