From patchwork Mon Mar 20 16:39:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner X-Patchwork-Id: 72281 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:604a:0:0:0:0:0 with SMTP id j10csp1321624wrt; Mon, 20 Mar 2023 09:52:56 -0700 (PDT) X-Google-Smtp-Source: AK7set91AWGfBIUjQc1ET0TBo5u2Y53bX4hF/Jho4RT9HSIzeV6e5hTglafG4zUDLIj0lyKJy1YB X-Received: by 2002:a05:6a20:2d94:b0:d9:84d2:7aae with SMTP id bf20-20020a056a202d9400b000d984d27aaemr4064773pzb.22.1679331176223; Mon, 20 Mar 2023 09:52:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1679331176; cv=none; d=google.com; s=arc-20160816; b=ZT8EiyvQrzvifZ9+R8/1CKf5tflrymMC1q8PDfZpB5I0rex9AW83DYfErLL+hEVjAH ZsP+aJgwE3L8Pv8VmKuI8/vldHlOjTAEgt82F/SQFjfKE3FjJsPMqg24izvNdrkWcQsd MCmcJOepsn1q+6UXw5IE8+uEC3MCur9G5+zIHIh9r5kRLpVM7kWCtTOsJebe8pNdCfAb 16imouJ4+8VQK6DyCxdsztXHVVbbMj5xTBTcMQjxQLy/MG6xCRzfrJNgp//ez5/MfB5A dIHyhlZqT3QYFokl0PgqXGCTfuJgAOu2MywzqUfCZhfS64QGdftsOjQvo+aaOat/KQvE dl5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:cc:subject:to:reply-to:sender:from :dkim-signature:dkim-signature:date; bh=SYX4JrBzvsAozuT32nb5plzdVhVp9zTKH6jDVtQCFjE=; b=obcMZ8OLpGM7r5sLW7fqWWWZwjEBZaEyMeBGEvbe74U5Zlom5CEkO3QTdEiaXv00gA r0NkheU9vrSD/6fPkWbLQguj9NzAl7APpFJkLDdwXiK4h0cvXzXZRugexTYp4fcMHa/1 3OlfWFXlF/JL5AdvqdwvhD25cevtWj8PBe3rrFLUjiiXXY2gtQHlP7VPX6MrLZf4XckJ EYknA0tBwnM1vfw87d7MLgYhZTkqDnyWi+kOM0j66bUDaIL2se32kpb2XCvLruWsouTt G+RXgFyHn9P7Yh8uTigJQqfacG6kqUnnG9D0IrdlenjQTNEy0A2KO4pCJNCSWuF13+yt 6+1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Goivp7qQ; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 69-20020a630148000000b0050bf0f1b79bsi11447014pgb.629.2023.03.20.09.52.42; Mon, 20 Mar 2023 09:52:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Goivp7qQ; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232249AbjCTQpk (ORCPT + 99 others); Mon, 20 Mar 2023 12:45:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38812 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233119AbjCTQo7 (ORCPT ); Mon, 20 Mar 2023 12:44:59 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5BC8893DF; Mon, 20 Mar 2023 09:39:48 -0700 (PDT) Date: Mon, 20 Mar 2023 16:39:22 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1679330362; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SYX4JrBzvsAozuT32nb5plzdVhVp9zTKH6jDVtQCFjE=; b=Goivp7qQyBo4Ma9nooMFVcTdpdMORyHk3zdgpKox/3XpUVuiloJ+FgKNJRlDJoMuXNv0cN dEGFm6Pu6OVHEJbqcbBDDUVvJJrQGia3d+DYbHQOnfFKRHEeU0dxhat4XCxRJxSu6SeTiS XsJyG941aMNxiaa0Nd8rrn9UI/kXD+N7yN/T8iP7OV5V/a5lgtEZji9GWyEI0jQH2ydNs/ 9LboHyyYJ48xi5Ue/wz/TkwSmdX8wD2i8I9z3fEW15wI0+4b3rZr4qdtA+db3WGnUGuBaX p5w4qfYgs6a93Zxdu9tmd309skJ1CITBQYk6UpYF9fzlZDoaIzfPoIFPKHDZBg== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1679330362; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SYX4JrBzvsAozuT32nb5plzdVhVp9zTKH6jDVtQCFjE=; b=0IridW++BCfm7hffUPSec0l/YCgjH2/7bh+8YKhZxyYhaOxtXQ02HzvxBIGjSSQmFVsHaw /wNLgzE2fL0n6IBw== From: "tip-bot2 for Rick Edgecombe" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/shstk] x86/shstk: Support WRSS for userspace Cc: Rick Edgecombe , Dave Hansen , "Borislav Petkov (AMD)" , Kees Cook , "Mike Rapoport (IBM)" , Pengfei Xu , John Allen , x86@kernel.org, linux-kernel@vger.kernel.org MIME-Version: 1.0 Message-ID: <167933036208.5837.13674378381944912365.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1760906367223629317?= X-GMAIL-MSGID: =?utf-8?q?1760906367223629317?= The following commit has been merged into the x86/shstk branch of tip: Commit-ID: 44600eec3f2b708c711e811339e1034d9f0d0680 Gitweb: https://git.kernel.org/tip/44600eec3f2b708c711e811339e1034d9f0d0680 Author: Rick Edgecombe AuthorDate: Sat, 18 Mar 2023 17:15:29 -07:00 Committer: Dave Hansen CommitterDate: Mon, 20 Mar 2023 09:01:12 -07:00 x86/shstk: Support WRSS for userspace For the current shadow stack implementation, shadow stacks contents can't easily be provisioned with arbitrary data. This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security. The x86 shadow stack feature introduces a new instruction, WRSS, which can be enabled to write directly to shadow stack memory from userspace. Allow it to get enabled via the prctl interface. Only enable the userspace WRSS instruction, which allows writes to userspace shadow stacks from userspace. Do not allow it to be enabled independently of shadow stack, as HW does not support using WRSS when shadow stack is disabled. >From a fault handler perspective, WRSS will behave very similar to WRUSS, which is treated like a user access from a #PF err code perspective. Signed-off-by: Rick Edgecombe Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook Link: https://lore.kernel.org/all/20230319001535.23210-35-rick.p.edgecombe%40intel.com --- arch/x86/include/uapi/asm/prctl.h | 1 +- arch/x86/kernel/shstk.c | 43 +++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index 7dfd9dc..e314956 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -28,5 +28,6 @@ /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) +#define ARCH_SHSTK_WRSS (1ULL << 1) #endif /* _ASM_X86_PRCTL_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 6d2531c..01b4566 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -360,6 +360,47 @@ void shstk_free(struct task_struct *tsk) unmap_shadow_stack(shstk->base, shstk->size); } +static int wrss_control(bool enable) +{ + u64 msrval; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + /* + * Only enable WRSS if shadow stack is enabled. If shadow stack is not + * enabled, WRSS will already be disabled, so don't bother clearing it + * when disabling. + */ + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return -EPERM; + + /* Already enabled/disabled? */ + if (features_enabled(ARCH_SHSTK_WRSS) == enable) + return 0; + + fpregs_lock_and_load(); + rdmsrl(MSR_IA32_U_CET, msrval); + + if (enable) { + features_set(ARCH_SHSTK_WRSS); + msrval |= CET_WRSS_EN; + } else { + features_clr(ARCH_SHSTK_WRSS); + if (!(msrval & CET_WRSS_EN)) + goto unlock; + + msrval &= ~CET_WRSS_EN; + } + + wrmsrl(MSR_IA32_U_CET, msrval); + +unlock: + fpregs_unlock(); + + return 0; +} + static int shstk_disable(void) { if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) @@ -376,7 +417,7 @@ static int shstk_disable(void) fpregs_unlock(); shstk_free(current); - features_clr(ARCH_SHSTK_SHSTK); + features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS); return 0; }