From patchwork Wed Aug 2 22:19:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner X-Patchwork-Id: 130234 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9f41:0:b0:3e4:2afc:c1 with SMTP id v1csp808948vqx; Wed, 2 Aug 2023 17:11:16 -0700 (PDT) X-Google-Smtp-Source: APBJJlFJ+MDFlwiwS39OuAljgw59n9LLHZGLRk4UayH4kCJfsqCunyAF4CEze7DEbhNQz4FnNcdP X-Received: by 2002:a05:6a21:32a4:b0:134:76d6:7f7 with SMTP id yt36-20020a056a2132a400b0013476d607f7mr19111312pzb.4.1691021475875; Wed, 02 Aug 2023 17:11:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691021475; cv=none; d=google.com; s=arc-20160816; b=uAaF12L41P1tlBtmE6I6Q5IOp1d1pWUs32twRwRcBM0yF36ERNmRcVRP0LGYPKeJXS 7WGcPwC902sWy7P1bPY6FL9tVwh6Ou26E24y8AtWXrfF/ATcHZn9/0plUDEfUbhlYH2Q f48enJiCN3cdaTm14DO+i0XCgh97rQYDxch3/ePJYRbvzN6gE6f4cFSnuCyUlKt7UXUn K0f11tQBzbVaZnNLEwf03xTp8jnidnB5vQ5z4/5EZOdxzsNMrf4TsAmhUjFDK9AG6O34 7ToQGz6vVuAVZLkH5h7FnYhNxnmf68Q8Y1J13vVLNV16AiUBiulEWQbOpfln5vwLq/nP V5Bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:cc:subject:to:reply-to:sender:from :dkim-signature:dkim-signature:date; bh=Qc8dc1TtOiTEmrN/QriOa6izinwXsZpTOnL3vHZnwlw=; fh=TP5hGXUss9NVznuLhHn29IY8s2b42GYJvI6UwvTtDG8=; b=EoyZ8QQ2Kw46DNA0YLUOvLuw7z99/n5R/XLoZEDt+ziBRz4tvu1Mm2TEjEm+dfVtAN iu58jfkql36pAyqjSGP+fBfvKc1WLGV30y808XyzC9r8HXjB73mBSg8zveXQr+0CnoC9 RmLBW34rJaMzUaxZQRCrXMU4M6g+s9Dm7Cn9nptiyhN0T4GjpK2CjKcZCagU3z4KnSuB s7nu7gg1ztwwN+p8dni8WNQWhXCQdIhPdypMfGxvm40U5eOahjaqqrrH4dhRVZod2FwR 7CtfgQkn4+TK391S8rE6rsP1Dfzxrle0SKvdqlmQKFy9HNTlW1VdLOkntvvSShvIVHHn Qf2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=bv1u3jp8; dkim=neutral (no key) header.i=@linutronix.de header.b=UgVV5Pp9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b26-20020a6567da000000b0056428dcea78si8401142pgs.17.2023.08.02.17.11.02; Wed, 02 Aug 2023 17:11:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=bv1u3jp8; dkim=neutral (no key) header.i=@linutronix.de header.b=UgVV5Pp9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233959AbjHBWUO (ORCPT + 99 others); Wed, 2 Aug 2023 18:20:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60274 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232708AbjHBWTf (ORCPT ); Wed, 2 Aug 2023 18:19:35 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8A798272E; Wed, 2 Aug 2023 15:19:32 -0700 (PDT) Date: Wed, 02 Aug 2023 22:19:30 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1691014771; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Qc8dc1TtOiTEmrN/QriOa6izinwXsZpTOnL3vHZnwlw=; b=bv1u3jp845xC/MG4rP6MggVWlwrfNg9B+o/LlEESH6FW/fnhPIE6Mk96zyqmbFeV/fBYKi CB6gVJT+co5dIhfPYknrmvFKYGM2oFQiIFBZvosejwWmdHeAKEQBHHMhRdQ3rFM3Parcwi 0aOOoOA9Szi5xBseNRnUpqBtXAe9XBD6OCQ1TpXNTPFC60mJF2ZU7Vwd/pE7mXfVKtAXH4 sZPKrwQMoksVjkdwK3Wq6XxGoJGHhLjBoZ35yD0xJ04JgXj2vXd2BSzr6aptt36mI5/TlX kMIehZZnbg9VQjRhFM9nQs3Nu6P1rgWl9dUch0zkTUQ8jLvfrmHCSAbq1lQK6Q== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1691014771; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Qc8dc1TtOiTEmrN/QriOa6izinwXsZpTOnL3vHZnwlw=; b=UgVV5Pp9hV6jS1Vn+VtSG41LqGuQ7JbupYsvPUYpn+yNNusvCp36OGIQKJvi0JsSbIuRQp CKlAQfNJKMqG04Dg== From: "tip-bot2 for Rick Edgecombe" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/shstk] x86/shstk: Support WRSS for userspace Cc: Rick Edgecombe , Dave Hansen , "Borislav Petkov (AMD)" , Kees Cook , "Mike Rapoport (IBM)" , Pengfei Xu , John Allen , x86@kernel.org, linux-kernel@vger.kernel.org MIME-Version: 1.0 Message-ID: <169101477014.28540.12975244459079622614.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1773164535122972416 X-GMAIL-MSGID: 1773164535122972416 The following commit has been merged into the x86/shstk branch of tip: Commit-ID: 1d62c65372ab08599e4cf24af83d004434087ada Gitweb: https://git.kernel.org/tip/1d62c65372ab08599e4cf24af83d004434087ada Author: Rick Edgecombe AuthorDate: Mon, 12 Jun 2023 17:11:01 -07:00 Committer: Dave Hansen CommitterDate: Wed, 02 Aug 2023 15:01:51 -07:00 x86/shstk: Support WRSS for userspace For the current shadow stack implementation, shadow stacks contents can't easily be provisioned with arbitrary data. This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security. The x86 shadow stack feature introduces a new instruction, WRSS, which can be enabled to write directly to shadow stack memory from userspace. Allow it to get enabled via the prctl interface. Only enable the userspace WRSS instruction, which allows writes to userspace shadow stacks from userspace. Do not allow it to be enabled independently of shadow stack, as HW does not support using WRSS when shadow stack is disabled. >From a fault handler perspective, WRSS will behave very similar to WRUSS, which is treated like a user access from a #PF err code perspective. Signed-off-by: Rick Edgecombe Signed-off-by: Dave Hansen Reviewed-by: Borislav Petkov (AMD) Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook Link: https://lore.kernel.org/all/20230613001108.3040476-36-rick.p.edgecombe%40intel.com --- arch/x86/include/uapi/asm/prctl.h | 1 +- arch/x86/kernel/shstk.c | 43 +++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index 6a8e0e1..eedfde3 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -36,5 +36,6 @@ /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) +#define ARCH_SHSTK_WRSS (1ULL << 1) #endif /* _ASM_X86_PRCTL_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 04c37b3..ea0bf11 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -390,6 +390,47 @@ void shstk_free(struct task_struct *tsk) unmap_shadow_stack(shstk->base, shstk->size); } +static int wrss_control(bool enable) +{ + u64 msrval; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + /* + * Only enable WRSS if shadow stack is enabled. If shadow stack is not + * enabled, WRSS will already be disabled, so don't bother clearing it + * when disabling. + */ + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return -EPERM; + + /* Already enabled/disabled? */ + if (features_enabled(ARCH_SHSTK_WRSS) == enable) + return 0; + + fpregs_lock_and_load(); + rdmsrl(MSR_IA32_U_CET, msrval); + + if (enable) { + features_set(ARCH_SHSTK_WRSS); + msrval |= CET_WRSS_EN; + } else { + features_clr(ARCH_SHSTK_WRSS); + if (!(msrval & CET_WRSS_EN)) + goto unlock; + + msrval &= ~CET_WRSS_EN; + } + + wrmsrl(MSR_IA32_U_CET, msrval); + +unlock: + fpregs_unlock(); + + return 0; +} + static int shstk_disable(void) { if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) @@ -406,7 +447,7 @@ static int shstk_disable(void) fpregs_unlock(); shstk_free(current); - features_clr(ARCH_SHSTK_SHSTK); + features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS); return 0; }