From: Petr Tesarik
To: Dave Hansen
Cc: Petr Tesařík, Petr Tesarik, Jonathan Corbet, Thomas Gleixner,
    Ingo Molnar, Borislav Petkov, Dave Hansen,
    "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)",
    "H. Peter Anvin", Andy Lutomirski, Oleg Nesterov, Peter Zijlstra,
    Xin Li, Arnd Bergmann, Andrew Morton, Rick Edgecombe, Kees Cook,
    "Masami Hiramatsu (Google)", Pengfei Xu, Josh Poimboeuf, Ze Gao,
    "Kirill A. Shutemov", Kai Huang, David Woodhouse, Brian Gerst,
    Jason Gunthorpe, Joerg Roedel, "Mike Rapoport (IBM)", Tina Zhang,
    Jacob Pan, "open list:DOCUMENTATION", open list, Roberto Sassu,
    John Johansen, Paul Moore, James Morris, "Serge E. Hallyn",
    apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org,
    Petr Tesarik
Subject: [RFC 3/5] sbm: x86: infrastructure to fix up sandbox faults
Date: Thu, 22 Feb 2024 14:12:28 +0100
Message-Id: <20240222131230.635-4-petrtesarik@huaweicloud.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240222131230.635-1-petrtesarik@huaweicloud.com>
References: <20240222131230.635-1-petrtesarik@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Petr Tesarik

Since sandbox mode cannot modify kernel data, much of the core kernel
API cannot be used directly. Provide a method to call a known subset of
kernel functions from the sandbox fault handler on behalf of the
sandbox code.

Since SBM permissions have page granularity, the code of an intercepted
function must not share a page with any function that runs in sandbox
mode. Provide a __nosbm marker to move the intercepted functions into a
special ELF section, align that section to page boundaries, and map it
so that it is not executable in sandbox mode. To minimize alignment
padding, merge the __nosbm section with the kernel entry code.

Signed-off-by: Petr Tesarik <petrtesarik@huaweicloud.com>
---
 arch/x86/kernel/sbm/call_64.S | 20 +++++++++++
 arch/x86/kernel/sbm/core.c    | 65 +++++++++++++++++++++++++++++++++--
 arch/x86/kernel/vmlinux.lds.S |  9 +++++
 include/linux/sbm.h           |  6 ++++
 4 files changed, 98 insertions(+), 2 deletions(-)
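Note: the fixups[] table introduced below starts out empty; later
patches in this series are expected to populate it. As a minimal
sketch of how an entry would be registered (my_nosbm_alloc() is a
hypothetical helper invented for illustration, not part of this
patch):

	/* Hypothetical __nosbm helper: calling it from sandbox mode
	 * faults on the instruction fetch, and the fixup then runs it
	 * in kernel mode through the proxy call. */
	static void * __nosbm my_nosbm_alloc(size_t size)
	{
		return kmalloc(size, GFP_KERNEL);
	}

	static const struct sbm_fixup fixups[] =
	{
		{ my_nosbm_alloc, x86_sbm_proxy_call },
		{ }	/* sentinel: target == NULL ends the table walk */
	};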
diff --git a/arch/x86/kernel/sbm/call_64.S b/arch/x86/kernel/sbm/call_64.S
index 21edce5666bc..6d8ae30a0984 100644
--- a/arch/x86/kernel/sbm/call_64.S
+++ b/arch/x86/kernel/sbm/call_64.S
@@ -93,3 +93,23 @@ SYM_INNER_LABEL(x86_sbm_return, SYM_L_GLOBAL)
 	pop	%rbp
 	RET
 SYM_FUNC_END(x86_sbm_exec)
+
+.text
+
+/*
+ * arguments:
+ * rdi .. state (ignored)
+ * rsi .. target function
+ * rdx .. struct pt_regs
+ */
+SYM_FUNC_START(x86_sbm_proxy_call)
+	mov	%rdx, %r10
+	mov	%rsi, %r11
+	mov	pt_regs_di(%r10), %rdi
+	mov	pt_regs_si(%r10), %rsi
+	mov	pt_regs_dx(%r10), %rdx
+	mov	pt_regs_cx(%r10), %rcx
+	mov	pt_regs_r8(%r10), %r8
+	mov	pt_regs_r9(%r10), %r9
+	JMP_NOSPEC r11
+SYM_FUNC_END(x86_sbm_proxy_call)
diff --git a/arch/x86/kernel/sbm/core.c b/arch/x86/kernel/sbm/core.c
index 296f1fde3c22..c8ac7ecb08cc 100644
--- a/arch/x86/kernel/sbm/core.c
+++ b/arch/x86/kernel/sbm/core.c
@@ -28,6 +28,60 @@ asmlinkage int x86_sbm_exec(struct x86_sbm_state *state, sbm_func func,
 			    unsigned long exc_tos);
 extern char x86_sbm_return[];
 
+extern char __nosbm_text_start[], __nosbm_text_end[];
+
+/*************************************************************
+ * HACK: PROOF-OF-CONCEPT FIXUP CODE STARTS HERE
+ */
+
+typedef unsigned long (*sbm_proxy_call_fn)(struct x86_sbm_state *,
+					   unsigned long func,
+					   struct pt_regs *);
+
+asmlinkage unsigned long x86_sbm_proxy_call(struct x86_sbm_state *state,
+					    unsigned long func,
+					    struct pt_regs *regs);
+
+/**
+ * struct sbm_fixup - Describe a sandbox fault fixup.
+ * @target: Target function to be called.
+ * @proxy:  Proxy call function.
+ */
+struct sbm_fixup {
+	void *target;
+	sbm_proxy_call_fn proxy;
+};
+
+static const struct sbm_fixup fixups[] =
+{
+	{ }
+};
+
+/* Fix up a page fault if it is one of the known exceptions. */
+static bool fixup_sbm_call(struct x86_sbm_state *state,
+			   struct pt_regs *regs, unsigned long address)
+{
+	const struct sbm_fixup *fixup;
+
+	for (fixup = fixups; fixup->target; ++fixup) {
+		if (address == (unsigned long)fixup->target) {
+			regs->ax = fixup->proxy(state, address, regs);
+			return true;
+		}
+	}
+
+	return false;
+}
+
+/* Execution in sandbox mode continues here after fixup. */
+static void x86_sbm_continue(void)
+{
+}
+
+/*
+ * HACK: PROOF-OF-CONCEPT FIXUP CODE ENDS HERE
+ *************************************************************/
+
 union {
 	struct x86_sbm_state state;
 	char page[PAGE_SIZE];
@@ -140,8 +194,8 @@ static int map_kernel(struct x86_sbm_state *state)
 	if (err)
 		return err;
 
-	err = map_range(state, (unsigned long)__entry_text_start,
-			(unsigned long)__entry_text_end, PAGE_KERNEL_ROX);
+	err = map_range(state, (unsigned long)__nosbm_text_start,
+			(unsigned long)__nosbm_text_end, PAGE_KERNEL_ROX);
 	if (err)
 		return err;
 
@@ -482,6 +536,13 @@ void handle_sbm_fault(struct pt_regs *regs, unsigned long error_code,
 	if (spurious_sbm_fault(state, error_code, address))
 		return;
 
+	if ((error_code & ~X86_PF_PROT) == (X86_PF_USER | X86_PF_INSTR) &&
+	    fixup_sbm_call(state, regs, address)) {
+		/* Return back to sandbox... */
+		regs->ip = (unsigned long)x86_sbm_continue;
+		return;
+	}
+
 	/*
 	 * Force -EFAULT unless the fault was due to a user-mode instruction
 	 * fetch from the designated return address.
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index a349dbfc6d5a..c530a7faaa9a 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -139,8 +139,17 @@ SECTIONS
 		STATIC_CALL_TEXT
 
 		ALIGN_ENTRY_TEXT_BEGIN
+#ifdef CONFIG_SANDBOX_MODE
+		. = ALIGN(PAGE_SIZE);
+		__nosbm_text_start = .;
+#endif
 		*(.text..__x86.rethunk_untrain)
 		ENTRY_TEXT
+#ifdef CONFIG_SANDBOX_MODE
+		*(.text.nosbm)
+		. = ALIGN(PAGE_SIZE);
+		__nosbm_text_end = .;
+#endif
 
 #ifdef CONFIG_CPU_SRSO
 		/*
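Note: as a C-level illustration (not part of the patch) of what the
x86_sbm_proxy_call assembly stub above does: it re-issues the
intercepted call with the first six integer arguments recovered from
the registers saved in struct pt_regs, per the x86-64 SysV calling
convention; the target's return value then lands in regs->ax via
fixup_sbm_call():

	typedef unsigned long (*target_fn)(unsigned long, unsigned long,
					   unsigned long, unsigned long,
					   unsigned long, unsigned long);

	static unsigned long sbm_proxy_call_sketch(struct x86_sbm_state *state,
						   unsigned long func,
						   struct pt_regs *regs)
	{
		/* state is ignored, exactly as in the assembly stub */
		target_fn target = (target_fn)func;

		/* %rdi, %rsi, %rdx, %rcx, %r8, %r9 as saved at fault time */
		return target(regs->di, regs->si, regs->dx,
			      regs->cx, regs->r8, regs->r9);
	}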
diff --git a/include/linux/sbm.h b/include/linux/sbm.h
index dbdc0781349f..9d7eb525e489 100644
--- a/include/linux/sbm.h
+++ b/include/linux/sbm.h
@@ -267,6 +267,8 @@ int arch_sbm_map_writable(struct sbm *sbm, const struct sbm_buf *buf);
  */
 int arch_sbm_exec(struct sbm *sbm, sbm_func func, void *data);
 
+#define __nosbm __section(".text.nosbm")
+
 #else /* !CONFIG_HAVE_ARCH_SBM */
 
 static inline int arch_sbm_init(struct sbm *sbm)
@@ -295,6 +297,8 @@ static inline int arch_sbm_exec(struct sbm *sbm, sbm_func func, void *data)
 	return func(data);
 }
 
+#define __nosbm
+
 #endif /* CONFIG_HAVE_ARCH_SBM */
 
 #else /* !CONFIG_SANDBOX_MODE */
@@ -340,6 +344,8 @@ static inline void *sbm_map_writable(struct sbm *sbm, const void *ptr,
 	return (void *)ptr;
 }
 
+#define __nosbm
+
 #endif /* CONFIG_SANDBOX_MODE */
 
 /**
-- 
2.34.1