From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A3D4C77B60 for ; Sun, 19 Mar 2023 00:16:55 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 04B48280020; Sat, 18 Mar 2023 20:16:55 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id F1AED280021; Sat, 18 Mar 2023 20:16:54 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D68CB280020; Sat, 18 Mar 2023 20:16:54 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id BF3AC280001 for ; Sat, 18 Mar 2023 20:16:54 -0400 (EDT) Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 9996C120CA9 for ; Sun, 19 Mar 2023 00:16:54 +0000 (UTC) X-FDA: 80583732348.25.11E08FF Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by imf29.hostedemail.com (Postfix) with ESMTP id ADBB5120004 for ; Sun, 19 Mar 2023 00:16:52 +0000 (UTC) Authentication-Results: imf29.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b="Mzmc/Oss"; spf=pass (imf29.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.115 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1679185012; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:dkim-signature; bh=PdS9YQ0k1vCI/xLvcPjO4/eFlX4M1vAT9LvhSm6ce6U=; b=Q1tksjg2NKHKzMfs31IQ8AHwWfUWYfDy4x00Xv9+0CyVR0rnQYH0Y8w6wuncNQRuuRP3ut T0ZUkrbk1nbA0T+uVLtARMhhVsHr26xW2H2+Ao5sFMHiNF/9TzfIex1Rc/hcbTvTHdGUjw +Pl0o9PTCKLHGZJYKk0HXhY2KIdglJY= ARC-Authentication-Results: i=1; imf29.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b="Mzmc/Oss"; spf=pass (imf29.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.115 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1679185012; a=rsa-sha256; cv=none; b=7/Dqt/WMvYK3S74Aae6WBaDlQ6m+WAlyzZ539vlOya7ySJrECnt1yWJx0oRvt6i2oVRB6h zxgH2K1IHqRFA+TTV1iZRSSqSZp2XiceIrFpxFa/KPsGJ763McKScF+bMswgBLewb8w/bw rN0nnHqcLZMi544UyYEasrc3GnrTRrM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1679185012; x=1710721012; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=hhZNEhMG5Ur6pBP04hNf9KVjJtSiNiJCBm2RUWbtaSg=; b=Mzmc/OsswJr9nJb7Y/EK+eA1P35A7XLgzN5hZIqgHncvWWXvuLaKQ3Wd OyMRnuR2QxkszsnNRdnQEvnsF4I2qyCFHTqQWcopLHk/MQ1NH91LI++YU VE6e9BnKeoo6RkeqvyWgCHr+mSVKCr+GH/qwLIuja0yl0Tmr2EX62r2bC rC01oNq+xGc8ap+bOUok+BZkgjFMoK+nJb9UFNmW6Py2pWEPpdfOpsCmc Tcgq/D3HVya5zB547IQKiyDfx/SH6mfrF6G50xYoUAHJJmTVp7DES4RPy WgFSLE+hWB+LDUnWpPmGZBr8vQEAdjycHWP+wlxbYP+nibRF1+YKQnQSy Q==; X-IronPort-AV: E=McAfee;i="6600,9927,10653"; a="338491502" X-IronPort-AV: E=Sophos;i="5.98,272,1673942400"; d="scan'208";a="338491502" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Mar 2023 17:16:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10653"; a="749672971" X-IronPort-AV: E=Sophos;i="5.98,272,1673942400"; d="scan'208";a="749672971" Received: from bmahatwo-mobl1.gar.corp.intel.com (HELO rpedgeco-desk.amr.corp.intel.com) ([10.135.34.5]) by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Mar 2023 17:16:50 -0700 From: Rick Edgecombe To: x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , Weijiang Yang , "Kirill A . Shutemov" , John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com Cc: rick.p.edgecombe@intel.com Subject: [PATCH v8 34/40] x86/shstk: Support WRSS for userspace Date: Sat, 18 Mar 2023 17:15:29 -0700 Message-Id: <20230319001535.23210-35-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230319001535.23210-1-rick.p.edgecombe@intel.com> References: <20230319001535.23210-1-rick.p.edgecombe@intel.com> X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: ADBB5120004 X-Stat-Signature: zbzpk5xekfc1hhj5ujbzs743sybtuy16 X-Rspam-User: X-HE-Tag: 1679185012-630000 X-HE-Meta: U2FsdGVkX19aomiV37/dUWPlYdxEB2O7Mo6gN+ZDlVvUMNMMRdP9nHNq4YI3schHsZDrHteLkIwS9A0vSo/Ha5VMpTwW+b1xBVntXGUmRLuyKb6OP7pTdJPljFcGYD3RB0sayKr6h9ahNZACSeagGeM/Xnq4CMdhEfHIqKCM7jm3JjE4pea7RWtLlv/DdDeToWzkwG42W5y0LmBUw9pWP1Xl4zLi8PQxHj9Ko1d3QsQ7j88+SC+yVhyLiYpIbj6amGMYppYAG2Hquf3NsM2Kh2S2SXKQNHOb72uSxWDSH5dcj6FEGxEbmhSL73vYGirr50JZYRGm5iSwatuw3RGxtEQdszGQ4sT+/6tRVMbTf6V9niKZ+1Tcx7Zm2XEBK6CaRiS770ZDF65AuIj7sfipxIfeAUzK5BjaZLM91j5Lw2d1TlE5snwuSChRib0RKqCtP8rCbTKVZ4pnguuPQHFCz25XQRoGZEcHSfbOYuVWuvzTj4sMPnbTeU7mO0mMcnHHZIijkQqihdBlvi+eq9ShhEUk+YXuzlpd/rSTK3A3cMPmyvlswT0VDtxEMzYQ9kBp8i82uD8MPwJUvznMJYzwbU7DIJV+ce7EZ7sWknRfg4CE1fgvHybTh3/KkaJejeqWFGQ7pPvWXklRSfsLarPvbHmLr4qc4XO6/akva/SNliJieFKAWvn7WBLhxFLnfLaim1br0IYp10hfczsc1TV6Rb1LsQAPDt3kYXAjgcVQgC5NV6zP5MXtCrbN0R2/siObagLwShuOcH/2aiMwSF7aKQHH9MWzsJpp2HttV/PZhTFlFaA5lNgIdJCDUujzZsw3mPgC6wVnnhvs4mnO5ZjbQAL67AilDXZXcWAJMzdQQHfM0wbogB3E4GkzjrT2y69TWS8e5tVuqw/aZ3Y0leQi4B2M3j7tD6myMi4OdvU5QpYqYYS+XJZ1m0l1MRO+gmpN2a0fRiD+1EwXhQBGDDA zFUcqxzR CCQx/EZlq+fShIlaWMuAym7ocnqUTjZ+jao+x8JiZBxZQJh4F4NrnZ9P9nnw/F14wPuiooIRtUHs+MMzLqIw8p0DKymKoll1iJaiG2MOEaWIAvvREYjG7EIDbigeM9EdxAo85tgqdOamoN9Yg5Fmr4v3FGaxj5GCBY9ndBnJoOXir7cR06t7EPJVbApiyZv5yHbLE+q/eNDUaqFY8evSbPW4528sdt3TU4GUeJHQS1kFubG3u4TdxHgTojRYFDvdUjduEMQWAmSMvoZaLK6PTaO+GO7xDqj477Apr4RsXlmHBsMqaB+xJobYSLI1u5OQ6YYlnhEVN/k0iWmAdO96Yi/LWJQ4ezvgYEp8Q X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: For the current shadow stack implementation, shadow stacks contents can't easily be provisioned with arbitrary data. This property helps apps protect themselves better, but also restricts any potential apps that may want to do exotic things at the expense of a little security. The x86 shadow stack feature introduces a new instruction, WRSS, which can be enabled to write directly to shadow stack memory from userspace. Allow it to get enabled via the prctl interface. Only enable the userspace WRSS instruction, which allows writes to userspace shadow stacks from userspace. Do not allow it to be enabled independently of shadow stack, as HW does not support using WRSS when shadow stack is disabled. >From a fault handler perspective, WRSS will behave very similar to WRUSS, which is treated like a user access from a #PF err code perspective. Signed-off-by: Rick Edgecombe Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook --- v8: - Update commit log verbiage (Boris) - Drop set_clr_bits_msrl() (Boris) - Fix comments wrss->WRSS (Boris) v6: - Make set_clr_bits_msrl() avoid side effects in 'msr' v5: - Switch to EOPNOTSUPP - Move set_clr_bits_msrl() to patch where it is first used - Commit log formatting v3: - Make wrss_control() static - Fix verbiage in commit log (Kees) --- arch/x86/include/uapi/asm/prctl.h | 1 + arch/x86/kernel/shstk.c | 43 ++++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h index 7dfd9dc00509..e31495668056 100644 --- a/arch/x86/include/uapi/asm/prctl.h +++ b/arch/x86/include/uapi/asm/prctl.h @@ -28,5 +28,6 @@ /* ARCH_SHSTK_ features bits */ #define ARCH_SHSTK_SHSTK (1ULL << 0) +#define ARCH_SHSTK_WRSS (1ULL << 1) #endif /* _ASM_X86_PRCTL_H */ diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c index 6d2531ce661c..01b45666f1b6 100644 --- a/arch/x86/kernel/shstk.c +++ b/arch/x86/kernel/shstk.c @@ -360,6 +360,47 @@ void shstk_free(struct task_struct *tsk) unmap_shadow_stack(shstk->base, shstk->size); } +static int wrss_control(bool enable) +{ + u64 msrval; + + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + return -EOPNOTSUPP; + + /* + * Only enable WRSS if shadow stack is enabled. If shadow stack is not + * enabled, WRSS will already be disabled, so don't bother clearing it + * when disabling. + */ + if (!features_enabled(ARCH_SHSTK_SHSTK)) + return -EPERM; + + /* Already enabled/disabled? */ + if (features_enabled(ARCH_SHSTK_WRSS) == enable) + return 0; + + fpregs_lock_and_load(); + rdmsrl(MSR_IA32_U_CET, msrval); + + if (enable) { + features_set(ARCH_SHSTK_WRSS); + msrval |= CET_WRSS_EN; + } else { + features_clr(ARCH_SHSTK_WRSS); + if (!(msrval & CET_WRSS_EN)) + goto unlock; + + msrval &= ~CET_WRSS_EN; + } + + wrmsrl(MSR_IA32_U_CET, msrval); + +unlock: + fpregs_unlock(); + + return 0; +} + static int shstk_disable(void) { if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) @@ -376,7 +417,7 @@ static int shstk_disable(void) fpregs_unlock(); shstk_free(current); - features_clr(ARCH_SHSTK_SHSTK); + features_clr(ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS); return 0; } -- 2.17.1