From patchwork Wed Jul 19 22:47:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner X-Patchwork-Id: 122878 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:c923:0:b0:3e4:2afc:c1 with SMTP id j3csp2757458vqt; Wed, 19 Jul 2023 15:59:00 -0700 (PDT) X-Google-Smtp-Source: APBJJlE4FM/2b5y/eYdobvnycVfjoCVDhZkbryUEZB2w2YrZrxJ6eVDkFHY7UEEn8T8buiOcTjZd X-Received: by 2002:aa7:dac4:0:b0:51e:da3:1585 with SMTP id x4-20020aa7dac4000000b0051e0da31585mr4063494eds.9.1689807540516; Wed, 19 Jul 2023 15:59:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689807540; cv=none; d=google.com; s=arc-20160816; b=jpsKo7E+DlTty/26BvU/p19E7dOo4HX6afSVD6NTIUWZVdF9BxKzapTnbXeI+lZxxZ Umlag7TnzYYV2hKkvzr4ss6QlwiQLBOJHyjtXG/0pTcYVN0HyBdc/Jf0JgVkaTTWpESL 0/IpyOSKCmg4A0aE2M6caGXkH0Xad85GGsPy4gFsPMt4gOhB7SVqMUpkPGbDW6REj7Jz 4bQ2xnx+fIbcGYD6VBvJg8XjHs9IO0o4ghkO68oqjH+2g/Dk7vCTKdLmKiF+iU8QvBMu VATxLNRpwRazxo9P0n1efAOLcJXdOg+XUW/a6EZywDxXWQ+6HtrZIO0K6PikMoc36hqn 19jA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:cc:subject:to:reply-to:sender:from :dkim-signature:dkim-signature:date; bh=l4RWhdAWwsWIa+mFZoxytst7jOZo6c9Bbjl4iU8esLI=; fh=TP5hGXUss9NVznuLhHn29IY8s2b42GYJvI6UwvTtDG8=; b=le+S1igu87X3JU2JxJO++8Hc6QPqhQFyZQS6Kd0pgwrnglUL4XDTMtBxrK8iSCHthg YS0291VHo45UP+tTHR01Upu2r3D8axhaaLFTxiXVbmm8ChsVlx3sfegmq4CxLSH6wpni 0fJFq44Sszd6B63oTPpWcbloj7+bd384FljZickhxRPU9zNDyWqmp9ogY7j9NpLZTGV7 fNf7O1x/K7vsK+Ui3LLOnQxTeHsg5KApVojiRMxlnN5QVKsXXmyF7xMxew4Xr4VDStpp XaGHrMwhd0PlyA94gxM+38AAevf0g4AhcLDO86Co5In/1ifo2+DhgZgxVXwkFawEgSbF 4R+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=VGLkbx8b; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bq2-20020a056402214200b0052177c07802si3682568edb.482.2023.07.19.15.58.37; Wed, 19 Jul 2023 15:59:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=VGLkbx8b; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231210AbjGSWrx (ORCPT + 99 others); Wed, 19 Jul 2023 18:47:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230008AbjGSWrc (ORCPT ); Wed, 19 Jul 2023 18:47:32 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0BA0D2100; Wed, 19 Jul 2023 15:47:31 -0700 (PDT) Date: Wed, 19 Jul 2023 22:47:28 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1689806849; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=l4RWhdAWwsWIa+mFZoxytst7jOZo6c9Bbjl4iU8esLI=; b=VGLkbx8baCev3l2k0sZMtCq2NIRl7h7ilf90PliOJk3Gc/RPxC/5jArSeQQTd1nf01+T2I GZKT3hsA82gcv+UVSflsRyz6H63+DkC+ANrEso9oN6QvEo1hzwOlLSvX0Cctubm0/Zt36k VaPWYvU/6k6W0mtj4fewrbvbQ4gTGb+MkD6rJDQJfhsBYLTt4ntxE7bF0lcBYmePGxTHtr 0KmdRUcBa98IktxvmYk6GkrN65xRBlb55ei7QhHoBnwtBMhQc6oa2TqpV+WlStir947QSf ZgRWnPNIK/wgfVx3KxQbww2mvYq2nldX0N2jL56NbYysJl6PA7mL/ZYlolI81A== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1689806849; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=l4RWhdAWwsWIa+mFZoxytst7jOZo6c9Bbjl4iU8esLI=; b=AKvzT7gRTnPseYdiAv0ZPYWMU5CWRSTaMghqrNiRLyw6WY5egFzcAw4XpONxa1T4e7EH+b rOHlqfOK38hRrsBw== From: "tip-bot2 for Rick Edgecombe" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/shstk] x86/shstk: Support WRSS for userspace Cc: Rick Edgecombe , Dave Hansen , "Borislav Petkov (AMD)" , Kees Cook , "Mike Rapoport (IBM)" , Pengfei Xu , John Allen , x86@kernel.org, linux-kernel@vger.kernel.org MIME-Version: 1.0 Message-ID: <168980684880.28540.2080492141070689370.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1771891631745888236 X-GMAIL-MSGID: 1771891631745888236 The following commit has been merged into the x86/shstk branch of tip: Commit-ID: 6f0f8bc06e6a0da3b5e23423fe9633820d99bf95 Gitweb: https://git.kernel.org/tip/6f0f8bc06e6a0da3b5e23423fe9633820d99bf95 Author: Rick Edgecombe AuthorDate: Mon, 12 Jun 2023 17:11:01 -07:00 Committer: Rick Edgecombe CommitterDate: Tue, 11 Jul 2023 14:13:24 -07:00 x86/shstk: Support WRSS for userspace For the current shadow stack implementation, shadow stacks contents can't easily be provisioned with arbitrary data. This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security. The x86 shadow stack feature introduces a new instruction, WRSS, which can be enabled to write directly to shadow stack memory from userspace. Allow it to get enabled via the prctl interface. Only enable the userspace WRSS instruction, which allows writes to userspace shadow stacks from userspace. Do not allow it to be enabled independently of shadow stack, as HW does not support using WRSS when shadow stack is disabled. >From a fault handler perspective, WRSS will behave very similar to WRUSS, which is treated like a user access from a #PF err code perspective. Signed-off-by: Rick Edgecombe Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook Link: https://lore.kernel.org/all/20230613001108.3040476-36-rick.p.edgecombe%40intel.com --- arch/x86/include/uapi/asm/prctl.h | 1 +- arch/x86/kernel/shstk.c | 43 +++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index 6a8e0e1..eedfde3 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -36,5 +36,6 @@ /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) +#define ARCH_SHSTK_WRSS (1ULL << 1) #endif /* _ASM_X86_PRCTL_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 04c37b3..ea0bf11 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -390,6 +390,47 @@ void shstk_free(struct task_struct *tsk) unmap_shadow_stack(shstk->base, shstk->size); } +static int wrss_control(bool enable) +{ + u64 msrval; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + /* + * Only enable WRSS if shadow stack is enabled. If shadow stack is not + * enabled, WRSS will already be disabled, so don't bother clearing it + * when disabling. + */ + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return -EPERM; + + /* Already enabled/disabled? */ + if (features_enabled(ARCH_SHSTK_WRSS) == enable) + return 0; + + fpregs_lock_and_load(); + rdmsrl(MSR_IA32_U_CET, msrval); + + if (enable) { + features_set(ARCH_SHSTK_WRSS); + msrval |= CET_WRSS_EN; + } else { + features_clr(ARCH_SHSTK_WRSS); + if (!(msrval & CET_WRSS_EN)) + goto unlock; + + msrval &= ~CET_WRSS_EN; + } + + wrmsrl(MSR_IA32_U_CET, msrval); + +unlock: + fpregs_unlock(); + + return 0; +} + static int shstk_disable(void) { if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) @@ -406,7 +447,7 @@ static int shstk_disable(void) fpregs_unlock(); shstk_free(current); - features_clr(ARCH_SHSTK_SHSTK); + features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS); return 0; }