From: Nick Desaulniers <ndesaulniers@google.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org,
linux-hardening@vger.kernel.org, mark.rutland@arm.com,
catalin.marinas@arm.com, will@kernel.org,
Kees Cook <keescook@google.com>,
Sami Tolvanen <samitolvanen@google.com>,
Fangrui Song <maskray@google.com>,
Dan Li <ashimida@linux.alibaba.com>,
linux-toolchains@vger.kernel.org
Subject: Re: [RFC PATCH 0/9] arm64: use unwind data on GCC for shadow call stack
Date: Wed, 13 Oct 2021 11:01:43 -0700 [thread overview]
Message-ID: <CAKwvOdkS1LuEEXOAUCDNBWJBbo-GPisf0s-BtL119Kfi7084kA@mail.gmail.com> (raw)
In-Reply-To: <20211013152243.2216899-1-ardb@kernel.org>
On Wed, Oct 13, 2021 at 8:22 AM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> This series is a proof of concept implementation of using unwind tables
> to locate PACIASP/AUTIASP instructions in the code, and patching them
> into shadow call stack pushes/pops at boot time if the platform in
> question does not support pointer authentication in hardware. This way,
> the overhead of the shadow call stack is only imposed if it actually
> gives any benefit. It also means that the compiler does not need to
> generate the code, so this works with GCC as well.
>
> In fact, it only works with GCC at the moment, as Clang does not seem to
> implement the DW_CFA_negate_ra_state correctly, which is emitted after
> each PACIASP or AUTIASP instruction (Clang only does the former).
> However, GCC does not appear to get it quite right either, as it emits
> the directive in the wrong place in some cases (but in a way that can be
> worked around).
Can we work on getting bug reports to the compiler vendors? Then we
can have something free of workarounds, and more toolchain portable.
>
> Note that this only implements it for the core kernel. Modules should be
> straight-forward, and most of the code can be reused. Also, the
> transformation is applied unconditionally, even if the hardware does
> implement PAC, but this does not really matter for a PoC.
>
> One obvious downside is the size of the unwind tables (3 MiB for
> defconfig), although there are plenty of use cases where this does not
> really matters (and I haven't checked the compressed size). However,
> there may be other reasons why we'd want to have access to these unwind
> tables (reliable stack traces), so this will need to be discussed before
> I intend to take this any further.
>
> Cc: Kees Cook <keescook@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Fangrui Song <maskray@google.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Dan Li <ashimida@linux.alibaba.com>
>
> Ard Biesheuvel (9):
> arm64: assembler: enable PAC for non-leaf assembler routines
> arm64: cache: use ALIAS version of linkage macros for local aliases
> arm64: crypto: avoid overlapping linkage definitions for AES-CBC
> arm64: aes-neonbs: move frame pop to end of function
> arm64: chacha-neon: move frame pop forward
> arm64: smccc: create proper stack frames for HVC/SMC calls
> arm64: assembler: add unwind annotations to frame push/pop macros
> arm64: unwind: add asynchronous unwind tables to the kernel proper
> arm64: implement dynamic shadow call stack for GCC
>
> Makefile | 4 +-
> arch/Kconfig | 4 +-
> arch/arm64/Kconfig | 11 +-
> arch/arm64/Makefile | 7 +-
> arch/arm64/crypto/aes-modes.S | 4 +-
> arch/arm64/crypto/aes-neonbs-core.S | 8 +-
> arch/arm64/crypto/chacha-neon-core.S | 9 +-
> arch/arm64/include/asm/assembler.h | 32 ++-
> arch/arm64/include/asm/linkage.h | 16 +-
> arch/arm64/kernel/Makefile | 2 +
> arch/arm64/kernel/head.S | 3 +
> arch/arm64/kernel/patch-scs.c | 223 ++++++++++++++++++++
> arch/arm64/kernel/smccc-call.S | 40 ++--
> arch/arm64/kernel/vmlinux.lds.S | 20 ++
> arch/arm64/mm/cache.S | 8 +-
> drivers/firmware/efi/libstub/Makefile | 1 +
> 16 files changed, 347 insertions(+), 45 deletions(-)
> create mode 100644 arch/arm64/kernel/patch-scs.c
>
> --
> 2.30.2
>
--
Thanks,
~Nick Desaulniers
WARNING: multiple messages have this Message-ID (diff)
From: Nick Desaulniers <ndesaulniers@google.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org,
linux-hardening@vger.kernel.org, mark.rutland@arm.com,
catalin.marinas@arm.com, will@kernel.org,
Kees Cook <keescook@google.com>,
Sami Tolvanen <samitolvanen@google.com>,
Fangrui Song <maskray@google.com>,
Dan Li <ashimida@linux.alibaba.com>,
linux-toolchains@vger.kernel.org
Subject: Re: [RFC PATCH 0/9] arm64: use unwind data on GCC for shadow call stack
Date: Wed, 13 Oct 2021 11:01:43 -0700 [thread overview]
Message-ID: <CAKwvOdkS1LuEEXOAUCDNBWJBbo-GPisf0s-BtL119Kfi7084kA@mail.gmail.com> (raw)
In-Reply-To: <20211013152243.2216899-1-ardb@kernel.org>
On Wed, Oct 13, 2021 at 8:22 AM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> This series is a proof of concept implementation of using unwind tables
> to locate PACIASP/AUTIASP instructions in the code, and patching them
> into shadow call stack pushes/pops at boot time if the platform in
> question does not support pointer authentication in hardware. This way,
> the overhead of the shadow call stack is only imposed if it actually
> gives any benefit. It also means that the compiler does not need to
> generate the code, so this works with GCC as well.
>
> In fact, it only works with GCC at the moment, as Clang does not seem to
> implement the DW_CFA_negate_ra_state correctly, which is emitted after
> each PACIASP or AUTIASP instruction (Clang only does the former).
> However, GCC does not appear to get it quite right either, as it emits
> the directive in the wrong place in some cases (but in a way that can be
> worked around).
Can we work on getting bug reports to the compiler vendors? Then we
can have something free of workarounds, and more toolchain portable.
>
> Note that this only implements it for the core kernel. Modules should be
> straight-forward, and most of the code can be reused. Also, the
> transformation is applied unconditionally, even if the hardware does
> implement PAC, but this does not really matter for a PoC.
>
> One obvious downside is the size of the unwind tables (3 MiB for
> defconfig), although there are plenty of use cases where this does not
> really matters (and I haven't checked the compressed size). However,
> there may be other reasons why we'd want to have access to these unwind
> tables (reliable stack traces), so this will need to be discussed before
> I intend to take this any further.
>
> Cc: Kees Cook <keescook@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Fangrui Song <maskray@google.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Dan Li <ashimida@linux.alibaba.com>
>
> Ard Biesheuvel (9):
> arm64: assembler: enable PAC for non-leaf assembler routines
> arm64: cache: use ALIAS version of linkage macros for local aliases
> arm64: crypto: avoid overlapping linkage definitions for AES-CBC
> arm64: aes-neonbs: move frame pop to end of function
> arm64: chacha-neon: move frame pop forward
> arm64: smccc: create proper stack frames for HVC/SMC calls
> arm64: assembler: add unwind annotations to frame push/pop macros
> arm64: unwind: add asynchronous unwind tables to the kernel proper
> arm64: implement dynamic shadow call stack for GCC
>
> Makefile | 4 +-
> arch/Kconfig | 4 +-
> arch/arm64/Kconfig | 11 +-
> arch/arm64/Makefile | 7 +-
> arch/arm64/crypto/aes-modes.S | 4 +-
> arch/arm64/crypto/aes-neonbs-core.S | 8 +-
> arch/arm64/crypto/chacha-neon-core.S | 9 +-
> arch/arm64/include/asm/assembler.h | 32 ++-
> arch/arm64/include/asm/linkage.h | 16 +-
> arch/arm64/kernel/Makefile | 2 +
> arch/arm64/kernel/head.S | 3 +
> arch/arm64/kernel/patch-scs.c | 223 ++++++++++++++++++++
> arch/arm64/kernel/smccc-call.S | 40 ++--
> arch/arm64/kernel/vmlinux.lds.S | 20 ++
> arch/arm64/mm/cache.S | 8 +-
> drivers/firmware/efi/libstub/Makefile | 1 +
> 16 files changed, 347 insertions(+), 45 deletions(-)
> create mode 100644 arch/arm64/kernel/patch-scs.c
>
> --
> 2.30.2
>
--
Thanks,
~Nick Desaulniers
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-10-13 18:02 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-13 15:22 [RFC PATCH 0/9] arm64: use unwind data on GCC for shadow call stack Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 1/9] arm64: assembler: enable PAC for non-leaf assembler routines Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 2/9] arm64: cache: use ALIAS version of linkage macros for local aliases Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 3/9] arm64: crypto: avoid overlapping linkage definitions for AES-CBC Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 4/9] arm64: aes-neonbs: move frame pop to end of function Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 5/9] arm64: chacha-neon: move frame pop forward Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 6/9] arm64: smccc: create proper stack frames for HVC/SMC calls Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:44 ` Mark Brown
2021-10-13 15:44 ` Mark Brown
2021-10-13 15:22 ` [RFC PATCH 7/9] arm64: assembler: add unwind annotations to frame push/pop macros Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 8/9] arm64: unwind: add asynchronous unwind tables to the kernel proper Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:22 ` [RFC PATCH 9/9] arm64: implement dynamic shadow call stack for GCC Ard Biesheuvel
2021-10-13 15:22 ` Ard Biesheuvel
2021-10-13 15:42 ` Mark Brown
2021-10-13 15:42 ` Mark Brown
2021-10-13 22:35 ` Dan Li
2021-10-13 22:35 ` Dan Li
2021-10-14 9:41 ` Ard Biesheuvel
2021-10-14 9:41 ` Ard Biesheuvel
2021-10-13 17:52 ` [RFC PATCH 0/9] arm64: use unwind data on GCC for shadow call stack Ard Biesheuvel
2021-10-13 17:52 ` Ard Biesheuvel
2021-10-13 18:01 ` Nick Desaulniers [this message]
2021-10-13 18:01 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKwvOdkS1LuEEXOAUCDNBWJBbo-GPisf0s-BtL119Kfi7084kA@mail.gmail.com \
--to=ndesaulniers@google.com \
--cc=ardb@kernel.org \
--cc=ashimida@linux.alibaba.com \
--cc=catalin.marinas@arm.com \
--cc=keescook@google.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-toolchains@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=maskray@google.com \
--cc=samitolvanen@google.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.