From patchwork Mon Feb 13 04:53:30 2023
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56024
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 01/20] sslp stubs: shadow stack and landing pad stubs
Date: Sun, 12 Feb 2023 20:53:30 -0800
Message-Id: <20230213045351.3945824-2-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

In absence of shadow stack config and landing pad instr config, stubs are needed to indicate whether shadow stack & landing pad instr is supported.

In absence of config, these stubs return false (indicating no support).
In presence of config, an extern declaration is added and arch specific implementation can choose to implement detection.

Signed-off-by: Deepak Gupta
--- include/linux/processor.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/include/linux/processor.h b/include/linux/processor.h index dc78bdc7079a..228aa95a7cd7 100644 --- a/include/linux/processor.h +++ b/include/linux/processor.h
@@ -59,4 +59,21 @@ do { \ #endif +#ifndef CONFIG_USER_SHADOW_STACK +static inline bool arch_supports_shadow_stack(void) +{ + return false; +} +#else +extern bool arch_supports_shadow_stack(void); +#endif + +#ifndef CONFIG_USER_INDIRECT_BR_LP +static inline bool arch_supports_indirect_br_lp_instr(void) +{ + return false; +} +#else +extern bool arch_supports_indirect_br_lp_instr(void); +#endif #endif /* _LINUX_PROCESSOR_H */
From patchwork Mon Feb 13 04:53:31 2023
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56025
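Review bot: In include/linux/processor.h (patch 01/20), the two `#else` branches declare `extern bool arch_supports_shadow_stack(void);` and `extern bool arch_supports_indirect_br_lp_instr(void);`, but patch 02/20 defines both functions as `static inline bool` in arch/riscv/include/asm/processor.h under the same config symbols. With the option enabled, a translation unit that includes both headers can see an extern declaration followed by a static definition of the same function, which is a linkage conflict. Either drop the extern declarations and let the arch header supply the inline, or keep the extern and make the arch implementation an out-of-line function. A short comment above each stub stating that `false` means "no support", as the commit message describes, would document the contract in the header itself.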
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 02/20] riscv: zisslpcfi enumeration
Date: Sun, 12 Feb 2023 20:53:31 -0800
Message-Id: <20230213045351.3945824-3-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

This patch adds support for detecting zisslpcfi. zisslpcfi stands for unprivileged integer spec extension to support shadow stack and landing pad instruction for indirect branch.

This patch looks for "zisslpcfi" in device tree and accordingly lights up bit in cpu feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu.

Signed-off-by: Deepak Gupta
--- arch/riscv/include/asm/hwcap.h | 6 +++++- arch/riscv/include/asm/processor.h | 12 ++++++++++++ arch/riscv/kernel/cpu.c | 1 + arch/riscv/kernel/cpufeature.c | 1 + 4 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/hwcap.h b/arch/riscv/include/asm/hwcap.h index 86328e3acb02..245fb7ffddd2 100644 --- a/arch/riscv/include/asm/hwcap.h +++ b/arch/riscv/include/asm/hwcap.h
@@ -59,7 +59,8 @@ enum riscv_isa_ext_id { RISCV_ISA_EXT_ZIHINTPAUSE, RISCV_ISA_EXT_SSTC, RISCV_ISA_EXT_SVINVAL, - RISCV_ISA_EXT_ID_MAX + RISCV_ISA_EXT_ZCFI, + RISCV_ISA_EXT_ID_MAX, }; static_assert(RISCV_ISA_EXT_ID_MAX <= RISCV_ISA_EXT_MAX); @@ -72,6 +73,7 @@ enum riscv_isa_ext_key { RISCV_ISA_EXT_KEY_FPU, /* For 'F' and 'D' */ RISCV_ISA_EXT_KEY_ZIHINTPAUSE, RISCV_ISA_EXT_KEY_SVINVAL, + RISCV_ISA_EXT_KEY_ZCFI, RISCV_ISA_EXT_KEY_MAX, }; @@ -95,6 +97,8 @@ static __always_inline int riscv_isa_ext2key(int num) return RISCV_ISA_EXT_KEY_ZIHINTPAUSE; case RISCV_ISA_EXT_SVINVAL: return RISCV_ISA_EXT_KEY_SVINVAL; + case RISCV_ISA_EXT_ZCFI: + return RISCV_ISA_EXT_KEY_ZCFI; default: return -EINVAL; } diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index 94a0590c6971..bdebce2cc323 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -80,6 +80,18 @@ int riscv_of_parent_hartid(struct device_node *node, unsigned long *hartid); extern void riscv_fill_hwcap(void); extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); +#ifdef CONFIG_USER_SHADOW_STACK +static inline bool arch_supports_shadow_stack(void) +{ + return __riscv_isa_extension_available(NULL, RISCV_ISA_EXT_ZCFI); +} +#endif +#ifdef CONFIG_USER_INDIRECT_BR_LP +static inline bool arch_supports_indirect_br_lp_instr(void) +{ + return __riscv_isa_extension_available(NULL, RISCV_ISA_EXT_ZCFI); +} +#endif #endif /* __ASSEMBLY__ */ #endif /* _ASM_RISCV_PROCESSOR_H */ diff --git a/arch/riscv/kernel/cpu.c b/arch/riscv/kernel/cpu.c index 1b9a5a66e55a..fe2bb908d805 100644 --- a/arch/riscv/kernel/cpu.c +++ b/arch/riscv/kernel/cpu.c 
@@ -168,6 +168,7 @@ static struct riscv_isa_ext_data isa_ext_arr[] = { __RISCV_ISA_EXT_DATA(svpbmt, RISCV_ISA_EXT_SVPBMT), __RISCV_ISA_EXT_DATA(zicbom, RISCV_ISA_EXT_ZICBOM), __RISCV_ISA_EXT_DATA(zihintpause, RISCV_ISA_EXT_ZIHINTPAUSE), + __RISCV_ISA_EXT_DATA(zisslpcfi, RISCV_ISA_EXT_ZCFI), __RISCV_ISA_EXT_DATA("", RISCV_ISA_EXT_MAX), }; diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c index 93e45560af30..b44e258a7502 100644 --- a/arch/riscv/kernel/cpufeature.c +++ b/arch/riscv/kernel/cpufeature.c 
@@ -228,6 +228,7 @@ void __init riscv_fill_hwcap(void) SET_ISA_EXT_MAP("zihintpause", RISCV_ISA_EXT_ZIHINTPAUSE); SET_ISA_EXT_MAP("sstc", RISCV_ISA_EXT_SSTC); SET_ISA_EXT_MAP("svinval", RISCV_ISA_EXT_SVINVAL); + SET_ISA_EXT_MAP("zisslpcfi", RISCV_ISA_EXT_ZCFI); } #undef SET_ISA_EXT_MAP }
From patchwork Mon Feb 13 04:53:32 2023
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56026
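Review bot: In the arch/riscv/include/asm/hwcap.h hunks (patch 02/20), the new id and key are named `RISCV_ISA_EXT_ZCFI` and `RISCV_ISA_EXT_KEY_ZCFI`, while the string matched in cpu.c and cpufeature.c, and the name used in the commit message, is `zisslpcfi`. The other entries visible in these hunks use the extension string as the suffix (`zihintpause` with `RISCV_ISA_EXT_ZIHINTPAUSE`, `svinval` with `RISCV_ISA_EXT_SVINVAL`), so `RISCV_ISA_EXT_ZISSLPCFI` would keep the enum searchable from the device tree string. The trailing comma added after `RISCV_ISA_EXT_ID_MAX` is an unrelated change to the sentinel entry and is better left out of this patch.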
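Review bot: In the arch/riscv/include/asm/processor.h hunk (patch 02/20), `arch_supports_shadow_stack()` and `arch_supports_indirect_br_lp_instr()` both return `__riscv_isa_extension_available(NULL, RISCV_ISA_EXT_ZCFI)`, so the two predicates can never differ even though they are guarded by separate config options. If that is intended because zisslpcfi always provides both mechanisms, say so in a comment above the helpers; otherwise one shared helper would be clearer. These `static inline` definitions also collide with the `extern` declarations that patch 01/20 adds to include/linux/processor.h for the same config symbols, so one of the two forms has to go.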
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 03/20] riscv: zisslpcfi extension csr and bit definitions
Date: Sun, 12 Feb 2023 20:53:32 -0800
Message-Id: <20230213045351.3945824-4-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

zisslpcfi extension extends xstatus CSR to hold enabling bits for shadow stack, forward cfi (landing pad instruction enforcement on indirect call/jmp) and recording current landing pad state of cpu.

zisslpcfi adds two new CSRs
- CSR_LPLR: Strict forward control flow can be implemented by compiler by doing label match on target with label generated on call-site. This CSR can be programmed with label (preserving current abi). New instrs are provided to place label values in this CSR.
- CSR_SSP: Return control flow is protected via shadow stack. CSR_SSP contains current shadow stack pointer.

Signed-off-by: Deepak Gupta
--- arch/riscv/include/asm/csr.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 0e571f6483d9..243031d1d305 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h
@@ -18,6 +18,23 @@ #define SR_MPP _AC(0x00001800, UL) /* Previously Machine */ #define SR_SUM _AC(0x00040000, UL) /* Supervisor User Memory Access */ +/* zisslpcfi status bits */ +#define SR_UFCFIEN _AC(0x00800000, UL) +#define SR_UBCFIEN _AC(0x01000000, UL) +#define SR_SPELP _AC(0x02000000, UL) +#define SR_MPELP _AC(0x04000000, UL) +#ifdef CONFIG_RISCV_M_MODE +#define SR_ELP SR_MPELP +#else +#define SR_ELP SR_SPELP +#endif + +#ifdef CONFIG_RISCV_M_MODE +#define CFISTATUS_MASK (SR_UFCFIEN | SR_UBCFIEN | SR_MPELP | SR_SPELP) +#else +#define CFISTATUS_MASK (SR_ELP | SR_UFCFIEN | SR_UBCFIEN) +#endif + #define SR_FS _AC(0x00006000, UL) /* Floating-point Status */ #define SR_FS_OFF _AC(0x00000000, UL) #define SR_FS_INITIAL _AC(0x00002000, UL) 
@@ -168,6 +185,14 @@ #define ENVCFG_CBIE_INV _AC(0x3, UL) #define ENVCFG_FIOM _AC(0x1, UL) +/* + * zisslpcfi user mode csrs + * CSR_LPLR is a label register which holds compiler generated label that must be checked on target. + * CSR_SSP holds current shadow stack pointer. + */ +#define CSR_LPLR 0x006 +#define CSR_SSP 0x020 + /* symbolic CSR names: */ #define CSR_CYCLE 0xc00 #define CSR_TIME 0xc01
From patchwork Mon Feb 13 04:53:33 2023
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56027
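Review bot: In the first hunk of arch/riscv/include/asm/csr.h (patch 03/20), `SR_UFCFIEN`, `SR_UBCFIEN`, `SR_SPELP` and `SR_MPELP` carry no per-bit comments, unlike the neighbouring `SR_MPP` and `SR_SUM` lines, and the commit message only describes them collectively. Please add a trailing comment to each saying which mechanism it enables or which landing pad state it records. The two consecutive `#ifdef CONFIG_RISCV_M_MODE` blocks can be merged into one, and `CFISTATUS_MASK` needs a comment explaining why the M-mode build includes both `SR_MPELP` and `SR_SPELP` while the other build includes only `SR_ELP`.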
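Review bot: In the second hunk of arch/riscv/include/asm/csr.h (patch 03/20), `CSR_LPLR` and `CSR_SSP` are inserted between the `ENVCFG_*` field definitions and the `/* symbolic CSR names: */` comment, so they end up outside the block this header uses for CSR numbers. Moving them below that comment keeps all CSR addresses together. The comment line describing `CSR_LPLR` is very long and should be wrapped, and it could state the label width, which patch 04/20 gives as 25 bits in the `lp_label` comment.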
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 04/20] riscv: kernel enabling user code for shadow stack and landing pad
Date: Sun, 12 Feb 2023 20:53:33 -0800
Message-Id: <20230213045351.3945824-5-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Enables architectural support for shadow stack and landing pad instr for user mode on riscv.

This patch does following
- Defines a new structure cfi_status
- Includes cfi_status in thread_info
- Defines offsets to new member fields in thread_info in asm-offsets.c
- Saves and restores cfi state on trap entry (U --> S) and exit (S --> U)

Signed-off-by: Deepak Gupta
--- arch/riscv/include/asm/processor.h | 11 ++++++++ arch/riscv/include/asm/thread_info.h | 5 ++++ arch/riscv/kernel/asm-offsets.c | 5 ++++ arch/riscv/kernel/entry.S | 40 ++++++++++++++++++++++++++++ 4 files changed, 61 insertions(+) diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index bdebce2cc323..f065309927b1 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h
@@ -41,6 +41,17 @@ struct thread_struct { unsigned long bad_cause; }; +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) +struct cfi_status { + unsigned int ufcfi_en : 1; /* Enable for forward cfi. Note that ELP goes in sstatus */ + unsigned int ubcfi_en : 1; /* Enable for backward cfi. */ + unsigned int rsvd1 : 30; + unsigned int lp_label; /* saved label value (25bit) */ + long user_shdw_stk; /* Current user shadow stack pointer */ + long shdw_stk_base; /* Base address of shadow stack */ +}; +#endif + /* Whitelist the fstate from the task_struct for hardened usercopy */ static inline void arch_thread_struct_whitelist(unsigned long *offset, unsigned long *size) diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h index 67322f878e0d..f74b8bd55d5b 100644 --- a/arch/riscv/include/asm/thread_info.h +++ b/arch/riscv/include/asm/thread_info.h @@ -65,6 +65,11 @@ struct thread_info { */ long kernel_sp; /* Kernel stack pointer */ long user_sp; /* User stack pointer */ +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + /* cfi_state only if config is defined */ + /* state of user cfi state. note this includes LPLR and SSP as well */ + struct cfi_status user_cfi_state; +#endif int cpu; }; diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c index df9444397908..340e6413cf3c 100644 --- a/arch/riscv/kernel/asm-offsets.c +++ b/arch/riscv/kernel/asm-offsets.c 
@@ -38,6 +38,11 @@ void asm_offsets(void) OFFSET(TASK_TI_KERNEL_SP, task_struct, thread_info.kernel_sp); OFFSET(TASK_TI_USER_SP, task_struct, thread_info.user_sp); +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + OFFSET(TASK_TI_USER_CFI_STATUS, task_struct, thread_info.user_cfi_state); + OFFSET(TASK_TI_USER_LPLR, task_struct, thread_info.user_cfi_state.lp_label); + OFFSET(TASK_TI_USER_SSP, task_struct, thread_info.user_cfi_state.user_shdw_stk); +#endif OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S index 99d38fdf8b18..f283130c81ec 100644 --- a/arch/riscv/kernel/entry.S +++ b/arch/riscv/kernel/entry.S @@ -73,6 +73,31 @@ _save_context: REG_S x30, PT_T5(sp) REG_S x31, PT_T6(sp) +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + /* + * If U --> S, CSR_SCRATCH should be holding U TP + * If S --> S, CSR_SCRATCH should be holding S TP + * s2 == tp means, previous mode was S + * else previous mode U + * we need to save cfi status only when previous mode was U + */ + csrr s2, CSR_SCRATCH + xor s2, s2, tp + beqz s2, skip_bcfi_save + /* load cfi status word */ + lw s2, TASK_TI_USER_CFI_STATUS(tp) + andi s3, s2, 1 + beqz s3, skip_fcfi_save + /* fcfi is enabled, capture ELP and LPLR state and record it */ + csrr s3, CSR_LPLR /* record label register */ + sw s3, TASK_TI_USER_LPLR(tp) /* save it back in thread_info structure */ +skip_fcfi_save: + andi s3, s2, 2 + beqz s3, skip_bcfi_save + csrr s3, CSR_SSP + REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ +skip_bcfi_save: +#endif /* * Disable user-mode memory access as it should only be set in the * actual user copy routines. 
@@ -283,6 +308,21 @@ resume_userspace: */ csrw CSR_SCRATCH, tp +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + lw s2, TASK_TI_USER_CFI_STATUS(tp) + andi s3, s2, 1 + beqz s3, skip_fcfi_resume + xor s3, s3, s3 + lw s3, TASK_TI_USER_LPLR(tp) + csrw CSR_LPLR, s3 +skip_fcfi_resume: + andi s3, s2, 2 + beqz s3, skip_bcfi_resume + REG_L s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */ + csrw CSR_SSP, s3 +skip_bcfi_resume: +#endif + restore_all: #ifdef CONFIG_TRACE_IRQFLAGS REG_L s1, PT_STATUS(sp) From patchwork Mon Feb 13 04:53:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56035 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175458wrn; Sun, 12 Feb 2023 20:56:02 -0800 (PST) X-Google-Smtp-Source: AK7set+iz/ZvQtdkk06Wz8SZMUFqQvxn2QfyHUkcA3okx65OQ+uii7Q2HEQjovMBAaIIcsba5Pxe X-Received: by 2002:a05:6a21:3884:b0:be:a3b2:cc7d with SMTP id yj4-20020a056a21388400b000bea3b2cc7dmr17462168pzb.6.1676264161823; Sun, 12 Feb 2023 20:56:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264161; cv=none; d=google.com; s=arc-20160816; b=EOlZ3zS6nXmugtKQ5EIq9DwfMiqFm+KaVEE8bJ6tUF77Gj2s++H/K/ep29nv8dXyx7 DADBKbkkbNmYA2+mhBUMFQR3UcPO7M5yXxwnVHNMmkMm9+RjffVbf+BJr4BdyuDuAiAT D3y98+g9vXOiBbX0tjK66TB6eg5RDfrLFk2VT6bOiNNr0pC8xjzwzuuvoCNqL54ImQXy G2srYr+K6evFkBKY7bvlPuKm5uL7LHXdBezX6iEprd4EVMcsbuJpE73jfH5jeoLeONYT MSAq8T3MxH674SWt9IhXrl+dTs0laI5DlPx3P7P6vOr74+tpC+1fyQlDsXEu9ok4Sdli tprA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Lt6u6bYwhuTYMTt/YfubY13MWrPuafF8Y1u+P5cWyE8=; b=rd982alSara36xMP6tNsuAsqCkp7phFuoGVjbcbZNK1m3+mpmdZCZpdU5Vvybv4Y/5 pVJIwjR0UNaygAWt2tzIMFn0nlEZwggfp7JdVM0b1WqfZ9N16vnU073B8/QmKvt8F48Y 
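Review bot: in the _save_context hunk of entry.S, "andi s3, s2, 1" and "andi s3, s2, 2" test the enable bits by assuming that the C bitfields "ufcfi_en : 1" and "ubcfi_en : 1" of struct cfi_status land in bits 0 and 1 of the word loaded from TASK_TI_USER_CFI_STATUS. Bitfield layout is left to the compiler and ABI, so the C definition and the assembly can drift apart without a build error. Declaring the status word as a plain unsigned int with named mask macros shared by C and assembly removes both that dependency and the magic constants. The comment "capture ELP and LPLR state" also promises more than the code does: only LPLR is saved here.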
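Review bot: in the resume_userspace hunk of entry.S, "xor s3, s3, s3" is dead code because the next instruction, "lw s3, TASK_TI_USER_LPLR(tp)", overwrites s3; drop it. The comment on "REG_L s3, TASK_TI_USER_SSP(tp)" still says "save user ssp in thread_info", but this is the return path that loads the saved value into CSR_SSP, so the comment should describe a restore.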
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Arnd Bergmann, Andrew Morton, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta, linux-arch@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v1 RFC Zisslpcfi 05/20] mmap : Introducing new protection "PROT_SHADOWSTACK" for mmap
Date: Sun, 12 Feb 2023 20:53:34 -0800
Message-Id: <20230213045351.3945824-6-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Major architectures (x86, arm, riscv) have introduced shadow stack support in their architecture for return control flow integrity. ISA extensions have some special encodings to make sure this shadow stack page has a special property in the page table, i.e. a readonly page but still writeable under special scenarios. As an example, x86 has `call` (or new shadow stack instructions) which can perform a store on the shadow stack but regular stores are disallowed. Similarly, riscv has the sspush & ssamoswap instructions which can perform stores but regular stores are not allowed.

As is evident, a page which can only be written by certain special instructions but otherwise appears readonly to regular stores needs a new protection flag.

This patch introduces a new mmap protection flag to indicate such protection in a generic manner. Architectures can implement such protection using arch specific encodings in page tables.
Signed-off-by: Deepak Gupta --- include/uapi/asm-generic/mman-common.h | 6 ++++++ mm/mmap.c | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/include/uapi/asm-generic/mman-common.h b/include/uapi/asm-generic/mman-common.h index 6ce1f1ceb432..c8e549b29a24 100644 --- a/include/uapi/asm-generic/mman-common.h +++ b/include/uapi/asm-generic/mman-common.h @@ -11,6 +11,12 @@ #define PROT_WRITE 0x2 /* page can be written */ #define PROT_EXEC 0x4 /* page can be executed */ #define PROT_SEM 0x8 /* page may be used for atomic ops */ +/* + * Major architectures (x86, aarch64, riscv) have shadow stack now. Each architecture can + * choose to implement different PTE encodings. x86 encodings are PTE.R=0, PTE.W=1, PTE.D=1 + * riscv encodings are PTE.R=0, PTE.W=1. Aarch64 encodings are not published yet + */ +#define PROT_SHADOWSTACK 0x40 /* 0x10 reserved for arch-specific use */ /* 0x20 reserved for arch-specific use */ #define PROT_NONE 0x0 /* page can not be accessed */ diff --git a/mm/mmap.c b/mm/mmap.c index 425a9349e610..7e877c93d711 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -46,6 +46,7 @@ #include #include #include +#include #include #include 
@@ -1251,6 +1252,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (!len) return -EINVAL; + /* If PROT_SHADOWSTACK is specified and arch doesn't support it, return -EINVAL */ + if ((prot & PROT_SHADOWSTACK) && !arch_supports_shadow_stack()) + return -EINVAL; /* * Does the application expect PROT_READ to imply PROT_EXEC? * From patchwork Mon Feb 13 04:53:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56028 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175324wrn; Sun, 12 Feb 2023 20:55:31 -0800 (PST) X-Google-Smtp-Source: AK7set+fJ4m22mOwRn9uVhZJJ73Jnovqe0wBJTABaZr6gLxi2ohBvobOxjvBP6SH75KBOkr2p9Yh X-Received: by 2002:a17:903:120e:b0:193:1fc5:f611 with SMTP id l14-20020a170903120e00b001931fc5f611mr26766417plh.38.1676264131572; Sun, 12 Feb 2023 20:55:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264131; cv=none; d=google.com; s=arc-20160816; b=pvGTkTBUgDBg6TSSGtlgAic+o5yF6iUyq7Gqjqq0ZuWQacetSGMmlHz5I4MbwCERjU oOVU4lLwpcnaVyAa6HhOdI87A9VoIUdXhufSQdzZxectU0IQGa0yTzvukH8gPEAvlZQN ZBd/4fqcLjrwQwR0cbpd8tvSEuQxVqc4DnBkfcyUtCUlsb8kCOivmrI7FUBOrYlUP8xl KY45a9rkV8MTOqRMzX9PFQvo7AoloUZ8pZo3uHig9N43+KeNBVTraUDl/uAr9kC10iaW gTRIQtqRPrDvXf0c39d9f+GoHpeZKTbjh+6KCycjbPOkzqDCI2lUXM1cS3dcp4vDmf+5 lSzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=NtGFk1nMQnbVrTZQtdZEMWvYWxpeM1anGce2t/6Js4o=; b=UWYYTYq8LmB0njHk5uH4RBZ+8Xbc2KzhaDcw0DPw1+tY5OpUXZM/aK2iGV3VhogF02 tWknuF8ITx5FWiLrmscO8bJLvQ2qOZtMOOQ5YQQmpQZHZmyYTOhpLPLm3Y1OVB240s/U s6QlTGXBRJi//7NuJTzCI9VdD54DL108KxtliMfjcgxH/LI+YAH89XDNhz9MPYfPGn7R c99GRic/hFAcpEmKCbL5N8f/GfXJlvpbCKkJWPyipgbE8drzPuFLeSYfiv5YUmc7kicK 
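Review bot: in the mman-common.h hunk, the comment gives the x86 encoding as "PTE.W=1, PTE.D=1", which describes an ordinary dirty writable page and contradicts the commit message's "readonly page"; x86 shadow stack pages are marked Write=0, Dirty=1. Per-architecture PTE encodings also do not belong in a generic uapi header, so keep the comment to what the flag means to userspace. Placing the 0x40 define above the existing "0x10 reserved" and "0x20 reserved" comments breaks the numeric ordering of the list; move it below them.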
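Review bot: in the do_mmap() hunk of mm/mmap.c, the new check calls arch_supports_shadow_stack(), but the diffstat covers only mman-common.h and mm/mmap.c and neither adds a generic fallback, so every architecture without its own definition needs a default that returns false or the build breaks there. Only the mmap path is touched; the commit message should state how mprotect() is expected to treat the new bit, so that the unsupported-architecture behaviour is the same on both entry points.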
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 06/20] riscv: Implementing "PROT_SHADOWSTACK" on riscv
Date: Sun, 12 Feb 2023 20:53:35 -0800
Message-Id: <20230213045351.3945824-7-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

This patch implements the new mmap protection flag "PROT_SHADOWSTACK" on riscv.

The Zisslpcfi extension on riscv uses R=0, W=1, X=0 as the shadow stack PTE encoding. This encoding is reserved if Zisslpcfi is not implemented or backward cfi is not enabled for the respective mode.

Signed-off-by: Deepak Gupta
---
 arch/riscv/include/asm/mman.h | 19 +++++++++++++++++++
 arch/riscv/include/asm/pgtable.h | 1 +
 arch/riscv/kernel/sys_riscv.c | 22 ++++++++++++++++++++++
 arch/riscv/mm/init.c | 2 +-
 4 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 arch/riscv/include/asm/mman.h

diff --git a/arch/riscv/include/asm/mman.h b/arch/riscv/include/asm/mman.h new file mode 100644 index 000000000000..9c8499294a60 --- /dev/null +++ b/arch/riscv/include/asm/mman.h
@@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef __ASM_MMAN_H__ +#define __ASM_MMAN_H__ + +#include +#include +#include + +static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot, + unsigned long pkey __always_unused) +{ + unsigned long ret = 0; + + ret = (prot & PROT_SHADOWSTACK)?VM_WRITE:0; + return ret; +} +#define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey) + +#endif /* ! __ASM_MMAN_H__ */ diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 4eba9a98d0e3..74dbe122f2fa 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -159,6 +159,7 @@ extern struct pt_alloc_ops pt_ops __initdata; #define PAGE_READ_EXEC __pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_EXEC) #define PAGE_WRITE_EXEC __pgprot(_PAGE_BASE | _PAGE_READ | \ _PAGE_EXEC | _PAGE_WRITE) +#define PAGE_SHADOWSTACK __pgprot(_PAGE_BASE | _PAGE_WRITE) #define PAGE_COPY PAGE_READ #define PAGE_COPY_EXEC PAGE_EXEC diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c index 5d3f2fbeb33c..c3cf6b94c710 100644 --- a/arch/riscv/kernel/sys_riscv.c +++ b/arch/riscv/kernel/sys_riscv.c 
@@ -18,6 +18,28 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len, if (unlikely(offset & (~PAGE_MASK >> page_shift_offset))) return -EINVAL; + /* + * If only PROT_WRITE is specified then extend that to PROT_READ + * protection_map[VM_WRITE] is now going to select shadow stack encodings. + * So specifying PROT_WRITE actually should select protection_map [VM_WRITE | VM_READ] + * If user wants to create shadow stack then they should specify PROT_SHADOWSTACK + * protection + */ + if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ))) + prot |= PROT_READ; + + /* + * PROT_SHADOWSTACK is new protection flag. If specified with other like PROT_WRITE or + * PROT_READ PROT_SHADOWSTACK takes precedence. We can do either of following + * - ensure no other protection flags are specified along with it and return EINVAL + * OR + * - ensure we clear other protection flags. + * Choosing to follow former, if any other bit is set in prot, we return EINVAL + * Other architectures can treat different combinations for PROT_SHADOWSTACK + */ + if (unlikely((prot & PROT_SHADOWSTACK) && (prot & ~PROT_SHADOWSTACK))) + return -EINVAL; + return ksys_mmap_pgoff(addr, len, prot, flags, fd, offset >> (PAGE_SHIFT - page_shift_offset)); } diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c index 478d6763a01a..ba8138c90450 100644 --- a/arch/riscv/mm/init.c +++ b/arch/riscv/mm/init.c 
@@ -294,7 +294,7 @@ static pmd_t __maybe_unused early_dtb_pmd[PTRS_PER_PMD] __initdata __aligned(PAG static const pgprot_t protection_map[16] = { [VM_NONE] = PAGE_NONE, [VM_READ] = PAGE_READ, - [VM_WRITE] = PAGE_COPY, + [VM_WRITE] = PAGE_SHADOWSTACK, [VM_WRITE | VM_READ] = PAGE_COPY, [VM_EXEC] = PAGE_EXEC, [VM_EXEC | VM_READ] = PAGE_READ_EXEC, From patchwork Mon Feb 13 04:53:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56029 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175341wrn; Sun, 12 Feb 2023 20:55:35 -0800 (PST) X-Google-Smtp-Source: AK7set/vWxFt+XLfeTQMSMZ1cRMsv6kAPP4fu+/FXzPaiEVnqN6p7Jr/rFFNuAeAaJMSInMPSCsh X-Received: by 2002:aa7:9d1b:0:b0:5a8:b37e:bb5 with SMTP id k27-20020aa79d1b000000b005a8b37e0bb5mr2729683pfp.12.1676264135136; Sun, 12 Feb 2023 20:55:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264135; cv=none; d=google.com; s=arc-20160816; b=kdyvzPQIKVFnV9yR/93VU2AyKwwJEeR7MvmSmTwE1o/7TwsdqCJucdqR34m4+9KnPM 2zqR+VLwp5A/7bXQusyaqbJjqmKNxf6JSmUrPFgoU0csGeYiaZ0bQ02gCyD1ys0SbUCl 6HdXgGRBFs0DDIdFMxitceLmxoYQo3kFmRKKRmhUcw25WwEvz7XHmGLqyHNSNJm/48pO EVDbUQbRxMl9fpmx1AGhp6py/tb+X/EJMmI28nnCx83q4izWbdD8W2UkpmSJY0jZUK5U OvDClSUsM3rEUTfG8CyFQAz57r2/jsg7TuezwnvCH9Wm0vzUo4wSNJzUZJV/CMYyqzHP 9tRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=oP4wZ0K6nVayFSsIwI2M/qbAeCayW2BZaB6BdNSazd0=; b=G2t0t0pMgF1MehNW/ehYgUoZbNx1bLVsr6iiTFQrPp5BU6AO+QS5c6iozhR/DwUsqx 5cxu3LLW+luL4/lA+a/iO/xMgaMoMd++mW8n8XMWKLSY4sFngCLU3aZnTdPHpdXUvKs6 122Eag9ziBhpuVi1LniRPms8j95c1o6ZwZTrsD3CatSMwCH8VmJ+1ztRl+zeuZIyW6Nd IpqOhFJt587k1xf2qrNoiawLOTxZaW3fhmMNpP7bQQekiESnc4eKEnUPQQdu28SoFYDu 
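Review bot: in the init.c hunk, "[VM_WRITE] = PAGE_SHADOWSTACK" combined with arch_calc_vm_prot_bits() in the new mman.h (PROT_SHADOWSTACK becomes plain VM_WRITE) makes a shadow stack VMA indistinguishable from any write-only private VMA. The promotion of PROT_WRITE to PROT_READ | PROT_WRITE that guards against this lives only in riscv_sys_mmap(), so any other path that yields VM_WRITE without VM_READ, an mprotect() to PROT_WRITE on an existing mapping for example, would select the shadow stack PTE encoding for ordinary memory. A dedicated VM flag for shadow stack, with the page protection derived from that flag, avoids overloading the write-only combination. Minor: "(prot & PROT_SHADOWSTACK)?VM_WRITE:0" needs spaces around "?" and ":".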
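Review bot: in the riscv_sys_mmap() hunk, the PROT_SHADOWSTACK check rejects other prot bits but places no constraint on flags or fd, so a file-backed or MAP_SHARED mapping can be requested with shadow stack protection; either restrict it to anonymous private mappings or say in the comment why the other cases are acceptable. The comment also contradicts itself: it first says PROT_SHADOWSTACK "takes precedence" over other flags and then that the combination returns EINVAL. Keep only the behaviour the code implements.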
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Alexander Viro, Eric Biederman, Kees Cook, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v1 RFC Zisslpcfi 07/20] elf: ELF header parsing in GNU property for cfi state
Date: Sun, 12 Feb 2023 20:53:36 -0800
Message-Id: <20230213045351.3945824-8-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Binaries enabled with support for control-flow integrity will have new instructions that may fault on cpus which don't implement cfi mechanisms.

This change adds
- stub for setting up cfi state when loading a binary. Architecture specific implementation can choose to implement this stub and set up cfi state for the program.
- define riscv ELF flag marker for forward cfi and backward cfi in uapi/linux/elf.h

Signed-off-by: Deepak Gupta
---
 fs/binfmt_elf.c | 5 +++++
 include/linux/elf.h | 8 ++++++++
 include/uapi/linux/elf.h | 6 ++++++
 3 files changed, 19 insertions(+)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 9a780fafc539..bb431052eb01 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c
@@ -1277,6 +1277,11 @@ static int load_elf_binary(struct linux_binprm *bprm) set_binfmt(&elf_format); +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + retval = arch_elf_setup_cfi_state(&arch_state); + if (retval < 0) + goto out; +#endif #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter); if (retval < 0) diff --git a/include/linux/elf.h b/include/linux/elf.h index c9a46c4e183b..106d28f065aa 100644 --- a/include/linux/elf.h +++ b/include/linux/elf.h @@ -109,4 +109,12 @@ static inline int arch_elf_adjust_prot(int prot, } #endif +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) +extern int arch_elf_setup_cfi_state(const struct arch_elf_state *state); +#else +static inline int arch_elf_setup_cfi_state(const struct arch_elf_state *state) +{ + return 0; +} +#endif #endif /* _LINUX_ELF_H */ diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h index 4c6a8fa5e7ed..1cbd332061dc 100644 --- a/include/uapi/linux/elf.h +++ b/include/uapi/linux/elf.h 
@@ -468,4 +468,10 @@ typedef struct elf64_note { /* Bits for GNU_PROPERTY_AARCH64_FEATURE_1_BTI */ #define GNU_PROPERTY_AARCH64_FEATURE_1_BTI (1U << 0) +/* .note.gnu.property types for RISCV: */ +/* Bits for GNU_PROPERTY_RISCV_FEATURE_1_FCFI/BCFI */ +#define GNU_PROPERTY_RISCV_FEATURE_1_AND 0xc0000000 +#define GNU_PROPERTY_RISCV_FEATURE_1_FCFI (1u << 0) +#define GNU_PROPERTY_RISCV_FEATURE_1_BCFI (1u << 1) + #endif /* _UAPI_LINUX_ELF_H */ From patchwork Mon Feb 13 04:53:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56030 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175365wrn; Sun, 12 Feb 2023 20:55:40 -0800 (PST) X-Google-Smtp-Source: AK7set8kGPtw+qsN+1S4sOuRxDaz3QLHzD9b62hH4cYcfII7Lx7UEZAcF8TGWSBA+xZRewio7piY X-Received: by 2002:a05:6a20:8f0c:b0:be:b878:6d78 with SMTP id b12-20020a056a208f0c00b000beb8786d78mr30308469pzk.50.1676264139904; Sun, 12 Feb 2023 20:55:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264139; cv=none; d=google.com; s=arc-20160816; b=BWJWkdDvACkiKQHfpudCAVF4MtzAq95qu6l87TRpJ1SkKYP5j+xNWGBZdc7Gcs+qVb /k3re46QcwlPc/DX1oXo4Gn0W7UrzZV7UT3QAX7sUpaWoQ6qfSEVB1ljJz34fPAABXY+ WELl/JyCYs/ZDtf3/+dDi2r33XsbXdHxo2ffWG0OZZub2nXVGlJssLFiGZvdYX5OnLbp WKwwrqigybTUrOdqh3EOcLDXVWp7RR8RvxyjyjPt8s3fZu5h7EHoDxL9I+jzYvucJY7F izL5tR0RH0C51mmmGY9PIIqPB4Up9dpIoowULOxGi0zxP8yLI9+ylI4ygdocOtlghPTs 0kbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=o6mU7eTgSI6j468x6JlFr8IfE22BslDPe1KItKKWUgQ=; b=WAwf1gBaHnNF5Lk37RGyHyXdTESD8YEAb/QMNC9zzTgg2s8+aeFr75hgierT78nMsD AkLB7BQ4Kf1Wj/IcWUillZ4+zAfbd731oMGCjjEmB78McUZ63RmJh3d0VOCrRsWrPOb9 +C//KRfBdUaDNDkgGtMM8FDgY9X1O5+KN9reXetEb/5cOiN1eYFn8pKaKoO90vML2Afe 
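Review bot: in the load_elf_binary() hunk, the "#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP)" guard around the call is redundant, because include/linux/elf.h in this same patch already supplies a static inline arch_elf_setup_cfi_state() that returns 0 when neither option is set. Call it unconditionally and keep the #ifdef out of the .c file. The commit message says the stub exists so that an architecture can set up cfi state, but it does not say what load_elf_binary() should do when the binary is marked and the CPU lacks the feature; document whether a negative return here is meant to fail the exec.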
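Review bot: in the uapi/linux/elf.h hunk, the comment "Bits for GNU_PROPERTY_RISCV_FEATURE_1_FCFI/BCFI" names the bit macros rather than the property they belong to; it should read "Bits for GNU_PROPERTY_RISCV_FEATURE_1_AND" and sit below that define, directly above the two bit definitions. The new lines use "1u" where the AArch64 line just above uses "1U"; match the existing style. Since these are uapi values that the toolchain must agree on, the commit message should also point at the specification that assigns them.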
7vRGxAIIbPvBwHCo0vdRdfO9stb6hwdhH7BxDI7WXe81OEl98ziZ/6RwkHE/wW4EK8QX Jp7+aS5pfo+mZzyHttmNTp2sNPco3rkYZEBKHdAy7FHAgMkqlu7d9ptwNdTejUyyJFBO Gsmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rivosinc-com.20210112.gappssmtp.com header.s=20210112 header.b=qYf8FTmW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n1-20020a639701000000b004fb1515316bsi10540029pge.192.2023.02.12.20.55.27; Sun, 12 Feb 2023 20:55:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@rivosinc-com.20210112.gappssmtp.com header.s=20210112 header.b=qYf8FTmW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229925AbjBMEyr (ORCPT + 99 others); Sun, 12 Feb 2023 23:54:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51982 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229769AbjBMEy1 (ORCPT ); Sun, 12 Feb 2023 23:54:27 -0500 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D023AE071 for ; Sun, 12 Feb 2023 20:54:14 -0800 (PST) Received: by mail-pj1-x1031.google.com with SMTP id nh19-20020a17090b365300b00233ceae8407so3451073pjb.3 for ; Sun, 12 Feb 2023 20:54:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=o6mU7eTgSI6j468x6JlFr8IfE22BslDPe1KItKKWUgQ=; b=qYf8FTmWzIZq1sj/cRWNqkDlyaUrlHtAkUn706G2DjlsOFiB0iWKuqtT+MxmEI3t6T Ff0DhMKpSFR6ca05rAxMPooGPzA1kFOzhjYrqNY3J0Ka4Zz14ybBi+36q/CVw1rjCcJQ s21yu/DiDLNr4UUmwy6Wsgi9sOq9iax7KYKB0pZOhEhM5LpPkR5ngeHS/g47Fh7aN/AI cMC9Y8a3hzHTiL32AkRANplY0UlHrCUshHymlqQKPn6qaw5BdiwO3FgxJ0F1Iu/SSLhy 5pCenej/IO1VFA3WT/JAMOuCLszHyDZbQ8niFlM4YacqhxIEIz1YG6akTVFEeYQFxrxP 0ULQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=o6mU7eTgSI6j468x6JlFr8IfE22BslDPe1KItKKWUgQ=; b=37n2qT2X0kT4d2V8R8isr+Q+lJ3NtFDky45Nti/tS9vwLujMls/tZcYJHL2IY/zjQ2 mNM6grrZmhyaD0xzFvA0x2W75ktXPCSgF6KdpBLtj6RKjyepgNwjA9xQnDtTZYLxkN0J Ju399y89UvUpEpK7Ha7MKH3A+5VkJzGdMRh/cFjoF7TZHwf/yAmdFPoCyQTwbartp+sh PpG0QFyEac8yvKaoMpuEODzMA+oQ7TmnhUfirMfbpSeilvw008xZjAy9PsMGhqz9HdrF XUMrFruQPpahTJ7Uy3unZa/TMdWrwm9X4PKzgrDU0fKDpBufijfvd5U12s/HPd/oDe5i 70qQ== X-Gm-Message-State: AO0yUKVx2b0DB0RVQZW9bkf9zmbPbCbxmnHeRVDNHDFOvILQphDVfkPW w/oJ6ehEKbILGJI3/hCAjCyPj58DKPgDzsQ5 X-Received: by 2002:a17:903:1c2:b0:198:e1b8:9476 with SMTP id e2-20020a17090301c200b00198e1b89476mr29006123plh.15.1676264053898; Sun, 12 Feb 2023 20:54:13 -0800 (PST) Received: from debug.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id e5-20020a170902784500b00189e7cb8b89sm7078303pln.127.2023.02.12.20.54.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 12 Feb 2023 20:54:13 -0800 (PST) 
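Review bot: In the _UAPI_LINUX_ELF_H hunk above, GNU_PROPERTY_RISCV_FEATURE_1_AND is a property type, yet it sits directly under the "Bits for GNU_PROPERTY_RISCV_FEATURE_1_FCFI/BCFI" comment while the ".note.gnu.property types for RISCV" comment has nothing under it. Put the type define under the types comment and the two bit defines under the bits comment, and write the shifts as (1U << n) to match the AArch64 define in the context line just above.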
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou, Eric Biederman, Kees Cook
Cc: Deepak Gupta, linux-mm@kvack.org
Subject: [PATCH v1 RFC Zisslpcfi 08/20] riscv: ELF header parsing in GNU property for riscv zisslpcfi
Date: Sun, 12 Feb 2023 20:53:37 -0800
Message-Id: <20230213045351.3945824-9-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Binaries enabled for Zisslpcfi will have new instructions that may fault on risc-v cpus which don't implement Zimops or Zicfi. This change adds
- support for parsing new backward and forward cfi flags in PT_GNU_PROPERTY
- setting cfi state on recognizing cfi flags in ELF
- enable back cfi and forward cfi in sstatus

Signed-off-by: Deepak Gupta
--- arch/riscv/include/asm/elf.h | 54 +++++++++++++++++++++++++++++ arch/riscv/kernel/process.c | 67 ++++++++++++++++++++++++++++++++++++ 2 files changed, 121 insertions(+) diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h index e7acffdf21d2..60ac2d2390ee 100644 --- a/arch/riscv/include/asm/elf.h +++ b/arch/riscv/include/asm/elf.h @@ -14,6 +14,7 @@ #include #include #include +#include /* * These are used to set parameters in the core dumps.
@@ -140,4 +141,57 @@ extern int compat_arch_setup_additional_pages(struct linux_binprm *bprm, compat_arch_setup_additional_pages #endif /* CONFIG_COMPAT */ + +#define RISCV_ELF_FCFI (1 << 0) +#define RISCV_ELF_BCFI (1 << 1) + +#ifdef CONFIG_ARCH_BINFMT_ELF_STATE +struct arch_elf_state { + int flags; +}; + +#define INIT_ARCH_ELF_STATE { \ + .flags = 0, \ +} +#endif + +#ifdef CONFIG_ARCH_USE_GNU_PROPERTY +static inline int arch_parse_elf_property(u32 type, const void *data, + size_t datasz, bool compat, + struct arch_elf_state *arch) +{ + /* + * TODO: Do we want to support in 32bit/compat? + * may be return 0 for now. + */ + if (IS_ENABLED(CONFIG_COMPAT) && compat) + return 0; + if ((type & GNU_PROPERTY_RISCV_FEATURE_1_AND) == GNU_PROPERTY_RISCV_FEATURE_1_AND) { + const u32 *p = data; + + if (datasz != sizeof(*p)) + return -ENOEXEC; + if (arch_supports_indirect_br_lp_instr() && + (*p & GNU_PROPERTY_RISCV_FEATURE_1_FCFI)) + arch->flags |= RISCV_ELF_FCFI; + if (arch_supports_shadow_stack() && (*p & GNU_PROPERTY_RISCV_FEATURE_1_BCFI)) + arch->flags |= RISCV_ELF_BCFI; + } + return 0; +} + +static inline int arch_elf_pt_proc(void *ehdr, void *phdr, + struct file *f, bool is_interp, + struct arch_elf_state *state) +{ + return 0; +} + +static inline int arch_check_elf(void *ehdr, bool has_interp, + void *interp_ehdr, + struct arch_elf_state *state) +{ + return 0; +} +#endif #endif /* _ASM_RISCV_ELF_H */ diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index 8955f2432c2d..db676262e61e 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -24,6 +24,7 @@ #include #include #include +#include register unsigned long gp_in_global __asm__("gp"); 
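Review bot: arch_parse_elf_property() in asm/elf.h tests the property type with (type & GNU_PROPERTY_RISCV_FEATURE_1_AND) == GNU_PROPERTY_RISCV_FEATURE_1_AND, which is true for every type value with the top two bits set, not only for 0xc0000000. An unrelated property in that range with four bytes of data would have its bits 0 and 1 read as FCFI/BCFI, and one with a different size would fail the exec with -ENOEXEC. Compare for equality (type == GNU_PROPERTY_RISCV_FEATURE_1_AND) instead. The compat branch returns 0 behind a TODO; a comment stating that compat tasks deliberately run without CFI would make the intent explicit.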
@@ -135,6 +136,14 @@ void start_thread(struct pt_regs *regs, unsigned long pc, else regs->status |= SR_UXL_64; #endif +#ifdef CONFIG_USER_SHADOW_STACK + if (current_thread_info()->user_cfi_state.ufcfi_en) + regs->status |= SR_UFCFIEN; +#endif +#ifdef CONFIG_USER_INDIRECT_BR_LP + if (current_thread_info()->user_cfi_state.ubcfi_en) + regs->status |= SR_UBCFIEN; +#endif } void flush_thread(void) 
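Review bot: The config guards in this start_thread() hunk look crossed: CONFIG_USER_SHADOW_STACK guards the forward-CFI test (ufcfi_en / SR_UFCFIEN) and CONFIG_USER_INDIRECT_BR_LP guards the backward-CFI test (ubcfi_en / SR_UBCFIEN), whereas arch_elf_setup_cfi_state() later in this patch ties ubcfi_en to the shadow stack and ufcfi_en to landing pads. With only one of the two options enabled, the sstatus bit for the enabled feature is never set, so a binary marked for it runs without enforcement. Swap the two #ifdef conditions.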
@@ -189,3 +198,61 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) p->thread.sp = (unsigned long)childregs; /* kernel sp */ return 0; } + + +int allocate_shadow_stack(unsigned long *shadow_stack_base, unsigned long *shdw_size) +{ + int flags = MAP_ANONYMOUS | MAP_PRIVATE; + struct mm_struct *mm = current->mm; + unsigned long addr, populate, size; + *shadow_stack = 0; + + if (!shdw_size) + return -EINVAL; + + size = *shdw_size; + + /* If size is 0, then try to calculate yourself */ + if (size == 0) + size = round_up(min_t(unsigned long long, rlimit(RLIMIT_STACK), SZ_4G), PAGE_SIZE); + mmap_write_lock(mm); + addr = do_mmap(NULL, 0, size, PROT_SHADOWSTACK, flags, 0, + &populate, NULL); + mmap_write_unlock(mm); + if (IS_ERR_VALUE(addr)) + return PTR_ERR((void *)addr); + *shadow_stack_base = addr; + *shdw_size = size; + return 0; +} + +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) +/* gets called from load_elf_binary(). This'll setup shadow stack and forward cfi enable */ +int arch_elf_setup_cfi_state(const struct arch_elf_state *state) +{ + int ret = 0; + unsigned long shadow_stack_base = 0; + unsigned long shadow_stk_size = 0; + struct thread_info *info = NULL; + + info = current_thread_info(); + /* setup back cfi state */ + /* setup cfi state only if implementation supports it */ + if (arch_supports_shadow_stack() && (state->flags & RISCV_ELF_BCFI)) { + info->user_cfi_state.ubcfi_en = 1; + ret = allocate_shadow_stack(&shadow_stack_base, &shadow_stk_size); + if (ret) + return ret; + + info->user_cfi_state.user_shdw_stk = (shadow_stack_base + shadow_stk_size); + info->user_cfi_state.shdw_stk_base = shadow_stack_base; + } + /* setup forward cfi state */ + if (arch_supports_indirect_br_lp_instr() && (state->flags & RISCV_ELF_FCFI)) { + info->user_cfi_state.ufcfi_en = 1; + info->user_cfi_state.lp_label = 0; + } + + return ret; +} +#endif \ No newline at end of file From patchwork Mon Feb 13 04:53:38 2023 
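Review bot: allocate_shadow_stack() in the last process.c hunk begins with *shadow_stack = 0; but nothing named shadow_stack is declared (the parameter is shadow_stack_base), so this will not build. If the intent is to zero the output, do it after the !shdw_size check and check shadow_stack_base for NULL as well. In arch_elf_setup_cfi_state(), ubcfi_en is set to 1 before allocate_shadow_stack() is called and stays set when the allocation fails; set it only after shdw_stk_base and user_shdw_stk have been recorded. allocate_shadow_stack() is also defined outside the #if that guards its only caller and is not static, and the file now ends without a trailing newline.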
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56033
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 09/20] riscv mmu: riscv shadow stack page fault handling
Date: Sun, 12 Feb 2023 20:53:38 -0800
Message-Id: <20230213045351.3945824-10-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Shadow stack load/stores to valid non-shadow memory raise access faults. A regular store to shadow stack memory raises an access fault as well.

This patch implements load and store access handler. Load access handler reads faulting instruction and if it was an instruction issuing ss load, it'll invoke page fault handler with a synthetic cause (marked reserved in priv spec).

Similarly store access handler reads faulting instruction and if it was an instruction issuing ss store, it'll invoke page fault handler with a synthetic cause (reserved in spec). All other cases in load/store access handler will lead to SIGSEGV.

There might be concerns that using a reserved exception code may create an issue because some riscv implementation might already be using this code. However counter argument would be, linux kernel is not using this code and thus linux kernel should be able to use this exception code on such a hardware.
Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 3 ++ arch/riscv/kernel/traps.c | 99 ++++++++++++++++++++++++++++++++++++ arch/riscv/mm/fault.c | 23 ++++++++- 3 files changed, 124 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index 243031d1d305..828b1c2a74c2 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -104,6 +104,9 @@ #define EXC_SUPERVISOR_SYSCALL 10 #define EXC_INST_PAGE_FAULT 12 #define EXC_LOAD_PAGE_FAULT 13 +#ifdef CONFIG_USER_SHADOW_STACK +#define EXC_SS_ACCESS_PAGE_FAULT 14 +#endif #define EXC_STORE_PAGE_FAULT 15 #define EXC_INST_GUEST_PAGE_FAULT 20 #define EXC_LOAD_GUEST_PAGE_FAULT 21 diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 549bde5c970a..5553b8d48ba5 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c 
@@ -94,6 +94,85 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code, } } +/* Zisslpcfi instructions encodings */ +#define SS_PUSH_POP 0x81C04073 +#define SS_AMOSWAP 0x82004073 + +bool is_ss_load_store_insn(unsigned long insn) +{ + if ((insn & SS_PUSH_POP) == SS_PUSH_POP) + return true; + /* + * SS_AMOSWAP overlaps with LP_S_LL. + * But LP_S_LL can never raise access fault + */ + if ((insn & SS_AMOSWAP) == SS_AMOSWAP) + return true; + + return false; +} + +ulong get_instruction(ulong epc) +{ + ulong *epc_ptr = (ulong *) epc; + ulong insn = 0; + + __enable_user_access(); + insn = *epc_ptr; + __disable_user_access(); + return insn; +} + +#ifdef CONFIG_USER_SHADOW_STACK +extern asmlinkage void do_page_fault(struct pt_regs *regs); + +/* + * If CFI enabled then following then load access fault can occur if + * ssload (sspop/ssamoswap) happens on non-shadow stack memory. + * This is a valid case when we want to do COW on SS memory on `fork` or memory is swapped out. + * SS memory is marked as readonly and subsequent sspop or sspush will lead to + * load/store access fault. We need to decode instruction. If it's sspop or sspush + * Page fault handler is invoked. + */ +int handle_load_access_fault(struct pt_regs *regs) +{ + ulong insn = get_instruction(regs->epc); + + if (is_ss_load_store_insn(insn)) { + regs->cause = EXC_SS_ACCESS_PAGE_FAULT; + do_page_fault(regs); + return 0; + } + + return 1; +} +/* + * If CFI enabled then following then store access fault can occur if + * -- ssstore (sspush/ssamoswap) happens on non-shadow stack memory + * -- regular store happens on shadow stack memory + */ +int handle_store_access_fault(struct pt_regs *regs) +{ + ulong insn = get_instruction(regs->epc); + + /* + * if a shadow stack store insn, change cause to + * synthetic SS_ACCESS_PAGE_FAULT + */ + if (is_ss_load_store_insn(insn)) { + regs->cause = EXC_SS_ACCESS_PAGE_FAULT; + do_page_fault(regs); + return 0; + } + /* + * Reaching here means it was a regular store. 
+ * A regular access fault anyways had been delivering SIGSEV + * A regular store to shadow stack anyways is also a SIGSEV + */ + return 1; +} +#endif + #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE) #define __trap_section __section(".xip.traps") #else @@ -113,8 +192,18 @@ DO_ERROR_INFO(do_trap_insn_fault, SIGSEGV, SEGV_ACCERR, "instruction access fault"); DO_ERROR_INFO(do_trap_insn_illegal, SIGILL, ILL_ILLOPC, "illegal instruction"); +#ifdef CONFIG_USER_SHADOW_STACK +asmlinkage void __trap_section do_trap_load_fault(struct pt_regs *regs) +{ + if (!handle_load_access_fault(regs)) + return; + do_trap_error(regs, SIGSEGV, SEGV_ACCERR, regs->epc, + "load access fault"); +} +#else DO_ERROR_INFO(do_trap_load_fault, SIGSEGV, SEGV_ACCERR, "load access fault"); +#endif #ifndef CONFIG_RISCV_M_MODE DO_ERROR_INFO(do_trap_load_misaligned, SIGBUS, BUS_ADRALN, "Oops - load address misaligned"); @@ -140,8 +229,18 @@ asmlinkage void __trap_section do_trap_store_misaligned(struct pt_regs *regs) "Oops - store (or AMO) address misaligned"); } #endif +#ifdef CONFIG_USER_SHADOW_STACK +asmlinkage void __trap_section do_trap_store_fault(struct pt_regs *regs) +{ + if (!handle_store_access_fault(regs)) + return; + do_trap_error(regs, SIGSEGV, SEGV_ACCERR, regs->epc, + "store (or AMO) access fault"); +} +#else DO_ERROR_INFO(do_trap_store_fault, SIGSEGV, SEGV_ACCERR, "store (or AMO) access fault"); +#endif DO_ERROR_INFO(do_trap_ecall_u, SIGILL, ILL_ILLTRP, "environment call from U-mode"); DO_ERROR_INFO(do_trap_ecall_s, diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c index d86f7cebd4a7..b5ecf36eba3d 100644 --- a/arch/riscv/mm/fault.c +++ b/arch/riscv/mm/fault.c @@ -18,6 +18,7 @@ #include #include +#include #include "../kernel/head.h" 
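Review bot: get_instruction() in the traps.c hunk reads the faulting instruction with a plain insn = *epc_ptr between __enable_user_access() and __disable_user_access(), and handle_load_access_fault() / handle_store_access_fault() call it on every access fault without checking that the trap came from user mode. If the page at epc is no longer mapped when the handler runs, the dereference faults inside the kernel with no fixup, and the read is a full ulong although the encodings being matched are 32-bit. Read a u32 with get_user() (or a nofault copy), fall through to the SIGSEGV path when the read fails, and return early unless user_mode(regs). Separately, is_ss_load_store_insn() uses each encoding as its own mask ((insn & SS_PUSH_POP) == SS_PUSH_POP), so any instruction that merely has those bits set is classified as a shadow stack access; use a separate mask and match value per instruction.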
@@ -177,6 +178,7 @@ static inline void vmalloc_fault(struct pt_regs *regs, int code, unsigned long a static inline bool access_error(unsigned long cause, struct vm_area_struct *vma) { + unsigned long prot = 0, shdw_stk_mask = 0; switch (cause) { case EXC_INST_PAGE_FAULT: if (!(vma->vm_flags & VM_EXEC)) { @@ -194,6 +196,20 @@ static inline bool access_error(unsigned long cause, struct vm_area_struct *vma) return true; } break; +#ifdef CONFIG_USER_SHADOW_STACK + /* + * If a ss access page fault. vma must have only VM_WRITE. + * and page prot much match to PAGE_SHADOWSTACK. + */ + case EXC_SS_ACCESS_PAGE_FAULT: + prot = pgprot_val(vma->vm_page_prot); + shdw_stk_mask = pgprot_val(PAGE_SHADOWSTACK); + if (((vma->vm_flags & (VM_WRITE | VM_READ | VM_EXEC)) != VM_WRITE) || + ((prot & shdw_stk_mask) != shdw_stk_mask)) { + return true; + } + break; +#endif default: panic("%s: unhandled cause %lu", __func__, cause); } 
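Review bot: In access_error(), prot and shdw_stk_mask are declared unconditionally at the top of the function but are only used inside the #ifdef CONFIG_USER_SHADOW_STACK case, so builds without that option can warn about unused variables; declare them inside a block under the case label or mark them __maybe_unused, and leave a blank line after the declarations. The new comment has a typo ("much match"), and the rule it states, that a shadow stack VMA has VM_WRITE set with VM_READ and VM_EXEC clear, would be better expressed as a named helper than open-coded in this one check.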
@@ -274,7 +290,12 @@ asmlinkage void do_page_fault(struct pt_regs *regs) perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); - if (cause == EXC_STORE_PAGE_FAULT) + if (cause == EXC_STORE_PAGE_FAULT +#ifdef CONFIG_USER_SHADOW_STACK + || cause == EXC_SS_ACCESS_PAGE_FAULT + /* if config says shadow stack and cause is ss access then indicate a write */ +#endif + ) flags |= FAULT_FLAG_WRITE; else if (cause == EXC_INST_PAGE_FAULT) flags |= FAULT_FLAG_INSTRUCTION;
From patchwork Mon Feb 13 04:53:39 2023
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56031
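Review bot: In the do_page_fault() hunk, the #ifdef CONFIG_USER_SHADOW_STACK is spliced into the middle of the if (cause == EXC_STORE_PAGE_FAULT ...) condition, which is hard to read and easy to break on the next edit. Defining EXC_SS_ACCESS_PAGE_FAULT unconditionally in csr.h, or wrapping the test in a small static inline helper, lets the condition stay a plain expression with no preprocessor lines inside it. The explanatory comment belongs above the if, not inside the condition.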
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 10/20] riscv mmu: write protect and shadow stack
Date: Sun, 12 Feb 2023 20:53:39 -0800
Message-Id: <20230213045351.3945824-11-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

`fork` implements copy on write (COW) by making pages readonly in child and parent both.

ptep_set_wrprotect and pte_wrprotect clear _PAGE_WRITE in PTE. Assumption is that page is readable and on fault copy on write happens.

To implement COW on such pages, clearing up W bit makes them XWR = 000. This will result in wrong PTE setting which says no perms but V=1 and PFN field pointing to final page. Instead desired behavior is to turn it into a readable page, take an access (load/store) fault on sspush/sspop (shadow stack) and then perform COW on such pages. This way regular reads would still be allowed and not lead to COW maintaining current behavior of COW on non-shadow stack but writeable memory.

On the other hand it doesn't interfere with existing COW for read-write memory. Assumption is always that _PAGE_READ must have been set and thus setting _PAGE_READ is harmless.

Signed-off-by: Deepak Gupta
--- arch/riscv/include/asm/pgtable.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 74dbe122f2fa..13b325253c99 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -334,7 +334,7 @@ static inline int pte_special(pte_t pte) static inline pte_t pte_wrprotect(pte_t pte) { - return __pte(pte_val(pte) & ~(_PAGE_WRITE)); + return __pte((pte_val(pte) & ~(_PAGE_WRITE)) | (_PAGE_READ)); } /* static inline pte_t pte_mkread(pte_t pte) */ 
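Review bot: pte_wrprotect() now ORs in _PAGE_READ for every PTE it is given, so any PTE that reaches it without read permission comes out readable. The commit message rests on the assumption that _PAGE_READ is always already set, but nothing in the function checks or documents that. Consider setting _PAGE_READ only when the incoming PTE has the shadow stack encoding (W set, R and X clear), and add a comment here like the one the patch adds to ptep_set_wrprotect().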
@@ -509,7 +509,15 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long address, pte_t *ptep) { - atomic_long_and(~(unsigned long)_PAGE_WRITE, (atomic_long_t *)ptep); + volatile pte_t read_pte = *ptep; + /* + * ptep_set_wrprotect can be called for shadow stack ranges too. + * shadow stack memory is XWR = 010 and thus clearing _PAGE_WRITE will lead to + * encoding 000b which is wrong encoding with V = 1. This should lead to page fault + * but we dont want this wrong configuration to be set in page tables. + */ + atomic_long_set((atomic_long_t *)ptep, + ((pte_val(read_pte) & ~(unsigned long)_PAGE_WRITE) | _PAGE_READ)); } #define __HAVE_ARCH_PTEP_CLEAR_YOUNG_FLUSH
From patchwork Mon Feb 13 04:53:40 2023
X-Patchwork-Submitter: Deepak Gupta
X-Patchwork-Id: 56038
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Andrew Morton
Cc: Deepak Gupta, linux-mm@kvack.org
Subject: [PATCH v1 RFC Zisslpcfi 11/20] mmu: maybe_mkwrite updated to manufacture shadow stack PTEs
Date: Sun, 12 Feb 2023 20:53:40 -0800
Message-Id: <20230213045351.3945824-12-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>

maybe_mkwrite creates PTEs with WRITE encodings for underlying arch if VM_WRITE is turned on in vma->vm_flags. Shadow stack memory is a writeable memory except it can only be written by certain specific instructions. This patch allows maybe_mkwrite to create shadow stack PTEs if vma is shadow stack VMA. Each arch can define which combination of VMA flags means a shadow stack.

Additionally pte_mkshdwstk must be provided by arch specific PTE construction headers to create shadow stack PTEs (in arch specific pgtable.h).

This patch provides dummy/stub pte_mkshdwstk if CONFIG_USER_SHADOW_STACK is not selected.

Signed-off-by: Deepak Gupta
--- include/linux/mm.h | 23 +++++++++++++++++++++-- include/linux/pgtable.h | 4 ++++ 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 8f857163ac89..a7705bc49bfe 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h
@@ -1093,6 +1093,21 @@ static inline unsigned long thp_size(struct page *page) void free_compound_page(struct page *page); #ifdef CONFIG_MMU + +#ifdef CONFIG_USER_SHADOW_STACK +bool arch_is_shadow_stack_vma(struct vm_area_struct *vma); +#endif + +static inline bool +is_shadow_stack_vma(struct vm_area_struct *vma) +{ +#ifdef CONFIG_USER_SHADOW_STACK + return arch_is_shadow_stack_vma(vma); +#else + return false; +#endif +} + /* * Do pte_mkwrite, but only if the vma says VM_WRITE. We do this when * servicing faults for write access. In the normal case, do always want @@ -1101,8 +1116,12 @@ void free_compound_page(struct page *page); */ static inline pte_t maybe_mkwrite(pte_t pte, struct vm_area_struct *vma) { - if (likely(vma->vm_flags & VM_WRITE)) - pte = pte_mkwrite(pte); + if (likely(vma->vm_flags & VM_WRITE)) { + if (unlikely(is_shadow_stack_vma(vma))) + pte = pte_mkshdwstk(pte); + else + pte = pte_mkwrite(pte); + } return pte; } diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index 1159b25b0542..94b157218c73 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h 
@@ -1736,4 +1736,8 @@ pgprot_t vm_get_page_prot(unsigned long vm_flags) \ } \ EXPORT_SYMBOL(vm_get_page_prot); +#ifndef CONFIG_USER_SHADOW_STACK +#define pte_mkshdwstk(pte) pte +#endif + #endif /* _LINUX_PGTABLE_H */ From patchwork Mon Feb 13 04:53:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56032 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175403wrn; Sun, 12 Feb 2023 20:55:52 -0800 (PST) X-Google-Smtp-Source: AK7set9qtKTBAy04NFQYiYjkM0s0JHrnTzwX2VrlPkhMrUtjCg72UT+iF5Zsge8c9AFsnAg6UiF2 X-Received: by 2002:a17:90b:1b07:b0:230:8956:79f1 with SMTP id nu7-20020a17090b1b0700b00230895679f1mr27070070pjb.36.1676264152003; Sun, 12 Feb 2023 20:55:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264151; cv=none; d=google.com; s=arc-20160816; b=MnEoYvF7om/o5NbRt1724dhURX4zoUvEQNcom/y3CIGw8Z87Rar3xW7+SKTTD4QwDB IqkvnNAGM5jIEKG6UhWO344hRo292t02Zekg21MIteaxYiisdhpLJ/Vdvfoun0GBF4f4 9opGq01HZ5AKbbWbBF1Aw/FbsOFG2wOUBWSdJqoQks8Suu5oJpfWcQ6Y53hIX9CpCwro nM90s9OQsjKsLpnEL4tQrupQzrF2Cx/FAj7tjjNsuxSDyY32D8Ts+C7WfJ87IKIrsSVa 1B3eDjmbyi5uqzU3fSo12WCmDLvPaRYJswg0mZPJmkiMO1RiKuTT4rYkQ763JecHS1OA 4bGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=aAzQKFN9fphLzkQzVxdl+t+n6lDoHdhoPqbxrAYfAdc=; b=Z8mBQel6w0vm+8CcO6ramzGOl1hG/UpWIOdjyD2dDCew6vqp8ktB5vwgN6EHGJybIy +ml7xkdRwH6B1+c/Zh+09O9QfdfSMSdUGfCE+lPt9NAlVe3Smi+SmRT+ViUO1K8DHaLD v6OleNSezTzs5j+t6K6CpTlRbeCdMXWrDXXpP/CnlzqPATX1OY/YPTzPLkWdH0x4bkPh FBmyFqE12BETI3kWeO76bEGJJ/f1C7/CRZkAt1toKBsRbdMH0RlsMCdUQju5Flk0DxLS e0jQeZClsTmEsLeZ8osERvtc1L5C91zf7nLM6sTLb6wy8wjeIMhmufon2sPNhENDowDM FXDQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rivosinc-com.20210112.gappssmtp.com 
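Review bot: in maybe_mkwrite() the is_shadow_stack_vma() branch sits inside the `vma->vm_flags & VM_WRITE` test, so it is only reached on architectures whose shadow stack VMAs carry VM_WRITE. That requirement is not documented anywhere in the hunk; state it next to the arch_is_shadow_stack_vma() declaration, and update the comment above maybe_mkwrite() ("Do pte_mkwrite, but only if the vma says VM_WRITE") to mention the pte_mkshdwstk() case. In the include/linux/pgtable.h hunk the fallback `#define pte_mkshdwstk(pte) pte` is an unparenthesised, untyped macro; a static inline that takes and returns pte_t (or at least `(pte)`) keeps type checking identical with and without CONFIG_USER_SHADOW_STACK.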
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 12/20] riscv mm: manufacture shadow stack pte and is vma shadowstack
Date: Sun, 12 Feb 2023 20:53:41 -0800
Message-Id: <20230213045351.3945824-13-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>

This patch implements creating shadow stack pte (on riscv) if CONFIG_USER_SHADOW_STACK is selected. Creating shadow stack PTE on riscv means clearing RWX and then setting W=1.

Additionally this patch implements `arch_is_shadow_stack_vma`. Each arch can decide which combination of VMA flags is treated as shadow stack. riscv is choosing to follow PTE encodings for VMA flags as well, i.e. VM_WRITE only (no VM_READ or VM_EXEC) means it's a shadow stack vma on riscv.

Signed-off-by: Deepak Gupta
--- arch/riscv/include/asm/pgtable.h | 8 ++++++++ arch/riscv/mm/pageattr.c | 7 +++++++ 2 files changed, 15 insertions(+) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 13b325253c99..11a423e78d52 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h
@@ -344,6 +344,14 @@ static inline pte_t pte_mkwrite(pte_t pte) return __pte(pte_val(pte) | _PAGE_WRITE); } +#ifdef CONFIG_USER_SHADOW_STACK +static inline pte_t pte_mkshdwstk(pte_t pte) +{ + /* shadow stack on risc-v is XWR = 010. Clear everything and only set _PAGE_WRITE */ + return __pte((pte_val(pte) & ~(_PAGE_LEAF)) | _PAGE_WRITE); +} +#endif + /* static inline pte_t pte_mkexec(pte_t pte) */ static inline pte_t pte_mkdirty(pte_t pte) diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c index 86c56616e5de..582e17c4dc28 100644 --- a/arch/riscv/mm/pageattr.c +++ b/arch/riscv/mm/pageattr.c 
@@ -233,3 +233,10 @@ bool kernel_page_present(struct page *page) pte = pte_offset_kernel(pmd, addr); return pte_present(*pte); } + +#ifdef CONFIG_USER_SHADOW_STACK +bool arch_is_shadow_stack_vma(struct vm_area_struct *vma) +{ + return ((vma->vm_flags & (VM_WRITE | VM_READ | VM_EXEC)) == VM_WRITE); +} +#endif \ No newline at end of file From patchwork Mon Feb 13 04:53:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56036 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175475wrn; Sun, 12 Feb 2023 20:56:05 -0800 (PST) X-Google-Smtp-Source: AK7set+u08MBLza1gZDKd0bAOkV/qA4TOqolYuXlcwIrUPccd/WO9yzv1fLEfaUGTBs5wbu/N5I9 X-Received: by 2002:a17:90b:1c11:b0:232:ed58:7aef with SMTP id oc17-20020a17090b1c1100b00232ed587aefmr14068058pjb.43.1676264164753; Sun, 12 Feb 2023 20:56:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264164; cv=none; d=google.com; s=arc-20160816; b=QNUoS1W3TT0VemXhoILhCJDqlTq9kSi2x/7mmCpf2gL1PM0b8NzBhSzJjBI2hmuW7Y f8/8wu9JmoBP7rMv1U7ax1IrnswL6ixSYOB0u65OAcAF1mFWj8bwihWjwCMCr6+rGuUM lmyL1ReP8nCetU5mllA9KLdKZwu2FXfczXGfaQXAy7ybwO52O6ngJ7r6AUTNvVHltFTm t7/1UCllFEIQSZz+dOL2hB6vcqnDyVNWG4Tn8eVf0XZxNX5O3fDS2msTqGOP45t+k4fi wdjWjJfFOLcaARrZ7taXncYrZlXexc/O9yJQDZU4RlC6oqq9BbjPiottzJWu9Qql0OJ+ L4OA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Jzh1F9dWgL9z5qWHfkyPDeO9BiBZZOuMNa7E/NQMYRA=; b=EfUtnZ0/NLQAB2X54vHqyXHBIqG350i5DzjxTYxaqa5yTfWDmRtM+u5tt+UX5KRkgf EymraMsCZhTM1x4OO93X5/r5XwsRYQnsN9Pc01vRuS/nAIFoFu1Eg5gqc52TyhLoP4SE z+slnP/lgAkv2FD/4Tj1J4UQcD/0B0tJknlFuQzxj8rtdwjnsSUPjHvqWO+RzCbaYD+F w85sOXmNQGz1EVmUF7YVm0R0bp5au3ROJ2ZlFCFoCE0i1U+3cv56X7HSRPWn6jcQSAS0 
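Review bot: arch_is_shadow_stack_vma() in arch/riscv/mm/pageattr.c treats every VMA whose protection flags are exactly VM_WRITE (no VM_READ, no VM_EXEC) as a shadow stack, so an ordinary write-only mapping that userspace created for unrelated reasons would receive shadow stack PTEs through maybe_mkwrite() and would then be writable only by the shadow stack instructions. A dedicated VMA flag, set only on the shadow stack allocation path, would avoid overloading an existing protection combination; if the overload is intended, the ABI change needs to be called out. In pte_mkshdwstk() the comment says "Clear everything" while the code clears only the bits in _PAGE_LEAF; name the bits that are cleared. pageattr.c also ends without a trailing newline ("\ No newline at end of file").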
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 13/20] riscv: illegal instruction handler for cfi violations
Date: Sun, 12 Feb 2023 20:53:42 -0800
Message-Id: <20230213045351.3945824-14-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>

Zisslpcfi spec proposes that cfi violations are reported as illegal instruction exception. Following are the cases:
- elp missing: An indirect jmp/call landed on instruction which is not `lpcll`
- label mismatch: Static label embedded in instr `lpcll/lpcml/lpcul` doesn't match with respective label in CSR_LPLR
- sscheckra: x1 and x5 don't match.

Current changes run user code in audit mode. That means that any cfi violation is suppressed and app is allowed to continue.

Signed-off-by: Deepak Gupta
--- arch/riscv/kernel/traps.c | 79 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 5553b8d48ba5..a292699f4f25 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c
@@ -97,6 +97,10 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code, /* Zisslpcfi instructions encodings */ #define SS_PUSH_POP 0x81C04073 #define SS_AMOSWAP 0x82004073 +#define SS_CHECKRA 0x8A12C073 +#define LP_C_LL 0x83004073 +#define LP_C_ML 0x86804073 +#define LP_C_UL 0x8B804073 bool is_ss_load_store_insn(unsigned long insn) { 
@@ -112,6 +116,71 @@ bool is_ss_load_store_insn(unsigned long insn) return false; } +bool is_cfi_violation_insn(unsigned long insn) +{ + struct task_struct *task = current; + bool ss_exist = false, lp_exist = false; + + ss_exist = arch_supports_shadow_stack(); + lp_exist = arch_supports_indirect_br_lp_instr(); + + if (ss_exist && (insn == SS_CHECKRA)) { + pr_warn("cfi violation (sschkra): comm = %s, task = %p\n", task->comm, task); + return true; + } + if (lp_exist && ((insn & LP_C_LL) == LP_C_LL)) { + pr_warn("cfi violation (lpcll): comm = %s, task = %p\n", task->comm, task); + return true; + } + if (lp_exist && ((insn & LP_C_ML) == LP_C_ML)) { + pr_warn("cfi violation (lpcml): comm = %s, task = %p\n", task->comm, task); + return true; + } + if (lp_exist && ((insn & LP_C_UL) == LP_C_UL)) { + pr_warn("cfi violation (lpcul): comm = %s, task = %p\n", task->comm, task); + return true; + } + + return false; +} + +int handle_illegal_instruction(struct pt_regs *regs) +{ + /* stval should hold faulting opcode */ + unsigned long insn = csr_read(stval); + struct thread_info *info = NULL; + struct task_struct *task = current; + + info = current_thread_info(); + /* + * If CFI enabled then following instructions leads to illegal instruction fault + * -- sscheckra: x1 and x5 mismatch + * -- ELP = 1, Any instruction other than lpcll will fault + * -- lpcll will fault if lower label don't match with LPLR.LL + * -- lpcml will fault if lower label don't match with LPLR.ML + * -- lpcul will fault if lower label don't match with LPLR.UL + */ + + /* If fcfi enabled and ELP = 1, suppress ELP (audit mode) and resume */ + if (arch_supports_indirect_br_lp_instr() && +#ifdef CONFIG_USER_INDIRECT_BR_LP + info->user_cfi_state.ufcfi_en && +#endif + (regs->status & SR_ELP)) { + pr_warn("cfi violation (elp): comm = %s, task = %p\n", task->comm, task); + regs->status &= ~(SR_ELP); + return 0; + } + /* if faulting opcode is sscheckra/lpcll/lpcml/lpcll, advance PC and resume */ + if 
(is_cfi_violation_insn(insn)) { + /* no compressed form for zisslpcfi instructions */ + regs->epc += 4; + return 0; + } + + return 1; +} + ulong get_instruction(ulong epc) { ulong *epc_ptr = (ulong *) epc; 
@@ -190,8 +259,14 @@ DO_ERROR_INFO(do_trap_insn_misaligned, SIGBUS, BUS_ADRALN, "instruction address misaligned"); DO_ERROR_INFO(do_trap_insn_fault, SIGSEGV, SEGV_ACCERR, "instruction access fault"); -DO_ERROR_INFO(do_trap_insn_illegal, - SIGILL, ILL_ILLOPC, "illegal instruction"); + +asmlinkage void __trap_section do_trap_insn_illegal(struct pt_regs *regs) +{ + if (!handle_illegal_instruction(regs)) + return; + do_trap_error(regs, SIGILL, ILL_ILLOPC, regs->epc, + "illegal instruction"); +} #ifdef CONFIG_USER_SHADOW_STACK asmlinkage void __trap_section do_trap_load_fault(struct pt_regs *regs) { From patchwork Mon Feb 13 04:53:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56034 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175414wrn; Sun, 12 Feb 2023 20:55:55 -0800 (PST) X-Google-Smtp-Source: AK7set+gneghID0z3jxhyFwABW3GUU59KeV0RvWlrPQ4zB9lV8z0UnA5npH08d+Dl1U9JGYVA0Xq X-Received: by 2002:a05:6a20:a007:b0:af:7233:5bfc with SMTP id p7-20020a056a20a00700b000af72335bfcmr16067910pzj.8.1676264154743; Sun, 12 Feb 2023 20:55:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264154; cv=none; d=google.com; s=arc-20160816; b=kNr2m9nQ/bqhQgCJmcfGx+g787rKDtb5SjajWrkZtO5vRRnwJd6fgccFSCKyQVbGj7 XmUyOB++xuJyzPTxK3BjNIKvt1XmYx1vBsswC39BfMWEClyoNcczyW4IYJXfkg1NkyRW DZtl5x6T9yFVvdcIF8KSldYgDs0Rx+dwByFw4IZRki1cldSU3JvwGLMgfAROpP9dCro2 RR1/vSeQv1XbDCblYL8/9yI9fmsZZ6gJ0zXn3ditAf2W354w5bWHsVOTZpGxPPOz3IUl aI5EmC+8/hRTr2U9oT3b4DX1+Y0b0G79bc6FHuOsyKUChppfmp/CD2yt/fxjvfSJDhhs s/WA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=C+FPHf6hRIJPFXwDXSpkdTEJ33J583V063C2UTppgJs=; b=Il5OhG5Y7aIHKmKJE5S2OOu2KQRzMJ6AbIkmBoZ3oBR42dJCl5pg0bByYM1J9+gBg/ 
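Review bot: in is_cfi_violation_insn() the landing pad tests `(insn & LP_C_LL) == LP_C_LL` (and the LP_C_ML and LP_C_UL equivalents) use the opcode constant as its own mask, so they match any faulting instruction word that has those bits set, not only lpcll/lpcml/lpcul. With the constants defined in this patch, LP_C_UL (0x8B804073) already satisfies the LP_C_LL test and is logged as lpcll, and an unrelated illegal encoding whose bits are a superset of one of these constants has its PC advanced by 4 and resumes instead of receiving SIGILL. Define an explicit mask that excludes only the label field and compare the masked instruction against each opcode (the mask name is yours to choose; none exists in the hunk). The pr_warn() calls in is_cfi_violation_insn() and handle_illegal_instruction() fire on every violation and are reachable from user code, so they should be rate limited with pr_warn_ratelimited(). The comment "sscheckra/lpcll/lpcml/lpcll" should end with lpcul.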
From: Deepak Gupta To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley , Palmer Dabbelt , Albert Ou Cc: Deepak Gupta Subject: [PATCH v1 RFC Zisslpcfi 14/20] riscv: audit mode for cfi violations Date: Sun, 12 Feb 2023 20:53:43 -0800 Message-Id: <20230213045351.3945824-15-debug@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com> References: <20230213045351.3945824-1-debug@rivosinc.com> MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1757690362619765375?= X-GMAIL-MSGID: =?utf-8?q?1757690362619765375?= Adding an audit mode per task which suppresses cfi violations reported as illegal instruction exception. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 3 ++- arch/riscv/kernel/process.c | 2 ++ arch/riscv/kernel/traps.c | 7 ++++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index f065309927b1..39c36f739ebb 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h @@ -45,7 +45,8 @@ struct thread_struct { struct cfi_status { unsigned int ufcfi_en : 1; /* Enable for forward cfi. Note that ELP goes in sstatus */ unsigned int ubcfi_en : 1; /* Enable for backward cfi. */ - unsigned int rsvd1 : 30; + unsigned int audit_mode : 1; + unsigned int rsvd1 : 29; unsigned int lp_label; /* saved label value (25bit) */ long user_shdw_stk; /* Current user shadow stack pointer */ long shdw_stk_base; /* Base address of shadow stack */ 
diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index db676262e61e..bfd8511914d9 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -246,11 +246,13 @@ int arch_elf_setup_cfi_state(const struct arch_elf_state *state) info->user_cfi_state.user_shdw_stk = (shadow_stack_base + shadow_stk_size); info->user_cfi_state.shdw_stk_base = shadow_stack_base; + info->user_cfi_state.audit_mode = 1; } /* setup forward cfi state */ if (arch_supports_indirect_br_lp_instr() && (state->flags & RISCV_ELF_FCFI)) { info->user_cfi_state.ufcfi_en = 1; info->user_cfi_state.lp_label = 0; + info->user_cfi_state.audit_mode = 1; } return ret; diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index a292699f4f25..1901a8b73de5 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -165,6 +165,7 @@ int handle_illegal_instruction(struct pt_regs *regs) if (arch_supports_indirect_br_lp_instr() && #ifdef CONFIG_USER_INDIRECT_BR_LP info->user_cfi_state.ufcfi_en && + info->user_cfi_state.audit_mode && #endif (regs->status & SR_ELP)) { pr_warn("cfi violation (elp): comm = %s, task = %p\n", task->comm, task); 
@@ -172,7 +173,11 @@ int handle_illegal_instruction(struct pt_regs *regs) return 0; } /* if faulting opcode is sscheckra/lpcll/lpcml/lpcll, advance PC and resume */ - if (is_cfi_violation_insn(insn)) { + if (is_cfi_violation_insn(insn) +#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP) + && info->user_cfi_state.audit_mode +#endif + ) { /* no compressed form for zisslpcfi instructions */ regs->epc += 4; return 0; From patchwork Mon Feb 13 04:53:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56039 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2175539wrn; Sun, 12 Feb 2023 20:56:24 -0800 (PST) X-Google-Smtp-Source: AK7set85vB6+Cl7BwerDWjEqIu5r1RjjpRin5K7d6R8DWlYt81GtZ5CQqc9MTBQAVMp7gLMikCEg X-Received: by 2002:a17:902:e383:b0:19a:703d:c1c6 with SMTP id g3-20020a170902e38300b0019a703dc1c6mr7555523ple.26.1676264184561; Sun, 12 Feb 2023 20:56:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676264184; cv=none; d=google.com; s=arc-20160816; b=Rh5BoeoQOJb/eDRY+1oyWzhbg5x29hhz361VCIWDSyRqSFBYHj+C92LSgrJVi9SdRf ajZIADwKzLl3jQnK05adR1OQSKeq7Ch5PIMig8mu2wBp8md0IV2hcwt5xKq2RUb7WtsC p+TrEMMeKdm0w07HXXDDyUy9iTHkwgozJl6xr1J0bxyeI4YKjit6QyNrEYhZ2tmBAPOh SaUY3zlOrrMwLOeIe5H/aRZoiOnX8QYYTozKefrXIleU2zKoxA6tdH4kRzamKrgUxakf ao4E/WJ9fcHZ+GjLjjRvp6PmR7H8ne+Q15NydBsm2dJDzd7XEqoJVzU/5cDGaZlUWEb1 7VxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=NyKgXXAf6eIxCQNqJDUpc+Bj2CrwyhmFgAHD2REeyJQ=; b=sylPB0Nyb/yn2hqACd56v2MnmeXY+LNjaMnLBRaU1WI0qV462KjFAJK8MQXu6f3rsO 1DymVIFsIqh7kdMCM0Oa6QYt6ffVr+pSCLZJHDvdJZfpMGRJYxcvOOzENisnIfVSy/aG 9cuuNByQlaMd1wgmfkBTfbIolaDn/NO3aEx8k19SgoFc2gq7wxTvrsAuDZmuErp7SM14 
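Review bot: arch_elf_setup_cfi_state() sets `info->user_cfi_state.audit_mode = 1` in both the shadow stack branch and the forward cfi branch, and no hunk in this patch ever clears it, so every task that enables CFI runs with violations only logged and execution resumed; the new bit does not yet provide an enforcing mode. Default it to 0 and add the control that switches a task into audit mode, or document where enforcement is expected to be turned on. In the traps.c hunks the `#if defined(CONFIG_USER_SHADOW_STACK) || defined(CONFIG_USER_INDIRECT_BR_LP)` block spliced into the middle of the `if (is_cfi_violation_insn(insn) ...)` condition, and the matching `#ifdef` in the ELP check, are hard to read; a small helper that returns the task's audit state would remove both preprocessor blocks from the conditions.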
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 15/20] sslp prctl: arch-agnostic prctl for shadow stack and landing pad instr
Date: Sun, 12 Feb 2023 20:53:44 -0800
Message-Id: <20230213045351.3945824-16-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Three architectures (x86, aarch64, riscv) have announced support for shadow stack and enforcing requirement of landing pad instructions on indirect call/jmp. This patch adds arch-agnostic prctl support to enable/disable/get/set status of shadow stack and forward control (landing pad) flow cfi statuses.

New prctls are
- PR_GET_SHADOW_STACK_STATUS, PR_SET_SHADOW_STACK_STATUS
- PR_GET_INDIRECT_BR_LP_STATUS, PR_SET_INDIRECT_BR_LP_STATUS

Signed-off-by: Deepak Gupta
Reviewed-by: Mark Brown
---
 include/uapi/linux/prctl.h | 26 +++++++++++++++++++++++++
 kernel/sys.c | 40 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index a5e06dcbba13..0f401cb2d6d1 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h
@@ -284,4 +284,30 @@ struct prctl_mm_map { #define PR_SET_VMA 0x53564d41 # define PR_SET_VMA_ANON_NAME 0 +/* + * get shadow stack status for current thread. Assumes shadow stack is min 4 byte aligned. + * Note shadow stack can be 8 byte aligned on 64bit. + * Lower 2 bits can give status of locked and enabled/disabled. + * size and address range can be obtained via /proc/maps. get_shadow_stack_status will + * return base of shadow stack. + */ +#define PR_GET_SHADOW_STACK_STATUS 65 +/* + * set shadow stack status for current thread (including enabling, disabling or locking) + * note that it will only set the status and setup of the shadow stack. Allocating shadow + * stack should be done separately using mmap. + */ +#define PR_SET_SHADOW_STACK_STATUS 66 +# define PR_SHADOW_STACK_LOCK (1UL << 0) +# define PR_SHADOW_STACK_ENABLE (1UL << 1) + +/* get status of requirement of a landing pad instruction for current thread */ +#define PR_GET_INDIRECT_BR_LP_STATUS 67 +/* + * set status of requirement of a landing pad instruction for current thread + * (including enabling, disabling or locking) + */ +#define PR_SET_INDIRECT_BR_LP_STATUS 68 +# define PR_INDIRECT_BR_LP_LOCK (1UL << 0) +# define PR_INDIRECT_BR_LP_ENABLE (1UL << 1) #endif /* _LINUX_PRCTL_H */ diff --git a/kernel/sys.c b/kernel/sys.c index 88b31f096fb2..da8c65d474df 100644 --- a/kernel/sys.c +++ b/kernel/sys.c 
@@ -2284,6 +2284,26 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, return -EINVAL; } +int __weak arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_set_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_get_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + +int __weak arch_set_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + return -EINVAL; +} + #define PR_IO_FLUSHER (PF_MEMALLOC_NOIO | PF_LOCAL_THROTTLE) #ifdef CONFIG_ANON_VMA_NAME 
@@ -2628,6 +2648,26 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, case PR_SET_VMA: error = prctl_set_vma(arg2, arg3, arg4, arg5); break; + case PR_GET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_get_shadow_stack_status(me, (unsigned long __user *) arg2); + break; + case PR_SET_SHADOW_STACK_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_set_shadow_stack_status(me, (unsigned long __user *) arg2); + break; + case PR_GET_INDIRECT_BR_LP_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_get_indir_br_lp_status(me, (unsigned long __user *) arg2); + break; + case PR_SET_INDIRECT_BR_LP_STATUS: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = arch_set_indir_br_lp_status(me, (unsigned long __user *) arg2); + break; default: error = -EINVAL; break;
From patchwork Mon Feb 13 04:53:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56040
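Review bot: The comments added to include/uapi/linux/prctl.h (@@ -284,4 +284,30) never say that arg2 is a pointer to an unsigned long, which is how the kernel/sys.c hunk passes it to the arch hooks, nor that the word combines the shadow stack address with PR_SHADOW_STACK_LOCK and PR_SHADOW_STACK_ENABLE in its two low bits. Spell out that encoding for both GET and SET, state whether a set LOCK bit can ever be cleared, and fix the path: the mapping list is /proc/<pid>/maps, not /proc/maps.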
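Review bot: The SET cases in the prctl() switch (kernel/sys.c, @@ -2628,6 +2648,26) read the new status through a user pointer in arg2, which forces a copy_from_user() in every arch hook for a value that fits in the argument itself. Pass the status by value for the PR_SET_* options and keep the pointer only for PR_GET_*, or explain in the commit message why a pointer is needed.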
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 16/20] riscv: Implements sslp prctls
Date: Sun, 12 Feb 2023 20:53:45 -0800
Message-Id: <20230213045351.3945824-17-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

New prctls PR_GET_SHADOW_STACK_STATUS/PR_SET_SHADOW_STACK_STATUS and PR_GET_INDIRECT_BR_LP_STATUS/PR_SET_INDIRECT_BR_LP_STATUS are implemented on riscv in this patch.

Signed-off-by: Deepak Gupta
---
 arch/riscv/include/asm/processor.h | 4 +-
 arch/riscv/kernel/process.c | 88 +++++++++++++++++++++++++++++-
 2 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h index 39c36f739ebb..c088584580b4 100644 --- a/arch/riscv/include/asm/processor.h +++ b/arch/riscv/include/asm/processor.h
@@ -46,7 +46,9 @@ struct cfi_status { unsigned int ufcfi_en : 1; /* Enable for forward cfi. Note that ELP goes in sstatus */ unsigned int ubcfi_en : 1; /* Enable for backward cfi. */ unsigned int audit_mode : 1; - unsigned int rsvd1 : 29; + unsigned int ufcfi_locked : 1; + unsigned int ubcfi_locked : 1; + unsigned int rsvd1 : 27; unsigned int lp_label; /* saved label value (25bit) */ long user_shdw_stk; /* Current user shadow stack pointer */ long shdw_stk_base; /* Base address of shadow stack */ diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index bfd8511914d9..1218ed4fd29f 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c 
@@ -257,4 +257,90 @@ int arch_elf_setup_cfi_state(const struct arch_elf_state *state) return ret; } -#endif \ No newline at end of file +#endif + +#ifdef CONFIG_USER_SHADOW_STACK +int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long bcfi_status = 0; + struct thread_info *info = NULL; + + if (!arch_supports_shadow_stack()) + return -EINVAL; + + info = current_thread_info(); + bcfi_status |= info->user_cfi_state.ubcfi_locked ? (1UL << 0) : 0; + bcfi_status |= info->user_cfi_state.ubcfi_en ? ((1UL << 1) | + (info->user_cfi_state.user_shdw_stk)) : 0; + + return copy_to_user(status, &bcfi_status, sizeof(bcfi_status)) ? -EFAULT : 0; +} + +int arch_set_shadow_stack_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long bcfi_status = 0; + struct thread_info *info = NULL; + unsigned long shdw_stk = 0; + + if (!arch_supports_shadow_stack()) + return -EINVAL; + + info = current_thread_info(); + /* bcfi status is locked and further can't be modified by user */ + if (info->user_cfi_state.ubcfi_locked) + return -EINVAL; + + if (copy_from_user(&bcfi_status, status, sizeof(bcfi_status))) + return -EFAULT; + /* clear two least significant bits. Always assume min 4 byte alignment */ + shdw_stk = (long) (bcfi_status & (~3)); + + if (shdw_stk >= TASK_SIZE) + return -EINVAL; + + info->user_cfi_state.ubcfi_en = (bcfi_status & (1UL << 1)) ? 1 : 0; + info->user_cfi_state.ubcfi_locked = (bcfi_status & (1UL << 0)) ? 1 : 0; + info->user_cfi_state.user_shdw_stk = (long) shdw_stk; + + return 0; +} +#endif + +#ifdef CONFIG_USER_INDIRECT_BR_LP +int arch_get_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long fcfi_status = 0; + struct thread_info *info = NULL; + + if (!arch_supports_indirect_br_lp_instr()) + return -EINVAL; + + info = current_thread_info(); + fcfi_status |= info->user_cfi_state.ufcfi_locked ? (1UL << 0) : 0; + fcfi_status |= info->user_cfi_state.ufcfi_en ? 
(1UL << 1) : 0; + + return copy_to_user(status, &fcfi_status, sizeof(fcfi_status)) ? -EFAULT : 0; +} + +int arch_set_indir_br_lp_status(struct task_struct *t, unsigned long __user *status) +{ + unsigned long fcfi_status = 0; + struct thread_info *info = NULL; + + if (!arch_supports_indirect_br_lp_instr()) + return -EINVAL; + + info = current_thread_info(); + /* bcfi status is locked and further can't be modified by user */ + if (info->user_cfi_state.ufcfi_locked) + return -EINVAL; + + if (copy_from_user(&fcfi_status, status, sizeof(fcfi_status))) + return -EFAULT; + + info->user_cfi_state.ufcfi_en = (fcfi_status & (1UL << 1)) ? 1 : 0; + info->user_cfi_state.ufcfi_locked = (fcfi_status & (1UL << 0)) ? 1 : 0; + + return 0; +} +#endif
From patchwork Mon Feb 13 04:53:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56041
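Review bot: arch_set_shadow_stack_status() (arch/riscv/kernel/process.c, @@ -257,4 +257,90) writes the caller's word into user_shdw_stk after checking only `shdw_stk >= TASK_SIZE`, and takes ubcfi_en and ubcfi_locked from the same word independently, so a single call can lock the state with the shadow stack disabled or leave the pointer outside any shadow stack mapping. Check that the address falls inside a shadow stack mapping, reject LOCK without ENABLE (or document it as intended), and return -EINVAL for bits other than the two defined ones in arch_set_indir_br_lp_status(). Smaller points: use the PR_SHADOW_STACK_* and PR_INDIRECT_BR_LP_* names instead of `1UL << 0` and `1UL << 1`; the GET path returns user_shdw_stk while the uapi comment promises the base; the lock comment in arch_set_indir_br_lp_status() says "bcfi" where it means fcfi; and all four hooks ignore `t` in favour of current_thread_info().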
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 17/20] riscv ucontext: adding shadow stack pointer field in ucontext
Date: Sun, 12 Feb 2023 20:53:46 -0800
Message-Id: <20230213045351.3945824-18-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>
References: <20230213045351.3945824-1-debug@rivosinc.com>

Shadow stack needs to be saved and restored on signal delivery and signal return. ucontext structure on riscv has existing large padding for possible future extension of uc_sigmask. This patch steals XLEN/8 bytes from padding to keep structure size and offset of existing member fields same.

Signed-off-by: Deepak Gupta
---
 arch/riscv/include/uapi/asm/ucontext.h | 32 +++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/arch/riscv/include/uapi/asm/ucontext.h b/arch/riscv/include/uapi/asm/ucontext.h index 516bd0bb0da5..72303e5618a1 100644 --- a/arch/riscv/include/uapi/asm/ucontext.h +++ b/arch/riscv/include/uapi/asm/ucontext.h
@@ -21,9 +21,12 @@ struct ucontext { * at the end of this structure and explicitly state it can be * expanded, so we didn't want to box ourselves in here. */ - __u8 __unused[1024 / 8 - sizeof(sigset_t)]; - /* - * We can't put uc_sigmask at the end of this structure because we need + __u8 __unused[1024 / 8 - sizeof(sigset_t) +#ifdef CONFIG_USER_SHADOW_STACK + - sizeof(unsigned long) +#endif + ]; + /* We can't put uc_sigmask at the end of this structure because we need * to be able to expand sigcontext in the future. For example, the * vector ISA extension will almost certainly add ISA state. We want * to ensure all user-visible ISA state can be saved and restored via a 
@@ -31,7 +34,30 @@ struct ucontext { * infinite extensibility. Since we know this will be extended and we * assume sigset_t won't be extended an extreme amount, we're * prioritizing this. + */ + + /* + * Zisslpcfi will need state in ucontext to save and restore across + * makecontext/setcontext. Such one state is shadow stack pointer. We may need + * to save label (of the target function) as well (but that's to be decided). + * Stealing 8 (64bit) / 4 (32bit) bytes from padding (__unused) reserved + * for expanding sigset_t. We could've expanded the size of ucontext. But + * shadow stack is something which by default would be enabled via ELF. + * ucontext expansion makes more sense for situations like vector where + * app is willingly opting in to get special functionality. Opt-in allows + * for enlightening in ucontext restore. Second reason is shadow stack + * doesn't need a lot of state and only shadow stack pointer. Tax on + * ecosystem due to a small size change (8 bytes) of ucontext is more than + * simply keeping the size same and shoving the ss pointer in here. Please + * note that shadow stack pointer is pointing to a shadow stack address. + * Shadow stack address has shadow stack restore token using which shadow + * stack should be restored. + * Please note that we're keeping uc_ss_ptr at that this location so that + * every other offsets are same and thus works for compatibility. 
*/ +#ifdef CONFIG_USER_SHADOW_STACK + unsigned long uc_ss_ptr; +#endif struct sigcontext uc_mcontext; };
From patchwork Mon Feb 13 04:53:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Deepak Gupta X-Patchwork-Id: 56044
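Review bot: `#ifdef CONFIG_USER_SHADOW_STACK` inside arch/riscv/include/uapi/asm/ucontext.h (@@ -21,9 +21,12, and again around uc_ss_ptr in the following hunk) makes the exported struct depend on a kernel config symbol that userspace never defines, so programs built against this header see the full-size __unused and no uc_ss_ptr member. Carve the field out of the padding unconditionally so the declaration is the same for every build. The hunk also folds the opening `/*` onto the first line of the existing comment, an unrelated style change that should be dropped.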
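Review bot: The comment added to struct ucontext (@@ -31,7 +34,30) leaves the ABI open ("We may need to save label ... but that's to be decided") while the same patch already fixes the layout; settle that before the field is exported, because the padding can only be claimed once. The wording needs a pass as well ("Such one state", "at that this location"), and the sentence about the restore token should say which side validates the token, since the field itself holds a raw pointer.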
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 18/20] riscv signal: Save and restore of shadow stack for signal
Date: Sun, 12 Feb 2023 20:53:47 -0800
Message-Id: <20230213045351.3945824-19-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>

Save shadow stack pointer in ucontext structure while delivering signal. Restore shadow stack pointer from ucontext on sigreturn.

Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/signal.c | 45 ++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)

diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c index bfb2afa4135f..b963bbce5879 100644 --- a/arch/riscv/kernel/signal.c +++ b/arch/riscv/kernel/signal.c @@ -103,6 +103,7 @@ SYSCALL_DEFINE0(rt_sigreturn) struct pt_regs *regs = current_pt_regs(); struct rt_sigframe __user *frame; struct task_struct *task; + struct thread_info *info = NULL; sigset_t set; /* Always make any pending restarted system calls return -EINTR */ 
@@ -124,6 +125,27 @@ SYSCALL_DEFINE0(rt_sigreturn) if (restore_altstack(&frame->uc.uc_stack)) goto badframe; +#if defined(CONFIG_USER_SHADOW_STACK) + /* + * TODO: Restore shadow stack as a form of token stored on shadow stack itself as a safe + * way to restore. + * A token on shadow gives following properties + * - Safe save and restore for shadow stack switching. Any save of shadow stack + * must have had saved a token on shadow stack. Similarly any restore of shadow + * stack must check the token before restore. Since writing to shadow stack with + * address of shadow stack itself is not easily allowed. A restore without a save + * is quite difficult for an attacker to perform. + * - A natural break. A token in shadow stack provides a natural break in shadow stack + * So a single linear range can be bucketed into different shadow stack segments. + * Any sspop; sscheckra will detect the condition and fault to kernel. + */ + info = current_thread_info(); + if (info->user_cfi_state.ubcfi_en && + __copy_from_user(&info->user_cfi_state.user_shdw_stk, &frame->uc.uc_ss_ptr, + sizeof(unsigned long))) + goto badframe; +#endif + regs->cause = -1UL; return regs->a0; @@ -180,6 +202,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs) { struct rt_sigframe __user *frame; + struct thread_info *info = NULL; long err = 0; frame = get_sigframe(ksig, regs, sizeof(*frame)); 
@@ -191,6 +214,23 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, /* Create the ucontext. */ err |= __put_user(0, &frame->uc.uc_flags); err |= __put_user(NULL, &frame->uc.uc_link); +#if defined(CONFIG_USER_SHADOW_STACK) + /* + * TODO: Save a pointer to shadow stack itself on shadow stack as a form of token. + * A token on shadow gives following properties + * - Safe save and restore for shadow stack switching. Any save of shadow stack + * must have had saved a token on shadow stack. Similarly any restore of shadow + * stack must check the token before restore. Since writing to shadow stack with + * address of shadow stack itself is not easily allowed. A restore without a save + * is quite difficult for an attacker to perform. + * - A natural break. A token in shadow stack provides a natural break in shadow stack + * So a single linear range can be bucketed into different shadow stack segments. Any + * sspop; sscheckra will detect the condition and fault to kernel. + */ + info = current_thread_info(); + if (info->user_cfi_state.ubcfi_en) + err |= __put_user(info->user_cfi_state.user_shdw_stk, &frame->uc.uc_ss_ptr); +#endif err |= __save_altstack(&frame->uc.uc_stack, regs->sp); err |= setup_sigcontext(frame, regs); err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); 
@@ -201,6 +241,11 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set, #ifdef CONFIG_MMU regs->ra = (unsigned long)VDSO_SYMBOL( current->mm->context.vdso, rt_sigreturn); +#if defined(CONFIG_USER_SHADOW_STACK) + /* if bcfi is enabled x1 (ra) and x5 (t0) must match */ + if (info->user_cfi_state.ubcfi_en) + regs->t0 = regs->ra; +#endif #else /* * For the nommu case we don't have a VDSO. Instead we push two
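Review bot: in the first rt_sigreturn hunk (@@ -103,6 +103,7 @@), `struct thread_info *info = NULL;` is declared unconditionally but is only used inside the `#if defined(CONFIG_USER_SHADOW_STACK)` block added further down, so a build without that option carries an unused local and will likely warn. Declare it under the same guard, or drop the local and call current_thread_info() where it is needed. The NULL initializer is also unnecessary because the variable is assigned before its only use. The same applies to the identical declaration added to setup_rt_frame() in the @@ -180,6 +202,7 @@ hunk.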
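Review bot: the restore path in the @@ -124,6 +125,27 @@ hunk copies `frame->uc.uc_ss_ptr` straight into `info->user_cfi_state.user_shdw_stk` with no validation, and that ucontext sits in the ordinary, user-writable signal frame. Whatever value userspace leaves in the field becomes the shadow stack pointer after sigreturn, which is the gap the TODO comment itself describes. Until the token scheme exists, reject a value that is misaligned or does not fall inside the task's shadow stack mapping and take the badframe path, so a corrupted frame cannot repoint the shadow stack. A single-word read would also be clearer as __get_user(), mirroring the __put_user() used on the save side.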
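Review bot: in the setup_rt_frame() hunk at @@ -191,6 +214,23 @@, `uc_ss_ptr` is written only when `ubcfi_en` is set, so with the feature off the field keeps whatever bytes were already on the user stack. Store 0 in the disabled case so the field always has a defined value for anything that later reads the ucontext. The TODO comment is also a near copy of the one added to rt_sigreturn; keep a single copy, refer to it from the other site, and wrap it to the usual line length.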
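Review bot: the `regs->t0 = regs->ra` fixup in the @@ -201,6 +241,11 @@ hunk exists only in the CONFIG_MMU branch; the `#else` nommu path that follows sets up the return differently and gets no equivalent. Either make the MMU dependency explicit in Kconfig or handle the nommu case here. The comment says x1 and x5 "must match" without saying what checks them; name the instruction or rule that enforces it so a reader knows why t0 is overwritten. This block also depends on `info` having been assigned in the separate `#if` block earlier in the function, which is easy to break if either block moves.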
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 19/20] config: adding two new config for control flow integrity
Date: Sun, 12 Feb 2023 20:53:48 -0800
Message-Id: <20230213045351.3945824-20-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>

To maintain control flow integrity of a program, integrity of indirect control transfers has to be maintained. In almost all architectures there are two mechanisms for indirect control transfer:
- Indirect call relying on a memory operand.
- Returns which pop an address from stack and return to caller.

Control transfers relying on memory operands are inherently susceptible to memory corruption bugs, thus allowing attackers to perform code re-use attacks which are eventually used to inject the attacker's payload.

All major architectures (x86, aarch64 and riscv) have introduced hardware assistance in the form of architectural extensions to protect returns (using alternate shadow/control stack) and forward control flow (by enforcing that all indirect control transfers land on a landing pad instruction).

This patch introduces two new CONFIGs:
- CONFIG_USER_SHADOW_STACK
  Config to enable kernel support for user mode shadow stacks
- CONFIG_USER_INDIRECT_BR_LP
  Config to enable kernel support for enforcing landing pad instruction on target of an indirect control transfer.

Signed-off-by: Deepak Gupta
---
init/Kconfig | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/init/Kconfig b/init/Kconfig index 44e90b28a30f..8867ea4b074f 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -121,6 +121,25 @@ config THREAD_INFO_IN_TASK One subtle change that will be needed is to use try_get_task_stack() and put_task_stack() in save_thread_stack_tsk() and get_wchan(). +config USER_SHADOW_STACK + bool + help + Select this to enable kernel to support user mode shadow stack. Most + major architectures now support hardware assisted shadow stack. This + allows to enable non-arch specifics related to shadow stack in kernel. + Arch specific configuration options may also need to be enabled. + +config USER_INDIRECT_BR_LP + bool + help + Select this to allow user mode apps to opt-in to force requirement for + a landing pad instruction on indirect jumps or indirect calls in user mode. + Most major architectures now support hardware assistance for landing pad + instruction on indirect call or a jump. This config option allows non-arch + specifics related to landing pad instruction to be enabled separately from + arch specific implementations. Arch specific configuration options may also + need to be enabled. 
+ menu "General setup" config BROKEN
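Review bot: both new symbols in the init/Kconfig hunk are a bare `bool` with no prompt string, yet each help text opens with "Select this to ...". Without a prompt they never show up in menuconfig and can only be turned on by an architecture's `select`, so the help text should say that, or the symbols should get a prompt plus a `depends on` tied to an architecture capability symbol. As written, nothing in this hunk restricts them to architectures that implement the hardware feature.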
From: Deepak Gupta
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Deepak Gupta
Subject: [PATCH v1 RFC Zisslpcfi 20/20] riscv: select config for shadow stack and landing pad instr support
Date: Sun, 12 Feb 2023 20:53:49 -0800
Message-Id: <20230213045351.3945824-21-debug@rivosinc.com>
In-Reply-To: <20230213045351.3945824-1-debug@rivosinc.com>

This patch selects config shadow stack support and landing pad instr support. Since shadow stack support and landing instr support rely on the ELF header, this change also selects ARCH_USE_GNU_PROPERTY and ARCH_BINFMT_ELF_STATE.

Signed-off-by: Deepak Gupta
---
arch/riscv/Kconfig | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index e2b656043abf..9a39ada1d9d0 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -132,6 +132,10 @@ config RISCV select SYSCTL_EXCEPTION_TRACE select THREAD_INFO_IN_TASK select TRACE_IRQFLAGS_SUPPORT + select USER_SHADOW_STACK + select USER_INDIRECT_BR_LP + select ARCH_USE_GNU_PROPERTY + select ARCH_BINFMT_ELF_STATE select UACCESS_MEMCPY if !MMU select ZONE_DMA32 if 64BIT select HAVE_DYNAMIC_FTRACE if !XIP_KERNEL && MMU && $(cc-option,-fpatchable-function-entry=8)
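Review bot: the four new `select` lines in the arch/riscv/Kconfig hunk are unconditional, so every riscv configuration, including !MMU and 32-bit builds, pulls in USER_SHADOW_STACK and USER_INDIRECT_BR_LP with no way to turn them off. The neighbouring entries show the conditional form (`select UACCESS_MEMCPY if !MMU`, `select ZONE_DMA32 if 64BIT`); gate these on the configurations where the extension is supported, or select them from a user-visible riscv option. The new entries also break the alphabetical order of the list: the ARCH_* selects belong near the top and the USER_* selects after UACCESS_MEMCPY.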