From: Yang Weijiang
To: seanjc@google.com, pbonzini@redhat.com, peterz@infradead.org, john.allen@amd.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, chao.gao@intel.com, binbin.wu@linux.intel.com, weijiang.yang@intel.com, Yu-cheng Yu, Borislav Petkov, Kees Cook, Mike Rapoport, Pengfei Xu
Subject: [PATCH v4 01/20] x86/cpufeatures: Add CPU feature flags for shadow stacks
Date: Thu, 20 Jul 2023 23:03:33 -0400
Message-Id: <20230721030352.72414-2-weijiang.yang@intel.com>
In-Reply-To: <20230721030352.72414-1-weijiang.yang@intel.com>
References: <20230721030352.72414-1-weijiang.yang@intel.com>

From: Rick Edgecombe

The Control-Flow Enforcement Technology contains two related features, one of which is Shadow Stacks. Future patches will utilize this feature for shadow stack support in KVM, so add a CPU feature flag for Shadow Stacks (CPUID.(EAX=7,ECX=0):ECX[bit 7]).

To protect shadow stack state from malicious modification, the registers are only accessible in supervisor mode. This implementation context-switches the registers with XSAVES. Make X86_FEATURE_SHSTK depend on XSAVES.

The shadow stack feature, enumerated by the CPUID bit described above, encompasses both supervisor and userspace support for shadow stack. In near future patches, only userspace shadow stack will be enabled. In expectation of future supervisor shadow stack support, create a software CPU capability to enumerate kernel utilization of userspace shadow stack support. This user shadow stack bit should depend on the HW "shstk" capability and that logic will be implemented in future patches.

Co-developed-by: Yu-cheng Yu
Signed-off-by: Yu-cheng Yu
Signed-off-by: Rick Edgecombe
Signed-off-by: Dave Hansen
Reviewed-by: Borislav Petkov (AMD)
Reviewed-by: Kees Cook
Acked-by: Mike Rapoport (IBM)
Tested-by: Pengfei Xu
Tested-by: John Allen
Tested-by: Kees Cook
Link: https://lore.kernel.org/all/20230613001108.3040476-9-rick.p.edgecombe%40intel.com
---
 arch/x86/include/asm/cpufeatures.h       | 2 ++
 arch/x86/include/asm/disabled-features.h | 8 +++++++-
 arch/x86/kernel/cpu/cpuid-deps.c         | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index cb8ca46213be..d7215c8b7923 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h
@@ -308,6 +308,7 @@ #define X86_FEATURE_MSR_TSX_CTRL (11*32+20) /* "" MSR IA32_TSX_CTRL (Intel) implemented */ #define X86_FEATURE_SMBA (11*32+21) /* "" Slow Memory Bandwidth Allocation */ #define X86_FEATURE_BMEC (11*32+22) /* "" Bandwidth Monitoring Event Configuration */ +#define X86_FEATURE_USER_SHSTK (11*32+23) /* Shadow stack support for user mode applications */ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ @@ -380,6 +381,7 @@ #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ #define X86_FEATURE_WAITPKG (16*32+ 5) /* UMONITOR/UMWAIT/TPAUSE Instructions */ #define X86_FEATURE_AVX512_VBMI2 (16*32+ 6) /* Additional AVX512 Vector Bit Manipulation Instructions */ +#define X86_FEATURE_SHSTK (16*32+ 7) /* "" Shadow stack */ #define X86_FEATURE_GFNI (16*32+ 8) /* Galois Field New Instructions */ #define X86_FEATURE_VAES (16*32+ 9) /* Vector AES */ #define X86_FEATURE_VPCLMULQDQ (16*32+10) /* Carry-Less Multiplication Double Quadword */ diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h index fafe9be7a6f4..b9c7eae2e70f 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -105,6 +105,12 @@ # define DISABLE_TDX_GUEST (1 << (X86_FEATURE_TDX_GUEST & 31)) #endif +#ifdef CONFIG_X86_USER_SHADOW_STACK +#define DISABLE_USER_SHSTK 0 +#else +#define DISABLE_USER_SHSTK (1 << (X86_FEATURE_USER_SHSTK & 31)) +#endif + /* * Make sure to add features to the correct mask */ @@ -120,7 +126,7 @@ #define DISABLED_MASK9 (DISABLE_SGX) #define DISABLED_MASK10 0 #define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET| \ - DISABLE_CALL_DEPTH_TRACKING) + DISABLE_CALL_DEPTH_TRACKING|DISABLE_USER_SHSTK) #define DISABLED_MASK12 (DISABLE_LAM) #define DISABLED_MASK13 0 #define DISABLED_MASK14 0 
diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c index f6748c8bd647..e462c1d3800a 100644 --- a/arch/x86/kernel/cpu/cpuid-deps.c +++ b/arch/x86/kernel/cpu/cpuid-deps.c @@ -81,6 +81,7 @@ static const struct cpuid_dep cpuid_deps[] = { { X86_FEATURE_XFD, X86_FEATURE_XSAVES }, { X86_FEATURE_XFD, X86_FEATURE_XGETBV1 }, { X86_FEATURE_AMX_TILE, X86_FEATURE_XFD }, + { X86_FEATURE_SHSTK, X86_FEATURE_XSAVES }, {} }; -- 2.27.0
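
Review bot: In the `@@ -308,6 +308,7 @@` hunk of cpufeatures.h, the comment on X86_FEATURE_USER_SHSTK has no leading `""`, unlike the three context defines above it and unlike X86_FEATURE_SHSTK in the `@@ -380,6 +381,7 @@` hunk. The software bit will therefore be listed in /proc/cpuinfo (as user_shstk) while the hardware bit stays hidden. If that is intended, the commit message should say so, because the flag name becomes something userspace can key on; if it is not, add the `""` prefix to the comment.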
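
Review bot: DISABLE_USER_SHSTK in the `@@ -105,6 +105,12 @@` hunk of disabled-features.h is keyed on CONFIG_X86_USER_SHADOW_STACK, but the diffstat lists no Kconfig file, so nothing in this patch defines that symbol and on a tree without it the bit is always masked out through DISABLED_MASK11. Name the commit or series that provides the symbol. Note also that only the software bit gets a disable mask here: X86_FEATURE_SHSTK in word 16 has none, so the hardware bit remains enumerated whatever the config, which is worth stating explicitly given that the commit message positions it for KVM.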
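
Review bot: The cpuid-deps.c hunk adds only `{ X86_FEATURE_SHSTK, X86_FEATURE_XSAVES }`, with no entry tying X86_FEATURE_USER_SHSTK to X86_FEATURE_SHSTK. Clearing XSAVES will clear the hardware bit through this table but leave the software bit untouched. The commit message defers that dependency to "future patches"; either add `{ X86_FEATURE_USER_SHSTK, X86_FEATURE_SHSTK }` here or add a comment at this spot pointing to where the dependency is enforced, so the two bits cannot disagree in the interim.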