From: Deepak Gupta
Date: Fri, 17 Mar 2023 10:09:33 -0700
Subject: Re: [PATCH v7 21/41] mm: Add guard pages around a shadow stack.
To: Rick Edgecombe
Cc: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, Yu-cheng Yu

On Mon, Feb 27, 2023 at 2:31 PM Rick Edgecombe wrote:
>
> From: Yu-cheng Yu
>
> The x86 Control-flow Enforcement Technology (CET) feature includes a new
> type of memory called shadow stack. This shadow stack memory has some
> unusual properties, which requires some core mm changes to function
> properly.
>
> The architecture of shadow stack constrains the ability of userspace to
> move the shadow stack pointer (SSP) in order to prevent corrupting or
> switching to other shadow stacks. The RSTORSSP can move the ssp to
> different shadow stacks, but it requires a specially placed token in order
> to do this. However, the architecture does not prevent incrementing the
> stack pointer to wander onto an adjacent shadow stack. To prevent this in
> software, enforce guard pages at the beginning of shadow stack vmas, such
> that there will always be a gap between adjacent shadow stacks.
>
> Make the gap big enough so that no userspace SSP changing operations
> (besides RSTORSSP), can move the SSP from one stack to the next. The
> SSP can increment or decrement by CALL, RET and INCSSP. CALL and RET
> can move the SSP by a maximum of 8 bytes, at which point the shadow
> stack would be accessed.
>
> The INCSSP instruction can also increment the shadow stack pointer. It
> is the shadow stack analog of an instruction like:
>
>     addq $0x80, %rsp
>
> However, there is one important difference between an ADD on %rsp and
> INCSSP. In addition to modifying SSP, INCSSP also reads from the memory
> of the first and last elements that were "popped". It can be thought of
> as acting like this:
>
>     READ_ONCE(ssp);       // read+discard top element on stack
>     ssp += nr_to_pop * 8; // move the shadow stack
>     READ_ONCE(ssp-8);     // read+discard last popped stack element
>
> The maximum distance INCSSP can move the SSP is 2040 bytes, before it
> would read the memory. Therefore a single page gap will be enough to
> prevent any operation from shifting the SSP to an adjacent stack, since
> it would have to land in the gap at least once, causing a fault.
>
> This could be accomplished by using VM_GROWSDOWN, but this has a
> downside. The behavior would allow shadow stacks to grow, which is
> unneeded and adds a strange difference to how most regular stacks work.
>
> Tested-by: Pengfei Xu
> Tested-by: John Allen
> Tested-by: Kees Cook
> Acked-by: Mike Rapoport (IBM)
> Reviewed-by: Kees Cook
> Signed-off-by: Yu-cheng Yu
> Co-developed-by: Rick Edgecombe
> Signed-off-by: Rick Edgecombe
> Cc: Kees Cook
>
> ---
> v5:
>  - Fix typo in commit log
>
> v4:
>  - Drop references to 32 bit instructions
>  - Switch to generic code to drop __weak (Peterz)
>
> v2:
>  - Use __weak instead of #ifdef (Dave Hansen)
>  - Only have start gap on shadow stack (Andy Luto)
>  - Create stack_guard_start_gap() to not duplicate code
>    in an arch version of vm_start_gap() (Dave Hansen)
>  - Improve commit log partly with verbiage from (Dave Hansen)
>
> Yu-cheng v25:
>  - Move SHADOW_STACK_GUARD_GAP to arch/x86/mm/mmap.c.
> ---
>  include/linux/mm.h | 31 ++++++++++++++++++++++++++-----
>  1 file changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 097544afb1aa..6a093daced88 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -3107,15 +3107,36 @@ struct vm_area_struct *vma_lookup(struct mm_struc= t *mm, unsigned long addr) > return mtree_load(&mm->mm_mt, addr); > } > > +static inline unsigned long stack_guard_start_gap(struct vm_area_struct = *vma) > +{ > + if (vma->vm_flags & VM_GROWSDOWN) > + return stack_guard_gap; > + > + /* > + * Shadow stack pointer is moved by CALL, RET, and INCSSPQ. > + * INCSSPQ moves shadow stack pointer up to 255 * 8 =3D ~2 KB > + * and touches the first and the last element in the range, which > + * triggers a page fault if the range is not in a shadow stack. > + * Because of this, creating 4-KB guard pages around a shadow > + * stack prevents these instructions from going beyond. > + * > + * Creation of VM_SHADOW_STACK is tightly controlled, so a vma > + * can't be both VM_GROWSDOWN and VM_SHADOW_STACK > + */ > + if (vma->vm_flags & VM_SHADOW_STACK) > + return PAGE_SIZE; This is an arch agnostic header file. Can we remove `VM_SHADOW_STACK` from here? and instead have `arch_is_shadow_stack` which consumes vma flags and returns true or false. This allows different architectures to choose their own encoding of vma flags to represent a shadow stack. > + > + return 0; > +} > + > static inline unsigned long vm_start_gap(struct vm_area_struct *vma) > { > + unsigned long gap =3D stack_guard_start_gap(vma); > unsigned long vm_start =3D vma->vm_start; > > - if (vma->vm_flags & VM_GROWSDOWN) { > - vm_start -=3D stack_guard_gap; > - if (vm_start > vma->vm_start) > - vm_start =3D 0; > - } > + vm_start -=3D gap; > + if (vm_start > vma->vm_start) > + vm_start =3D 0; > return vm_start; > } > > -- > 2.17.1 >
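Review bot: the comment in stack_guard_start_gap() says "creating 4-KB guard pages around a shadow stack", but the function only returns a gap for the start of the vma (the v2 changelog says the end gap was dropped deliberately: "Only have start gap on shadow stack") and it returns PAGE_SIZE rather than a fixed 4 KB, so the comment overstates what the code does. Suggest rewording to match, e.g. "a PAGE_SIZE guard gap at the start of a shadow stack vma is enough to stop these instructions from reaching the next stack", and stating there that the gap only needs to exceed the 255 * 8 byte maximum INCSSPQ movement, which is the property the commit message relies on.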
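The quoted commit message argues that, because INCSSPQ reads the first and last popped element and can move the SSP by at most 2040 bytes, a one-page gap below each shadow stack vma is enough to keep the SSP from wandering from one shadow stack into the next. The model below checks that argument exhaustively. It is an added example written for this page, not code from the patch, the kernel, or anyone in the thread: the two-stack layout, the addresses and the function names (ss_can_reach_next_stack, ss_gap_isolates) are constructed for the illustration, and the fault model is taken from the commit message (INCSSPQ reads at SSP and SSP + 8*n - 8, RET reads at SSP, CALL writes at SSP - 8, anything outside a shadow stack vma faults). RSTORSSP is excluded, as in the commit message.

```c
/*
 * Added example (not part of the patch or this thread): a breadth-first
 * search over every 8-byte aligned SSP value, applying every CALL, RET and
 * INCSSPQ that would not fault, to see whether the SSP can get from the
 * lower shadow stack A into the upper shadow stack B across a gap.
 *
 * Assumptions (constructed for this example): two shadow stacks of two
 * pages each, the gap is a multiple of 8 bytes, and the only way to move
 * the SSP is CALL, RET or INCSSPQ n with 1 <= n <= 255.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define SS_PAGE_SIZE 4096UL
#define INCSSP_MAX 255          /* INCSSPQ pops at most 255 entries */

struct ss_layout {
    unsigned long a_start, a_end;   /* lower shadow stack [a_start, a_end) */
    unsigned long b_start, b_end;   /* upper shadow stack [b_start, b_end) */
};

/* An 8-byte shadow stack access at addr faults unless it hits A or B. */
static bool ss_access_ok(const struct ss_layout *l, unsigned long addr)
{
    return (addr >= l->a_start && addr < l->a_end) ||
           (addr >= l->b_start && addr < l->b_end);
}

/* Two shadow stacks of two pages each separated by gap bytes (constructed). */
struct ss_layout ss_layout_with_gap(unsigned long gap)
{
    struct ss_layout l;

    l.a_start = 0x7f0000000000UL;
    l.a_end = l.a_start + 2 * SS_PAGE_SIZE;
    l.b_start = l.a_end + gap;
    l.b_end = l.b_start + 2 * SS_PAGE_SIZE;
    return l;
}

/*
 * Start from every SSP inside A and explore all non-faulting moves.
 * Returns true if some SSP value at or above b_start is reachable, i.e.
 * the pointer can be walked onto the adjacent shadow stack without
 * RSTORSSP and without taking a fault.
 */
bool ss_can_reach_next_stack(const struct ss_layout *l)
{
    size_t nslots = (l->b_end - l->a_start) / 8;
    bool *seen = calloc(nslots, sizeof(*seen));
    unsigned long *queue = malloc(nslots * sizeof(*queue));
    size_t head = 0, tail = 0;
    bool reached = false;

    if (!seen || !queue)
        abort();

    for (unsigned long ssp = l->a_start; ssp < l->a_end; ssp += 8) {
        seen[(ssp - l->a_start) / 8] = true;
        queue[tail++] = ssp;
    }

    while (head < tail && !reached) {
        unsigned long ssp = queue[head++];
        unsigned long next[INCSSP_MAX + 2];
        int n = 0;

        /* CALL: SSP -= 8, then write the return address at the new SSP. */
        if (ssp >= l->a_start + 8 && ss_access_ok(l, ssp - 8))
            next[n++] = ssp - 8;
        /* RET: read the top element at SSP, then SSP += 8. */
        if (ss_access_ok(l, ssp))
            next[n++] = ssp + 8;
        /* INCSSPQ k: read at SSP and at SSP + 8k - 8, then SSP += 8k. */
        for (int k = 1; k <= INCSSP_MAX; k++)
            if (ss_access_ok(l, ssp) && ss_access_ok(l, ssp + 8UL * k - 8))
                next[n++] = ssp + 8UL * k;

        for (int i = 0; i < n; i++) {
            unsigned long s = next[i];
            size_t idx;

            if (s >= l->b_start) {      /* landed on (or past) stack B */
                reached = true;
                break;
            }
            idx = (s - l->a_start) / 8;
            if (!seen[idx]) {
                seen[idx] = true;
                queue[tail++] = s;
            }
        }
    }
    free(seen);
    free(queue);
    return reached;
}

/* True if a gap of the given size keeps the SSP from reaching the next stack. */
bool ss_gap_isolates(unsigned long gap)
{
    struct ss_layout l = ss_layout_with_gap(gap);

    return !ss_can_reach_next_stack(&l);
}

int main(void)
{
    unsigned long gaps[] = { 0, 1024, 2024, 2032, SS_PAGE_SIZE };

    for (size_t i = 0; i < sizeof(gaps) / sizeof(gaps[0]); i++)
        printf("gap %5lu bytes: %s\n", gaps[i],
               ss_gap_isolates(gaps[i]) ? "isolated" : "REACHABLE");
    return 0;
}
```

Under this model a PAGE_SIZE gap isolates the two stacks, as the commit message claims, and the search also shows where the margin actually lies: a gap of 2032 bytes is still enough, while 2024 bytes is not, because INCSSPQ with 255 entries from the last slot of A then reads its final element at the first slot of B and leaves the SSP 8 bytes inside B without ever touching the gap. Once the SSP lands inside the gap, every further CALL, RET or INCSSPQ faults on its first access, which is why a single page is ample.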