From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D22EEC64ED8
	for <linux-mm@archiver.kernel.org>; Mon, 27 Feb 2023 22:32:26 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id B53116B00A6; Mon, 27 Feb 2023 17:32:00 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id ADB026B00A7; Mon, 27 Feb 2023 17:32:00 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 907546B00A8; Mon, 27 Feb 2023 17:32:00 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11])
	by kanga.kvack.org (Postfix) with ESMTP id 81F866B00A6
	for <linux-mm@kvack.org>; Mon, 27 Feb 2023 17:32:00 -0500 (EST)
Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 5026E120306
	for <linux-mm@kvack.org>; Mon, 27 Feb 2023 22:32:00 +0000 (UTC)
X-FDA: 80514520800.09.6AE41A9
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136])
	by imf24.hostedemail.com (Postfix) with ESMTP id 70BD118000C
	for <linux-mm@kvack.org>; Mon, 27 Feb 2023 22:31:58 +0000 (UTC)
Authentication-Results: imf24.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=PX4+WgEM;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf24.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.136 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1677537118;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:content-type:
	 content-transfer-encoding:in-reply-to:in-reply-to:
	 references:references:dkim-signature;
	bh=PfVyx2ZUIDwJeog9TcVEcCcnDkbyw8PVB33z8FVE0wQ=;
	b=CuNjtpSKH/fm25zP6xgAG/OC4tQ8hjzQfGpKYLSW5b0zFxLTWaLJF8oQIiW5/eNl691+wA
	cOVVq20qPYtJlFlu/13nR/dGjGZMDt+nzu4NxfaFbDawgrbxTuUitDuBm8URof/momHxbY
	GT2Uy7OAh7uIIxgn3Hly+qLv6ezVjDY=
ARC-Authentication-Results: i=1;
	imf24.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=PX4+WgEM;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf24.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.136 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1677537118; a=rsa-sha256;
	cv=none;
	b=AwsRsO2GtF93Vma7V6JcDmvMD35flZkzeunxaOP3iynOh/tivXKdlZ3Y9gArxCdWCjuLXl
	65rwL4EhJZPx6iS2aWOwtJ2v7NnzuWRuuBJC/O52N/Wfl+IvU8slEq+sqksNt0yjUDVWzR
	LGzx6H6e7JU8YKhk4kXiwFJnvqOZMUM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1677537118; x=1709073118;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references;
  bh=HyAWoaPlsuor4NZWrHVRIBqQGXmP1Us+CQiWWbdiIWE=;
  b=PX4+WgEMCEtElX3vaZvxDIv4NCwVDsIUoWpnxXVvNmkkr/58yzrWxHpk
   rjlEGpPWpd+9V/5iB5FdZalRYJuIDOdibJNjp+wucTfA5NgLvWNziepIx
   J9UZMcJI12nQHp2urRIwOeuT53fTHTne3LereO/MkwczXt8JO5oHwU/jr
   vc2U2c0IIkWDOrB3C+A+3S6zAbllBk2xvbAVeFTxP5atrKRHzLmjBjzxD
   are2kNQudzMZ1t6OsmvCoqwcrnalOiQO7O/JignGqW5IdIlQTRSwo1P6i
   gxOOvEca1u49Z0NazR9ccaKk/U7Jxp4H8E2F322jtWSmMmVSzNspRPOT9
   Q==;
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="313657824"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400"; 
   d="scan'208";a="313657824"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Feb 2023 14:31:33 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="848024775"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400"; 
   d="scan'208";a="848024775"
Received: from leonqu-mobl1.amr.corp.intel.com (HELO rpedgeco-desk.amr.corp.intel.com) ([10.209.72.19])
  by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Feb 2023 14:31:32 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org,
	"H . Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org,
	linux-mm@kvack.org,
	linux-arch@vger.kernel.org,
	linux-api@vger.kernel.org,
	Arnd Bergmann <arnd@arndb.de>,
	Andy Lutomirski <luto@kernel.org>,
	Balbir Singh <bsingharora@gmail.com>,
	Borislav Petkov <bp@alien8.de>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Eugene Syromiatnikov <esyr@redhat.com>,
	Florian Weimer <fweimer@redhat.com>,
	"H . J . Lu" <hjl.tools@gmail.com>,
	Jann Horn <jannh@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Nadav Amit <nadav.amit@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Pavel Machek <pavel@ucw.cz>,
	Peter Zijlstra <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Weijiang Yang <weijiang.yang@intel.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	John Allen <john.allen@amd.com>,
	kcc@google.com,
	eranian@google.com,
	rppt@kernel.org,
	jamorris@linux.microsoft.com,
	dethoma@microsoft.com,
	akpm@linux-foundation.org,
	Andrew.Cooper3@citrix.com,
	christina.schimpe@intel.com,
	david@redhat.com,
	debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v7 34/41] x86/shstk: Support WRSS for userspace
Date: Mon, 27 Feb 2023 14:29:50 -0800
Message-Id: <20230227222957.24501-35-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
X-Rspamd-Queue-Id: 70BD118000C
X-Rspamd-Server: rspam09
X-Rspam-User: 
X-Stat-Signature: ynx8i1br3c9o53dxnjpuft89akbc5ci7
X-HE-Tag: 1677537118-679228
X-HE-Meta: U2FsdGVkX1+HNF3yjJKx/IQtYLYnnMypd2GNngVmoXUeLnB7RVGLtUcFhJlVSPpAYNZNKEOFgBZ0b/HrNdMrBXWRgSUreH166zzVg5rKVK00Ii7velusEfLsxYjOGu3iBJPKbPD7rPfbgTqyPGMc0dbPH8EWYrTchmGpQGR5bYmRjC+wAGB/gUAaQVmqixP6rbvEeEeBDukP8ILCeGaOArGVn4IziPH//hmHUzi7E7bIPRIi0GQ8bxLQ8zvfzGccEWvaUPuqqn39ObVKQ8agUa782KeokxGMSC15pd96y8RGSXC127yI9M7IibigEy8Xtc7unPEqxLMbk01geoQrY5CWAYbcEOdUiqcxYhyWAVhTivo7h7KCrMD6vWzEVGBrtD4QD2OliRRrvZQZdaxgCDTSf2jPdJViQxxBFzf0T4UtXLzu0UQkWD039DrGJFKbVul3pWH1WT7ZbH82P9V08PeDynTIGND+pbNRaBePffrMKBvEFWQ5sMEBEyG0lI3xQAmqQYgFj0YEZQRlbsMANH/tQjOIY2zuiv3x29LjO99Kx5ea3X56zEq/SOt86fuBEm/4KF/Q6vx2INKA65sWKzDx/1+EnR/LUm/FpJhQpLCSA5fWVRU0lDL3AqkHf+duItdiymRMfDV5vMo5kor/fITWC0yoN7l2pfgEaFREcBURY5uaqAG4DDjHkT7YHFHkHP0o7qd266cQHCxjIvtiaWh3uKiKx8OshV1PU3+LLzmzFKq2LYucntOkr5xIkhY8E2gCCGOT9rFAijyXMJwclke/EQQcT7e/01Yzm4wzX/J+sv8/8CX8spohPf9W0/3rzxd4+AuRAnTlOLQHHB3O1HkPqld6hW2XUsW/lf7sEIfrja8JwBQMjoJiqvaSfhBVipjBjk1JsfI5R/nxySAzNKRNLXvSwowQaTrnxUCxsoEgvaHAue8bPz1umfSn6iToETJTYyqedO/RHsZSu0g
 smHtcnz5
 fzgHNoI+maWP3f72gHXPkgmrZXGVD1ADeDa1RGcvk3tlKD0qsrptL6ASH/6LdGHt1oPkNLzJ5Fkvv+qERP3IvZWPctOfJJ/SzJIXoUVwB3gfblbV5iaGJ9o4sQJPV8+lMTAMdz8Nkm+jI89Ce40ZOmXglJGIZoBdp8qLlKbrgNGGrLWAlNbotkwClFPk0gmUpN/WB06gY8Ja+Z1WA33xs4TJ85X0gjAT4NPCVYSu65zT1SmUHdSK5gut/z+0QVTWwAzJeGgFHBwUSAEVEBoJZsJ3dHfCutXpUW9m+uZaT/KmyAfQJ4p4tVSNUzSVUTSfUppcxWoFyAgo7H1jakYI3Q6i17M0aePYl+zKr
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

For the current shadow stack implementation, shadow stacks contents can't
easily be provisioned with arbitrary data. This property helps apps
protect themselves better, but also restricts any potential apps that may
want to do exotic things at the expense of a little security.

The x86 shadow stack feature introduces a new instruction, WRSS, which
can be enabled to write directly to shadow stack permissioned memory from
userspace. Allow it to get enabled via the prctl interface.

Only enable the userspace WRSS instruction, which allows writes to
userspace shadow stacks from userspace. Do not allow it to be enabled
independently of shadow stack, as HW does not support using WRSS when
shadow stack is disabled.

>From a fault handler perspective, WRSS will behave very similar to WRUSS,
which is treated like a user access from a #PF err code perspective.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Kees Cook <keescook@chromium.org>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

---
v6:
 - Make set_clr_bits_msrl() avoid side affects in 'msr'

v5:
 - Switch to EOPNOTSUPP
 - Move set_clr_bits_msrl() to patch where it is first used
 - Commit log formatting

v3:
 - Make wrss_control() static
 - Fix verbiage in commit log (Kees)

v2:
 - Add some commit log verbiage from (Dave Hansen)

v1:
 - New patch.
---
 arch/x86/include/asm/msr.h        | 11 +++++++++++
 arch/x86/include/uapi/asm/prctl.h |  1 +
 arch/x86/kernel/shstk.c           | 32 ++++++++++++++++++++++++++++++-
 3 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h
index 65ec1965cd28..2d3b35c957ad 100644
--- a/arch/x86/include/asm/msr.h
+++ b/arch/x86/include/asm/msr.h
@@ -310,6 +310,17 @@ void msrs_free(struct msr *msrs);
 int msr_set_bit(u32 msr, u8 bit);
 int msr_clear_bit(u32 msr, u8 bit);
 
+/* Helper that can never get accidentally un-inlined. */
+#define set_clr_bits_msrl(msr, set, clear)	do {	\
+	u64 __val, __new_val, __msr = msr;		\
+							\
+	rdmsrl(__msr, __val);				\
+	__new_val = (__val & ~(clear)) | (set);		\
+							\
+	if (__new_val != __val)				\
+		wrmsrl(__msr, __new_val);		\
+} while (0)
+
 #ifdef CONFIG_SMP
 int rdmsr_on_cpu(unsigned int cpu, u32 msr_no, u32 *l, u32 *h);
 int wrmsr_on_cpu(unsigned int cpu, u32 msr_no, u32 l, u32 h);
diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
index 7dfd9dc00509..e31495668056 100644
--- a/arch/x86/include/uapi/asm/prctl.h
+++ b/arch/x86/include/uapi/asm/prctl.h
@@ -28,5 +28,6 @@
 
 /* ARCH_SHSTK_ features bits */
 #define ARCH_SHSTK_SHSTK		(1ULL <<  0)
+#define ARCH_SHSTK_WRSS			(1ULL <<  1)
 
 #endif /* _ASM_X86_PRCTL_H */
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 0a3decab70ee..009cb3fa0ae5 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -363,6 +363,36 @@ void shstk_free(struct task_struct *tsk)
 	unmap_shadow_stack(shstk->base, shstk->size);
 }
 
+static int wrss_control(bool enable)
+{
+	if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+		return -EOPNOTSUPP;
+
+	/*
+	 * Only enable wrss if shadow stack is enabled. If shadow stack is not
+	 * enabled, wrss will already be disabled, so don't bother clearing it
+	 * when disabling.
+	 */
+	if (!features_enabled(ARCH_SHSTK_SHSTK))
+		return -EPERM;
+
+	/* Already enabled/disabled? */
+	if (features_enabled(ARCH_SHSTK_WRSS) == enable)
+		return 0;
+
+	fpregs_lock_and_load();
+	if (enable) {
+		set_clr_bits_msrl(MSR_IA32_U_CET, CET_WRSS_EN, 0);
+		features_set(ARCH_SHSTK_WRSS);
+	} else {
+		set_clr_bits_msrl(MSR_IA32_U_CET, 0, CET_WRSS_EN);
+		features_clr(ARCH_SHSTK_WRSS);
+	}
+	fpregs_unlock();
+
+	return 0;
+}
+
 static int shstk_disable(void)
 {
 	if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
@@ -379,7 +409,7 @@ static int shstk_disable(void)
 	fpregs_unlock();
 
 	shstk_free(current);
-	features_clr(ARCH_SHSTK_SHSTK);
+	features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS);
 
 	return 0;
 }
-- 
2.17.1