[RFC,v1,11/28] riscv: Implementing "PROT_SHADOWSTACK" on riscv
Commit Message
From: Deepak Gupta <debug@rivosinc.com>
This patch implements new risc-v specific protection flag
`PROT_SHADOWSTACK` (only for kernel) on riscv.
`PROT_SHADOWSTACK` protection flag is only limited to kernel and not exposed
to userspace. Shadow stack is a security construct to prevent against ROP attacks.
`map_shadow_stack` is a new syscall to manufacture shadow stack. In order to avoid
multiple methods to create shadow stack, `PROT_SHADOWSTACK` is not allowed for user
space `mmap` call. `mprotect` wouldn't allow because `arch_validate_prot` already
takes care of this for risc-v.
`arch_calc_vm_prot_bits` is implemented on risc-v to return VM_SHADOW_STACK (alias
for VM_WRITE) if PROT_SHADOWSTACK is supplied (such as call to `do_mmap` will) and
underlying CPU supports shadow stack. `PROT_WRITE` will be converted to `VM_READ |
`VM_WRITE` so that existing case where `PROT_WRITE` is specified keep working but
don't collide with `VM_WRITE` only encoding which now denotes a shadow stack.
risc-v `mmap` wrapper enforces if PROT_WRITE is specified and PROT_READ is left out
then PROT_READ is enforced.
Earlier `protection_map[VM_WRITE]` used to pick read-write (and copy on write) PTE
encodings. Now all non-shadow stack writeable mappings will pick `protection_map[VM_WRITE
| VM_READ] PTE encodings. `protection[VM_WRITE]` are programmed to pick PAGE_SHADOWSTACK
PTE encordings.
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
arch/riscv/include/asm/mman.h | 17 +++++++++++++++++
arch/riscv/include/asm/pgtable.h | 1 +
arch/riscv/kernel/sys_riscv.c | 19 +++++++++++++++++++
arch/riscv/mm/init.c | 2 +-
4 files changed, 38 insertions(+), 1 deletion(-)
Comments
On Wed, 2024-01-24 at 22:21 -0800, debug@rivosinc.com wrote:
> + /*
> + * PROT_SHADOWSTACK is a kernel only protection flag on risc-
> v.
> + * mmap doesn't expect PROT_SHADOWSTACK to be set by user
> space.
> + * User space can rely on `map_shadow_stack` syscall to
> create
> + * shadow stack pages.
> + */
> + if (unlikely(prot & PROT_SHADOWSTACK))
> + return -EINVAL;
Are you sure you need PROT_SHADOWSTACK? Since you are passing
VM_SHADOW_STACK into do_mmap() directly.
On Fri, Feb 09, 2024 at 08:44:35PM +0000, Edgecombe, Rick P wrote:
>On Wed, 2024-01-24 at 22:21 -0800, debug@rivosinc.com wrote:
>> + /*
>> + * PROT_SHADOWSTACK is a kernel only protection flag on risc-
>> v.
>> + * mmap doesn't expect PROT_SHADOWSTACK to be set by user
>> space.
>> + * User space can rely on `map_shadow_stack` syscall to
>> create
>> + * shadow stack pages.
>> + */
>> + if (unlikely(prot & PROT_SHADOWSTACK))
>> + return -EINVAL;
>
>Are you sure you need PROT_SHADOWSTACK? Since you are passing
>VM_SHADOW_STACK into do_mmap() directly.
Sorry for (very) late response.
In this patch series since VM_SHADOW_STACK was an alias to VM_WRITE.
And that's why I needed PROT_SHADOWSTACK to disambiguate.
I am updating my patches and going with ARCH_5 bit (and thus only 64bit support).
So x86, aarch64 and risc-v will be using same bit position.
@@ -22,4 +22,21 @@
*/
#define PROT_SHADOWSTACK 0x40
+static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot,
+ unsigned long pkey __always_unused)
+{
+ unsigned long ret = 0;
+
+ if (cpu_supports_shadow_stack())
+ ret = (prot & PROT_SHADOWSTACK) ? VM_SHADOW_STACK : 0;
+ /*
+ * If PROT_WRITE was specified, force it to VM_READ | VM_WRITE.
+ * Only VM_WRITE means shadow stack.
+ */
+ if (prot & PROT_WRITE)
+ ret = (VM_READ | VM_WRITE);
+ return ret;
+}
+#define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey)
+
#endif /* ! __ASM_MMAN_H__ */
@@ -184,6 +184,7 @@ extern struct pt_alloc_ops pt_ops __initdata;
#define PAGE_READ_EXEC __pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_EXEC)
#define PAGE_WRITE_EXEC __pgprot(_PAGE_BASE | _PAGE_READ | \
_PAGE_EXEC | _PAGE_WRITE)
+#define PAGE_SHADOWSTACK __pgprot(_PAGE_BASE | _PAGE_WRITE)
#define PAGE_COPY PAGE_READ
#define PAGE_COPY_EXEC PAGE_READ_EXEC
@@ -16,6 +16,7 @@
#include <asm/unistd.h>
#include <asm-generic/mman-common.h>
#include <vdso/vsyscall.h>
+#include <asm/mman.h>
static long riscv_sys_mmap(unsigned long addr, unsigned long len,
unsigned long prot, unsigned long flags,
@@ -25,6 +26,24 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len,
if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))
return -EINVAL;
+ /*
+ * If only PROT_WRITE is specified then extend that to PROT_READ
+ * protection_map[VM_WRITE] is now going to select shadow stack encodings.
+ * So specifying PROT_WRITE actually should select protection_map [VM_WRITE | VM_READ]
+ * If user wants to create shadow stack then they should use `map_shadow_stack` syscall.
+ */
+ if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ)))
+ prot |= PROT_READ;
+
+ /*
+ * PROT_SHADOWSTACK is a kernel only protection flag on risc-v.
+ * mmap doesn't expect PROT_SHADOWSTACK to be set by user space.
+ * User space can rely on `map_shadow_stack` syscall to create
+ * shadow stack pages.
+ */
+ if (unlikely(prot & PROT_SHADOWSTACK))
+ return -EINVAL;
+
return ksys_mmap_pgoff(addr, len, prot, flags, fd,
offset >> (PAGE_SHIFT - page_shift_offset));
}
@@ -296,7 +296,7 @@ pgd_t early_pg_dir[PTRS_PER_PGD] __initdata __aligned(PAGE_SIZE);
static const pgprot_t protection_map[16] = {
[VM_NONE] = PAGE_NONE,
[VM_READ] = PAGE_READ,
- [VM_WRITE] = PAGE_COPY,
+ [VM_WRITE] = PAGE_SHADOWSTACK,
[VM_WRITE | VM_READ] = PAGE_COPY,
[VM_EXEC] = PAGE_EXEC,
[VM_EXEC | VM_READ] = PAGE_READ_EXEC,