From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 001EDC6FA99 for ; Fri, 10 Mar 2023 16:11:39 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 0FDA46B0071; Fri, 10 Mar 2023 11:11:39 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 0ADC96B0074; Fri, 10 Mar 2023 11:11:39 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id EB82E8E0001; Fri, 10 Mar 2023 11:11:38 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id DA5956B0071 for ; Fri, 10 Mar 2023 11:11:38 -0500 (EST) Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 8ADEE1406B2 for ; Fri, 10 Mar 2023 16:11:38 +0000 (UTC) X-FDA: 80553479076.26.60DD15A Received: from mail.skyhub.de (mail.skyhub.de [5.9.137.197]) by imf12.hostedemail.com (Postfix) with ESMTP id 0911D40019 for ; Fri, 10 Mar 2023 16:11:28 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=temperror ("DNS error when getting key") header.d=alien8.de header.s=dkim header.b=rDzJnDqN; spf=temperror (imf12.hostedemail.com: error in processing during lookup of bp@alien8.de: DNS error) smtp.mailfrom=bp@alien8.de; dmarc=temperror reason="query timed out" header.from=alien8.de (policy=temperror) Received: from zn.tnic (p5de8e9fe.dip0.t-ipconnect.de [93.232.233.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id 32E441EC0554; Fri, 10 Mar 2023 17:11:26 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim; t=1678464686; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references; bh=SghMXOAoohlbIS9JDR4dT2QIcRHFiPilO4AsVNWRpQk=; b=rDzJnDqN2QVo9NC5XgnbGL49tbfsrIRwB6KlCMgIVB/xJXpoymdJuRIbvDcTTKtDGPad8G ZdjG8kjOEtJOoPnx9/z2HikmIFMBXy7Fb7SPLJStSCEbZ7Klr0zwVrX0cOhd8aH5s57Mfm a6cmZ9TNb2I9zvzGH86qQpwh5rZqHo0= Date: Fri, 10 Mar 2023 17:11:19 +0100 From: Borislav Petkov To: Rick Edgecombe Cc: x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , Weijiang Yang , "Kirill A . Shutemov" , John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com Subject: Re: [PATCH v7 33/41] x86/shstk: Introduce map_shadow_stack syscall Message-ID: References: <20230227222957.24501-1-rick.p.edgecombe@intel.com> <20230227222957.24501-34-rick.p.edgecombe@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20230227222957.24501-34-rick.p.edgecombe@intel.com> X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 0911D40019 X-Rspam-User: X-Stat-Signature: hrnj88dqidr9iyuz1fper4spsiq4c6s7 X-HE-Tag: 1678464688-956447 X-HE-Meta: U2FsdGVkX196jm7VgVwVNhX5etX7BDEWgHeS8iG7aDZa5IYYU4t/XV3ckQo85VdddCW4BMCKha8m/75MnjRtnFUIVaZoXQQGJSHiUi1tOjydx82Na+7fEcJz+uxUecxWCFbu5YiTFVJv3xqPQtaDOuJomKT1EL2tS1P79qU+kmLu+Q0IzyNbaNtgPfJ/Q3QNfVPUjG7cnDBKOX00NcCdopUaehTuQ4P8nWzk+IXcN9RkYjNURPh/2pRBqVgzxv34MPw3sMsePHrkkrnutVbWNlTdJW1L9e6QBsbTK0RRYl4MuEQzdldrXnO3LURE3WaRmmTJvpbtMT+oHoSnYi1JRd6LMYERPlc5N3IiRDVbtC6RDEs9vpcNyqzlUHvcDWPRkmol7z2JGpdOoGmrVlOW40MqPOEby+3RHWOux8TlG0Pw7cs/1sPx5pZpHyoS8EbFFaWnZTCcfxyvuD+z9dmisKmffORkmNp2cmt3lkJtAr104re6PAIizWfEBvhtSwNqyokVfV3V4Jvsy4MILF92//8CjRcfK5d7fNKtAWd3tKRsvrMg2wWwnaqyBsFNGWGFHCigytWMAB+6tjTh4QYrJlyZpobSmIKQRgFHRxQQjgehPJ/C9mg2stZ+i1Rad5LR3ZYFNp88OBvCU7sl9dIng3xGKt5/epT9Wyz7vep6LuDBJYBKciGufYgQ5r1G/3E5sk08Iv9gvhGZyUYticrJNKbKJwIxVV5nUfyqQwpkP2Vpa5k+zsH03PrRLkLjieWvFsgSxKkw3zfAAwXLNC0m/8eqnwMWKYjf9dYhtQ2QhOV36eK+ZMz8t+QozatGT3qBW3n850C6zSqgkkpw9mjAzZiMK5bha9SfNvajOrkHdHBuoBlP49otxe2VOnetui7F295/d/F79fFeQY/EuPrdlsWVE+edCrOG74xPpbB8hE331lQftOZspeWRKo6KMIc+irqKA9kym2YZRRVouFL DBWoeQcw bcKncotvswE0XEYH48UACLTS21bcHIMKHzniTCAPVisOgZBZR5hI9gh/TGC8pwv2Ajhg+svPgfB/BBQLl8ztY/ypxMdVQlu1yATAmzSPjzZe/njzvqhtByqZ2ZM+l/pBp7/I5kPsRKLVi2si5QuMUIWKXkXaL3Eb+Da7UzCYrOuDkzwNGFUOa/ns1LR70Vn0VDYRnccV2YE0Qi+FgLxLa9HYcC3fDRyUAl+eRhL6mftw/BgA1Kq4PywQkCCCMMTzDN03GsZEWaP3WWxI0JfUYGDSE8lTSdzMSlrMAh/y+ZJWlMf+g8dT4Mnm8UXPeS49XXJs4zf3X0aWRDozLLcaTSwVlyZ9evzgyrePUsuY8mhobUlZjnM94KTyZ8/1IoZyga+FhRd92tsPRWedRo4ng2jZ3zydvAgGVYY1b61Zl0hGjwm2nJHBzlyvhKuRmw5wN9vH0QqMe2EQK5ig= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Feb 27, 2023 at 02:29:49PM -0800, Rick Edgecombe wrote: > When operating with shadow stacks enabled, the kernel will automatically > allocate shadow stacks for new threads, however in some cases userspace > will need additional shadow stacks. The main example of this is the > ucontext family of functions, which require userspace allocating and > pivoting to userspace managed stacks. > > Unlike most other user memory permissions, shadow stacks need to be > provisioned with special data in order to be useful. They need to be setup > with a restore token so that userspace can pivot to them via the RSTORSSP > instruction. But, the security design of shadow stack's is that they "stacks" > should not be written to except in limited circumstances. This presents a > problem for userspace, as to how userspace can provision this special > data, without allowing for the shadow stack to be generally writable. > > Previously, a new PROT_SHADOW_STACK was attempted, which could be > mprotect()ed from RW permissions after the data was provisioned. This was > found to not be secure enough, as other thread's could write to the "threads" > shadow stack during the writable window. > > The kernel can use a special instruction, WRUSS, to write directly to > userspace shadow stacks. So the solution can be that memory can be mapped > as shadow stack permissions from the beginning (never generally writable > in userspace), and the kernel itself can write the restore token. > > First, a new madvise() flag was explored, which could operate on the > PROT_SHADOW_STACK memory. This had a couple downsides: ^ of > 1. Extra checks were needed in mprotect() to prevent writable memory from > ever becoming PROT_SHADOW_STACK. > 2. Extra checks/vma state were needed in the new madvise() to prevent > restore tokens being written into the middle of pre-used shadow stacks. > It is ideal to prevent restore tokens being added at arbitrary > locations, so the check was to make sure the shadow stack had never been > written to. > 3. It stood out from the rest of the madvise flags, as more of direct > action than a hint at future desired behavior. > > So rather than repurpose two existing syscalls (mmap, madvise) that don't > quite fit, just implement a new map_shadow_stack syscall to allow > userspace to map and setup new shadow stacks in one step. While ucontext > is the primary motivator, userspace may have other unforeseen reasons to > setup it's own shadow stacks using the WRSS instruction. Towards this "its" > provide a flag so that stacks can be optionally setup securely for the > common case of ucontext without enabling WRSS. Or potentially have the > kernel set up the shadow stack in some new way. > > The following example demonstrates how to create a new shadow stack with > map_shadow_stack: > void *shstk = map_shadow_stack(addr, stack_size, SHADOW_STACK_SET_TOKEN); ... > diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl > index c84d12608cd2..f65c671ce3b1 100644 > --- a/arch/x86/entry/syscalls/syscall_64.tbl > +++ b/arch/x86/entry/syscalls/syscall_64.tbl > @@ -372,6 +372,7 @@ > 448 common process_mrelease sys_process_mrelease > 449 common futex_waitv sys_futex_waitv > 450 common set_mempolicy_home_node sys_set_mempolicy_home_node > +451 64 map_shadow_stack sys_map_shadow_stack Yeah, this'll need a manpage too, I presume. But later. > +SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags) > +{ > + bool set_tok = flags & SHADOW_STACK_SET_TOKEN; > + unsigned long aligned_size; > + > + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) > + return -EOPNOTSUPP; > + > + if (flags & ~SHADOW_STACK_SET_TOKEN) > + return -EINVAL; > + > + /* If there isn't space for a token */ > + if (set_tok && size < 8) > + return -EINVAL; > + > + if (addr && addr <= 0xFFFFFFFF) < SZ_4G > + return -EINVAL; Can we use distinct negative retvals in each case so that it is clear to userspace where it fails, *if* it fails? > + /* > + * An overflow would result in attempting to write the restore token > + * to the wrong location. Not catastrophic, but just return the right > + * error code and block it. > + */ > + aligned_size = PAGE_ALIGN(size); > + if (aligned_size < size) > + return -EOVERFLOW; > + > + return alloc_shstk(addr, aligned_size, size, set_tok); > +} -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette