Date: Thu, 16 Jan 2020 17:44:51 +0000
From: Will Deacon
To: Sami Tolvanen
Cc: Catalin Marinas, Steven Rostedt, Masami Hiramatsu, Ard Biesheuvel, Mark Rutland, Dave Martin, Kees Cook, Laura Abbott, Marc Zyngier, Nick Desaulniers, Jann Horn, Miguel Ojeda, Masahiro Yamada, clang-built-linux@googlegroups.com, kernel-hardening@lists.openwall.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 11/15] arm64: efi: restore x18 if it was corrupted
Message-ID: <20200116174450.GD21396@willie-the-truck>
References: <20191018161033.261971-1-samitolvanen@google.com> <20191206221351.38241-1-samitolvanen@google.com> <20191206221351.38241-12-samitolvanen@google.com>
In-Reply-To: <20191206221351.38241-12-samitolvanen@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 06, 2019 at 02:13:47PM -0800, Sami Tolvanen wrote:
> If we detect a corrupted x18 and SCS is enabled, restore the register
> before jumping back to instrumented code. This is safe, because the
> wrapper is called with preemption disabled and a separate shadow stack
> is used for interrupt handling.
>
> Signed-off-by: Sami Tolvanen
> Reviewed-by: Kees Cook
> --- > arch/arm64/kernel/efi-rt-wrapper.S | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/kernel/efi-rt-wrapper.S b/arch/arm64/kernel/efi-rt-wrapper.S > index 3fc71106cb2b..62f0260f5c17 100644 > --- a/arch/arm64/kernel/efi-rt-wrapper.S > +++ b/arch/arm64/kernel/efi-rt-wrapper.S
> @@ -34,5 +34,14 @@ ENTRY(__efi_rt_asm_wrapper) > ldp x29, x30, [sp], #32 > b.ne 0f > ret > -0: b efi_handle_corrupted_x18 // tail call > +0: > +#ifdef CONFIG_SHADOW_CALL_STACK > + /* > + * Restore x18 before returning to instrumented code. This is > + * safe because the wrapper is called with preemption disabled and > + * a separate shadow stack is used for interrupts. > + */ > + mov x18, x2 > +#endif

Why not restore it regardless of CONFIG_SHADOW_CALL_STACK?

Will
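Review bot: The "mov x18, x2" under "#ifdef CONFIG_SHADOW_CALL_STACK" depends on x2 still holding the x18 value saved before the firmware call, but nothing in the visible lines says what x2 contains; the new comment explains why restoring is safe, not where the value comes from. A few words in the comment naming x2 as the saved copy would keep that dependency from being lost if the earlier load is ever moved. The quoted hunk is also trimmed after "#endif", so it cannot be seen here whether the path that used to tail-call efi_handle_corrupted_x18 still reports the corruption once x18 has been put back; that is worth confirming, since a silent restore would hide a firmware bug that the old code surfaced. Doing the restore unconditionally would also leave a single return path to reason about instead of two that differ by config option.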