Received: by 2002:a05:7412:bc1a:b0:d7:7d3a:4fe2 with SMTP id ki26csp805505rdb; Sun, 20 Aug 2023 03:52:40 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGVctU+x26Tr9lHgr/CZvfDSPtCGFQZgkhW5ypwzwt5wF6uowkysf7c2zFs/V8a8trbGMCq X-Received: by 2002:a05:6a21:2703:b0:13f:d171:fd6d with SMTP id rm3-20020a056a21270300b0013fd171fd6dmr4381492pzb.51.1692528759794; Sun, 20 Aug 2023 03:52:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1692528759; cv=none; d=google.com; s=arc-20160816; b=Lqj1GlONZQFiIKFRBf44sL5KnO5JcJt53T7l6nSPelzEf6SDPWNY2H5c9NNRF3r10V 4lBUXn3b+bOKqQIDJgt+WfQwUmsJfjKDkzycbfZIu6CIuDa3Cm5btIS9vMuf0YXvnl7g 2dIBCVWbiRsZ5oUrcACC7zHTdf17wzhhqklOtIJ2IkugwayxjQbOHBlxRMIjBHL617oP Vojnjne4HInmMWX6ne9jJy9X3tvXZurLMa3uK+Sp5UOKhCWFUBHvNhtiGWibeqHTc5tG RNZMyZ/EqO6QzKLBbcMdqvsf3tYoM9Ty0JNSPZg7BiB0GLZpWigjasLfjnucsJh0vzIb 5pZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=oac1NakR4+HaQnJJS2KWoIl9BhM/PnITDXJaAOB1MhA=; fh=NeU9Qc/ar6aXvQrMssrULvBuBU5PMIXc5b5p8D3gnlU=; b=Da/XQcdaMMFv/fJSTcWarXjzDjIoNzedQSV1GN9F+ahxeCPYCG3gc5Dv4Uwd+jdRm0 nt3FrCNsAv8KCYNn8fWAP3LY+ZiDSV3IMsnKMBrUMw62uMRuJAMtnlA8kRqDvEsfkK2v r3REG8lZ0ehJb5+bItCcrpCJ5pDZ67hQNlBQTzCOnlFXP6Lb7HChBXMntBHEJj5VKvpr UG36BI+dHVk2Z4HQsZ9NlD9l6aSZP8L2/hnt/lHyZGT56CeRXjQeHupcc+qhq3Uu3Awt ituxqRQSFQEQ4prjF6Zc24N876ckyfKwclSPu8nN+z9FQHSj+KgBxUNYO8izn+kUYFMI 9YkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b="KCQ/YHJE"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id z16-20020a634c10000000b005639a610f7csi5022557pga.841.2023.08.20.03.52.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 20 Aug 2023 03:52:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b="KCQ/YHJE"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9B6852FC13F; Sat, 19 Aug 2023 11:55:22 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229867AbjHNS6Z (ORCPT + 99 others); Mon, 14 Aug 2023 14:58:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58110 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229978AbjHNS6J (ORCPT ); Mon, 14 Aug 2023 14:58:09 -0400 Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8863DBC for ; Mon, 14 Aug 2023 11:58:08 -0700 (PDT) Received: by mail-qv1-xf31.google.com with SMTP id 6a1803df08f44-64721b1bae3so4756576d6.1 for ; Mon, 14 Aug 2023 11:58:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1692039487; x=1692644287; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=oac1NakR4+HaQnJJS2KWoIl9BhM/PnITDXJaAOB1MhA=; b=KCQ/YHJETF/2Df9lkPM1TTVA7PA0w1q72mWHR4hS1h41MeLVSVpKsp3CBY9hITwGqK ownUaLQqz1gUDeCDtbmGfbE/a/OjIJQAcWLh8rCeKOybhW79U5CuO8POtNnsvXt92dIc lL8oK3egA15RsuGjUwIAMd1M56ljwg19utRJjeaUrYJ6vVGPO2n/m941+3xHMdpoiLPM R51H+/aEvwWTbLtur1yzV+lqAeXW0UxHIFnSck7ADZg4PZLkuvl+IsYjRaVO9IAIlE8Z 6/wmM1SBVdZLB9EGtXTovRvQeJBM8n1y3DupVKEdzw0YeZRpn6FplAN+ktXOgmXTfiY6 Wokw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692039487; x=1692644287; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oac1NakR4+HaQnJJS2KWoIl9BhM/PnITDXJaAOB1MhA=; b=iGq2kPYErNADg5BER1nYcKZlbOv21nwWHACEoFvTBjlrjoqTFZGBFiOMKsUZNmD2uz qIUc/ZUrNuGnR9VZUYBweYCCKLRiRaduZEoSMOwgks0YA4fINyKjXJ6Oxg4rwnwYzXRp CjpoDPzZWpyZef6RtxjBt0S/TLKowaQY3J0xLwtLTC+Q3+Wra9Jyc9Mqyw+L5HvfQVcq rf8e79TlOoRfyPgVkTSvjaQ5STyt/dEXJcBdOcM4qGxY7+oCBUbSeWYfKsGwYXFyLB+d ur5ZmgjhskjQcV3+7E/o3lRTvweGz/sRjzOw5uGyoX3viuxTZT1M/EixG9+g1ct9PIe8 L/gw== X-Gm-Message-State: AOJu0Yzgk+SFlQSMrtYa3K+GWmDxVplcV/QctY4l+zWS2bKLNV3ukWZl KTee2OQZrgmZzjtjGRINwraNSt+FoxB13hKRUCMO3+uD8N8ead4tJD8gWg== X-Received: by 2002:a0c:b317:0:b0:63c:f0f9:fedf with SMTP id s23-20020a0cb317000000b0063cf0f9fedfmr6421263qve.4.1692039487497; Mon, 14 Aug 2023 11:58:07 -0700 (PDT) MIME-Version: 1.0 References: <20230811233556.97161-7-samitolvanen@google.com> <20230814175928.GA1028706@dev-arch.thelio-3990X> <202308141131.6B90A4205@keescook> In-Reply-To: <202308141131.6B90A4205@keescook> From: Sami Tolvanen Date: Mon, 14 Aug 2023 11:57:30 -0700 Message-ID: Subject: Re: [PATCH 0/5] riscv: SCS support To: Kees Cook Cc: Nathan Chancellor , Paul Walmsley , Palmer Dabbelt , Albert Ou , Guo Ren , Deepak Gupta , Nick Desaulniers , Fangrui Song , linux-riscv@lists.infradead.org, llvm@lists.linux.dev, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 14, 2023 at 11:33=E2=80=AFAM Kees Cook = wrote: > > On Mon, Aug 14, 2023 at 10:59:28AM -0700, Nathan Chancellor wrote: > > Hi Sami, > > > > On Fri, Aug 11, 2023 at 11:35:57PM +0000, Sami Tolvanen wrote: > > > Hi folks, > > > > > > This series adds Shadow Call Stack (SCS) support for RISC-V. SCS > > > uses compiler instrumentation to store return addresses in a > > > separate shadow stack to protect them against accidental or > > > malicious overwrites. More information about SCS can be found > > > here: > > > > > > https://clang.llvm.org/docs/ShadowCallStack.html > > > > > > Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow > > > handling by adding support for accessing per-CPU variables > > > directly in assembly. The patch is included in this series to > > > make IRQ stack switching cleaner with SCS, and I've simply > > > rebased it. Patch 2 uses this functionality to clean up the stack > > > switching by moving duplicate code into a single function. On > > > RISC-V, the compiler uses the gp register for storing the current > > > shadow call stack pointer, which is incompatible with global > > > pointer relaxation. Patch 3 moves global pointer loading into a > > > macro that can be easily disabled with SCS. Patch 4 implements > > > SCS register loading and switching, and allows the feature to be > > > enabled, and patch 5 adds separate per-CPU IRQ shadow call stacks > > > when CONFIG_IRQ_STACKS is enabled. > > > > > > Note that this series requires Clang 17. Earlier Clang versions > > > support SCS on RISC-V, but use the x18 register instead of gp, > > > which isn't ideal. gcc has SCS support for arm64, but I'm not > > > aware of plans to support RISC-V. Once the Zicfiss extension is > > > ratified, it's probably preferable to use hardware-backed shadow > > > stacks instead of SCS on hardware that supports the extension, > > > and we may want to consider implementing CONFIG_DYNAMIC_SCS to > > > patch between the implementation at runtime (similarly to the > > > arm64 implementation, which switches to SCS when hardware PAC > > > support isn't available). > > > > I took this series for a spin on top of 6.5-rc6 with both LLVM 18 (buil= t > > within the past couple of days) and LLVM 17.0.0-rc2 but it seems that > > the CFI_BACKWARDS LKDTM test does not pass with > > CONFIG_SHADOW_CALL_STACK=3Dy. > > > > [ 73.324652] lkdtm: Performing direct entry CFI_BACKWARD > > [ 73.324900] lkdtm: Attempting unchecked stack return address redir= ection ... > > [ 73.325178] lkdtm: Eek: return address mismatch! 0000000000000002 = !=3D ffffffff80614982 > > [ 73.325478] lkdtm: FAIL: stack return address manipulation failed! > > > > Does the test need to be adjusted or is there some other issue? > > Does it pass without the series? I tried to write it to be > arch-agnostic, but I never tested it on RISC-V. It's very possible that > test needs adjusting for the architecture. Besides the label horrors, > the use of __builtin_frame_address may not work there either... Looks like __builtin_frame_address behaves differently on RISC-V. After staring at the disassembly a bit, using __builtin_frame_address(0) - 1 instead of + 1 seems to yield correct results. WIth that change, here's the test without SCS: # echo CFI_BACKWARD > /sys/kernel/debug/provoke-crash/DIRECT [ 16.272028] lkdtm: Performing direct entry CFI_BACKWARD [ 16.272368] lkdtm: Attempting unchecked stack return address redirection= ... [ 16.272671] lkdtm: ok: redirected stack return address. [ 16.272885] lkdtm: Attempting checked stack return address redirection .= .. [ 16.273384] lkdtm: FAIL: stack return address was redirected! [ 16.273755] lkdtm: This is probably expected, since this kernel (6.5.0-rc5-00005-g5a1201f89265-dirty riscv64) was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=3Dy nor CONFIG_SHADOW_CALL_STACK=3Dy And with SCS: # echo CFI_BACKWARD > /sys/kernel/debug/provoke-crash/DIRECT [ 17.429551] lkdtm: Performing direct entry CFI_BACKWARD [ 17.430184] lkdtm: Attempting unchecked stack return address redirection= ... [ 17.431402] lkdtm: ok: redirected stack return address. [ 17.432031] lkdtm: Attempting checked stack return address redirection .= .. [ 17.432861] lkdtm: ok: control flow unchanged. Sami