From: Yu-cheng Yu
To: x86@kernel.org, "H. Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H.J. Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, "Ravi V. Shankar", Dave Martin, Weijiang Yang, Pengfei Xu, Haitao Huang, Rick P Edgecombe
Cc: Yu-cheng Yu
Subject: [PATCH v30 03/10] x86/cet/ibt: Handle signals for Indirect Branch Tracking
Date: Mon, 30 Aug 2021 11:22:14 -0700
Message-Id: <20210830182221.3535-4-yu-cheng.yu@intel.com>
In-Reply-To: <20210830182221.3535-1-yu-cheng.yu@intel.com>
References: <20210830182221.3535-1-yu-cheng.yu@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The IBT state machine tracks CALL/JMP instructions. When such an instruction is executed and before arriving at an ENDBR, it is in the WAIT_FOR_ENDBR state, which can be read from the CET_WAIT_ENDBR bit of MSR_IA32_U_CET. Further details are described in Intel SDM Vol. 1, Sec. 18.3.

In handling signals, the WAIT_FOR_ENDBR state is saved/restored with a new UC_WAIT_ENDBR flag being introduced.

A legacy IA32 signal frame does not have a ucontext, and cannot be supported with a uc flag. Thus, the IBT feature is not supported for ia32 apps, which is handled in a separate patch.
Signed-off-by: Yu-cheng Yu Cc: Andy Lutomirski Cc: Cyrill Gorcunov Cc: Florian Weimer Cc: H. Peter Anvin Cc: Kees Cook Link: https://lore.kernel.org/linux-api/f6e61dae-9805-c855-8873-7481ceb7ea79@intel.com/ --- arch/x86/ia32/ia32_signal.c | 15 ++++++++-- arch/x86/include/asm/cet.h | 4 +++ arch/x86/include/uapi/asm/ucontext.h | 5 ++++ arch/x86/kernel/ibt.c | 41 ++++++++++++++++++++++++++++ arch/x86/kernel/signal.c | 6 ++++ 5 files changed, 68 insertions(+), 3 deletions(-) diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index d7a30bc98e66..77d0fa90cc19 100644 --- a/arch/x86/ia32/ia32_signal.c +++ b/arch/x86/ia32/ia32_signal.c @@ -129,6 +129,7 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn) { struct pt_regs *regs = current_pt_regs(); struct rt_sigframe_ia32 __user *frame; + unsigned int uc_flags; sigset_t set; frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); @@ -137,6 +138,11 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn) goto badframe; if (__get_user(set.sig[0], (__u64 __user *)&frame->uc.uc_sigmask)) goto badframe; + if (__get_user(uc_flags, &frame->uc.uc_flags)) + goto badframe; + + if (uc_flags & UC_WAIT_ENDBR) + ibt_set_wait_endbr(); set_current_blocked(&set); @@ -312,6 +318,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, compat_sigset_t *set, struct pt_regs *regs) { struct rt_sigframe_ia32 __user *frame; + unsigned int uc_flags = 0; void __user *restorer; void __user *fp = NULL; @@ -339,6 +346,9 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, if (setup_signal_shadow_stack(1, restorer)) return -EFAULT; + if (ibt_get_clear_wait_endbr()) + uc_flags |= UC_WAIT_ENDBR; + if (!user_access_begin(frame, sizeof(*frame))) return -EFAULT; 
@@ -348,9 +358,8 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, /* Create the ucontext. */ if (static_cpu_has(X86_FEATURE_XSAVE)) - unsafe_put_user(UC_FP_XSTATE, &frame->uc.uc_flags, Efault); - else - unsafe_put_user(0, &frame->uc.uc_flags, Efault); + uc_flags |= UC_FP_XSTATE; + unsafe_put_user(uc_flags, &frame->uc.uc_flags, Efault); unsafe_put_user(0, &frame->uc.uc_link, Efault); unsafe_compat_save_altstack(&frame->uc.uc_stack, regs->sp, Efault); diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h index bc04b2d3487d..152c717c9cdb 100644 --- a/arch/x86/include/asm/cet.h +++ b/arch/x86/include/asm/cet.h @@ -43,9 +43,13 @@ static inline int restore_signal_shadow_stack(void) { return 0; } #ifdef CONFIG_X86_IBT int ibt_setup(void); void ibt_disable(void); +int ibt_get_clear_wait_endbr(void); +int ibt_set_wait_endbr(void); #else static inline int ibt_setup(void) { return 0; } static inline void ibt_disable(void) {} +static inline int ibt_get_clear_wait_endbr(void) { return 0; } +static inline int ibt_set_wait_endbr(void) { return 0; } #endif #ifdef CONFIG_X86_SHADOW_STACK diff --git a/arch/x86/include/uapi/asm/ucontext.h b/arch/x86/include/uapi/asm/ucontext.h index 5657b7a49f03..905419de2cc7 100644 --- a/arch/x86/include/uapi/asm/ucontext.h +++ b/arch/x86/include/uapi/asm/ucontext.h @@ -51,6 +51,11 @@ #define UC_STRICT_RESTORE_SS 0x4 #endif +/* + * Indicates IBT WAIT-ENDBR status. + */ +#define UC_WAIT_ENDBR 0x08 + #include #endif /* _ASM_X86_UCONTEXT_H */ diff --git a/arch/x86/kernel/ibt.c b/arch/x86/kernel/ibt.c index 4ab7af33b274..5ab8632a1f7e 100644 --- a/arch/x86/kernel/ibt.c +++ b/arch/x86/kernel/ibt.c 
@@ -56,3 +56,44 @@ void ibt_disable(void) ibt_set_clear_msr_bits(0, CET_ENDBR_EN); current->thread.shstk.ibt = 0; } + +int ibt_get_clear_wait_endbr(void) +{ + u64 msr_val = 0; + + if (!current->thread.shstk.ibt) + return 0; + + fpregs_lock(); + + if (!test_thread_flag(TIF_NEED_FPU_LOAD)) { + if (!rdmsrl_safe(MSR_IA32_U_CET, &msr_val)) + wrmsrl(MSR_IA32_U_CET, msr_val & ~CET_WAIT_ENDBR); + } else { + struct cet_user_state *cet; + + /* + * If !TIF_NEED_FPU_LOAD and get_xsave_addr() returns zero, + * XFEATURE_CET_USER is in init state (cet is not active). + * Return zero status. + */ + cet = get_xsave_addr(¤t->thread.fpu.state.xsave, + XFEATURE_CET_USER); + if (cet) { + msr_val = cet->user_cet; + cet->user_cet = msr_val & ~CET_WAIT_ENDBR; + } + } + + fpregs_unlock(); + + return msr_val & CET_WAIT_ENDBR; +} + +int ibt_set_wait_endbr(void) +{ + if (!current->thread.shstk.ibt) + return 0; + + return ibt_set_clear_msr_bits(CET_WAIT_ENDBR, 0); +} diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 661e46803b84..a1285650852e 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -135,6 +135,9 @@ static int restore_sigcontext(struct pt_regs *regs, */ if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) && user_64bit_mode(regs))) force_valid_ss(regs); + + if (uc_flags & UC_WAIT_ENDBR) + ibt_set_wait_endbr(); #endif return fpu__restore_sig((void __user *)sc.fpstate, @@ -455,6 +458,9 @@ static unsigned long frame_uc_flags(struct pt_regs *regs) if (likely(user_64bit_mode(regs))) flags |= UC_STRICT_RESTORE_SS; + if (ibt_get_clear_wait_endbr()) + flags |= UC_WAIT_ENDBR; + return flags; } -- 2.21.0
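Review bot: the ia32 rt_sigreturn hunk (arch/x86/ia32/ia32_signal.c, @@ -137,6 +138,11 @@) discards the return value of ibt_set_wait_endbr(), while every other failure in that function goes to badframe; either propagate a non-zero result to badframe or make the helper void so the contract is explicit. The commit message also says IBT is not supported for ia32 apps and is handled in a separate patch, so one sentence on why the compat sigreturn path still needs to honour UC_WAIT_ENDBR would help the reader. Because uc_flags is read from the user frame, a forged UC_WAIT_ENDBR can only tighten the state (the next indirect branch must land on an ENDBR), so there is no weakening of IBT here; worth stating in a comment next to the check.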
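Review bot: in ia32_setup_rt_frame (arch/x86/ia32/ia32_signal.c, @@ -339,6 +346,9 @@) ibt_get_clear_wait_endbr() clears the hardware WAIT_FOR_ENDBR state before user_access_begin() has been checked, so a -EFAULT on the next line loses the state without it having been written to the frame. That is acceptable only because a frame setup failure ends in a fatal signal; add a comment above the call saying so, since the ordering is otherwise surprising when compared with the reads of uc_flags that happen later in the same function.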
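Review bot: in the arch/x86/include/asm/cet.h hunk, ibt_set_wait_endbr() is declared to return int, but both callers added in this patch (the ia32 rt_sigreturn and restore_sigcontext()) ignore the result; either have the callers fail the sigreturn when the MSR update fails, or declare it void so the stub and the real implementation carry the same contract. ibt_get_clear_wait_endbr() returns the raw masked MSR bit as an int; returning bool would describe what callers actually test (`if (ibt_get_clear_wait_endbr())`).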
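Review bot: the arch/x86/include/uapi/asm/ucontext.h hunk introduces a uapi flag with only "Indicates IBT WAIT-ENDBR status." as documentation; since this becomes ABI, the comment should state both directions of the contract: the kernel sets UC_WAIT_ENDBR in uc_flags when the interrupted task was in the WAIT_FOR_ENDBR state, and sigreturn re-enters that state when the flag is set in the frame. Style: the neighbouring definition in the context is `#define UC_STRICT_RESTORE_SS 0x4`, so `0x8` rather than `0x08` keeps the series consistent.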
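Review bot: in the arch/x86/kernel/ibt.c hunk (@@ -56,3 +56,44 @@) the comment in the else branch of ibt_get_clear_wait_endbr() reads "If !TIF_NEED_FPU_LOAD and get_xsave_addr() returns zero", but that branch executes when TIF_NEED_FPU_LOAD is set (the registers live in the xsave buffer, not the CPU); the polarity in the comment is inverted and should be fixed. In the other branch a failing rdmsrl_safe() leaves msr_val at 0 and silently reports "not waiting" while skipping the write-back; if the MSR read cannot fail once thread.shstk.ibt is set, a plain rdmsrl() (or a WARN_ON_ONCE on failure) makes that expectation visible. The wrmsrl() there also runs unconditionally even when CET_WAIT_ENDBR is already clear, which can be skipped.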
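Review bot: in restore_sigcontext() (arch/x86/kernel/signal.c, @@ -135,6 +135,9 @@) the ibt_set_wait_endbr() call is placed under the same #ifdef that guards force_valid_ss() and runs before fpu__restore_sig(); if the fpstate restore then fails, the task has already been put into WAIT_FOR_ENDBR with a rejected frame (it is killed anyway, but the order is not obvious). Either move the call after a successful fpu__restore_sig() or add a comment explaining why the order is safe, and check the helper's return value as the rest of the function does for sigcontext fields.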
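Review bot: frame_uc_flags() (arch/x86/kernel/signal.c, @@ -455,6 +458,9 @@) stops being a pure query once it calls ibt_get_clear_wait_endbr(): it now clears hardware state as a side effect, so it must be called exactly once per delivered signal and before the frame is written, otherwise the bit is lost or reported twice. Add a comment on the function stating that side effect (or fold the clear into the frame setup path next to the user_access_begin() call, mirroring the ia32 hunk), so future callers do not use it as a plain getter.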