From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v8 07/40] x86/traps: Move control protection handler to separate file
Date: Sat, 18 Mar 2023 17:15:02 -0700
Message-Id: <20230319001535.23210-8-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230319001535.23210-1-rick.p.edgecombe@intel.com>
References: <20230319001535.23210-1-rick.p.edgecombe@intel.com>

Today the control protection handler is defined in traps.c and used only for the kernel IBT feature. To reduce ifdeffery, move it to its own file. In future patches, functionality will be added to make this handler also handle user shadow stack faults. So name the file cet.c.

No functional change.
Signed-off-by: Rick Edgecombe Reviewed-by: Kees Cook Acked-by: Mike Rapoport (IBM) Tested-by: Pengfei Xu Tested-by: John Allen Tested-by: Kees Cook --- v8: - Add "x86/traps" to log (Boris) v6: - Split move to cet.c and shadow stack enhancements to fault handler to separate files. (Kees) --- arch/x86/kernel/Makefile | 2 ++ arch/x86/kernel/cet.c | 76 ++++++++++++++++++++++++++++++++++++++++ arch/x86/kernel/traps.c | 75 --------------------------------------- 3 files changed, 78 insertions(+), 75 deletions(-) create mode 100644 arch/x86/kernel/cet.c diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index dd61752f4c96..92446f1dedd7 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -144,6 +144,8 @@ obj-$(CONFIG_CFI_CLANG) += cfi.o obj-$(CONFIG_CALL_THUNKS) += callthunks.o +obj-$(CONFIG_X86_CET) += cet.o + ### # 64 bit specific files ifeq ($(CONFIG_X86_64),y) diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c new file mode 100644 index 000000000000..7ad22b705b64 --- /dev/null +++ b/arch/x86/kernel/cet.c 
@@ -0,0 +1,76 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include + +static __ro_after_init bool ibt_fatal = true; + +extern void ibt_selftest_ip(void); /* code label defined in asm below */ + +enum cp_error_code { + CP_EC = (1 << 15) - 1, + + CP_RET = 1, + CP_IRET = 2, + CP_ENDBR = 3, + CP_RSTRORSSP = 4, + CP_SETSSBSY = 5, + + CP_ENCL = 1 << 15, +}; + +DEFINE_IDTENTRY_ERRORCODE(exc_control_protection) +{ + if (!cpu_feature_enabled(X86_FEATURE_IBT)) { + pr_err("Unexpected #CP\n"); + BUG(); + } + + if (WARN_ON_ONCE(user_mode(regs) || (error_code & CP_EC) != CP_ENDBR)) + return; + + if (unlikely(regs->ip == (unsigned long)&ibt_selftest_ip)) { + regs->ax = 0; + return; + } + + pr_err("Missing ENDBR: %pS\n", (void *)instruction_pointer(regs)); + if (!ibt_fatal) { + printk(KERN_DEFAULT CUT_HERE); + __warn(__FILE__, __LINE__, (void *)regs->ip, TAINT_WARN, regs, NULL); + return; + } + BUG(); +} + +/* Must be noinline to ensure uniqueness of ibt_selftest_ip. */ +noinline bool ibt_selftest(void) +{ + unsigned long ret; + + asm (" lea ibt_selftest_ip(%%rip), %%rax\n\t" + ANNOTATE_RETPOLINE_SAFE + " jmp *%%rax\n\t" + "ibt_selftest_ip:\n\t" + UNWIND_HINT_FUNC + ANNOTATE_NOENDBR + " nop\n\t" + + : "=a" (ret) : : "memory"); + + return !ret; +} + +static int __init ibt_setup(char *str) +{ + if (!strcmp(str, "off")) + setup_clear_cpu_cap(X86_FEATURE_IBT); + + if (!strcmp(str, "warn")) + ibt_fatal = false; + + return 1; +} + +__setup("ibt=", ibt_setup); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index d317dc3d06a3..cc223e60aba2 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c 
@@ -213,81 +213,6 @@ DEFINE_IDTENTRY(exc_overflow) do_error_trap(regs, 0, "overflow", X86_TRAP_OF, SIGSEGV, 0, NULL); } -#ifdef CONFIG_X86_KERNEL_IBT - -static __ro_after_init bool ibt_fatal = true; - -extern void ibt_selftest_ip(void); /* code label defined in asm below */ - -enum cp_error_code { - CP_EC = (1 << 15) - 1, - - CP_RET = 1, - CP_IRET = 2, - CP_ENDBR = 3, - CP_RSTRORSSP = 4, - CP_SETSSBSY = 5, - - CP_ENCL = 1 << 15, -}; - -DEFINE_IDTENTRY_ERRORCODE(exc_control_protection) -{ - if (!cpu_feature_enabled(X86_FEATURE_IBT)) { - pr_err("Unexpected #CP\n"); - BUG(); - } - - if (WARN_ON_ONCE(user_mode(regs) || (error_code & CP_EC) != CP_ENDBR)) - return; - - if (unlikely(regs->ip == (unsigned long)&ibt_selftest_ip)) { - regs->ax = 0; - return; - } - - pr_err("Missing ENDBR: %pS\n", (void *)instruction_pointer(regs)); - if (!ibt_fatal) { - printk(KERN_DEFAULT CUT_HERE); - __warn(__FILE__, __LINE__, (void *)regs->ip, TAINT_WARN, regs, NULL); - return; - } - BUG(); -} - -/* Must be noinline to ensure uniqueness of ibt_selftest_ip. */ -noinline bool ibt_selftest(void) -{ - unsigned long ret; - - asm (" lea ibt_selftest_ip(%%rip), %%rax\n\t" - ANNOTATE_RETPOLINE_SAFE - " jmp *%%rax\n\t" - "ibt_selftest_ip:\n\t" - UNWIND_HINT_FUNC - ANNOTATE_NOENDBR - " nop\n\t" - - : "=a" (ret) : : "memory"); - - return !ret; -} - -static int __init ibt_setup(char *str) -{ - if (!strcmp(str, "off")) - setup_clear_cpu_cap(X86_FEATURE_IBT); - - if (!strcmp(str, "warn")) - ibt_fatal = false; - - return 1; -} - -__setup("ibt=", ibt_setup); - -#endif /* CONFIG_X86_KERNEL_IBT */ - #ifdef CONFIG_X86_F00F_BUG void handle_invalid_op(struct pt_regs *regs) #else -- 2.17.1
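Review bot: In the arch/x86/kernel/Makefile hunk, cet.o is built under CONFIG_X86_CET, while the block removed from traps.c was guarded by CONFIG_X86_KERNEL_IBT, and none of the three files in the diffstat defines CONFIG_X86_CET. "No functional change" only holds if X86_KERNEL_IBT always implies X86_CET; otherwise a kernel with IBT enabled loses exc_control_protection() and the ibt= parameter. The commit message should name the earlier patch in the series that adds the symbol and the select, so this patch can be checked on its own.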
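Review bot: In the new arch/x86/kernel/cet.c, the #ifdef CONFIG_X86_KERNEL_IBT / #endif pair that wrapped this code in traps.c is not carried over, so ibt_selftest(), ibt_setup() and __setup("ibt=", ibt_setup) are now compiled whenever CONFIG_X86_CET is set. The commit message says the handler will later also serve user shadow stack faults; in a configuration with CET but without kernel IBT, the code as written would still build the IBT self-test and parse ibt=, and any #CP would reach the "Unexpected #CP" BUG() through the !cpu_feature_enabled(X86_FEATURE_IBT) check. Consider keeping the IBT-only pieces under #ifdef CONFIG_X86_KERNEL_IBT inside cet.c, or say in the log that a later patch in the series reintroduces the guard.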