Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp690363pxm; Thu, 3 Mar 2022 02:38:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJzEf8V8U1R1QoKotJEq9CqqwILZ3jzPCMssrvfo+WEMqE5FKUat6o407Ls2n6v6W8zCLX1Y X-Received: by 2002:a17:907:608b:b0:6da:8fa8:27e8 with SMTP id ht11-20020a170907608b00b006da8fa827e8mr1748080ejc.168.1646303915249; Thu, 03 Mar 2022 02:38:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646303915; cv=none; d=google.com; s=arc-20160816; b=DM2g5h3bVfId2phiRn+ey/Psl3UrNgFno6q17lJmeKtPJNSJPjynW9VxujY9BWChXt tAraCcHyktQ77EBO7xWvWKfHAPF7ZjKiSA5nYFuZxAYnazEABI+a8SxMseERMYQWeKHh Lp8/nPOSwl4dA+69vDCZMMml9Bzbb17/eI639u4daproezWdfDyXX238/RayQMYlObHv Pa1qyKw6HUOzN6ADYzkdCL1nX7JyHrc2DzxgaEESWMfUJJmcrFZbc1/iboaY47h63CWY Yi95dDL2lnQqhSLBXwtfH9P5fzCjtJ1lWZZK3NoHoaU2jDHUUy1pQeazu7WlEsRwWJWo /7WQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from; bh=0OzXvk+hEWtizKqZ64TaS2ghTNs8p15/Q6vuCqSP2ks=; b=GJ4R+fIQB+7bnpJbGS8sAcyBBD/E4nNyLbW08yxUmMPuUULYMa7clYZ7IFaSime8aB PUGtwijZ3FUxjPVcC+HMfv8GeKngOg963dFYk2uPwrf1wUICsnM/2qLUxh3MumrFeVXy IWFPb2y2XI8eVhaEAW5nFc6zwfm4Myn/2vmpJCg/ZQfpnbcXSBiRuQXsU8s65G+ej9U0 8L8YR5cMgKxUaPS8B8w6TohJrVQxM6NdGCpMX3kzJlVBzdXISDztdVOxkPUhrIyBKkzX tPy3CBPaqo8fENHrJ383bk9c1EHoCymvdHkl6wZRoeKFB5o88fp/3xsE+fULFp9YqwAl GsIg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hs22-20020a1709073e9600b006da94d2e6c4si700006ejc.934.2022.03.03.02.38.11; Thu, 03 Mar 2022 02:38:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230252AbiCCHo0 (ORCPT + 99 others); Thu, 3 Mar 2022 02:44:26 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229588AbiCCHoZ (ORCPT ); Thu, 3 Mar 2022 02:44:25 -0500 Received: from out30-56.freemail.mail.aliyun.com (out30-56.freemail.mail.aliyun.com [115.124.30.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A3257154D01; Wed, 2 Mar 2022 23:43:38 -0800 (PST) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R101e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04400;MF=ashimida@linux.alibaba.com;NM=1;PH=DS;RN=24;SR=0;TI=SMTPD_---0V66atZ3_1646293404; Received: from localhost(mailfrom:ashimida@linux.alibaba.com fp:SMTPD_---0V66atZ3_1646293404) by smtp.aliyun-inc.com(127.0.0.1); Thu, 03 Mar 2022 15:43:33 +0800 From: Dan Li To: akpm@linux-foundation.org, arnd@arndb.de, catalin.marinas@arm.com, ashimida@linux.alibaba.com, gregkh@linuxfoundation.org, linux@roeck-us.net, keescook@chromium.org, luc.vanoostenryck@gmail.com, elver@google.com, mark.rutland@arm.com, masahiroy@kernel.org, ojeda@kernel.org, nathan@kernel.org, npiggin@gmail.com, ndesaulniers@google.com, samitolvanen@google.com, shuah@kernel.org, tglx@linutronix.de, will@kernel.org Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH v3 1/2] AARCH64: Add gcc Shadow Call Stack support Date: Wed, 2 Mar 2022 23:43:23 -0800 Message-Id: <20220303074323.86282-1-ashimida@linux.alibaba.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220303073340.86008-1-ashimida@linux.alibaba.com> References: <20220303073340.86008-1-ashimida@linux.alibaba.com> X-Spam-Status: No, score=-9.9 required=5.0 tests=BAYES_00, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Shadow call stacks will be available in GCC >= 12, this patch makes the corresponding kernel configuration available when compiling the kernel with the gcc. Note that the implementation in GCC is slightly different from Clang. With SCS enabled, functions will only pop x30 once in the epilogue, like: str x30, [x18], #8 stp x29, x30, [sp, #-16]! ...... - ldp x29, x30, [sp], #16 //clang + ldr x29, [sp], #16 //GCC ldr x30, [x18, #-8]! Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e Reviewed-by: Nathan Chancellor Reviewed-by: Kees Cook Reviewed-by: Nick Desaulniers Signed-off-by: Dan Li --- arch/Kconfig | 19 ++++++++++--------- arch/arm64/Kconfig | 2 +- include/linux/compiler-gcc.h | 4 ++++ 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/arch/Kconfig b/arch/Kconfig index 678a80713b21..cbbe824fe8b2 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -599,21 +599,22 @@ config STACKPROTECTOR_STRONG config ARCH_SUPPORTS_SHADOW_CALL_STACK bool help - An architecture should select this if it supports Clang's Shadow - Call Stack and implements runtime support for shadow stack + An architecture should select this if it supports the compiler's + Shadow Call Stack and implements runtime support for shadow stack switching. config SHADOW_CALL_STACK - bool "Clang Shadow Call Stack" - depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK + bool "Shadow Call Stack" + depends on ARCH_SUPPORTS_SHADOW_CALL_STACK depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER help - This option enables Clang's Shadow Call Stack, which uses a - shadow stack to protect function return addresses from being - overwritten by an attacker. More information can be found in - Clang's documentation: + This option enables the compiler's Shadow Call Stack, which + uses a shadow stack to protect function return addresses from + being overwritten by an attacker. More information can be found + in the compiler's documentation: - https://clang.llvm.org/docs/ShadowCallStack.html + - Clang: https://clang.llvm.org/docs/ShadowCallStack.html + - GCC: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options Note that security guarantees in the kernel differ from the ones documented for user space. The kernel must store addresses diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 09b885cc4db5..b7145337efae 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1255,7 +1255,7 @@ config HW_PERF_EVENTS config ARCH_HAS_FILTER_PGPROT def_bool y -# Supported by clang >= 7.0 +# Supported by clang >= 7.0 or GCC >= 12.0.0 config CC_HAVE_SHADOW_CALL_STACK def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18) diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index ccbbd31b3aae..deff5b308470 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -97,6 +97,10 @@ #define KASAN_ABI_VERSION 4 #endif +#ifdef CONFIG_SHADOW_CALL_STACK +#define __noscs __attribute__((__no_sanitize__("shadow-call-stack"))) +#endif + #if __has_attribute(__no_sanitize_address__) #define __no_sanitize_address __attribute__((no_sanitize_address)) #else -- 2.17.1