References: <20231122-arm64-gcs-v7-0-201c483bd775@kernel.org> <20231122-arm64-gcs-v7-2-201c483bd775@kernel.org>
In-Reply-To: <20231122-arm64-gcs-v7-2-201c483bd775@kernel.org>
From: Deepak Gupta
Date: Tue, 12 Dec 2023 11:17:11 -0800
Subject: Re: [PATCH v7 02/39] prctl: arch-agnostic prctl for shadow stack
To: Mark Brown
Cc: Catalin Marinas, Will Deacon, Jonathan Corbet, Andrew Morton, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Arnd Bergmann, Oleg Nesterov, Eric Biederman, Kees Cook, Shuah Khan, "Rick P. Edgecombe", Ard Biesheuvel, Szabolcs Nagy, "H.J. Lu", Paul Walmsley, Palmer Dabbelt, Albert Ou, Florian Weimer, Christian Brauner, Thiago Jung Bauermann, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org

On Wed, Nov 22, 2023 at 1:43 AM Mark Brown wrote:
>
> Three architectures (x86, aarch64, riscv) have announced support for
> shadow stacks with fairly similar functionality. While x86 is using
> arch_prctl() to control the functionality neither arm64 nor riscv uses
> that interface so this patch adds arch-agnostic prctl() support to
> get and set status of shadow stacks and lock the current configuration to
> prevent further changes, with support for turning on and off individual
> subfeatures so applications can limit their exposure to features that
> they do not need. The features are:
>
> - PR_SHADOW_STACK_ENABLE: Tracking and enforcement of shadow stacks,
>   including allocation of a shadow stack if one is not already
>   allocated.
> - PR_SHADOW_STACK_WRITE: Writes to specific addresses in the shadow
>   stack.
> - PR_SHADOW_STACK_PUSH: Push additional values onto the shadow stack.
>
> These features are expected to be inherited by new threads and cleared
> on exec(), unknown features should be rejected for enable but accepted
> for locking (in order to allow for future proofing).
>
> This is based on a patch originally written by Deepak Gupta but modified
> fairly heavily, support for indirect landing pads is removed, additional
> modes added and the locking interface reworked. The set status prctl()
> is also reworked to just set flags, if setting/reading the shadow stack
> pointer is required this could be a separate prctl.
>
> Signed-off-by: Mark Brown
> ---
>  include/linux/mm.h         |  4 ++++
>  include/uapi/linux/prctl.h | 22 ++++++++++++++++++++++
>  kernel/sys.c               | 30 ++++++++++++++++++++++++++++++
>  3 files changed, 56 insertions(+)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 10462f354614..8b28483b4afa 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -4143,4 +4143,8 @@ static inline bool pfn_is_unaccepted_memory(unsigned long pfn)
>  	return range_contains_unaccepted_memory(paddr, paddr + PAGE_SIZE);
>  }
>
> +int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status);
> +int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status);
> +int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long status);
> +
>  #endif /* _LINUX_MM_H */
> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
> index 370ed14b1ae0..3c66ed8f46d8 100644
> --- a/include/uapi/linux/prctl.h
> +++ b/include/uapi/linux/prctl.h
> @@ -306,4 +306,26 @@ struct prctl_mm_map {
>  # define PR_RISCV_V_VSTATE_CTRL_NEXT_MASK	0xc
>  # define PR_RISCV_V_VSTATE_CTRL_MASK		0x1f
>
> +/*
> + * Get the current shadow stack configuration for the current thread,
> + * this will be the value configured via PR_SET_SHADOW_STACK_STATUS.
> + */
> +#define PR_GET_SHADOW_STACK_STATUS      71
> +
> +/*
> + * Set the current shadow stack configuration.  Enabling the shadow
> + * stack will cause a shadow stack to be allocated for the thread.
> + */
> +#define PR_SET_SHADOW_STACK_STATUS      72
> +# define PR_SHADOW_STACK_ENABLE                 (1UL << 0)

Other architectures may require disabling shadow stack if glibc tunables
are set to permissive mode. In permissive mode, if glibc encounters
`dlopen` on an object which doesn't support shadow stack, glibc should be
able to issue PR_SHADOW_STACK_DISABLE.

Architectures can choose to implement it or not, but I think the
arch-agnostic code should enumerate this.

> +# define PR_SHADOW_STACK_WRITE                  (1UL << 1)
> +# define PR_SHADOW_STACK_PUSH                   (1UL << 2)
> +
> +/*
> + * Prevent further changes to the specified shadow stack
> + * configuration.  All bits may be locked via this call, including
> + * undefined bits.
> + */
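Review bot: the three arch_*_shadow_stack_status() prototypes added to include/linux/mm.h carry no comment describing their contract, and the hunk does not show whether generic fallbacks exist for architectures that do not implement shadow stacks (the kernel/sys.c part of the diffstat is not visible here). A short comment block above the declarations should state what the functions return on success and failure, and should point out that arch_get_shadow_stack_status() receives an `unsigned long __user *status` and therefore must write through it with put_user() rather than a plain store; that annotation is the only hint a reader of mm.h gets that the pointer is untrusted. If no weak or stub definitions are provided elsewhere in the series, consider adding stubs that fail cleanly so that the new prctl() options build on every architecture.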
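Review bot: the comment above PR_GET_SHADOW_STACK_STATUS says the value is read "for the current thread", but the arch_get_shadow_stack_status() prototype in the mm.h hunk takes a `struct task_struct *t`; the uapi comment should say explicitly that the prctl() only ever acts on the calling thread, or document which task it targets if that is not the case. It would also help to record, next to the PR_SHADOW_STACK_* bits, the rule stated in the commit message that PR_SET_SHADOW_STACK_STATUS rejects bits that are not defined while the lock call accepts them, since userspace reads this header and not the changelog. The comment on the lock option is the last thing visible here; the define that follows it is cut off on this page.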
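The interface described in the patch, exercised from userspace as an added example; this is not code from the patch or from anyone in the thread. It uses the two option numbers (71, 72) and the three flag bits from the quoted prctl.h hunk, with `#ifndef` fallbacks for a libc whose headers predate them. The SHSTK_KNOWN_FLAGS mask and the shstk_* helper functions are assumptions of this example, as is the userspace pre-check that mirrors the commit message's "unknown features are rejected for enable" rule. The lock option is left out because its number is not visible on this page, and main() only reports status rather than enabling, since enabling mid-execution belongs to startup code that can cope with a freshly allocated, empty shadow stack.

```c
/* Added example: userspace wrapper around the arch-agnostic shadow stack
 * prctl() proposed in the patch. Option numbers and flag bits are the
 * ones from the quoted prctl.h hunk; the SHSTK_* names are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PR_GET_SHADOW_STACK_STATUS
#define PR_GET_SHADOW_STACK_STATUS 71            /* from the patch */
#endif
#ifndef PR_SET_SHADOW_STACK_STATUS
#define PR_SET_SHADOW_STACK_STATUS 72            /* from the patch */
#endif
#ifndef PR_SHADOW_STACK_ENABLE
#define PR_SHADOW_STACK_ENABLE (1UL << 0)
#endif
#ifndef PR_SHADOW_STACK_WRITE
#define PR_SHADOW_STACK_WRITE  (1UL << 1)
#endif
#ifndef PR_SHADOW_STACK_PUSH
#define PR_SHADOW_STACK_PUSH   (1UL << 2)
#endif

/* Bits this version of the interface defines (hypothetical helper mask). */
#define SHSTK_KNOWN_FLAGS \
    (PR_SHADOW_STACK_ENABLE | PR_SHADOW_STACK_WRITE | PR_SHADOW_STACK_PUSH)

/* Userspace mirror of the commit message rule: a set request must not
 * carry bits the interface does not define. Returns true if acceptable. */
bool shstk_set_flags_valid(unsigned long flags)
{
    return (flags & ~SHSTK_KNOWN_FLAGS) == 0;
}

/* Least-privilege flag set for a program: enforcement always on, and
 * WRITE/PUSH only when the application really needs them (for example
 * for setjmp/longjmp-style unwinding that must repair the shadow stack). */
unsigned long shstk_policy_flags(bool need_write, bool need_push)
{
    unsigned long flags = PR_SHADOW_STACK_ENABLE;

    if (need_write)
        flags |= PR_SHADOW_STACK_WRITE;
    if (need_push)
        flags |= PR_SHADOW_STACK_PUSH;
    return flags;
}

/* Read the calling thread's shadow stack status into *status.
 * Returns 0 on success or -errno. A kernel without this prctl() fails
 * with EINVAL, which lets callers tell "unsupported" apart from a status
 * of 0 (supported but nothing enabled). */
int shstk_get_status(unsigned long *status)
{
    if (prctl(PR_GET_SHADOW_STACK_STATUS, status, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Request a new configuration. Unknown bits are refused locally with
 * -EINVAL before any syscall is made; otherwise 0 or -errno. */
int shstk_set_status(unsigned long flags)
{
    if (!shstk_set_flags_valid(flags))
        return -EINVAL;
    if (prctl(PR_SET_SHADOW_STACK_STATUS, flags, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    unsigned long status = 0;
    int ret = shstk_get_status(&status);

    if (ret == -EINVAL) {
        puts("PR_GET_SHADOW_STACK_STATUS is not supported by this kernel");
        return 0;
    }
    if (ret < 0) {
        fprintf(stderr, "get status: %s\n", strerror(-ret));
        return 1;
    }
    printf("shadow stack status: 0x%lx (enable=%d write=%d push=%d)\n",
           status,
           !!(status & PR_SHADOW_STACK_ENABLE),
           !!(status & PR_SHADOW_STACK_WRITE),
           !!(status & PR_SHADOW_STACK_PUSH));
    printf("policy this program would request: 0x%lx\n",
           shstk_policy_flags(false, false));
    return 0;
}
```

Querying is harmless on any kernel: an older kernel answers EINVAL for the unknown option and the program reports that. The local validity check is deliberately stricter than the kernel needs to be, so a binary built against this header cannot accidentally ask for a bit that a later version of the interface gives a different meaning.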