Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3279962rwb; Mon, 3 Oct 2022 12:22:16 -0700 (PDT) X-Google-Smtp-Source: AMsMyM63JQBlnU/dc+ekeoP6nU3z9iReXY6+J33tYMmufcBaNyWkbdcKedVucK2J1XAxOQI8w3J4 X-Received: by 2002:a63:e806:0:b0:44b:d45b:b8a2 with SMTP id s6-20020a63e806000000b0044bd45bb8a2mr8299357pgh.14.1664824936681; Mon, 03 Oct 2022 12:22:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664824936; cv=none; d=google.com; s=arc-20160816; b=ZhHPymEUAe7AeXQV4zN0Vk5MWUuow0bNJyCyKCzrS0Lu5aq9RKITe3xWoXEctaWV4+ oLuqxmu0d6PDZvsEVRA2gD2r85yKOPipJ1MBaKMZBRsyuVqYL+1pvez3v3l8u3v78mvc H/1C3HBSTZ+G5rRdPHyP5smhrakVQl031mvd+HmKiQe1+7pUi8/Ii1fXpgvikTEzYMKI UAYNQoAGdXDUZipv7ASFpFDYlTTlFukdK7T/CbPEvcaCVGO0nK92DRWUYf4+7Yvbl1vc vX1unY7iiFzcJqG0Ygt1GjDNEk/betlOQcyE/+U/gwMgxmayl/NS+lJh8WhvQpCDT4B9 17KA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=jpaG3SrEmgSBAm16nhnpNwprOxeW2H3keLquV2/wBXQ=; b=RegIZ2Qo/45KQQyT+MpXy6jy8kT8odPsKEDr6SmZNx57l0WQLQhIht0nN32wp2uzXT M144NSk3HhX1/11t7Ax4wZR/3C9NBDHKqIW/I6hetQbD/jdbouKDlpC67Qtst7DInRYy 6edm+8uA1+mMZvsaI1LJLzUMyzolC830Hv0M+iB/GXsdCr99lxBJq7yExlPNRNdb22KJ HDvzT9QCun3feKp8WnoXr37FvO+/+VYZoj3Dyy4GJkjn/QoTicffID77J0qpDFNmWTsa S+AQmYOW5YiGi/lMNGT3P+9vkJk3XLEEYdnGdpHLI/I3/pU77Y0KeTkvhvKYp4l3STDf 5RdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=gEE5lkKG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j14-20020a170903024e00b001789f67b56bsi13533646plh.504.2022.10.03.12.22.02; Mon, 03 Oct 2022 12:22:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=gEE5lkKG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229683AbiJCTCH (ORCPT + 99 others); Mon, 3 Oct 2022 15:02:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229609AbiJCTCE (ORCPT ); Mon, 3 Oct 2022 15:02:04 -0400 Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 062752CE2C for ; Mon, 3 Oct 2022 12:02:02 -0700 (PDT) Received: by mail-pl1-x633.google.com with SMTP id d11so10497303pll.8 for ; Mon, 03 Oct 2022 12:02:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date; bh=jpaG3SrEmgSBAm16nhnpNwprOxeW2H3keLquV2/wBXQ=; b=gEE5lkKG7BExD++0qu/8MiwYA2SzP1xrc3xdMYGJ1kuzuMHTVOAP1I1fgKeMZMdIgO fjwcaKbKXaJuAOkAhjE9NgnG53BafRqFmKTVcg0QW8EknJ2kwabXqVFJxiVqBom2y3t3 IMeZGnsbBh1FGNURLn+pM7KSOLcfZzJycr5do= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date; bh=jpaG3SrEmgSBAm16nhnpNwprOxeW2H3keLquV2/wBXQ=; b=hDf6NQzNUCDCDvz/hf4DO8kjzxjjotTrvvyufOfIxZwtBLdvzsHkb4+W/xGn7YQp+V 34nNH1I5+6i10kXHEX1b0IVNV4P1CmlN/lZhPBynbhJ6Lm33jIrVe9g4fbTyjlm+dplX fINq2clskTYVw5zQeCOLRegnx6qnHEWd9wjeobmgtNPLYdQjDi3+mEHRtBZ5g+6qigAF ogXMij1idiMwP+0uwoi5hQddhJCZ17/kX+WGYgtUj/gzlWZhZoiYzuL3/esS1gcw6AZS 2aLGDDOiTwgdil/ueAbWMX3jugG+5/u4uo618BlLnqqu7u4+NJqI7Zyyf7V2a2mg8aWN 4hYw== X-Gm-Message-State: ACrzQf11bB/HMxKVkoIMjkcACsolvpfhtmIrZ61tntZLzgpysVtseOm6 o1TnYyRqnvSCUsI/QsHJtFIHXw== X-Received: by 2002:a17:902:d2c6:b0:17f:592b:35dd with SMTP id n6-20020a170902d2c600b0017f592b35ddmr6935870plc.172.1664823721399; Mon, 03 Oct 2022 12:02:01 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id s17-20020a170903215100b00173411a4385sm7536367ple.43.2022.10.03.12.02.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Oct 2022 12:02:00 -0700 (PDT) Date: Mon, 3 Oct 2022 12:01:59 -0700 From: Kees Cook To: Rick Edgecombe Cc: x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V . Shankar" , Weijiang Yang , "Kirill A . Shutemov" , joao.moreira@intel.com, John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com Subject: Re: [PATCH v2 23/39] x86: Introduce userspace API for CET enabling Message-ID: <202210031141.0E0DE2CAEE@keescook> References: <20220929222936.14584-1-rick.p.edgecombe@intel.com> <20220929222936.14584-24-rick.p.edgecombe@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220929222936.14584-24-rick.p.edgecombe@intel.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 29, 2022 at 03:29:20PM -0700, Rick Edgecombe wrote: > From: "Kirill A. Shutemov" > > Add three new arch_prctl() handles: > > - ARCH_CET_ENABLE/DISABLE enables or disables the specified > feature. Returns 0 on success or an error. > > - ARCH_CET_LOCK prevents future disabling or enabling of the > specified feature. Returns 0 on success or an error > > The features are handled per-thread and inherited over fork(2)/clone(2), > but reset on exec(). > > This is preparation patch. It does not impelement any features. typo: "implement" > > Signed-off-by: Kirill A. Shutemov > [tweaked with feedback from tglx] > Co-developed-by: Rick Edgecombe > Signed-off-by: Rick Edgecombe > > --- > > v2: > - Only allow one enable/disable per call (tglx) > - Return error code like a normal arch_prctl() (Alexander Potapenko) > - Make CET only (tglx) > > arch/x86/include/asm/cet.h | 20 ++++++++++++++++ > arch/x86/include/asm/processor.h | 3 +++ > arch/x86/include/uapi/asm/prctl.h | 6 +++++ > arch/x86/kernel/process.c | 4 ++++ > arch/x86/kernel/process_64.c | 5 +++- > arch/x86/kernel/shstk.c | 38 +++++++++++++++++++++++++++++++ > 6 files changed, 75 insertions(+), 1 deletion(-) > create mode 100644 arch/x86/include/asm/cet.h > create mode 100644 arch/x86/kernel/shstk.c > > diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h > new file mode 100644 > index 000000000000..0fa4dbc98c49 > --- /dev/null > +++ b/arch/x86/include/asm/cet.h > @@ -0,0 +1,20 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +#ifndef _ASM_X86_CET_H > +#define _ASM_X86_CET_H > + > +#ifndef __ASSEMBLY__ > +#include > + > +struct task_struct; > + > +#ifdef CONFIG_X86_SHADOW_STACK > +long cet_prctl(struct task_struct *task, int option, > + unsigned long features); > +#else > +static inline long cet_prctl(struct task_struct *task, int option, > + unsigned long features) { return -EINVAL; } > +#endif /* CONFIG_X86_SHADOW_STACK */ > + > +#endif /* __ASSEMBLY__ */ > + > +#endif /* _ASM_X86_CET_H */ > diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h > index 356308c73951..a92bf76edafe 100644 > --- a/arch/x86/include/asm/processor.h > +++ b/arch/x86/include/asm/processor.h > @@ -530,6 +530,9 @@ struct thread_struct { > */ > u32 pkru; > > + unsigned long features; > + unsigned long features_locked; Should these be wrapped in #ifdef CONFIG_X86_SHADOW_STACK (or CONFIG_X86_CET) ? Also, just named "features"? Is this expected to be more than CET? > + > /* Floating point and extended processor state */ > struct fpu fpu; > /* > diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h > index 500b96e71f18..028158e35269 100644 > --- a/arch/x86/include/uapi/asm/prctl.h > +++ b/arch/x86/include/uapi/asm/prctl.h > @@ -20,4 +20,10 @@ > #define ARCH_MAP_VDSO_32 0x2002 > #define ARCH_MAP_VDSO_64 0x2003 > > +/* Don't use 0x3001-0x3004 because of old glibcs */ > + > +#define ARCH_CET_ENABLE 0x4001 > +#define ARCH_CET_DISABLE 0x4002 > +#define ARCH_CET_LOCK 0x4003 > + > #endif /* _ASM_X86_PRCTL_H */ > diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c > index 58a6ea472db9..034880311e6b 100644 > --- a/arch/x86/kernel/process.c > +++ b/arch/x86/kernel/process.c > @@ -367,6 +367,10 @@ void arch_setup_new_exec(void) > task_clear_spec_ssb_noexec(current); > speculation_ctrl_update(read_thread_flags()); > } > + > + /* Reset thread features on exec */ > + current->thread.features = 0; > + current->thread.features_locked = 0; Same ifdef question here. > } > > #ifdef CONFIG_X86_IOPL_IOPERM > diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c > index 1962008fe743..8fa2c2b7de65 100644 > --- a/arch/x86/kernel/process_64.c > +++ b/arch/x86/kernel/process_64.c > @@ -829,7 +829,10 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) > case ARCH_MAP_VDSO_64: > return prctl_map_vdso(&vdso_image_64, arg2); > #endif > - > + case ARCH_CET_ENABLE: > + case ARCH_CET_DISABLE: > + case ARCH_CET_LOCK: > + return cet_prctl(task, option, arg2); > default: > ret = -EINVAL; > break; I remain annoyed that prctl interfaces didn't use -ENOTSUP for "unknown option". :P > diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c > new file mode 100644 > index 000000000000..e3276ac9e9b9 > --- /dev/null > +++ b/arch/x86/kernel/shstk.c I think the Makefile addition should be moved from "x86/cet/shstk: Add user-mode shadow stack support" to here, yes? Otherwise, there is a bisectability randconfig-with-CONFIG_X86_SHADOW_STACK risk here (nothing will implement "cet_prctl"). > @@ -0,0 +1,38 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * shstk.c - Intel shadow stack support > + * > + * Copyright (c) 2021, Intel Corporation. > + * Yu-cheng Yu > + */ > + > +#include > +#include > +#include > + > +long cet_prctl(struct task_struct *task, int option, unsigned long features) > +{ > + if (option == ARCH_CET_LOCK) { > + task->thread.features_locked |= features; > + return 0; > + } > + > + /* Don't allow via ptrace */ > + if (task != current) > + return -EINVAL; ... but locking _is_ allowed via ptrace? If that intended, it should be explicitly mentioned in the commit log and in a comment here. Also, perhaps -ESRCH ? > + > + /* Do not allow to change locked features */ > + if (features & task->thread.features_locked) > + return -EPERM; > + > + /* Only support enabling/disabling one feature at a time. */ > + if (hweight_long(features) > 1) > + return -EINVAL; Perhaps -E2BIG ? > + if (option == ARCH_CET_DISABLE) { > + return -EINVAL; > + } > + > + /* Handle ARCH_CET_ENABLE */ > + return -EINVAL; > +} > -- > 2.17.1 > -- Kees Cook