* [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
@ 2021-11-02 7:58 Dan Li
2021-11-02 9:51 ` Miguel Ojeda
0 siblings, 1 reply; 7+ messages in thread
From: Dan Li @ 2021-11-02 7:58 UTC (permalink / raw)
To: catalin.marinas, will, nathan, ndesaulniers, keescook, tglx,
akpm, peterz, samitolvanen, masahiroy, rppt, mark.rutland,
frederic, yifeifz2, rostedt, viresh.kumar, andreyknvl,
colin.king, ojeda, arnd, luc.vanoostenryck, nivedita, elver
Cc: linux-hardening, Dan Li
I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.
Kernel can enable SCS under gcc based on this patch, commands as follows:
make ARCH=arm64 defconfig
./scripts/config -e CONFIG_SHADOW_CALL_STACK
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
---
This function can be used to test whether the shadow stack is effective:
//noinline void __noscs scs_test(void)
noinline void scs_test(void)
{
register unsigned long *sp asm("sp");
unsigned long * lr = sp + 1;
asm volatile("":::"x30");
*lr = 0;
}
ffff800010012710 <scs_test>:
ffff800010012710: d503245f bti c
ffff800010012714: d503233f paciasp
ffff800010012718: a9bf7bfd stp x29, x30, [sp, #-16]!
ffff80001001271c: 910003fd mov x29, sp
ffff800010012720: 910003e0 mov x0, sp
ffff800010012724: f900041f str xzr, [x0, #8]
ffff800010012728: a8c17bfd ldp x29, x30, [sp], #16
ffff80001001272c: d50323bf autiasp
ffff800010012730: d65f03c0 ret
arch/Kconfig | 6 +++---
arch/arm64/Kconfig | 2 +-
include/linux/compiler-gcc.h | 6 ++++++
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index 98db63496bab..35b27be0d7ee 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -593,11 +593,11 @@ config ARCH_SUPPORTS_SHADOW_CALL_STACK
switching.
config SHADOW_CALL_STACK
- bool "Clang Shadow Call Stack"
- depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK
+ bool "Shadow Call Stack"
+ depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
help
- This option enables Clang's Shadow Call Stack, which uses a
+ This option enables Clang/GCC's Shadow Call Stack, which uses a
shadow stack to protect function return addresses from being
overwritten by an attacker. More information can be found in
Clang's documentation:
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 62c3c1d2190f..5d49c0c89645 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1062,7 +1062,7 @@ config ARCH_HAS_FILTER_PGPROT
# Supported by clang >= 7.0
config CC_HAVE_SHADOW_CALL_STACK
- def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
+ def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
config PARAVIRT
bool "Enable paravirtualization code"
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index cb9217fc60af..917c3bb6aa43 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -104,6 +104,12 @@
#define KASAN_ABI_VERSION 3
#endif
+#if __has_attribute(__no_sanitize_shadow_call_stack__)
+#define __noscs __attribute__((no_sanitize_shadow_call_stack))
+#else
+#define __noscs
+#endif
+
#if __has_attribute(__no_sanitize_address__)
#define __no_sanitize_address __attribute__((no_sanitize_address))
#else
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
2021-11-02 7:58 [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support Dan Li
@ 2021-11-02 9:51 ` Miguel Ojeda
2021-11-02 16:03 ` Dan Li
2021-11-02 18:41 ` Nick Desaulniers
0 siblings, 2 replies; 7+ messages in thread
From: Miguel Ojeda @ 2021-11-02 9:51 UTC (permalink / raw)
To: Dan Li
Cc: Catalin Marinas, Will Deacon, Nathan Chancellor,
Nick Desaulniers, Kees Cook, Thomas Gleixner, Andrew Morton,
Peter Zijlstra, Sami Tolvanen, Masahiro Yamada, Mike Rapoport,
Mark Rutland, frederic, yifeifz2, Steven Rostedt, Viresh Kumar,
andreyknvl, Colin King, Miguel Ojeda, Arnd Bergmann,
Luc Van Oostenryck, Arvind Sankar, Marco Elver, linux-hardening
On Tue, Nov 2, 2021 at 8:58 AM Dan Li <ashimida@linux.alibaba.com> wrote:
>
> I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.
This would go into GCC 12, right?
> [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
Nit: you can use the `Link: ` tag for this.
> # Supported by clang >= 7.0
We should add a comment here saying the minimum version too, e.g. GCC
>= 12 (assuming it will be merged)
> config CC_HAVE_SHADOW_CALL_STACK
> - def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
> + def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
This is changing the default for Clang (which looks fine due to our
minimum Clang version), but if the test for GCC works the same way,
why not just keep the line as it was since it covers both?
> +#if __has_attribute(__no_sanitize_shadow_call_stack__)
> +#define __noscs __attribute__((no_sanitize_shadow_call_stack))
> +#else
> +#define __noscs
> +#endif
No need for the `else` branch here, it is done in `compiler_types.h`
(to be consistent with Clang).
Also, I hope one day GCC and Clang doing the same for these
sanitize-related bits...
Cheers,
Miguel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
2021-11-02 9:51 ` Miguel Ojeda
@ 2021-11-02 16:03 ` Dan Li
2021-11-02 16:16 ` Miguel Ojeda
2021-11-02 18:41 ` Nick Desaulniers
1 sibling, 1 reply; 7+ messages in thread
From: Dan Li @ 2021-11-02 16:03 UTC (permalink / raw)
To: Miguel Ojeda
Cc: Catalin Marinas, Will Deacon, Nathan Chancellor,
Nick Desaulniers, Kees Cook, Thomas Gleixner, Andrew Morton,
Peter Zijlstra, Sami Tolvanen, Masahiro Yamada, Mike Rapoport,
Mark Rutland, frederic, yifeifz2, Steven Rostedt, Viresh Kumar,
andreyknvl, Colin King, Miguel Ojeda, Arnd Bergmann,
Luc Van Oostenryck, Arvind Sankar, Marco Elver, linux-hardening
On 11/2/21 5:51 PM, Miguel Ojeda wrote:
> On Tue, Nov 2, 2021 at 8:58 AM Dan Li <ashimida@linux.alibaba.com> wrote:
>>
>> I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.
>
> This would go into GCC 12, right?
>
Oh, yes, gcc-11.1.0 is the version I used to test this patch.
>> [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
>
> Nit: you can use the `Link: ` tag for this.
>
Thanks, Miguel :)
>> # Supported by clang >= 7.0
>
> We should add a comment here saying the minimum version too, e.g. GCC
>> = 12 (assuming it will be merged)
>
Ok, I will add a comment in the next version, if this patch will be merged.
>> config CC_HAVE_SHADOW_CALL_STACK
>> - def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>> + def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>
> This is changing the default for Clang (which looks fine due to our
> minimum Clang version), but if the test for GCC works the same way,
> why not just keep the line as it was since it covers both?
>
That sounds reasonable, keep this line unchanged is fine.
>> +#if __has_attribute(__no_sanitize_shadow_call_stack__)
>> +#define __noscs __attribute__((no_sanitize_shadow_call_stack))
>> +#else
>> +#define __noscs
>> +#endif
>
> No need for the `else` branch here, it is done in `compiler_types.h`
> (to be consistent with Clang).
>
Oh, I see, thanks.
> Also, I hope one day GCC and Clang doing the same for these
> sanitize-related bits...
>
> Cheers,
> Miguel
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
2021-11-02 16:03 ` Dan Li
@ 2021-11-02 16:16 ` Miguel Ojeda
0 siblings, 0 replies; 7+ messages in thread
From: Miguel Ojeda @ 2021-11-02 16:16 UTC (permalink / raw)
To: Dan Li
Cc: Catalin Marinas, Will Deacon, Nathan Chancellor,
Nick Desaulniers, Kees Cook, Thomas Gleixner, Andrew Morton,
Peter Zijlstra, Sami Tolvanen, Masahiro Yamada, Mike Rapoport,
Mark Rutland, frederic, yifeifz2, Steven Rostedt, Viresh Kumar,
andreyknvl, Colin King, Miguel Ojeda, Arnd Bergmann,
Luc Van Oostenryck, Arvind Sankar, Marco Elver, linux-hardening
On Tue, Nov 2, 2021 at 5:03 PM Dan Li <ashimida@linux.alibaba.com> wrote:
>
> Thanks, Miguel :)
You're welcome! Thanks for your work on this! :)
With those changes and assuming your feature is merged to GCC 12:
Reviewed-by: Miguel Ojeda <ojeda@kernel.org>
Cheers,
Miguel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
2021-11-02 9:51 ` Miguel Ojeda
2021-11-02 16:03 ` Dan Li
@ 2021-11-02 18:41 ` Nick Desaulniers
2021-11-02 18:51 ` Miguel Ojeda
1 sibling, 1 reply; 7+ messages in thread
From: Nick Desaulniers @ 2021-11-02 18:41 UTC (permalink / raw)
To: Miguel Ojeda
Cc: Dan Li, Catalin Marinas, Will Deacon, Nathan Chancellor,
Kees Cook, Thomas Gleixner, Andrew Morton, Peter Zijlstra,
Sami Tolvanen, Masahiro Yamada, Mike Rapoport, Mark Rutland,
frederic, yifeifz2, Steven Rostedt, Viresh Kumar, andreyknvl,
Colin King, Miguel Ojeda, Arnd Bergmann, Luc Van Oostenryck,
Arvind Sankar, Marco Elver, linux-hardening
On Tue, Nov 2, 2021 at 2:52 AM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Tue, Nov 2, 2021 at 8:58 AM Dan Li <ashimida@linux.alibaba.com> wrote:
> >
> > I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.
>
> This would go into GCC 12, right?
>
> > [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
>
> Nit: you can use the `Link: ` tag for this.
>
> > # Supported by clang >= 7.0
>
> We should add a comment here saying the minimum version too, e.g. GCC
> >= 12 (assuming it will be merged)
>
> > config CC_HAVE_SHADOW_CALL_STACK
> > - def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
> > + def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>
> This is changing the default for Clang (which looks fine due to our
> minimum Clang version), but if the test for GCC works the same way,
> why not just keep the line as it was since it covers both?
Yeah, let's just have the cc-option check used for both toolchains.
> > +#if __has_attribute(__no_sanitize_shadow_call_stack__)
> > +#define __noscs __attribute__((no_sanitize_shadow_call_stack))
> > +#else
> > +#define __noscs
> > +#endif
>
> No need for the `else` branch here, it is done in `compiler_types.h`
> (to be consistent with Clang).
Do we want to move this to include/linux/compiler_attributes.h?
Respecifying these repeatedly in each include/linux/compiler-*.h feels
excessively redundant.
> Also, I hope one day GCC and Clang doing the same for these
> sanitize-related bits...
...
--
Thanks,
~Nick Desaulniers
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
2021-11-02 18:41 ` Nick Desaulniers
@ 2021-11-02 18:51 ` Miguel Ojeda
2021-11-02 18:59 ` Nick Desaulniers
0 siblings, 1 reply; 7+ messages in thread
From: Miguel Ojeda @ 2021-11-02 18:51 UTC (permalink / raw)
To: Nick Desaulniers
Cc: Dan Li, Catalin Marinas, Will Deacon, Nathan Chancellor,
Kees Cook, Thomas Gleixner, Andrew Morton, Peter Zijlstra,
Sami Tolvanen, Masahiro Yamada, Mike Rapoport, Mark Rutland,
frederic, yifeifz2, Steven Rostedt, Viresh Kumar, andreyknvl,
Colin King, Miguel Ojeda, Arnd Bergmann, Luc Van Oostenryck,
Arvind Sankar, Marco Elver, linux-hardening
On Tue, Nov 2, 2021 at 7:42 PM Nick Desaulniers <ndesaulniers@google.com> wrote:
>
> Do we want to move this to include/linux/compiler_attributes.h?
> Respecifying these repeatedly in each include/linux/compiler-*.h feels
> excessively redundant.
Note that they are spelled differently, which is one of the reasons to
keep them separate (and why I invoked my hopes of Clang and GCC
agreeing).
I typically mention that we could start breaking this "rule" and it
would be also reasonable; but on the other hand, having it this way
makes the distinction clear and also gives an incentive for compilers
to agree ;)
For reference, the file explains this on the top:
```
* Any other "attributes" (i.e. those that depend on a configuration option,
* on a compiler, on an architecture, on plugins, on other attributes...)
* should be defined elsewhere (e.g. compiler_types.h or compiler-*.h).
* The intention is to keep this file as simple as possible, as well as
* compiler- and version-agnostic (e.g. avoiding GCC_VERSION checks).
```
Cheers,
Miguel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support
2021-11-02 18:51 ` Miguel Ojeda
@ 2021-11-02 18:59 ` Nick Desaulniers
0 siblings, 0 replies; 7+ messages in thread
From: Nick Desaulniers @ 2021-11-02 18:59 UTC (permalink / raw)
To: Miguel Ojeda
Cc: Dan Li, Catalin Marinas, Will Deacon, Nathan Chancellor,
Kees Cook, Thomas Gleixner, Andrew Morton, Peter Zijlstra,
Sami Tolvanen, Masahiro Yamada, Mike Rapoport, Mark Rutland,
frederic, yifeifz2, Steven Rostedt, Viresh Kumar, andreyknvl,
Colin King, Miguel Ojeda, Arnd Bergmann, Luc Van Oostenryck,
Arvind Sankar, Marco Elver, linux-hardening
On Tue, Nov 2, 2021 at 11:51 AM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Tue, Nov 2, 2021 at 7:42 PM Nick Desaulniers <ndesaulniers@google.com> wrote:
> >
> > Do we want to move this to include/linux/compiler_attributes.h?
> > Respecifying these repeatedly in each include/linux/compiler-*.h feels
> > excessively redundant.
>
> Note that they are spelled differently, which is one of the reasons to
> keep them separate (and why I invoked my hopes of Clang and GCC
> agreeing).
Ah, that's right. The sanitizers differ here...I missed `__noscs`
definition in include/linux/compiler-clang.h during my initial code
review.
--
Thanks,
~Nick Desaulniers
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-11-02 18:59 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-02 7:58 [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support Dan Li
2021-11-02 9:51 ` Miguel Ojeda
2021-11-02 16:03 ` Dan Li
2021-11-02 16:16 ` Miguel Ojeda
2021-11-02 18:41 ` Nick Desaulniers
2021-11-02 18:51 ` Miguel Ojeda
2021-11-02 18:59 ` Nick Desaulniers
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.