| Message ID | 20240125062739.1339782-8-debug@rivosinc.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-38012-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:2553:b0:103:945f:af90 with SMTP id
p19csp1454548dyi;
Wed, 24 Jan 2024 22:35:31 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IGZJ0R/Lm0QmyYtSNCi81U1+YxqHIxsOUNOuMCZvTuO+k7TVhUC41HPGRpRxgaH7JfYo8+j
X-Received: by 2002:a05:6a20:3954:b0:19a:e3c4:8677 with SMTP id
r20-20020a056a20395400b0019ae3c48677mr481098pzg.20.1706164530881;
Wed, 24 Jan 2024 22:35:30 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706164530; cv=pass;
d=google.com; s=arc-20160816;
b=uXSngT78cGNP1Xc2w1oGkJLR4uM269S+IhYEvNuQjNj5CyvNDPla69K81Ct5MafeLQ
njHg29GZnVMVYtQMNoTGNhjMAfA/4CbJXRtCpLUpVB2i/TanE1DSMjMFGiWqfNyv0b1s
UIrNTZtHcqtK4vcBD4Pdf6TFZQ9IwSBtl1/4jmHA31DqkHhgIW0Fj1fBPyCNAor/AhIg
vCzJm31/D7PlX0I01D18qF7ipNtzjkheXIC/Gcuv0JWHsBCAurV66Qfks+g1OTCw3uTE
ki406egmCcVaUnsqO1GEfT1MQIQ3Gg6+n+vgYWtV/RcGFyuHcUaQym7aGZdghOS2thKw
ERsw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=rs1o7FymY4gTUwXZVJx54t4Zjv5gF4CojhNG+aQW4Ms=;
fh=oy7V1wWqiaug32hsWRXm98kKNp5NFPTWbY7PiGr4deM=;
b=LuwFDX7igfSzSYUgzeH5s0GCayRj6Z7SLsDraiQxlT+Za3clBLlgo+AgL8sbWkFQXn
5v+k31MpZGqrqjJPKYemG5dWDJRjDBBKZ3Hticdz31YuUVXmEVrU+R2Ow8VtMvS41kzU
DikNcCdQZ6xuXG5aMdrVeSGO99hFmsJOix9m9CdXjUthrhvuYBXjemiJaiSi2V5dWWCM
glhuDRfmOvCfLEJMW2xeX+ElRnBAA2QlQ8JX3FHvkTPal7qJmRZ3d0ioLmeZGSpwdQgV
u/uaX1MaTZZW7NDI7jQyefmuqL52cBcF7Z7cnpp+Ez36ouev1rcTB1kDAL7RB+tA6vBR
4n7A==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@rivosinc-com.20230601.gappssmtp.com
header.s=20230601 header.b=WdefNKcq;
arc=pass (i=1 spf=pass spfdomain=rivosinc.com dkim=pass
dkdomain=rivosinc-com.20230601.gappssmtp.com);
spf=pass (google.com: domain of
linux-kernel+bounces-38012-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.48.161 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-38012-ouuuleilei=gmail.com@vger.kernel.org"
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
by mx.google.com with ESMTPS id
x14-20020a170902ec8e00b001d5e55b25cbsi7239162plg.16.2024.01.24.22.35.30
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 24 Jan 2024 22:35:30 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-38012-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
dkim=pass header.i=@rivosinc-com.20230601.gappssmtp.com
header.s=20230601 header.b=WdefNKcq;
arc=pass (i=1 spf=pass spfdomain=rivosinc.com dkim=pass
dkdomain=rivosinc-com.20230601.gappssmtp.com);
spf=pass (google.com: domain of
linux-kernel+bounces-38012-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.48.161 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-38012-ouuuleilei=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sy.mirrors.kernel.org (Postfix) with ESMTPS id 32C54B24CDB
for <ouuuleilei@gmail.com>; Thu, 25 Jan 2024 06:31:05 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 220FD13FF2;
Thu, 25 Jan 2024 06:29:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=rivosinc-com.20230601.gappssmtp.com
header.i=@rivosinc-com.20230601.gappssmtp.com header.b="WdefNKcq"
Received: from mail-oo1-f44.google.com (mail-oo1-f44.google.com
[209.85.161.44])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99664134BA
for <linux-kernel@vger.kernel.org>; Thu, 25 Jan 2024 06:29:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=209.85.161.44
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1706164146; cv=none;
b=kbkNZhE+kCDrSj2mmBzWwcv3bqqVzZ2P2kOTVoz8yvwOo8Q/zEn0Qlu12DVr/JfwGzdketeWGpEB4f8TC9g/i3ySWClU/Iyxwz/0ytv26U6vtwbaouOlvo/F49XiX/x1m+oMyimTe8A0mic8B3MLOjydALODncigTGAwQuAVztc=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1706164146; c=relaxed/simple;
bh=EY/9qGQfEhM2RCcY1q+hRsq8ge3YefHtxwppIf8wECo=;
h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version;
b=HGmv+t4fzaw6RIpusVRdIp3dcvVODPBuIlx/toPL8iM6BlliO00SXIpuY3TPQKNns0l3m1APpziGirW+/WXhoEZphlau8AeP0TDV95OCqnTZI+nFMp9s+iO8hdH27xXx0twrVLer/96UAbqmrPGaKgnHwkdqB83JX+OmJncERro=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=rivosinc.com;
spf=pass smtp.mailfrom=rivosinc.com;
dkim=pass (2048-bit key) header.d=rivosinc-com.20230601.gappssmtp.com
header.i=@rivosinc-com.20230601.gappssmtp.com header.b=WdefNKcq;
arc=none smtp.client-ip=209.85.161.44
Authentication-Results: smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=rivosinc.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=rivosinc.com
Received: by mail-oo1-f44.google.com with SMTP id
006d021491bc7-599a0f1dc7aso1269615eaf.0
for <linux-kernel@vger.kernel.org>;
Wed, 24 Jan 2024 22:29:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1706164143;
x=1706768943; darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=rs1o7FymY4gTUwXZVJx54t4Zjv5gF4CojhNG+aQW4Ms=;
b=WdefNKcqrRmMaXfXj3r8r20GS0w5P9mQozZd7DGtq9PCYWWZdwPRH6PaH5mMUFJmUs
OVZ3tWWrGv7Im74Eelioz3PllrmngY/GTWV6nfZazUhWGNnp95rzIUQDoysvCIdPoQ6F
UV4AohAaiwPmxD3P96W9USPhbGY+2KeZ0iotjfmEsT4IEMw7QumVzhvj4dQeMhQGuwH/
D+aWaHBx4qbQ8ITLKCM21yEzy4gdkC2sHfxXE/zBBHPsj8dB3qFjtkcz51kdAaAsLzTs
ea9prZO6xMiN/pPAFCEdg6Nuhh5yewpv0bozIZBz96SyFSdvODObAvSvsXO/3xTCnxEu
H6EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1706164143; x=1706768943;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=rs1o7FymY4gTUwXZVJx54t4Zjv5gF4CojhNG+aQW4Ms=;
b=D4vMq/jDyWhDMsen4VPddHJsFpl5odXyLrlqiSpaQfV3A4k+6jq8zAyl2jakDVW7Yu
C5zzHljNWeod2SZDYsrWXpYZo3ONQLCrOk6JAHiFwMtIxarycputxjR6zLnq0TLjBuKk
2eokhPKCAm4sCo8amE0HQlpgRpVtkyVE9Fp2wRucH7AZkg3QwLyesWBLqVSavHjb/rYN
HKCoxAmoLOmVDlDPZAuEt4hCN0HM41Gnb8JvtWC04HBT6/mg6nxbVi0G8n1eaXhWsFIK
1eYIPbSTMX9Q8EGHgBfXRYCEZUqjeHU114y+H4gllk0i32/5uhX+DQBXW8ef+g6xR0Am
Ki6Q==
X-Gm-Message-State: AOJu0Yx6MCo/i9j4cmTu0tnZ6ibtgjilRlw9wvYPdyjAxAbn5tzZ9Hfb
lZRFp00zZaI7e04E6gLVQ273K6kZnoZbrW/+neezjOoyBFDQWY9bosXlkiWW4FY=
X-Received: by 2002:a05:6358:d388:b0:176:5cad:5144 with SMTP id
mp8-20020a056358d38800b001765cad5144mr620289rwb.45.1706164142630;
Wed, 24 Jan 2024 22:29:02 -0800 (PST)
Received: from debug.ba.rivosinc.com ([64.71.180.162])
by smtp.gmail.com with ESMTPSA id
t19-20020a056a00139300b006dd870b51b8sm3201139pfg.126.2024.01.24.22.28.59
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 24 Jan 2024 22:29:02 -0800 (PST)
From: debug@rivosinc.com
To: rick.p.edgecombe@intel.com,
broonie@kernel.org,
Szabolcs.Nagy@arm.com,
kito.cheng@sifive.com,
keescook@chromium.org,
ajones@ventanamicro.com,
paul.walmsley@sifive.com,
palmer@dabbelt.com,
conor.dooley@microchip.com,
cleger@rivosinc.com,
atishp@atishpatra.org,
alex@ghiti.fr,
bjorn@rivosinc.com,
alexghiti@rivosinc.com
Cc: corbet@lwn.net,
aou@eecs.berkeley.edu,
oleg@redhat.com,
akpm@linux-foundation.org,
arnd@arndb.de,
ebiederm@xmission.com,
shuah@kernel.org,
brauner@kernel.org,
debug@rivosinc.com,
guoren@kernel.org,
samitolvanen@google.com,
evan@rivosinc.com,
xiao.w.wang@intel.com,
apatel@ventanamicro.com,
mchitale@ventanamicro.com,
waylingii@gmail.com,
greentime.hu@sifive.com,
heiko@sntech.de,
jszhang@kernel.org,
shikemeng@huaweicloud.com,
david@redhat.com,
charlie@rivosinc.com,
panqinglin2020@iscas.ac.cn,
willy@infradead.org,
vincent.chen@sifive.com,
andy.chiu@sifive.com,
gerg@kernel.org,
jeeheng.sia@starfivetech.com,
mason.huo@starfivetech.com,
ancientmodern4@gmail.com,
mathis.salmen@matsal.de,
cuiyunhui@bytedance.com,
bhe@redhat.com,
chenjiahao16@huawei.com,
ruscur@russell.cc,
bgray@linux.ibm.com,
alx@kernel.org,
baruch@tkos.co.il,
zhangqing@loongson.cn,
catalin.marinas@arm.com,
revest@chromium.org,
josh@joshtriplett.org,
joey.gouly@arm.com,
shr@devkernel.io,
omosnace@redhat.com,
ojeda@kernel.org,
jhubbard@nvidia.com,
linux-doc@vger.kernel.org,
linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org,
linux-mm@kvack.org,
linux-arch@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: [RFC PATCH v1 07/28] riscv: kernel handling on trap entry/exit for
user cfi
Date: Wed, 24 Jan 2024 22:21:32 -0800
Message-ID: <20240125062739.1339782-8-debug@rivosinc.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240125062739.1339782-1-debug@rivosinc.com>
References: <20240125062739.1339782-1-debug@rivosinc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789043179094569892
X-GMAIL-MSGID: 1789043179094569892
|
| Series |
riscv control-flow integrity for usermode
|
|
Commit Message
Deepak Gupta
Jan. 25, 2024, 6:21 a.m. UTC
From: Deepak Gupta <debug@rivosinc.com> Carves out space in arch specific thread struct for cfi status and shadow stack in usermode on riscv. This patch does following - defines a new structure cfi_status with status bit for cfi feature - defines shadow stack pointer, base and size in cfi_status structure - defines offsets to new member fields in thread in asm-offsets.c - Saves and restore shadow stack pointer on trap entry (U --> S) and exit (S --> U) Signed-off-by: Deepak Gupta <debug@rivosinc.com> --- arch/riscv/include/asm/processor.h | 1 + arch/riscv/include/asm/thread_info.h | 3 +++ arch/riscv/include/asm/usercfi.h | 24 ++++++++++++++++++++++++ arch/riscv/kernel/asm-offsets.c | 5 ++++- arch/riscv/kernel/entry.S | 25 +++++++++++++++++++++++++ 5 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 arch/riscv/include/asm/usercfi.h
Comments
On Thu, Jan 25, 2024, at 1:21 AM, debug@rivosinc.com wrote: > From: Deepak Gupta <debug@rivosinc.com> > > Carves out space in arch specific thread struct for cfi status and shadow stack > in usermode on riscv. > > This patch does following > - defines a new structure cfi_status with status bit for cfi feature > - defines shadow stack pointer, base and size in cfi_status structure > - defines offsets to new member fields in thread in asm-offsets.c > - Saves and restore shadow stack pointer on trap entry (U --> S) and exit > (S --> U) > > Signed-off-by: Deepak Gupta <debug@rivosinc.com> > --- > arch/riscv/include/asm/processor.h | 1 + > arch/riscv/include/asm/thread_info.h | 3 +++ > arch/riscv/include/asm/usercfi.h | 24 ++++++++++++++++++++++++ > arch/riscv/kernel/asm-offsets.c | 5 ++++- > arch/riscv/kernel/entry.S | 25 +++++++++++++++++++++++++ > 5 files changed, 57 insertions(+), 1 deletion(-) > create mode 100644 arch/riscv/include/asm/usercfi.h > > diff --git a/arch/riscv/include/asm/processor.h > b/arch/riscv/include/asm/processor.h > index ee2f51787ff8..d4dc298880fc 100644 > --- a/arch/riscv/include/asm/processor.h > +++ b/arch/riscv/include/asm/processor.h > @@ -14,6 +14,7 @@ > > #include <asm/ptrace.h> > #include <asm/hwcap.h> > +#include <asm/usercfi.h> > > #ifdef CONFIG_64BIT > #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) > diff --git a/arch/riscv/include/asm/thread_info.h > b/arch/riscv/include/asm/thread_info.h > index 320bc899a63b..6a2acecec546 100644 > --- a/arch/riscv/include/asm/thread_info.h > +++ b/arch/riscv/include/asm/thread_info.h > @@ -58,6 +58,9 @@ struct thread_info { > int cpu; > unsigned long syscall_work; /* SYSCALL_WORK_ flags */ > unsigned long envcfg; > +#ifdef CONFIG_RISCV_USER_CFI > + struct cfi_status user_cfi_state; > +#endif > #ifdef CONFIG_SHADOW_CALL_STACK > void *scs_base; > void *scs_sp; > diff --git a/arch/riscv/include/asm/usercfi.h > b/arch/riscv/include/asm/usercfi.h > new file mode 100644 > index 000000000000..080d7077d12c > --- /dev/null > +++ b/arch/riscv/include/asm/usercfi.h > @@ -0,0 +1,24 @@ > +/* SPDX-License-Identifier: GPL-2.0 > + * Copyright (C) 2023 Rivos, Inc. > + * Deepak Gupta <debug@rivosinc.com> > + */ > +#ifndef _ASM_RISCV_USERCFI_H > +#define _ASM_RISCV_USERCFI_H > + > +#ifndef __ASSEMBLY__ > +#include <linux/types.h> > + > +#ifdef CONFIG_RISCV_USER_CFI > +struct cfi_status { > + unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ > + unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); > + unsigned long user_shdw_stk; /* Current user shadow stack pointer */ > + unsigned long shdw_stk_base; /* Base address of shadow stack */ > + unsigned long shdw_stk_size; /* size of shadow stack */ > +}; > + > +#endif /* CONFIG_RISCV_USER_CFI */ > + > +#endif /* __ASSEMBLY__ */ > + > +#endif /* _ASM_RISCV_USERCFI_H */ > diff --git a/arch/riscv/kernel/asm-offsets.c > b/arch/riscv/kernel/asm-offsets.c > index cdd8f095c30c..5e1f412e96ba 100644 > --- a/arch/riscv/kernel/asm-offsets.c > +++ b/arch/riscv/kernel/asm-offsets.c > @@ -43,8 +43,11 @@ void asm_offsets(void) > #ifdef CONFIG_SHADOW_CALL_STACK > OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); > #endif > - > OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu); > +#ifdef CONFIG_RISCV_USER_CFI > + OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state); > + OFFSET(TASK_TI_USER_SSP, task_struct, > thread_info.user_cfi_state.user_shdw_stk); > +#endif > OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); > OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); > OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); > diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S > index 63c3855ba80d..410659e2eadb 100644 > --- a/arch/riscv/kernel/entry.S > +++ b/arch/riscv/kernel/entry.S > @@ -49,6 +49,21 @@ SYM_CODE_START(handle_exception) > REG_S x5, PT_T0(sp) > save_from_x6_to_x31 > > +#ifdef CONFIG_RISCV_USER_CFI > + /* > + * we need to save cfi status only when previous mode was U > + */ > + csrr s2, CSR_STATUS > + andi s2, s2, SR_SPP > + bnez s2, skip_bcfi_save > + /* load cfi status word */ > + lw s3, TASK_TI_CFI_STATUS(tp) > + andi s3, s3, 1 > + beqz s3, skip_bcfi_save > + csrr s3, CSR_SSP > + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ > +skip_bcfi_save: > +#endif > /* > * Disable user-mode memory access as it should only be set in the > * actual user copy routines. > @@ -141,6 +156,16 @@ SYM_CODE_START_NOALIGN(ret_from_exception) > * structures again. > */ > csrw CSR_SCRATCH, tp > + > +#ifdef CONFIG_RISCV_USER_CFI > + lw s3, TASK_TI_CFI_STATUS(tp) > + andi s3, s3, 1 > + beqz s3, skip_bcfi_resume > + REG_L s3, TASK_TI_USER_SSP(tp) /* restore user ssp from thread struct */ > + csrw CSR_SSP, s3 > +skip_bcfi_resume: > +#endif > + We shouldn't need any of this in the entry/exit code, at least as long as the kernel itself is not using Zicfiss. ssp can keep its value in the kernel and swap it on task switches. Our entry/exit code is rather short and I'd like to keep it that way. -s > 1: > REG_L a0, PT_STATUS(sp) > /* > -- > 2.43.0 > > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
On Thu, Jan 25, 2024 at 02:29:01AM -0500, Stefan O'Rear wrote: >On Thu, Jan 25, 2024, at 1:21 AM, debug@rivosinc.com wrote: >> From: Deepak Gupta <debug@rivosinc.com> >> >> Carves out space in arch specific thread struct for cfi status and shadow stack >> in usermode on riscv. >> >> This patch does following >> - defines a new structure cfi_status with status bit for cfi feature >> - defines shadow stack pointer, base and size in cfi_status structure >> - defines offsets to new member fields in thread in asm-offsets.c >> - Saves and restore shadow stack pointer on trap entry (U --> S) and exit >> (S --> U) >> >> Signed-off-by: Deepak Gupta <debug@rivosinc.com> >> --- >> arch/riscv/include/asm/processor.h | 1 + >> arch/riscv/include/asm/thread_info.h | 3 +++ >> arch/riscv/include/asm/usercfi.h | 24 ++++++++++++++++++++++++ >> arch/riscv/kernel/asm-offsets.c | 5 ++++- >> arch/riscv/kernel/entry.S | 25 +++++++++++++++++++++++++ >> 5 files changed, 57 insertions(+), 1 deletion(-) >> create mode 100644 arch/riscv/include/asm/usercfi.h >> >> diff --git a/arch/riscv/include/asm/processor.h >> b/arch/riscv/include/asm/processor.h >> index ee2f51787ff8..d4dc298880fc 100644 >> --- a/arch/riscv/include/asm/processor.h >> +++ b/arch/riscv/include/asm/processor.h >> @@ -14,6 +14,7 @@ >> >> #include <asm/ptrace.h> >> #include <asm/hwcap.h> >> +#include <asm/usercfi.h> >> >> #ifdef CONFIG_64BIT >> #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) >> diff --git a/arch/riscv/include/asm/thread_info.h >> b/arch/riscv/include/asm/thread_info.h >> index 320bc899a63b..6a2acecec546 100644 >> --- a/arch/riscv/include/asm/thread_info.h >> +++ b/arch/riscv/include/asm/thread_info.h >> @@ -58,6 +58,9 @@ struct thread_info { >> int cpu; >> unsigned long syscall_work; /* SYSCALL_WORK_ flags */ >> unsigned long envcfg; >> +#ifdef CONFIG_RISCV_USER_CFI >> + struct cfi_status user_cfi_state; >> +#endif >> #ifdef CONFIG_SHADOW_CALL_STACK >> void *scs_base; >> void *scs_sp; >> diff --git a/arch/riscv/include/asm/usercfi.h >> b/arch/riscv/include/asm/usercfi.h >> new file mode 100644 >> index 000000000000..080d7077d12c >> --- /dev/null >> +++ b/arch/riscv/include/asm/usercfi.h >> @@ -0,0 +1,24 @@ >> +/* SPDX-License-Identifier: GPL-2.0 >> + * Copyright (C) 2023 Rivos, Inc. >> + * Deepak Gupta <debug@rivosinc.com> >> + */ >> +#ifndef _ASM_RISCV_USERCFI_H >> +#define _ASM_RISCV_USERCFI_H >> + >> +#ifndef __ASSEMBLY__ >> +#include <linux/types.h> >> + >> +#ifdef CONFIG_RISCV_USER_CFI >> +struct cfi_status { >> + unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ >> + unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); >> + unsigned long user_shdw_stk; /* Current user shadow stack pointer */ >> + unsigned long shdw_stk_base; /* Base address of shadow stack */ >> + unsigned long shdw_stk_size; /* size of shadow stack */ >> +}; >> + >> +#endif /* CONFIG_RISCV_USER_CFI */ >> + >> +#endif /* __ASSEMBLY__ */ >> + >> +#endif /* _ASM_RISCV_USERCFI_H */ >> diff --git a/arch/riscv/kernel/asm-offsets.c >> b/arch/riscv/kernel/asm-offsets.c >> index cdd8f095c30c..5e1f412e96ba 100644 >> --- a/arch/riscv/kernel/asm-offsets.c >> +++ b/arch/riscv/kernel/asm-offsets.c >> @@ -43,8 +43,11 @@ void asm_offsets(void) >> #ifdef CONFIG_SHADOW_CALL_STACK >> OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); >> #endif >> - >> OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu); >> +#ifdef CONFIG_RISCV_USER_CFI >> + OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state); >> + OFFSET(TASK_TI_USER_SSP, task_struct, >> thread_info.user_cfi_state.user_shdw_stk); >> +#endif >> OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); >> OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); >> OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); >> diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S >> index 63c3855ba80d..410659e2eadb 100644 >> --- a/arch/riscv/kernel/entry.S >> +++ b/arch/riscv/kernel/entry.S >> @@ -49,6 +49,21 @@ SYM_CODE_START(handle_exception) >> REG_S x5, PT_T0(sp) >> save_from_x6_to_x31 >> >> +#ifdef CONFIG_RISCV_USER_CFI >> + /* >> + * we need to save cfi status only when previous mode was U >> + */ >> + csrr s2, CSR_STATUS >> + andi s2, s2, SR_SPP >> + bnez s2, skip_bcfi_save >> + /* load cfi status word */ >> + lw s3, TASK_TI_CFI_STATUS(tp) >> + andi s3, s3, 1 >> + beqz s3, skip_bcfi_save >> + csrr s3, CSR_SSP >> + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ >> +skip_bcfi_save: >> +#endif >> /* >> * Disable user-mode memory access as it should only be set in the >> * actual user copy routines. >> @@ -141,6 +156,16 @@ SYM_CODE_START_NOALIGN(ret_from_exception) >> * structures again. >> */ >> csrw CSR_SCRATCH, tp >> + >> +#ifdef CONFIG_RISCV_USER_CFI >> + lw s3, TASK_TI_CFI_STATUS(tp) >> + andi s3, s3, 1 >> + beqz s3, skip_bcfi_resume >> + REG_L s3, TASK_TI_USER_SSP(tp) /* restore user ssp from thread struct */ >> + csrw CSR_SSP, s3 >> +skip_bcfi_resume: >> +#endif >> + > >We shouldn't need any of this in the entry/exit code, at least as long as >the kernel itself is not using Zicfiss. ssp can keep its value in the >kernel and swap it on task switches. Our entry/exit code is rather short >and I'd like to keep it that way. I kept it here because sooner or later we will need to establish kernel shadow stack. Kernel shadow stack on riscv (compared to other arches) kernel actually will be easier to support and adopt because there is already support for shadow call stack (SCS, [1]). Difference between existing shadow call stack (SCS) and `zicfiss` based kernel shadow stack would be - In prolog instead of using `sd`, we will be inserting `sspush` to save ret addr - In epilog instead of using `ld` and compare, we will be inserting `sspopchk` So a lot underlying work and functional testing for shadow kernel stack is already carried out with SCS patches. It would be easier and faster to re-use SCS patches to support `zicfiss` based shadow stack. I don't have favorites here, if overwhelving opinion of community here is to take this logic into task switching and re-work this logic back into entry.S whenever shadow stack for kernel patches are posted, I can do that as well. [1] - https://lore.kernel.org/all/20230828195833.756747-8-samitolvanen@google.com/ > >-s > >> 1: >> REG_L a0, PT_STATUS(sp) >> /* >> -- >> 2.43.0 >> >> >> _______________________________________________ >> linux-riscv mailing list >> linux-riscv@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/linux-riscv
On Thu, Jan 25, 2024, at 12:30 PM, Deepak Gupta wrote: > On Thu, Jan 25, 2024 at 02:29:01AM -0500, Stefan O'Rear wrote: >>On Thu, Jan 25, 2024, at 1:21 AM, debug@rivosinc.com wrote: >>> From: Deepak Gupta <debug@rivosinc.com> >>> >>> Carves out space in arch specific thread struct for cfi status and shadow stack >>> in usermode on riscv. >>> >>> This patch does following >>> - defines a new structure cfi_status with status bit for cfi feature >>> - defines shadow stack pointer, base and size in cfi_status structure >>> - defines offsets to new member fields in thread in asm-offsets.c >>> - Saves and restore shadow stack pointer on trap entry (U --> S) and exit >>> (S --> U) >>> >>> Signed-off-by: Deepak Gupta <debug@rivosinc.com> >>> --- >>> arch/riscv/include/asm/processor.h | 1 + >>> arch/riscv/include/asm/thread_info.h | 3 +++ >>> arch/riscv/include/asm/usercfi.h | 24 ++++++++++++++++++++++++ >>> arch/riscv/kernel/asm-offsets.c | 5 ++++- >>> arch/riscv/kernel/entry.S | 25 +++++++++++++++++++++++++ >>> 5 files changed, 57 insertions(+), 1 deletion(-) >>> create mode 100644 arch/riscv/include/asm/usercfi.h >>> >>> diff --git a/arch/riscv/include/asm/processor.h >>> b/arch/riscv/include/asm/processor.h >>> index ee2f51787ff8..d4dc298880fc 100644 >>> --- a/arch/riscv/include/asm/processor.h >>> +++ b/arch/riscv/include/asm/processor.h >>> @@ -14,6 +14,7 @@ >>> >>> #include <asm/ptrace.h> >>> #include <asm/hwcap.h> >>> +#include <asm/usercfi.h> >>> >>> #ifdef CONFIG_64BIT >>> #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) >>> diff --git a/arch/riscv/include/asm/thread_info.h >>> b/arch/riscv/include/asm/thread_info.h >>> index 320bc899a63b..6a2acecec546 100644 >>> --- a/arch/riscv/include/asm/thread_info.h >>> +++ b/arch/riscv/include/asm/thread_info.h >>> @@ -58,6 +58,9 @@ struct thread_info { >>> int cpu; >>> unsigned long syscall_work; /* SYSCALL_WORK_ flags */ >>> unsigned long envcfg; >>> +#ifdef CONFIG_RISCV_USER_CFI >>> + struct cfi_status user_cfi_state; >>> +#endif >>> #ifdef CONFIG_SHADOW_CALL_STACK >>> void *scs_base; >>> void *scs_sp; >>> diff --git a/arch/riscv/include/asm/usercfi.h >>> b/arch/riscv/include/asm/usercfi.h >>> new file mode 100644 >>> index 000000000000..080d7077d12c >>> --- /dev/null >>> +++ b/arch/riscv/include/asm/usercfi.h >>> @@ -0,0 +1,24 @@ >>> +/* SPDX-License-Identifier: GPL-2.0 >>> + * Copyright (C) 2023 Rivos, Inc. >>> + * Deepak Gupta <debug@rivosinc.com> >>> + */ >>> +#ifndef _ASM_RISCV_USERCFI_H >>> +#define _ASM_RISCV_USERCFI_H >>> + >>> +#ifndef __ASSEMBLY__ >>> +#include <linux/types.h> >>> + >>> +#ifdef CONFIG_RISCV_USER_CFI >>> +struct cfi_status { >>> + unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ >>> + unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); >>> + unsigned long user_shdw_stk; /* Current user shadow stack pointer */ >>> + unsigned long shdw_stk_base; /* Base address of shadow stack */ >>> + unsigned long shdw_stk_size; /* size of shadow stack */ >>> +}; >>> + >>> +#endif /* CONFIG_RISCV_USER_CFI */ >>> + >>> +#endif /* __ASSEMBLY__ */ >>> + >>> +#endif /* _ASM_RISCV_USERCFI_H */ >>> diff --git a/arch/riscv/kernel/asm-offsets.c >>> b/arch/riscv/kernel/asm-offsets.c >>> index cdd8f095c30c..5e1f412e96ba 100644 >>> --- a/arch/riscv/kernel/asm-offsets.c >>> +++ b/arch/riscv/kernel/asm-offsets.c >>> @@ -43,8 +43,11 @@ void asm_offsets(void) >>> #ifdef CONFIG_SHADOW_CALL_STACK >>> OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); >>> #endif >>> - >>> OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu); >>> +#ifdef CONFIG_RISCV_USER_CFI >>> + OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state); >>> + OFFSET(TASK_TI_USER_SSP, task_struct, >>> thread_info.user_cfi_state.user_shdw_stk); >>> +#endif >>> OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); >>> OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); >>> OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); >>> diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S >>> index 63c3855ba80d..410659e2eadb 100644 >>> --- a/arch/riscv/kernel/entry.S >>> +++ b/arch/riscv/kernel/entry.S >>> @@ -49,6 +49,21 @@ SYM_CODE_START(handle_exception) >>> REG_S x5, PT_T0(sp) >>> save_from_x6_to_x31 >>> >>> +#ifdef CONFIG_RISCV_USER_CFI >>> + /* >>> + * we need to save cfi status only when previous mode was U >>> + */ >>> + csrr s2, CSR_STATUS >>> + andi s2, s2, SR_SPP >>> + bnez s2, skip_bcfi_save >>> + /* load cfi status word */ >>> + lw s3, TASK_TI_CFI_STATUS(tp) >>> + andi s3, s3, 1 >>> + beqz s3, skip_bcfi_save >>> + csrr s3, CSR_SSP >>> + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ >>> +skip_bcfi_save: >>> +#endif >>> /* >>> * Disable user-mode memory access as it should only be set in the >>> * actual user copy routines. >>> @@ -141,6 +156,16 @@ SYM_CODE_START_NOALIGN(ret_from_exception) >>> * structures again. >>> */ >>> csrw CSR_SCRATCH, tp >>> + >>> +#ifdef CONFIG_RISCV_USER_CFI >>> + lw s3, TASK_TI_CFI_STATUS(tp) >>> + andi s3, s3, 1 >>> + beqz s3, skip_bcfi_resume >>> + REG_L s3, TASK_TI_USER_SSP(tp) /* restore user ssp from thread struct */ >>> + csrw CSR_SSP, s3 >>> +skip_bcfi_resume: >>> +#endif >>> + >> >>We shouldn't need any of this in the entry/exit code, at least as long as >>the kernel itself is not using Zicfiss. ssp can keep its value in the >>kernel and swap it on task switches. Our entry/exit code is rather short >>and I'd like to keep it that way. > > I kept it here because sooner or later we will need to establish kernel > shadow > stack. Kernel shadow stack on riscv (compared to other arches) kernel > actually will > be easier to support and adopt because there is already support for > shadow call stack > (SCS, [1]). Difference between existing shadow call stack (SCS) and > `zicfiss` based > kernel shadow stack would be > > - In prolog instead of using `sd`, we will be inserting `sspush` to > save ret addr > - In epilog instead of using `ld` and compare, we will be inserting > `sspopchk` > > So a lot underlying work and functional testing for shadow kernel stack > is already carried > out with SCS patches. It would be easier and faster to re-use SCS > patches to support > `zicfiss` based shadow stack. Do you think that realistically, after all the patches are merged, almost all kernel configurations that enable kernel Zicfiss will also enable userspace Zicfiss and vice versa? If not - if Zicfiss exclusively in user mode is likely to be a common configuration - then the kernel should handle that case in task switch. If kernel Zicfiss and user Zicfiss are overwhelmingly likely to be supported together, then I agree it makes sense to handle it in the same place in entry/exit, but I think what you have is more complicated than necessary. I'm picturing something like this: --- a/arch/riscv/kernel/entry.S +++ b/arch/riscv/kernel/entry.S @@ -32,6 +32,13 @@ SYM_CODE_START(handle_exception) csrr tp, CSR_SCRATCH REG_S sp, TASK_TI_KERNEL_SP(tp) +#ifdef CONFIG_SHADOW_CALL_STACK + ALTERNATIVE("scs_save_current\n\tnop\n\tnop", + "csrr sp, ssp\n\t" + "REG_S sp, TASK_TI_SCS_SP(tp)\n\t" + "REG_L sp, TASK_TI_KERNEL_SP(tp)") +#endif + #ifdef CONFIG_VMAP_STACK addi sp, sp, -(PT_SIZE_ON_STACK) srli sp, sp, THREAD_SHIFT @@ -80,8 +87,13 @@ SYM_CODE_START(handle_exception) /* Load the global pointer */ load_global_pointer - /* Load the kernel shadow call stack pointer if coming from userspace */ - scs_load_current_if_task_changed s5 + /* Load the kernel shadow call stack pointer (harmless if from kernel) */ +#ifdef CONFIG_SHADOW_CALL_STACK + ALTERNATIVE("scs_load_current\n\tnop\n\tnop", + "REG_L s0, TASK_TI_SCS_SP(tp)\n\t" + "csrrw s0, ssp, s0\n\t" + "REG_S s0, PT_SSP(sp)") +#endif move a0, sp /* pt_regs */ la ra, ret_from_exception @@ -130,7 +142,12 @@ SYM_CODE_START_NOALIGN(ret_from_exception) REG_S s0, TASK_TI_KERNEL_SP(tp) /* Save the kernel shadow call stack pointer */ - scs_save_current +#ifdef CONFIG_SHADOW_CALL_STACK + ALTERNATIVE("scs_save_current\n\tnop\n\tnop", + "REG_L s0, PT_SSP(sp)\n\t" + "csrrw s0, ssp, s0\n\t" + "REG_S s0, TASK_TI_SCS_SP(tp)") +#endif /* * Save TP into the scratch register , so we can find the kernel data I moved the shadow stack pointer into pt_regs because it's nearly a GPR and has a meaningfully different value on every trap; this allows us to talk about the ssp at the time of a trap in kernel mode. Saving both the sp and ssp in Lrestore_kernel_tpsp avoids adding conditional logic to Lsave_context. I believe the current code also has a bug: if the U-mode tp is, by chance or intentional exploit, equal to the thread_info address, kernel code will be executed with whatever value U-mode left in gp. I also notice that there is no check for overflow of the shadow stack. This may be intentional, since as long as the shadow stack is at least half the size of the main kernel stack the latter will always overflow first, barring deeper corruption of the control structures or assembly code issues. I expect that the result in that case would be an infinite loop of shadow stack overflows in handle_bad_stack and do_trap_software_check with occasional visits to handle_kernel_stack_overflow. I believe that "Save unwound kernel stack pointer in thread_info" and "Save the kernel shadow call stack pointer" are both no-ops in all cases other than ret_from_fork, since the ABI requires the C trap handler to return with the same sp and ssp it was entered with. Optimizing that would be a separate issue. -s > > I don't have favorites here, if overwhelving opinion of community here > is to take this > logic into task switching and re-work this logic back into entry.S > whenever shadow stack for > kernel patches are posted, I can do that as well. > > [1] - > https://lore.kernel.org/all/20230828195833.756747-8-samitolvanen@google.com/ > >> >>-s >> >>> 1: >>> REG_L a0, PT_STATUS(sp) >>> /* >>> -- >>> 2.43.0 >>> >>> >>> _______________________________________________ >>> linux-riscv mailing list >>> linux-riscv@lists.infradead.org >>> http://lists.infradead.org/mailman/listinfo/linux-riscv > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
On Thu, Jan 25, 2024 at 02:47:49PM -0500, Stefan O'Rear wrote: >On Thu, Jan 25, 2024, at 12:30 PM, Deepak Gupta wrote: >> On Thu, Jan 25, 2024 at 02:29:01AM -0500, Stefan O'Rear wrote: >>>On Thu, Jan 25, 2024, at 1:21 AM, debug@rivosinc.com wrote: >>>> From: Deepak Gupta <debug@rivosinc.com> >>>> >>>> Carves out space in arch specific thread struct for cfi status and shadow stack >>>> in usermode on riscv. >>>> >>>> This patch does following >>>> - defines a new structure cfi_status with status bit for cfi feature >>>> - defines shadow stack pointer, base and size in cfi_status structure >>>> - defines offsets to new member fields in thread in asm-offsets.c >>>> - Saves and restore shadow stack pointer on trap entry (U --> S) and exit >>>> (S --> U) >>>> >>>> Signed-off-by: Deepak Gupta <debug@rivosinc.com> >>>> --- >>>> arch/riscv/include/asm/processor.h | 1 + >>>> arch/riscv/include/asm/thread_info.h | 3 +++ >>>> arch/riscv/include/asm/usercfi.h | 24 ++++++++++++++++++++++++ >>>> arch/riscv/kernel/asm-offsets.c | 5 ++++- >>>> arch/riscv/kernel/entry.S | 25 +++++++++++++++++++++++++ >>>> 5 files changed, 57 insertions(+), 1 deletion(-) >>>> create mode 100644 arch/riscv/include/asm/usercfi.h >>>> >>>> diff --git a/arch/riscv/include/asm/processor.h >>>> b/arch/riscv/include/asm/processor.h >>>> index ee2f51787ff8..d4dc298880fc 100644 >>>> --- a/arch/riscv/include/asm/processor.h >>>> +++ b/arch/riscv/include/asm/processor.h >>>> @@ -14,6 +14,7 @@ >>>> >>>> #include <asm/ptrace.h> >>>> #include <asm/hwcap.h> >>>> +#include <asm/usercfi.h> >>>> >>>> #ifdef CONFIG_64BIT >>>> #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) >>>> diff --git a/arch/riscv/include/asm/thread_info.h >>>> b/arch/riscv/include/asm/thread_info.h >>>> index 320bc899a63b..6a2acecec546 100644 >>>> --- a/arch/riscv/include/asm/thread_info.h >>>> +++ b/arch/riscv/include/asm/thread_info.h >>>> @@ -58,6 +58,9 @@ struct thread_info { >>>> int cpu; >>>> unsigned long syscall_work; /* SYSCALL_WORK_ flags */ >>>> unsigned long envcfg; >>>> +#ifdef CONFIG_RISCV_USER_CFI >>>> + struct cfi_status user_cfi_state; >>>> +#endif >>>> #ifdef CONFIG_SHADOW_CALL_STACK >>>> void *scs_base; >>>> void *scs_sp; >>>> diff --git a/arch/riscv/include/asm/usercfi.h >>>> b/arch/riscv/include/asm/usercfi.h >>>> new file mode 100644 >>>> index 000000000000..080d7077d12c >>>> --- /dev/null >>>> +++ b/arch/riscv/include/asm/usercfi.h >>>> @@ -0,0 +1,24 @@ >>>> +/* SPDX-License-Identifier: GPL-2.0 >>>> + * Copyright (C) 2023 Rivos, Inc. >>>> + * Deepak Gupta <debug@rivosinc.com> >>>> + */ >>>> +#ifndef _ASM_RISCV_USERCFI_H >>>> +#define _ASM_RISCV_USERCFI_H >>>> + >>>> +#ifndef __ASSEMBLY__ >>>> +#include <linux/types.h> >>>> + >>>> +#ifdef CONFIG_RISCV_USER_CFI >>>> +struct cfi_status { >>>> + unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ >>>> + unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); >>>> + unsigned long user_shdw_stk; /* Current user shadow stack pointer */ >>>> + unsigned long shdw_stk_base; /* Base address of shadow stack */ >>>> + unsigned long shdw_stk_size; /* size of shadow stack */ >>>> +}; >>>> + >>>> +#endif /* CONFIG_RISCV_USER_CFI */ >>>> + >>>> +#endif /* __ASSEMBLY__ */ >>>> + >>>> +#endif /* _ASM_RISCV_USERCFI_H */ >>>> diff --git a/arch/riscv/kernel/asm-offsets.c >>>> b/arch/riscv/kernel/asm-offsets.c >>>> index cdd8f095c30c..5e1f412e96ba 100644 >>>> --- a/arch/riscv/kernel/asm-offsets.c >>>> +++ b/arch/riscv/kernel/asm-offsets.c >>>> @@ -43,8 +43,11 @@ void asm_offsets(void) >>>> #ifdef CONFIG_SHADOW_CALL_STACK >>>> OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); >>>> #endif >>>> - >>>> OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu); >>>> +#ifdef CONFIG_RISCV_USER_CFI >>>> + OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state); >>>> + OFFSET(TASK_TI_USER_SSP, task_struct, >>>> thread_info.user_cfi_state.user_shdw_stk); >>>> +#endif >>>> OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); >>>> OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); >>>> OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); >>>> diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S >>>> index 63c3855ba80d..410659e2eadb 100644 >>>> --- a/arch/riscv/kernel/entry.S >>>> +++ b/arch/riscv/kernel/entry.S >>>> @@ -49,6 +49,21 @@ SYM_CODE_START(handle_exception) >>>> REG_S x5, PT_T0(sp) >>>> save_from_x6_to_x31 >>>> >>>> +#ifdef CONFIG_RISCV_USER_CFI >>>> + /* >>>> + * we need to save cfi status only when previous mode was U >>>> + */ >>>> + csrr s2, CSR_STATUS >>>> + andi s2, s2, SR_SPP >>>> + bnez s2, skip_bcfi_save >>>> + /* load cfi status word */ >>>> + lw s3, TASK_TI_CFI_STATUS(tp) >>>> + andi s3, s3, 1 >>>> + beqz s3, skip_bcfi_save >>>> + csrr s3, CSR_SSP >>>> + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ >>>> +skip_bcfi_save: >>>> +#endif >>>> /* >>>> * Disable user-mode memory access as it should only be set in the >>>> * actual user copy routines. >>>> @@ -141,6 +156,16 @@ SYM_CODE_START_NOALIGN(ret_from_exception) >>>> * structures again. >>>> */ >>>> csrw CSR_SCRATCH, tp >>>> + >>>> +#ifdef CONFIG_RISCV_USER_CFI >>>> + lw s3, TASK_TI_CFI_STATUS(tp) >>>> + andi s3, s3, 1 >>>> + beqz s3, skip_bcfi_resume >>>> + REG_L s3, TASK_TI_USER_SSP(tp) /* restore user ssp from thread struct */ >>>> + csrw CSR_SSP, s3 >>>> +skip_bcfi_resume: >>>> +#endif >>>> + >>> >>>We shouldn't need any of this in the entry/exit code, at least as long as >>>the kernel itself is not using Zicfiss. ssp can keep its value in the >>>kernel and swap it on task switches. Our entry/exit code is rather short >>>and I'd like to keep it that way. >> >> I kept it here because sooner or later we will need to establish kernel >> shadow >> stack. Kernel shadow stack on riscv (compared to other arches) kernel >> actually will >> be easier to support and adopt because there is already support for >> shadow call stack >> (SCS, [1]). Difference between existing shadow call stack (SCS) and >> `zicfiss` based >> kernel shadow stack would be >> >> - In prolog instead of using `sd`, we will be inserting `sspush` to >> save ret addr >> - In epilog instead of using `ld` and compare, we will be inserting >> `sspopchk` >> >> So a lot underlying work and functional testing for shadow kernel stack >> is already carried >> out with SCS patches. It would be easier and faster to re-use SCS >> patches to support >> `zicfiss` based shadow stack. > >Do you think that realistically, after all the patches are merged, almost all >kernel configurations that enable kernel Zicfiss will also enable userspace >Zicfiss and vice versa? > >If not - if Zicfiss exclusively in user mode is likely to be a common >configuration - then the kernel should handle that case in task switch. > >If kernel Zicfiss and user Zicfiss are overwhelmingly likely to be supported >together, then I agree it makes sense to handle it in the same place in >entry/exit, but I think what you have is more complicated than necessary. >I'm picturing something like this: I expect user mode would be the first target and even if kernel shadow stacks are enabled, it may not be as pervasive in adoption as I expect for user mode. I do expect it to be used in settings where both are enabled (if not overwhelmingly) Since that has to be supported, it's better to have it organized where we are saving/ restoring in a way which serves both needs rather than have two ways to save/restore depending on how user shadow stacks and kernel shadow stacks are configured. > >--- a/arch/riscv/kernel/entry.S >+++ b/arch/riscv/kernel/entry.S >@@ -32,6 +32,13 @@ SYM_CODE_START(handle_exception) > csrr tp, CSR_SCRATCH > REG_S sp, TASK_TI_KERNEL_SP(tp) > >+#ifdef CONFIG_SHADOW_CALL_STACK >+ ALTERNATIVE("scs_save_current\n\tnop\n\tnop", >+ "csrr sp, ssp\n\t" >+ "REG_S sp, TASK_TI_SCS_SP(tp)\n\t" >+ "REG_L sp, TASK_TI_KERNEL_SP(tp)") >+#endif >+ > #ifdef CONFIG_VMAP_STACK > addi sp, sp, -(PT_SIZE_ON_STACK) > srli sp, sp, THREAD_SHIFT >@@ -80,8 +87,13 @@ SYM_CODE_START(handle_exception) > /* Load the global pointer */ > load_global_pointer > >- /* Load the kernel shadow call stack pointer if coming from userspace */ >- scs_load_current_if_task_changed s5 >+ /* Load the kernel shadow call stack pointer (harmless if from kernel) */ >+#ifdef CONFIG_SHADOW_CALL_STACK >+ ALTERNATIVE("scs_load_current\n\tnop\n\tnop", >+ "REG_L s0, TASK_TI_SCS_SP(tp)\n\t" >+ "csrrw s0, ssp, s0\n\t" >+ "REG_S s0, PT_SSP(sp)") >+#endif > > move a0, sp /* pt_regs */ > la ra, ret_from_exception >@@ -130,7 +142,12 @@ SYM_CODE_START_NOALIGN(ret_from_exception) > REG_S s0, TASK_TI_KERNEL_SP(tp) > > /* Save the kernel shadow call stack pointer */ >- scs_save_current >+#ifdef CONFIG_SHADOW_CALL_STACK >+ ALTERNATIVE("scs_save_current\n\tnop\n\tnop", >+ "REG_L s0, PT_SSP(sp)\n\t" >+ "csrrw s0, ssp, s0\n\t" >+ "REG_S s0, TASK_TI_SCS_SP(tp)") >+#endif I've not used alternatives earlier. But yes along with kernel shadow stack this is much more appealing. Let me munch on it a bit. > > /* > * Save TP into the scratch register , so we can find the kernel data > > >I moved the shadow stack pointer into pt_regs because it's nearly a GPR and has a >meaningfully different value on every trap; this allows us to talk about the ssp >at the time of a trap in kernel mode. I had been under the impression that changing `pt_regs` is something that we don't do usually. If it doesn't require a high bar, I'll do that. Infact, one my earlier implementation had ssp in pt_regs. > >Saving both the sp and ssp in Lrestore_kernel_tpsp avoids adding conditional logic >to Lsave_context. I believe the current code also has a bug: if the U-mode tp is, >by chance or intentional exploit, equal to the thread_info address, kernel code >will be executed with whatever value U-mode left in gp. > >I also notice that there is no check for overflow of the shadow stack. This may be >intentional, since as long as the shadow stack is at least half the size of the >main kernel stack the latter will always overflow first, barring deeper corruption >of the control structures or assembly code issues. I expect that the result in that >case would be an infinite loop of shadow stack overflows in handle_bad_stack and >do_trap_software_check with occasional visits to handle_kernel_stack_overflow. > >I believe that "Save unwound kernel stack pointer in thread_info" and "Save the >kernel shadow call stack pointer" are both no-ops in all cases other than ret_from_fork, >since the ABI requires the C trap handler to return with the same sp and ssp it >was entered with. Optimizing that would be a separate issue. > >-s > >> >> I don't have favorites here, if overwhelving opinion of community here >> is to take this >> logic into task switching and re-work this logic back into entry.S >> whenever shadow stack for >> kernel patches are posted, I can do that as well. >> >> [1] - >> https://lore.kernel.org/all/20230828195833.756747-8-samitolvanen@google.com/ >> >>> >>>-s >>> >>>> 1: >>>> REG_L a0, PT_STATUS(sp) >>>> /* >>>> -- >>>> 2.43.0 >>>> >>>> >>>> _______________________________________________ >>>> linux-riscv mailing list >>>> linux-riscv@lists.infradead.org >>>> http://lists.infradead.org/mailman/listinfo/linux-riscv >> >> _______________________________________________ >> linux-riscv mailing list >> linux-riscv@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/linux-riscv
diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index ee2f51787ff8..d4dc298880fc 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -14,6 +14,7 @@ #include <asm/ptrace.h> #include <asm/hwcap.h> +#include <asm/usercfi.h> #ifdef CONFIG_64BIT #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h index 320bc899a63b..6a2acecec546 100644 --- a/arch/riscv/include/asm/thread_info.h +++ b/arch/riscv/include/asm/thread_info.h @@ -58,6 +58,9 @@ struct thread_info { int cpu; unsigned long syscall_work; /* SYSCALL_WORK_ flags */ unsigned long envcfg; +#ifdef CONFIG_RISCV_USER_CFI + struct cfi_status user_cfi_state; +#endif #ifdef CONFIG_SHADOW_CALL_STACK void *scs_base; void *scs_sp; diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h new file mode 100644 index 000000000000..080d7077d12c --- /dev/null +++ b/arch/riscv/include/asm/usercfi.h @@ -0,0 +1,24 @@ +/* SPDX-License-Identifier: GPL-2.0 + * Copyright (C) 2023 Rivos, Inc. + * Deepak Gupta <debug@rivosinc.com> + */ +#ifndef _ASM_RISCV_USERCFI_H +#define _ASM_RISCV_USERCFI_H + +#ifndef __ASSEMBLY__ +#include <linux/types.h> + +#ifdef CONFIG_RISCV_USER_CFI +struct cfi_status { + unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ + unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); + unsigned long user_shdw_stk; /* Current user shadow stack pointer */ + unsigned long shdw_stk_base; /* Base address of shadow stack */ + unsigned long shdw_stk_size; /* size of shadow stack */ +}; + +#endif /* CONFIG_RISCV_USER_CFI */ + +#endif /* __ASSEMBLY__ */ + +#endif /* _ASM_RISCV_USERCFI_H */ diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c index cdd8f095c30c..5e1f412e96ba 100644 --- a/arch/riscv/kernel/asm-offsets.c +++ b/arch/riscv/kernel/asm-offsets.c @@ -43,8 +43,11 @@ void asm_offsets(void) #ifdef CONFIG_SHADOW_CALL_STACK OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp); #endif - OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu); +#ifdef CONFIG_RISCV_USER_CFI + OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state); + OFFSET(TASK_TI_USER_SSP, task_struct, thread_info.user_cfi_state.user_shdw_stk); +#endif OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S index 63c3855ba80d..410659e2eadb 100644 --- a/arch/riscv/kernel/entry.S +++ b/arch/riscv/kernel/entry.S @@ -49,6 +49,21 @@ SYM_CODE_START(handle_exception) REG_S x5, PT_T0(sp) save_from_x6_to_x31 +#ifdef CONFIG_RISCV_USER_CFI + /* + * we need to save cfi status only when previous mode was U + */ + csrr s2, CSR_STATUS + andi s2, s2, SR_SPP + bnez s2, skip_bcfi_save + /* load cfi status word */ + lw s3, TASK_TI_CFI_STATUS(tp) + andi s3, s3, 1 + beqz s3, skip_bcfi_save + csrr s3, CSR_SSP + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ +skip_bcfi_save: +#endif /* * Disable user-mode memory access as it should only be set in the * actual user copy routines. @@ -141,6 +156,16 @@ SYM_CODE_START_NOALIGN(ret_from_exception) * structures again. */ csrw CSR_SCRATCH, tp + +#ifdef CONFIG_RISCV_USER_CFI + lw s3, TASK_TI_CFI_STATUS(tp) + andi s3, s3, 1 + beqz s3, skip_bcfi_resume + REG_L s3, TASK_TI_USER_SSP(tp) /* restore user ssp from thread struct */ + csrw CSR_SSP, s3 +skip_bcfi_resume: +#endif + 1: REG_L a0, PT_STATUS(sp) /*