[PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Dan Li]

I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.

Kernel can enable SCS under gcc based on this patch, commands as follows:

make ARCH=arm64 defconfig
./scripts/config -e CONFIG_SHADOW_CALL_STACK
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-

[1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html

Signed-off-by: Dan Li <ashimida@linux.alibaba.com>

---
This function can be used to test whether the shadow stack is effective:
//noinline void __noscs scs_test(void)
noinline void scs_test(void)
{
            register unsigned long *sp asm("sp");
                unsigned long * lr = sp + 1;

                    asm volatile("":::"x30");
                        *lr = 0;
}

ffff800010012710 <scs_test>:
ffff800010012710:       d503245f        bti     c
ffff800010012714:       d503233f        paciasp
ffff800010012718:       a9bf7bfd        stp     x29, x30, [sp, #-16]!
ffff80001001271c:       910003fd        mov     x29, sp
ffff800010012720:       910003e0        mov     x0, sp
ffff800010012724:       f900041f        str     xzr, [x0, #8]
ffff800010012728:       a8c17bfd        ldp     x29, x30, [sp], #16
ffff80001001272c:       d50323bf        autiasp
ffff800010012730:       d65f03c0        ret

 arch/Kconfig                 | 6 +++---
 arch/arm64/Kconfig           | 2 +-
 include/linux/compiler-gcc.h | 6 ++++++
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/arch/Kconfig b/arch/Kconfig
index 98db63496bab..35b27be0d7ee 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -593,11 +593,11 @@ config ARCH_SUPPORTS_SHADOW_CALL_STACK
 	  switching.
 
 config SHADOW_CALL_STACK
-	bool "Clang Shadow Call Stack"
-	depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK
+	bool "Shadow Call Stack"
+	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
 	depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
 	help
-	  This option enables Clang's Shadow Call Stack, which uses a
+	  This option enables Clang/GCC's Shadow Call Stack, which uses a
 	  shadow stack to protect function return addresses from being
 	  overwritten by an attacker. More information can be found in
 	  Clang's documentation:
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 62c3c1d2190f..5d49c0c89645 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1062,7 +1062,7 @@ config ARCH_HAS_FILTER_PGPROT
 
 # Supported by clang >= 7.0
 config CC_HAVE_SHADOW_CALL_STACK
-	def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
+	def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
 
 config PARAVIRT
 	bool "Enable paravirtualization code"
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index cb9217fc60af..917c3bb6aa43 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -104,6 +104,12 @@
 #define KASAN_ABI_VERSION 3
 #endif
 
+#if __has_attribute(__no_sanitize_shadow_call_stack__)
+#define __noscs __attribute__((no_sanitize_shadow_call_stack))
+#else
+#define __noscs
+#endif
+
 #if __has_attribute(__no_sanitize_address__)
 #define __no_sanitize_address __attribute__((no_sanitize_address))
 #else
-- 
2.17.1

Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Miguel Ojeda]

On Tue, Nov 2, 2021 at 8:58 AM Dan Li <ashimida@linux.alibaba.com> wrote:
>
> I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.

This would go into GCC 12, right?

> [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html

Nit: you can use the `Link: ` tag for this.

>  # Supported by clang >= 7.0

We should add a comment here saying the minimum version too, e.g. GCC
>= 12 (assuming it will be merged)

>  config CC_HAVE_SHADOW_CALL_STACK
> -       def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
> +       def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)

This is changing the default for Clang (which looks fine due to our
minimum Clang version), but if the test for GCC works the same way,
why not just keep the line as it was since it covers both?

> +#if __has_attribute(__no_sanitize_shadow_call_stack__)
> +#define __noscs __attribute__((no_sanitize_shadow_call_stack))
> +#else
> +#define __noscs
> +#endif

No need for the `else` branch here, it is done in `compiler_types.h`
(to be consistent with Clang).

Also, I hope one day GCC and Clang doing the same for these
sanitize-related bits...

Cheers,
Miguel

Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Dan Li]

On 11/2/21 5:51 PM, Miguel Ojeda wrote:
> On Tue, Nov 2, 2021 at 8:58 AM Dan Li <ashimida@linux.alibaba.com> wrote:
>>
>> I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.
> 
> This would go into GCC 12, right?
>
Oh, yes, gcc-11.1.0 is the version I used to test this patch.

>> [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
> 
> Nit: you can use the `Link: ` tag for this.
>
Thanks, Miguel :)

>>   # Supported by clang >= 7.0
> 
> We should add a comment here saying the minimum version too, e.g. GCC
>> = 12 (assuming it will be merged)
> 
Ok, I will add a comment in the next version, if this patch will be merged.

>>   config CC_HAVE_SHADOW_CALL_STACK
>> -       def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>> +       def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
> 
> This is changing the default for Clang (which looks fine due to our
> minimum Clang version), but if the test for GCC works the same way,
> why not just keep the line as it was since it covers both?
>
That sounds reasonable, keep this line unchanged is fine.

>> +#if __has_attribute(__no_sanitize_shadow_call_stack__)
>> +#define __noscs __attribute__((no_sanitize_shadow_call_stack))
>> +#else
>> +#define __noscs
>> +#endif
> 
> No need for the `else` branch here, it is done in `compiler_types.h`
> (to be consistent with Clang).
> 
Oh, I see, thanks.

> Also, I hope one day GCC and Clang doing the same for these
> sanitize-related bits...
> 
> Cheers,
> Miguel
> 

Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Miguel Ojeda]

On Tue, Nov 2, 2021 at 5:03 PM Dan Li <ashimida@linux.alibaba.com> wrote:
>
> Thanks, Miguel :)

You're welcome! Thanks for your work on this! :)

With those changes and assuming your feature is merged to GCC 12:

    Reviewed-by: Miguel Ojeda <ojeda@kernel.org>

Cheers,
Miguel

Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Nick Desaulniers]

On Tue, Nov 2, 2021 at 2:52 AM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Tue, Nov 2, 2021 at 8:58 AM Dan Li <ashimida@linux.alibaba.com> wrote:
> >
> > I tried to submit a patch[1] to add compiler's SCS support on gcc-11.1.0.
>
> This would go into GCC 12, right?
>
> > [1] https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583062.html
>
> Nit: you can use the `Link: ` tag for this.
>
> >  # Supported by clang >= 7.0
>
> We should add a comment here saying the minimum version too, e.g. GCC
> >= 12 (assuming it will be merged)
>
> >  config CC_HAVE_SHADOW_CALL_STACK
> > -       def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
> > +       def_bool CC_IS_CLANG || $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
>
> This is changing the default for Clang (which looks fine due to our
> minimum Clang version), but if the test for GCC works the same way,
> why not just keep the line as it was since it covers both?

Yeah, let's just have the cc-option check used for both toolchains.

> > +#if __has_attribute(__no_sanitize_shadow_call_stack__)
> > +#define __noscs __attribute__((no_sanitize_shadow_call_stack))
> > +#else
> > +#define __noscs
> > +#endif
>
> No need for the `else` branch here, it is done in `compiler_types.h`
> (to be consistent with Clang).

Do we want to move this to include/linux/compiler_attributes.h?
Respecifying these repeatedly in each include/linux/compiler-*.h feels
excessively redundant.

> Also, I hope one day GCC and Clang doing the same for these
> sanitize-related bits...

...
-- 
Thanks,
~Nick Desaulniers

Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Miguel Ojeda]

On Tue, Nov 2, 2021 at 7:42 PM Nick Desaulniers <ndesaulniers@google.com> wrote:
>
> Do we want to move this to include/linux/compiler_attributes.h?
> Respecifying these repeatedly in each include/linux/compiler-*.h feels
> excessively redundant.

Note that they are spelled differently, which is one of the reasons to
keep them separate (and why I invoked my hopes of Clang and GCC
agreeing).

I typically mention that we could start breaking this "rule" and it
would be also reasonable; but on the other hand, having it this way
makes the distinction clear and also gives an incentive for compilers
to agree ;)

For reference, the file explains this on the top:

```
* Any other "attributes" (i.e. those that depend on a configuration option,
* on a compiler, on an architecture, on plugins, on other attributes...)
* should be defined elsewhere (e.g. compiler_types.h or compiler-*.h).
* The intention is to keep this file as simple as possible, as well as
* compiler- and version-agnostic (e.g. avoiding GCC_VERSION checks).
```

Cheers,
Miguel

Re: [PATCH] [RFC/RFT] AARCH64: Add gcc Shadow Call Stack support

[Nick Desaulniers]

On Tue, Nov 2, 2021 at 11:51 AM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Tue, Nov 2, 2021 at 7:42 PM Nick Desaulniers <ndesaulniers@google.com> wrote:
> >
> > Do we want to move this to include/linux/compiler_attributes.h?
> > Respecifying these repeatedly in each include/linux/compiler-*.h feels
> > excessively redundant.
>
> Note that they are spelled differently, which is one of the reasons to
> keep them separate (and why I invoked my hopes of Clang and GCC
> agreeing).

Ah, that's right. The sanitizers differ here...I missed `__noscs`
definition in include/linux/compiler-clang.h during my initial code
review.
-- 
Thanks,
~Nick Desaulniers