From: Ard Biesheuvel <ardb@kernel.org>
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, will@kernel.org, mark.rutland@arm.com,
	 maz@kernel.org, Kees Cook <keescook@google.com>,
	 Sami Tolvanen <samitolvanen@google.com>,
	Fangrui Song <maskray@google.com>,
	 Nick Desaulniers <ndesaulniers@google.com>,
	Dan Li <ashimida@linux.alibaba.com>,
	 Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v3 2/3] scs: add support for dynamic shadow call stacks
Date: Tue, 14 Jun 2022 08:20:13 +0200	[thread overview]
Message-ID: <CAMj1kXHn-tO3C=fHRnvsKb4f6HA1YiH9EV95xzR9zK8SujKc1Q@mail.gmail.com> (raw)
In-Reply-To: <20220613134008.3760481-3-ardb@kernel.org>

On Mon, 13 Jun 2022 at 15:40, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> In order to allow arches to use code patching to conditionally emit the
> shadow stack pushes and pops, rather than always taking the performance
> hit even on CPUs that implement alternatives such as stack pointer
> authentication on arm64, add a Kconfig symbol that can be set by the
> arch to omit the SCS codegen itself, without otherwise affecting how
> support code for SCS and compiler options (for register reservation, for
> instance) are emitted.
>
> Also, add a static key and some plumbing to omit the allocation of
> shadow call stack for dynamic SCS configurations if SCS is disabled at
> runtime.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>

This patch needs the following hunk applied on top to fix a build
error reported by the bots:

--- a/include/linux/scs.h
+++ b/include/linux/scs.h
@@ -57,6 +57,8 @@ DECLARE_STATIC_KEY_TRUE(dynamic_scs_enabled);

 static inline bool scs_is_dynamic(void)
 {
+       if (!IS_ENABLED(CONFIG_DYNAMIC_SCS))
+               return false;
        return static_branch_likely(&dynamic_scs_enabled);
 }
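Review bot: The new `IS_ENABLED(CONFIG_DYNAMIC_SCS)` test in `scs_is_dynamic()` is load-bearing for the build, and nothing in the header says so. `dynamic_scs_enabled` is declared unconditionally here but, in the quoted patch, defined in kernel/scs.c only under `#ifdef CONFIG_DYNAMIC_SCS`, so the early return is what lets the compiler drop the reference on other configurations (presumably the build error the bots reported). I would add a comment above the check, e.g. `/* dynamic_scs_enabled only exists with CONFIG_DYNAMIC_SCS; this check compiles the reference out otherwise */`, so a later cleanup does not fold it into `scs_is_enabled()` and bring the failure back.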


> ---
>  Makefile            |  2 ++
>  arch/Kconfig        |  7 +++++++
>  include/linux/scs.h | 16 ++++++++++++++++
>  kernel/scs.c        | 14 ++++++++++++--
>  4 files changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index c43d825a3c4c..806b1dea1218 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -883,8 +883,10 @@ LDFLAGS_vmlinux += --gc-sections
>  endif
>
>  ifdef CONFIG_SHADOW_CALL_STACK
> +ifndef CONFIG_DYNAMIC_SCS
>  CC_FLAGS_SCS   := -fsanitize=shadow-call-stack
>  KBUILD_CFLAGS  += $(CC_FLAGS_SCS)
> +endif
>  export CC_FLAGS_SCS
>  endif
>
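Review bot: The `ifndef CONFIG_DYNAMIC_SCS` around `-fsanitize=shadow-call-stack` carries no comment, so a reader of the Makefile alone sees CONFIG_SHADOW_CALL_STACK set with no compiler instrumentation and cannot tell where the protection comes from. A one-line comment above the guard would help, e.g. `# DYNAMIC_SCS: the arch inserts the shadow stack pushes/pops by code patching, so the compiler must not emit them`. `export CC_FLAGS_SCS` stays outside the guard, so the variable is exported empty in that configuration; it is worth saying in the same comment that this is intended.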
> diff --git a/arch/Kconfig b/arch/Kconfig
> index fcf9a41a4ef5..a6048d78f05d 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -636,6 +636,13 @@ config SHADOW_CALL_STACK
>           reading and writing arbitrary memory may be able to locate them
>           and hijack control flow by modifying the stacks.
>
> +config DYNAMIC_SCS
> +       bool
> +       help
> +         Set by the arch code if it relies on code patching to insert the
> +         shadow call stack push and pop instructions rather than on the
> +         compiler.
> +
>  config LTO
>         bool
>         help
> diff --git a/include/linux/scs.h b/include/linux/scs.h
> index 18122d9e17ff..c62134d89c7b 100644
> --- a/include/linux/scs.h
> +++ b/include/linux/scs.h
> @@ -53,6 +53,20 @@ static inline bool task_scs_end_corrupted(struct task_struct *tsk)
>         return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
>  }
>
> +DECLARE_STATIC_KEY_TRUE(dynamic_scs_enabled);
> +
> +static inline bool scs_is_dynamic(void)
> +{
> +       return static_branch_likely(&dynamic_scs_enabled);
> +}
> +
> +static inline bool scs_is_enabled(void)
> +{
> +       if (!IS_ENABLED(CONFIG_DYNAMIC_SCS))
> +               return true;
> +       return scs_is_dynamic();
> +}
> +
>  #else /* CONFIG_SHADOW_CALL_STACK */
>
>  static inline void *scs_alloc(int node) { return NULL; }
> @@ -62,6 +76,8 @@ static inline void scs_task_reset(struct task_struct *tsk) {}
>  static inline int scs_prepare(struct task_struct *tsk, int node) { return 0; }
>  static inline void scs_release(struct task_struct *tsk) {}
>  static inline bool task_scs_end_corrupted(struct task_struct *tsk) { return false; }
> +static inline bool scs_is_enabled(void) { return false; }
> +static inline bool scs_is_dynamic(void) { return false; }
>
>  #endif /* CONFIG_SHADOW_CALL_STACK */
>
> diff --git a/kernel/scs.c b/kernel/scs.c
> index b7e1b096d906..8826794d2645 100644
> --- a/kernel/scs.c
> +++ b/kernel/scs.c
> @@ -12,6 +12,10 @@
>  #include <linux/vmalloc.h>
>  #include <linux/vmstat.h>
>
> +#ifdef CONFIG_DYNAMIC_SCS
> +DEFINE_STATIC_KEY_TRUE(dynamic_scs_enabled);
> +#endif
> +
>  static void __scs_account(void *s, int account)
>  {
>         struct page *scs_page = vmalloc_to_page(s);
> @@ -101,14 +105,20 @@ static int scs_cleanup(unsigned int cpu)
>
>  void __init scs_init(void)
>  {
> +       if (!scs_is_enabled())
> +               return;
>         cpuhp_setup_state(CPUHP_BP_PREPARE_DYN, "scs:scs_cache", NULL,
>                           scs_cleanup);
>  }
>
>  int scs_prepare(struct task_struct *tsk, int node)
>  {
> -       void *s = scs_alloc(node);
> +       void *s;
>
> +       if (!scs_is_enabled())
> +               return 0;
> +
> +       s = scs_alloc(node);
>         if (!s)
>                 return -ENOMEM;
>
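Review bot: The early returns in `scs_init()` and `scs_prepare()` are correct only if `dynamic_scs_enabled` has reached its final value before `scs_init()` runs and before the first task is prepared, and that ordering requirement is not written down anywhere in these hunks. If the key were cleared later, tasks that already received a shadow stack would hit the `!scs_is_enabled()` test added to `scs_release()` in the next hunk, skipping the `task_scs_end_corrupted()` WARN and, as far as the visible lines show, the release of the stack. The code that flips the key is in another patch of the series and is not visible here, so the ordering may already hold. A comment next to `DEFINE_STATIC_KEY_TRUE(dynamic_scs_enabled)` would pin the invariant, e.g. `/* Must be settled before scs_init(); clearing it later leaks live shadow stacks in scs_release() */`. The bodies of `scs_prepare()` and `scs_release()` continue outside the hunks.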
> @@ -148,7 +158,7 @@ void scs_release(struct task_struct *tsk)
>  {
>         void *s = task_scs(tsk);
>
> -       if (!s)
> +       if (!scs_is_enabled() || !s)
>                 return;
>
>         WARN(task_scs_end_corrupted(tsk),
> --
> 2.30.2
>

