From: Deepak Gupta
To: linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Cc: paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, nathan@kernel.org, ndesaulniers@google.com, morbo@google.com, justinstitt@google.com, andy.chiu@sifive.com, debug@rivosinc.com, hankuan.chen@sifive.com, guoren@kernel.org, greentime.hu@sifive.com, samitolvanen@google.com, cleger@rivosinc.com, apatel@ventanamicro.com, ajones@ventanamicro.com, conor.dooley@microchip.com, mchitale@ventanamicro.com, dbarboza@ventanamicro.com, waylingii@gmail.com, sameo@rivosinc.com, alexghiti@rivosinc.com, akpm@linux-foundation.org, shikemeng@huaweicloud.com, rppt@kernel.org, charlie@rivosinc.com, xiao.w.wang@intel.com, willy@infradead.org, jszhang@kernel.org, leobras@redhat.com, songshuaishuai@tinylab.org, haxel@fzi.de, samuel.holland@sifive.com, namcaov@gmail.com, bjorn@rivosinc.com, cuiyunhui@bytedance.com, wangkefeng.wang@huawei.com, falcon@tinylab.org, viro@zeniv.linux.org.uk, bhe@redhat.com, chenjiahao16@huawei.com, hca@linux.ibm.com, arnd@arndb.de, kent.overstreet@linux.dev, boqun.feng@gmail.com, oleg@redhat.com, paulmck@kernel.org, broonie@kernel.org, rick.p.edgecombe@intel.com
Subject: [RFC PATCH v1] riscv kernel control flow integrity
Date: Mon, 8 Apr 2024 23:10:31 -0700
Message-Id: <20240409061043.3269676-1-debug@rivosinc.com>

Basic overview
---------------
This is an RFC patch series for enabling kernel control flow integrity on the riscv architecture. This patch series enables kernel control flow integrity using the proposed riscv cpu extensions `zicfilp` and `zicfiss` [1].

`zicfilp` enforces that all indirect calls and jumps must land on a landing pad instruction (`lpad`). Additionally, `lpad` has a 20-bit encoded value as part of the instruction and the cpu will check this 20-bit value with the t2/x7 register; if they mismatch, the cpu will raise a `software check exception` (a new exception with cause=18). In this patch series, a constant label value of 0x1 is used. As the series matures, it will switch to a 20-bit truncated hash over the function signature.
A label based on the function signature allows stricter control flow and fewer call/jmp locations from a callsite.

`zicfiss` protects the return path from functions, where the return relies on obtaining the return address from the stack, which is corruptible. `zicfiss` provides a shadow stack which can be used by software to place return addresses on the shadow stack, and while returning from a function it can be used to compare against the return address from the regular stack. If they don't match, the cpu will raise a software check exception. `zicfiss` based shadow stacks are protected against tampering using special page table encodings (please refer to [1]).

To obtain more details about the `zicfiss` and `zicfilp` ISA extensions, please refer to [1]. There is an ongoing patchset for enabling this feature for user mode software here [2].

Enabling on kernel
===================
This patch series introduces a new riscv config, `CONFIG_RISCV_KERNEL_CFI`. If this config is selected, it turns on
 - forward control flow for kernel using `zicfilp`
 - selects `CONFIG_SHADOW_CALL_STACK` with `CONFIG_DYNAMIC_SCS` to enable backward control flow.

forward control flow for kernel
================================
This patch series simply compiles the kernel with the `march=_zicfilp` compiler option. Currently the toolchain uses a constant label scheme of label = 0x1. This patch series manually fixes some of the assembly callsites and sequences to make sure they are not breaking the rules set up by `zicfilp`.

backward control flow for kernel
=================================
There is existing support in the riscv kernel for shadow call stack [3], which is a software based shadow stack and uses clang with instrumentation to push/pop the return address in the prolog and epilog of functions. However, a software based shadow stack lacks memory protections and thus suffers from the same issue of the return address being susceptible to hijacking.
Shadow call stack uses `CONFIG_SHADOW_CALL_STACK` with the option of `CONFIG_DYNAMIC_SCS` so that hardware vendors hook into the flow to provide stronger guarantees. This patch uses the `CONFIG_SHADOW_CALL_STACK` flow along with `CONFIG_DYNAMIC_SCS` to enable return control flow integrity on the riscv kernel.

[1] - https://github.com/riscv/riscv-cfi
[2] - https://lore.kernel.org/all/20240403234054.2020347-1-debug@rivosinc.com/
[3] - https://lore.kernel.org/all/20230927224757.1154247-8-samitolvanen@google.com/
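
The two checks described in the overview, as a small software model (an added example, not code from this patch series): the landing pad label compare on the forward edge and the shadow stack compare on the return path. The function names are hypothetical; the `lpad` encoding, the label position in x7 bits 31:12 and the "label 0 skips the compare" rule come from the Zicfilp specification at [1] rather than from this message, and the model leaves out alignment rules and the hardware's expected-landing-pad state.

```c
#include <stdint.h>
#include <stdio.h>

#define CAUSE_SOFTWARE_CHECK 18  /* cause value given in the cover letter */
#define SS_DEPTH 16              /* assumption: toy shadow stack depth */
/* lpad is `auipc x0, label`: opcode 0x17, rd = x0, label in bits 31:12. */
static uint32_t mk_lpad(uint32_t label) { return ((label & 0xfffffu) << 12) | 0x17u; }
static int is_lpad(uint32_t insn) { return (insn & 0xfffu) == 0x17u; }

/* Forward edge: check on the first instruction at an indirect call/jump target. */
int lpad_check(uint32_t target_insn, uint64_t x7)
{
    uint32_t insn_label = target_insn >> 12;
    uint32_t reg_label = (uint32_t)(x7 >> 12) & 0xfffffu;
    if (!is_lpad(target_insn))
        return CAUSE_SOFTWARE_CHECK;   /* did not land on a landing pad */
    if (insn_label != 0 && insn_label != reg_label)
        return CAUSE_SOFTWARE_CHECK;   /* label differs from t2/x7 */
    return 0;                          /* a zero label in lpad skips the compare */
}
struct shadow_stack { uint64_t slot[SS_DEPTH]; int top; };
int ss_push(struct shadow_stack *ss, uint64_t ra)
{
    if (ss->top >= SS_DEPTH)
        return -1;                     /* toy model: shadow stack exhausted */
    ss->slot[ss->top++] = ra;
    return 0;
}

/* Backward edge: compare the regular-stack return address with the saved copy. */
int ss_popchk(struct shadow_stack *ss, uint64_t ra_from_stack)
{
    if (ss->top == 0 || ss->slot[--ss->top] != ra_from_stack)
        return CAUSE_SOFTWARE_CHECK;
    return 0;
}

/* One call/return: ra saved at entry, possibly overwritten before return. */
int demo_return(uint64_t ra_at_entry, uint64_t ra_at_return)
{
    struct shadow_stack ss = { {0}, 0 };
    return ss_push(&ss, ra_at_entry) ? -1 : ss_popchk(&ss, ra_at_return);
}

int main(void)
{
    printf("label match: %d, hijacked return: %d\n",
           lpad_check(mk_lpad(0x1), 0x1000), demo_return(0x80001000u, 0x80002000u));
    return 0;
}
```

With the constant label 0x1 every landing pad accepts every indirect caller, which is why the cover letter plans to move to a hash over the function signature.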