Subject: Re: [PATCH v10 01/26] Documentation/x86: Add CET description
To: "H.J. Lu"
CC: Dave Hansen, Yu-cheng Yu, the arch/x86 maintainers, "H. Peter Anvin", Thomas Gleixner, Ingo Molnar, LKML, "open list:DOCUMENTATION", Linux-MM, linux-arch, Linux API, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, "Ravi V. Shankar", Vedvyas Shanbhogue, Dave Martin, Weijiang Yang
References: <20200429220732.31602-1-yu-cheng.yu@intel.com> <20200429220732.31602-2-yu-cheng.yu@intel.com> <5cc163ff9058d1b27778e5f0a016c88a3b1a1598.camel@intel.com> <44c055342bda4fb4730703f987ae35195d1d0c38.camel@intel.com> <32235ffc-6e6c-fb3d-80c4-a0478e2d0e0f@intel.com> <6272c481-af90-05c5-7231-3ba44ff9bd02@citrix.com>
From: Andrew Cooper
Date: Sat, 16 May 2020 15:09:22 +0100
List-ID: linux-kernel@vger.kernel.org

On 16/05/2020 03:37, H.J. Lu wrote:
> On Fri, May 15, 2020 at 5:13 PM Andrew Cooper wrote:
>> Finally, seeing as the question was asked but not answered, it is
>> actually quite easy to figure out whether shadow stacks are enabled in
>> the current thread.
>>
>>     mov $1, %eax
>>     rdsspd %eax
>
> This is for 32-bit mode.

It actually works for both, if all you need is a shstk yes/no check.
Usually, you also want SSP in the yes case, so substitute rdsspq %rax as
appropriate.

(On a tangent - binutils mandating the D/Q suffixes is very irritating
with mixed 32/64bit code because you have to #ifdef your instructions
despite the register operands being totally unambiguous. Also, D is the
wrong suffix for AT&T syntax, and should be L. Frankly - the Intel
manuals are wrong and should not have the operand size suffix included
in the opcode name, as they are consistent with all the other
instructions in this regard.)

> I use
>
>     /* Check if shadow stack is in use. */
>     xorl %esi, %esi
>     rdsspq %rsi
>     testq %rsi, %rsi
>     /* Normal return if shadow stack isn't in use. */
>     je L(no_shstk)

This is probably fine for user code, as I don't think it would be
legitimate for shstk to be enabled, with SSP being 0.

Sadly, the same is not true for kernel shadow stacks. SSP is 0 after
SYSCALL, SYSENTER and CLRSSBSY, and you've got to be careful to
re-establish the shadow stack before a CALL, interrupt or exception
tries pushing a word onto the shadow stack at 0xfffffffffffffff8.

It is a very good (lucky?) thing that frame is unmapped for other
reasons, because this corner case does not protect against multiple
threads/cores using the same shadow stack concurrently.

~Andrew
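The two probes discussed in this exchange, as an added C example (editor's code, not part of the thread or of the CET patch series). RDSSP is architecturally a NOP when shadow stacks are not enabled at the current privilege level, and its encoding sits in the reserved-NOP space, so it is also harmless on pre-CET CPUs; the sentinel form relies on exactly that. The `.byte` sequence is the encoding of `rdsspq %rax` (F3 REX.W 0F 1E /1 with ModRM C8), emitted that way only so the file assembles on toolchains without CET mnemonics. The sentinel value, the function names, the constructed SSP values, and the behaviour of the non-x86-64 fallback are assumptions of the example; the statement that SSP reads 0 in the kernel after SYSCALL is the poster's, quoted in the comments rather than verified here.

```c
/*
 * Added example (not from the thread or the CET patch series): probing
 * whether shadow stacks are active in the current thread with RDSSP, and
 * why preloading a sentinel beats testing for zero.
 */
#include <stdint.h>
#include <stdio.h>

/* SSP is 4- or 8-byte aligned when shadow stacks are on, so it can never read as 1. */
#define SHSTK_SENTINEL 1ULL

enum shstk_state { SHSTK_OFF = 0, SHSTK_ON = 1 };

/*
 * Sentinel-based classification (the "mov $1; rdssp" idiom): `before` is
 * what the register held when RDSSP executed, `after` what it holds now.
 * Unchanged means RDSSP was a NOP; anything else, including 0, is a real SSP.
 */
static enum shstk_state shstk_classify(uint64_t before, uint64_t after,
                                       uint64_t *ssp)
{
    if (after == before) {
        *ssp = 0;
        return SHSTK_OFF;
    }
    *ssp = after;
    return SHSTK_ON;
}

/*
 * The xorl/rdsspq/testq idiom quoted in the thread, as a classifier: it
 * cannot tell "disabled" from "enabled with SSP == 0", which the poster
 * says is the kernel's state after SYSCALL, SYSENTER and CLRSSBSY.
 */
static enum shstk_state shstk_classify_zero_test(uint64_t after)
{
    return after != 0 ? SHSTK_ON : SHSTK_OFF;
}

/*
 * Execute `rdsspq %rax` with rax preloaded to `seed`. Emitted as raw bytes
 * (F3 REX.W 0F 1E /1, ModRM C8 selects rax) so it assembles without CET
 * support in the assembler. On a pre-CET CPU, or with shadow stacks off,
 * the instruction is a NOP and rax keeps `seed`.
 */
static uint64_t rdsspq_probe(uint64_t seed)
{
#if defined(__x86_64__)
    uint64_t v = seed;
    __asm__ volatile(".byte 0xf3, 0x48, 0x0f, 0x1e, 0xc8" : "+a"(v));
    return v;
#else
    /* Assumption for non-x86-64 builds: behave as if RDSSP were a NOP. */
    return seed;
#endif
}

/* User-space check: SHSTK_ON with *ssp filled in when shadow stacks are active. */
static enum shstk_state shstk_enabled(uint64_t *ssp)
{
    return shstk_classify(SHSTK_SENTINEL, rdsspq_probe(SHSTK_SENTINEL), ssp);
}

int main(void)
{
    uint64_t ssp;

    if (shstk_enabled(&ssp) == SHSTK_ON)
        printf("shadow stack enabled, SSP = 0x%llx\n", (unsigned long long)ssp);
    else
        printf("shadow stack not enabled in this thread\n");

    /* Constructed register value: SSP reads 0 while shadow stacks are on. */
    printf("sentinel probe with SSP == 0: %s\n",
           shstk_classify(SHSTK_SENTINEL, 0, &ssp) == SHSTK_ON ? "enabled" : "disabled");
    printf("zero-test probe with SSP == 0: %s\n",
           shstk_classify_zero_test(0) == SHSTK_ON ? "enabled" : "disabled");
    return 0;
}
```

Run on a machine without CET, or with shadow stacks off for the process, the live probe reports "not enabled"; the two constructed cases show the sentinel classifier still saying "enabled" for SSP == 0 while the zero test says "disabled", which is the kernel corner case the reply warns about.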