linux-doc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "Xu, Pengfei" <pengfei.xu@intel.com>,
	"vedvyas.shanbhogue@intel.com" <vedvyas.shanbhogue@intel.com>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
	"Lutomirski, Andy" <luto@kernel.org>,
	"nadav.amit@gmail.com" <nadav.amit@gmail.com>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"corbet@lwn.net" <corbet@lwn.net>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"jannh@google.com" <jannh@google.com>,
	"x86@kernel.org" <x86@kernel.org>, "bp@alien8.de" <bp@alien8.de>,
	"pavel@ucw.cz" <pavel@ucw.cz>,
	"rdunlap@infradead.org" <rdunlap@infradead.org>,
	"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
	"Dave.Martin@arm.com" <Dave.Martin@arm.com>,
	"arnd@arndb.de" <arnd@arndb.de>,
	"bsingharora@gmail.com" <bsingharora@gmail.com>,
	"mike.kravetz@oracle.com" <mike.kravetz@oracle.com>,
	"oleg@redhat.com" <oleg@redhat.com>,
	"fweimer@redhat.com" <fweimer@redhat.com>,
	"keescook@chromium.org" <keescook@chromium.org>,
	"Yu, Yu-cheng" <yu-cheng.yu@intel.com>,
	"gorcunov@gmail.com" <gorcunov@gmail.com>,
	"Huang, Haitao" <haitao.huang@intel.com>,
	"hpa@zytor.com" <hpa@zytor.com>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"Shankar, Ravi V" <ravi.v.shankar@intel.com>,
	"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"esyr@redhat.com" <esyr@redhat.com>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"Yang, Weijiang" <weijiang.yang@intel.com>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>
Subject: Re: [PATCH v27 06/10] x86/cet/ibt: Update arch_prctl functions for Indirect Branch Tracking
Date: Mon, 19 Jul 2021 18:21:34 +0000	[thread overview]
Message-ID: <31008f559a7263d2a4042f9c061efcd4e86b5a69.camel@intel.com> (raw)
In-Reply-To: <20210521221531.30168-7-yu-cheng.yu@intel.com>

On Fri, 2021-05-21 at 15:15 -0700, Yu-cheng Yu wrote:
> From: "H.J. Lu" <hjl.tools@gmail.com>
> 
> Update ARCH_X86_CET_STATUS and ARCH_X86_CET_DISABLE for Indirect
> Branch
> Tracking.
> 
> Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> ---
>  arch/x86/kernel/cet_prctl.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/arch/x86/kernel/cet_prctl.c
> b/arch/x86/kernel/cet_prctl.c
> index b426d200e070..bd3c80d402e7 100644
> --- a/arch/x86/kernel/cet_prctl.c
> +++ b/arch/x86/kernel/cet_prctl.c
> @@ -22,6 +22,9 @@ static int cet_copy_status_to_user(struct
> thread_shstk *shstk, u64 __user *ubuf)
>                 buf[2] = shstk->size;
>         }
>  
> +       if (shstk->ibt)
> +               buf[0] |= GNU_PROPERTY_X86_FEATURE_1_IBT;
> +
Can you have IBT enabled but not shadow stack via kernel parameters?
Outside this diff it has:
if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
	return -ENOTSUPP;

So if "no_user_shstk" is set, this can't be used for IBT. But the
kernel would attempt to enable IBT.

Also if so, the CR4 bit enabling logic needs adjusting in this IBT
series. If not, we should probably mention this in the docs and enforce
it. It would then follow the logic in Kconfig, so maybe the simplest.
Like maybe instead of no_user_shstk, just no_user_cet?

>         return copy_to_user(ubuf, buf, sizeof(buf));
>  }
>  
> @@ -46,6 +49,8 @@ int prctl_cet(int option, u64 arg2)
>                         return -EINVAL;
>                 if (arg2 & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
>                         shstk_disable();
> +               if (arg2 & GNU_PROPERTY_X86_FEATURE_1_IBT)
> +                       ibt_disable();
>                 return 0;
>  
>         case ARCH_X86_CET_LOCK:


  reply	other threads:[~2021-07-19 19:59 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-21 22:15 [PATCH v27 00/10] Control-flow Enforcement: Indirect Branch Tracking Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 01/10] x86/cet/ibt: Add Kconfig option for " Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 02/10] x86/cet/ibt: Add user-mode Indirect Branch Tracking support Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 03/10] x86/cet/ibt: Handle signals for Indirect Branch Tracking Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 04/10] x86/cet/ibt: Disable IBT for ia32 Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 05/10] x86/cet/ibt: Update ELF header parsing for Indirect Branch Tracking Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 06/10] x86/cet/ibt: Update arch_prctl functions " Yu-cheng Yu
2021-07-19 18:21   ` Edgecombe, Rick P [this message]
2021-07-20 17:09     ` Yu, Yu-cheng
2021-07-20 19:45       ` Edgecombe, Rick P
2021-05-21 22:15 ` [PATCH v27 07/10] x86/vdso: Insert endbr32/endbr64 to vDSO Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 08/10] x86/vdso: Introduce ENDBR macro Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 09/10] x86/vdso/32: Add ENDBR to __kernel_vsyscall entry point Yu-cheng Yu
2021-05-21 22:15 ` [PATCH v27 10/10] x86/vdso: Add ENDBR to __vdso_sgx_enter_enclave Yu-cheng Yu
2021-05-22 22:47   ` Jarkko Sakkinen
2021-05-24 19:01     ` Yu, Yu-cheng

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=31008f559a7263d2a4042f9c061efcd4e86b5a69.camel@intel.com \
    --to=rick.p.edgecombe@intel.com \
    --cc=Dave.Martin@arm.com \
    --cc=arnd@arndb.de \
    --cc=bp@alien8.de \
    --cc=bsingharora@gmail.com \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@linux.intel.com \
    --cc=esyr@redhat.com \
    --cc=fweimer@redhat.com \
    --cc=gorcunov@gmail.com \
    --cc=haitao.huang@intel.com \
    --cc=hjl.tools@gmail.com \
    --cc=hpa@zytor.com \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=mike.kravetz@oracle.com \
    --cc=mingo@redhat.com \
    --cc=nadav.amit@gmail.com \
    --cc=oleg@redhat.com \
    --cc=pavel@ucw.cz \
    --cc=pengfei.xu@intel.com \
    --cc=peterz@infradead.org \
    --cc=ravi.v.shankar@intel.com \
    --cc=rdunlap@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=vedvyas.shanbhogue@intel.com \
    --cc=weijiang.yang@intel.com \
    --cc=x86@kernel.org \
    --cc=yu-cheng.yu@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).