diff mbox series

[v9,35/42] x86/shstk: Support WRSS for userspace

Message ID	20230613001108.3040476-36-rick.p.edgecombe@intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com, torvalds@linux-foundation.org, broonie@kernel.org Cc: rick.p.edgecombe@intel.com, Pengfei Xu <pengfei.xu@intel.com> Subject: [PATCH v9 35/42] x86/shstk: Support WRSS for userspace Date: Mon, 12 Jun 2023 17:11:01 -0700 Message-Id: <20230613001108.3040476-36-rick.p.edgecombe@intel.com> In-Reply-To: <20230613001108.3040476-1-rick.p.edgecombe@intel.com> References: <20230613001108.3040476-1-rick.p.edgecombe@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Shadow stacks for userspace \| [v9,00/42] Shadow stacks for userspace [v9,01/42] mm: Rename arch pte_mkwrite()'s to pte_mkwrite_novma() [v9,02/42] mm: Move pte/pmd_mkwrite() callers with no VMA to _novma() [v9,03/42] mm: Make pte_mkwrite() take a VMA [v9,04/42] mm: Re-introduce vm_flags to do_mmap() [v9,05/42] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 [v9,06/42] x86/shstk: Add Kconfig option for shadow stack [v9,07/42] x86/traps: Move control protection handler to separate file [v9,08/42] x86/cpufeatures: Add CPU feature flags for shadow stacks [v9,09/42] x86/mm: Move pmd_write(), pud_write() up in the file [v9,10/42] x86/mm: Introduce _PAGE_SAVED_DIRTY [v9,11/42] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY [v9,12/42] x86/mm: Start actually marking _PAGE_SAVED_DIRTY [v9,13/42] x86/mm: Remove _PAGE_DIRTY from kernel RO pages [v9,14/42] mm: Introduce VM_SHADOW_STACK for shadow stack memory [v9,15/42] x86/mm: Check shadow stack page fault errors [v9,16/42] mm: Add guard pages around a shadow stack. [v9,17/42] mm: Warn on shadow stack memory in wrong vma [v9,18/42] x86/mm: Warn if create Write=0,Dirty=1 with raw prot [v9,19/42] mm/mmap: Add shadow stack pages to memory accounting [v9,20/42] x86/mm: Introduce MAP_ABOVE4G [v9,21/42] x86/mm: Teach pte_mkwrite() about stack memory [v9,22/42] mm: Don't allow write GUPs to shadow stack memory [v9,23/42] Documentation/x86: Add CET shadow stack description [v9,24/42] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states [v9,25/42] x86/fpu: Add helper for modifying xstate [v9,26/42] x86: Introduce userspace API for shadow stack [v9,27/42] x86/shstk: Add user control-protection fault handler [v9,28/42] x86/shstk: Add user-mode shadow stack support [v9,29/42] x86/shstk: Handle thread shadow stack [v9,30/42] x86/shstk: Introduce routines modifying shstk [v9,31/42] x86/shstk: Handle signals for shadow stack [v9,32/42] x86/shstk: Check that SSP is aligned on sigreturn [v9,33/42] x86/shstk: Check that signal frame is shadow stack mem [v9,34/42] x86/shstk: Introduce map_shadow_stack syscall [v9,35/42] x86/shstk: Support WRSS for userspace [v9,36/42] x86: Expose thread features in /proc/$PID/status [v9,37/42] x86/shstk: Wire in shadow stack interface [v9,38/42] x86/cpufeatures: Enable CET CR4 bit for shadow stack [v9,39/42] selftests/x86: Add shadow stack test [v9,40/42] x86: Add PTRACE interface for shadow stack [v9,41/42] x86/shstk: Add ARCH_SHSTK_UNLOCK [v9,42/42] x86/shstk: Add ARCH_SHSTK_STATUS

Commit Message

Edgecombe, Rick P June 13, 2023, 12:11 a.m. UTC

  For the current shadow stack implementation, shadow stacks contents can't
easily be provisioned with arbitrary data. This property helps apps
protect themselves better, but also restricts any potential apps that may
want to do exotic things at the expense of a little security.

The x86 shadow stack feature introduces a new instruction, WRSS, which
can be enabled to write directly to shadow stack memory from userspace.
Allow it to get enabled via the prctl interface.

Only enable the userspace WRSS instruction, which allows writes to
userspace shadow stacks from userspace. Do not allow it to be enabled
independently of shadow stack, as HW does not support using WRSS when
shadow stack is disabled.

>From a fault handler perspective, WRSS will behave very similar to WRUSS,
which is treated like a user access from a #PF err code perspective.

Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/include/uapi/asm/prctl.h |  1 +
 arch/x86/kernel/shstk.c           | 43 ++++++++++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
index 6a8e0e1bff4a..eedfde3b63be 100644
--- a/arch/x86/include/uapi/asm/prctl.h
+++ b/arch/x86/include/uapi/asm/prctl.h
@@ -36,5 +36,6 @@ 
 
 /* ARCH_SHSTK_ features bits */
 #define ARCH_SHSTK_SHSTK		(1ULL <<  0)
+#define ARCH_SHSTK_WRSS			(1ULL <<  1)
 
 #endif /* _ASM_X86_PRCTL_H */
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 04c37b33a625..ea0bf113f9cf 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -390,6 +390,47 @@  void shstk_free(struct task_struct *tsk)
 	unmap_shadow_stack(shstk->base, shstk->size);
 }
 
+static int wrss_control(bool enable)
+{
+	u64 msrval;
+
+	if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+		return -EOPNOTSUPP;
+
+	/*
+	 * Only enable WRSS if shadow stack is enabled. If shadow stack is not
+	 * enabled, WRSS will already be disabled, so don't bother clearing it
+	 * when disabling.
+	 */
+	if (!features_enabled(ARCH_SHSTK_SHSTK))
+		return -EPERM;
+
+	/* Already enabled/disabled? */
+	if (features_enabled(ARCH_SHSTK_WRSS) == enable)
+		return 0;
+
+	fpregs_lock_and_load();
+	rdmsrl(MSR_IA32_U_CET, msrval);
+
+	if (enable) {
+		features_set(ARCH_SHSTK_WRSS);
+		msrval |= CET_WRSS_EN;
+	} else {
+		features_clr(ARCH_SHSTK_WRSS);
+		if (!(msrval & CET_WRSS_EN))
+			goto unlock;
+
+		msrval &= ~CET_WRSS_EN;
+	}
+
+	wrmsrl(MSR_IA32_U_CET, msrval);
+
+unlock:
+	fpregs_unlock();
+
+	return 0;
+}
+
 static int shstk_disable(void)
 {
 	if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
@@ -406,7 +447,7 @@  static int shstk_disable(void)
 	fpregs_unlock();
 
 	shstk_free(current);
-	features_clr(ARCH_SHSTK_SHSTK);
+	features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS);
 
 	return 0;
 }