From: Petr Tesarik <petrtesarik@huaweicloud.com>
To: Jonathan Corbet <corbet@lwn.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org (maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)),
"H. Peter Anvin" <hpa@zytor.com>,
Andy Lutomirski <luto@kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Peter Zijlstra <peterz@infradead.org>, Xin Li <xin3.li@intel.com>,
Arnd Bergmann <arnd@arndb.de>,
Andrew Morton <akpm@linux-foundation.org>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Kees Cook <keescook@chromium.org>,
"Masami Hiramatsu (Google)" <mhiramat@kernel.org>,
Pengfei Xu <pengfei.xu@intel.com>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Ze Gao <zegao2021@gmail.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Kai Huang <kai.huang@intel.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Brian Gerst <brgerst@gmail.com>, Jason Gunthorpe <jgg@ziepe.ca>,
Joerg Roedel <jroedel@suse.de>,
"Mike Rapoport (IBM)" <rppt@kernel.org>,
Tina Zhang <tina.zhang@intel.com>,
Jacob Pan <jacob.jun.pan@linux.intel.com>,
linux-doc@vger.kernel.org (open list:DOCUMENTATION),
linux-kernel@vger.kernel.org (open list)
Cc: Roberto Sassu <roberto.sassu@huaweicloud.com>,
petr@tesarici.cz,
Petr Tesarik <petr.tesarik1@huawei-partners.com>
Subject: [PATCH v1 2/8] sbm: x86: execute target function on sandbox mode stack
Date: Wed, 14 Feb 2024 12:35:10 +0100 [thread overview]
Message-ID: <20240214113516.2307-3-petrtesarik@huaweicloud.com> (raw)
In-Reply-To: <20240214113516.2307-1-petrtesarik@huaweicloud.com>
From: Petr Tesarik <petr.tesarik1@huawei-partners.com>
Allocate and map a separate stack for sandbox mode in arch_sbm_init().
Switch to this stack in arch_sbm_exec(). Store the address of the stack as
arch-specific state.
On X86_64, RSP is never used to locate thread-specific data, so it is safe
to change its value. If the sandbox is preempted by an interrupt, RSP is
saved by switch_to() and restored when the sandbox task is scheduled
again. The original kernel stack pointer is restored when the sandbox
function returns.
Since the stack switch mechanism is implemented only for 64-bit, make
CONFIG_HAVE_ARCH_SBM depend on X86_64 for now. Leave it under "config X86",
because it would be possible to implement a 32-bit variant.
Signed-off-by: Petr Tesarik <petr.tesarik1@huawei-partners.com>
---
arch/x86/Kconfig | 2 +-
arch/x86/include/asm/sbm.h | 2 ++
arch/x86/kernel/sbm/Makefile | 6 ++++++
arch/x86/kernel/sbm/call_64.S | 40 +++++++++++++++++++++++++++++++++++
arch/x86/kernel/sbm/core.c | 17 ++++++++++++++-
5 files changed, 65 insertions(+), 2 deletions(-)
create mode 100644 arch/x86/kernel/sbm/call_64.S
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 41fa4ab84c15..090d46c7ee7c 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -188,7 +188,7 @@ config X86
select HAVE_ARCH_MMAP_RND_COMPAT_BITS if MMU && COMPAT
select HAVE_ARCH_COMPAT_MMAP_BASES if MMU && COMPAT
select HAVE_ARCH_PREL32_RELOCATIONS
- select HAVE_ARCH_SBM
+ select HAVE_ARCH_SBM if X86_64
select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_THREAD_STRUCT_WHITELIST
select HAVE_ARCH_STACKLEAK
diff --git a/arch/x86/include/asm/sbm.h b/arch/x86/include/asm/sbm.h
index 01c8d357550b..ed214c17af06 100644
--- a/arch/x86/include/asm/sbm.h
+++ b/arch/x86/include/asm/sbm.h
@@ -16,12 +16,14 @@
/**
* struct x86_sbm_state - Run-time state of the environment.
* @pgd: Sandbox mode page global directory.
+ * @stack: Sandbox mode stack.
*
* One instance of this union is allocated for each sandbox and stored as SBM
* instance private data.
*/
struct x86_sbm_state {
pgd_t *pgd;
+ unsigned long stack;
};
#endif /* defined(CONFIG_HAVE_ARCH_SBM) && defined(CONFIG_SANDBOX_MODE) */
diff --git a/arch/x86/kernel/sbm/Makefile b/arch/x86/kernel/sbm/Makefile
index 92d368b526cd..62c3e85c14a4 100644
--- a/arch/x86/kernel/sbm/Makefile
+++ b/arch/x86/kernel/sbm/Makefile
@@ -8,3 +8,9 @@
#
obj-y := core.o
+
+###
+# 64 bit specific files
+ifeq ($(CONFIG_X86_64),y)
+ obj-y += call_64.o
+endif
diff --git a/arch/x86/kernel/sbm/call_64.S b/arch/x86/kernel/sbm/call_64.S
new file mode 100644
index 000000000000..245d0dddce73
--- /dev/null
+++ b/arch/x86/kernel/sbm/call_64.S
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2023-2024 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Petr Tesarik <petr.tesarik1@huawei-partners.com>
+ *
+ * SandBox Mode (SBM) low-level x86_64 assembly.
+ */
+
+#include <linux/linkage.h>
+#include <asm/nospec-branch.h>
+
+.code64
+.section .entry.text, "ax"
+
+/*
+ * arguments:
+ * rdi .. SBM state (kernel address)
+ * rsi .. func
+ * rdx .. args
+ * rcx .. top of sandbox stack
+ */
+SYM_FUNC_START(x86_sbm_exec)
+ /*
+ * Set up the sandbox stack:
+ * 1. Store the old stack pointer at the top of the sandbox stack,
+ * where various unwinders can find it and link back to the
+ * kernel stack.
+ */
+ sub $8, %rcx
+ mov %rsp, (%rcx)
+ mov %rcx, %rsp
+
+ mov %rdx, %rdi /* args */
+ CALL_NOSPEC rsi
+
+ pop %rsp
+
+ RET
+SYM_FUNC_END(x86_sbm_exec)
diff --git a/arch/x86/kernel/sbm/core.c b/arch/x86/kernel/sbm/core.c
index b775e3b387b1..de6986801148 100644
--- a/arch/x86/kernel/sbm/core.c
+++ b/arch/x86/kernel/sbm/core.c
@@ -17,6 +17,9 @@
#define GFP_SBM_PGTABLE (GFP_KERNEL | __GFP_ZERO)
#define PGD_ORDER get_order(sizeof(pgd_t) * PTRS_PER_PGD)
+asmlinkage int x86_sbm_exec(struct x86_sbm_state *state, sbm_func func,
+ void *args, unsigned long sbm_tos);
+
static inline phys_addr_t page_to_ptval(struct page *page)
{
return PFN_PHYS(page_to_pfn(page)) | _PAGE_TABLE;
@@ -182,6 +185,15 @@ int arch_sbm_init(struct sbm *sbm)
if (err)
return err;
+ state->stack = __get_free_pages(GFP_KERNEL, THREAD_SIZE_ORDER);
+ if (!state->stack)
+ return -ENOMEM;
+
+ err = map_range(state, state->stack, state->stack + THREAD_SIZE,
+ PAGE_SHARED);
+ if (err)
+ return err;
+
return 0;
}
@@ -238,11 +250,14 @@ void arch_sbm_destroy(struct sbm *sbm)
free_pgd(state->pgd);
free_pages((unsigned long)state->pgd, PGD_ORDER);
}
+ free_pages(state->stack, THREAD_SIZE_ORDER);
free_page((unsigned long)state);
sbm->private = NULL;
}
int arch_sbm_exec(struct sbm *sbm, sbm_func func, void *args)
{
- return func(args);
+ struct x86_sbm_state *state = sbm->private;
+
+ return x86_sbm_exec(state, func, args, state->stack + THREAD_SIZE);
}
--
2.34.1
next prev parent reply other threads:[~2024-02-14 11:36 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-14 11:35 [PATCH v1 0/8] x86_64 SandBox Mode arch hooks Petr Tesarik
2024-02-14 11:35 ` [PATCH v1 1/8] sbm: x86: page table " Petr Tesarik
2024-02-14 11:35 ` Petr Tesarik [this message]
2024-02-14 11:35 ` [PATCH v1 3/8] sbm: x86: map system data structures into the sandbox Petr Tesarik
2024-02-14 11:35 ` [PATCH v1 4/8] sbm: x86: allocate and map an exception stack Petr Tesarik
2024-02-14 11:35 ` [PATCH v1 5/8] sbm: x86: handle sandbox mode faults Petr Tesarik
2024-02-14 11:35 ` [PATCH v1 6/8] sbm: x86: switch to sandbox mode pages in arch_sbm_exec() Petr Tesarik
2024-02-14 11:35 ` [PATCH v1 7/8] sbm: documentation of the x86-64 SandBox Mode implementation Petr Tesarik
2024-02-14 18:37 ` Xin Li
2024-02-14 19:16 ` Petr Tesařík
2024-02-14 11:35 ` [PATCH v1 8/8] sbm: x86: lazy TLB flushing Petr Tesarik
2024-02-14 14:52 ` [PATCH v1 0/8] x86_64 SandBox Mode arch hooks Dave Hansen
2024-02-14 15:28 ` H. Peter Anvin
2024-02-14 16:41 ` Petr Tesařík
2024-02-14 17:29 ` H. Peter Anvin
2024-02-14 19:14 ` Petr Tesařík
2024-02-14 18:14 ` Edgecombe, Rick P
2024-02-14 18:32 ` Petr Tesařík
2024-02-14 19:19 ` Edgecombe, Rick P
2024-02-14 19:35 ` Petr Tesařík
2024-02-14 18:22 ` Petr Tesařík
2024-02-14 18:42 ` Dave Hansen
2024-02-14 19:33 ` Petr Tesařík
2024-02-14 20:16 ` Dave Hansen
2024-02-16 15:24 ` [RFC 0/8] PGP key parser using SandBox Mode Petr Tesarik
2024-02-16 15:24 ` [RFC 1/8] mpi: Introduce mpi_key_length() Petr Tesarik
2024-02-16 15:24 ` [RFC 2/8] rsa: add parser of raw format Petr Tesarik
2024-02-16 15:24 ` [RFC 3/8] PGPLIB: PGP definitions (RFC 4880) Petr Tesarik
2024-02-16 15:24 ` [RFC 4/8] PGPLIB: Basic packet parser Petr Tesarik
2024-02-16 15:24 ` [RFC 5/8] PGPLIB: Signature parser Petr Tesarik
2024-02-16 15:24 ` [RFC 6/8] KEYS: PGP data parser Petr Tesarik
2024-02-16 16:44 ` Matthew Wilcox
2024-02-16 16:53 ` Roberto Sassu
2024-02-16 17:08 ` H. Peter Anvin
2024-02-16 17:13 ` Roberto Sassu
2024-02-20 10:55 ` Petr Tesarik
2024-02-21 14:02 ` H. Peter Anvin
2024-02-22 7:53 ` Petr Tesařík
2024-02-16 18:44 ` Matthew Wilcox
2024-02-16 19:54 ` Roberto Sassu
2024-02-28 17:58 ` Roberto Sassu
2024-02-16 15:24 ` [RFC 7/8] KEYS: Run PGP key parser in a sandbox Petr Tesarik
2024-02-18 6:07 ` kernel test robot
2024-02-18 8:02 ` kernel test robot
2024-02-16 15:24 ` [RFC 8/8] KEYS: Add intentional fault injection Petr Tesarik
2024-02-16 15:38 ` [RFC 0/8] PGP key parser using SandBox Mode Dave Hansen
2024-02-16 16:08 ` Petr Tesařík
2024-02-16 17:21 ` Jonathan Corbet
2024-02-16 18:24 ` Roberto Sassu
2024-02-22 13:12 ` [RFC 0/5] PoC: convert AppArmor parser to " Petr Tesarik
2024-02-22 13:12 ` [RFC 1/5] sbm: x86: fix SBM error entry path Petr Tesarik
2024-02-22 13:12 ` [RFC 2/5] sbm: enhance buffer mapping API Petr Tesarik
2024-02-22 13:12 ` [RFC 3/5] sbm: x86: infrastructure to fix up sandbox faults Petr Tesarik
2024-02-22 13:12 ` [RFC 4/5] sbm: fix up calls to dynamic memory allocators Petr Tesarik
2024-02-22 15:51 ` Dave Hansen
2024-02-22 17:57 ` Petr Tesařík
2024-02-22 18:03 ` Dave Hansen
2024-02-22 13:12 ` [RFC 5/5] apparmor: parse profiles in sandbox mode Petr Tesarik
2024-02-14 18:52 ` [PATCH v1 0/8] x86_64 SandBox Mode arch hooks Xin Li
2024-02-15 6:59 ` Petr Tesařík
2024-02-15 8:16 ` H. Peter Anvin
2024-02-15 9:30 ` Petr Tesařík
2024-02-15 9:37 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240214113516.2307-3-petrtesarik@huaweicloud.com \
--to=petrtesarik@huaweicloud.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dwmw@amazon.co.uk \
--cc=hpa@zytor.com \
--cc=jacob.jun.pan@linux.intel.com \
--cc=jgg@ziepe.ca \
--cc=jpoimboe@kernel.org \
--cc=jroedel@suse.de \
--cc=kai.huang@intel.com \
--cc=keescook@chromium.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=pengfei.xu@intel.com \
--cc=peterz@infradead.org \
--cc=petr.tesarik1@huawei-partners.com \
--cc=petr@tesarici.cz \
--cc=rick.p.edgecombe@intel.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=rppt@kernel.org \
--cc=tglx@linutronix.de \
--cc=tina.zhang@intel.com \
--cc=x86@kernel.org \
--cc=xin3.li@intel.com \
--cc=zegao2021@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.