On Sat, Mar 15, 2025 at 6:51 AM Deepak Gupta <debug@xxxxxxxxxxxx> wrote:
>
> Implement architecture agnostic prctls() interface for setting and getting
> shadow stack status.
>
> prctls implemented are PR_GET_SHADOW_STACK_STATUS,
> PR_SET_SHADOW_STACK_STATUS and PR_LOCK_SHADOW_STACK_STATUS.
>
> As part of PR_SET_SHADOW_STACK_STATUS/PR_GET_SHADOW_STACK_STATUS, only
> PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to
> write to their own shadow stack using `sspush` or `ssamoswap`.
>
> PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack
> enabling.
>
> Signed-off-by: Deepak Gupta <debug@xxxxxxxxxxxx>
> ---
> arch/riscv/include/asm/usercfi.h | 18 ++++++-
> arch/riscv/kernel/process.c | 8 +++
> arch/riscv/kernel/usercfi.c | 110 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 135 insertions(+), 1 deletion(-)
>
> diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h
> index 82d28ac98d76..c4dcd256f19a 100644
> --- a/arch/riscv/include/asm/usercfi.h
> +++ b/arch/riscv/include/asm/usercfi.h
> @@ -7,6 +7,7 @@
>
> #ifndef __ASSEMBLY__
> #include <linux/types.h>
> +#include <linux/prctl.h>
>
> struct task_struct;
> struct kernel_clone_args;
> @@ -14,7 +15,8 @@ struct kernel_clone_args;
> #ifdef CONFIG_RISCV_USER_CFI
> struct cfi_status {
> unsigned long ubcfi_en : 1; /* Enable for backward cfi. */
> - unsigned long rsvd : ((sizeof(unsigned long) * 8) - 1);
> + unsigned long ubcfi_locked : 1;
> + unsigned long rsvd : ((sizeof(unsigned long) * 8) - 2);
> unsigned long user_shdw_stk; /* Current user shadow stack pointer */
> unsigned long shdw_stk_base; /* Base address of shadow stack */
> unsigned long shdw_stk_size; /* size of shadow stack */
> @@ -27,6 +29,12 @@ void set_shstk_base(struct task_struct *task, unsigned long shstk_addr, unsigned
> unsigned long get_shstk_base(struct task_struct *task, unsigned long *size);
> void set_active_shstk(struct task_struct *task, unsigned long shstk_addr);
> bool is_shstk_enabled(struct task_struct *task);
> +bool is_shstk_locked(struct task_struct *task);
> +bool is_shstk_allocated(struct task_struct *task);
> +void set_shstk_lock(struct task_struct *task);
> +void set_shstk_status(struct task_struct *task, bool enable);
> +
> +#define PR_SHADOW_STACK_SUPPORTED_STATUS_MASK (PR_SHADOW_STACK_ENABLE)
>
> #else
>
> @@ -42,6 +50,14 @@ bool is_shstk_enabled(struct task_struct *task);
>
> #define is_shstk_enabled(task) false
>
> +#define is_shstk_locked(task) false
> +
> +#define is_shstk_allocated(task) false
> +
> +#define set_shstk_lock(task)
> +
> +#define set_shstk_status(task, enable)
> +
> #endif /* CONFIG_RISCV_USER_CFI */
>
> #endif /* __ASSEMBLY__ */
> diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
> index 99acb6342a37..cd11667593fe 100644
> --- a/arch/riscv/kernel/process.c
> +++ b/arch/riscv/kernel/process.c
> @@ -153,6 +153,14 @@ void start_thread(struct pt_regs *regs, unsigned long pc,
> regs->epc = pc;
> regs->sp = sp;
>
> + /*
> + * clear shadow stack state on exec.
> + * libc will set it later via prctl.
> + */
> + set_shstk_status(current, false);
> + set_shstk_base(current, 0, 0);
> + set_active_shstk(current, 0);
> +
> #ifdef CONFIG_64BIT
> regs->status &= ~SR_UXL;
>
> diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
> index 73cf87dab186..b93b324eed26 100644
> --- a/arch/riscv/kernel/usercfi.c
> +++ b/arch/riscv/kernel/usercfi.c
> @@ -24,6 +24,16 @@ bool is_shstk_enabled(struct task_struct *task)
> return task->thread_info.user_cfi_state.ubcfi_en ? true : false;
> }
>
> +bool is_shstk_allocated(struct task_struct *task)
> +{
> + return task->thread_info.user_cfi_state.shdw_stk_base ? true : false;
> +}
> +
> +bool is_shstk_locked(struct task_struct *task)
> +{
> + return task->thread_info.user_cfi_state.ubcfi_locked ? true : false;
> +}
> +
> void set_shstk_base(struct task_struct *task, unsigned long shstk_addr, unsigned long size)
> {
> task->thread_info.user_cfi_state.shdw_stk_base = shstk_addr;
> @@ -42,6 +52,26 @@ void set_active_shstk(struct task_struct *task, unsigned long shstk_addr)
> task->thread_info.user_cfi_state.user_shdw_stk = shstk_addr;
> }
>
> +void set_shstk_status(struct task_struct *task, bool enable)
> +{
> + if (!cpu_supports_shadow_stack())
> + return;
> +
> + task->thread_info.user_cfi_state.ubcfi_en = enable ? 1 : 0;
> +
> + if (enable)
> + task->thread.envcfg |= ENVCFG_SSE;
> + else
> + task->thread.envcfg &= ~ENVCFG_SSE;
> +
> + csr_write(CSR_ENVCFG, task->thread.envcfg);
> +}
> +
> +void set_shstk_lock(struct task_struct *task)
> +{
> + task->thread_info.user_cfi_state.ubcfi_locked = 1;
> +}
> +
> /*
> * If size is 0, then to be compatible with regular stack we want it to be as big as
> * regular stack. Else PAGE_ALIGN it and return back
> @@ -262,3 +292,83 @@ void shstk_release(struct task_struct *tsk)
> vm_munmap(base, size);
> set_shstk_base(tsk, 0, 0);
> }
> +
> +int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *status)
> +{
> + unsigned long bcfi_status = 0;
> +
> + if (!cpu_supports_shadow_stack())
> + return -EINVAL;
> +
> + /* this means shadow stack is enabled on the task */
> + bcfi_status |= (is_shstk_enabled(t) ? PR_SHADOW_STACK_ENABLE : 0);
> +
> + return copy_to_user(status, &bcfi_status, sizeof(bcfi_status)) ? -EFAULT : 0;
> +}
> +
> +int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status)
> +{
> + unsigned long size = 0, addr = 0;
> + bool enable_shstk = false;
> +
> + if (!cpu_supports_shadow_stack())
> + return -EINVAL;
> +
> + /* Reject unknown flags */
> + if (status & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK)
> + return -EINVAL;
> +
> + /* bcfi status is locked and further can't be modified by user */
> + if (is_shstk_locked(t))
> + return -EINVAL;
> +
> + enable_shstk = status & PR_SHADOW_STACK_ENABLE;
> + /* Request is to enable shadow stack and shadow stack is not enabled already */
> + if (enable_shstk && !is_shstk_enabled(t)) {
> + /* shadow stack was allocated and enable request again
> + * no need to support such usecase and return EINVAL.
> + */
> + if (is_shstk_allocated(t))
> + return -EINVAL;
> +
> + size = calc_shstk_size(0);
> + addr = allocate_shadow_stack(0, size, 0, false);
> + if (IS_ERR_VALUE(addr))
> + return -ENOMEM;
> + set_shstk_base(t, addr, size);
> + set_active_shstk(t, addr + size);
> + }
> +
> + /*
> + * If a request to disable shadow stack happens, let's go ahead and release it
> + * Although, if CLONE_VFORKed child did this, then in that case we will end up
> + * not releasing the shadow stack (because it might be needed in parent). Although
> + * we will disable it for VFORKed child. And if VFORKed child tries to enable again
> + * then in that case, it'll get entirely new shadow stack because following condition
> + * are true
> + * - shadow stack was not enabled for vforked child
> + * - shadow stack base was anyways pointing to 0
> + * This shouldn't be a big issue because we want parent to have availability of shadow
> + * stack whenever VFORKed child releases resources via exit or exec but at the same
> + * time we want VFORKed child to break away and establish new shadow stack if it desires
> + *
> + */
> + if (!enable_shstk)
> + shstk_release(t);
> +
> + set_shstk_status(t, enable_shstk);
> + return 0;
> +}
> +
> +int arch_lock_shadow_stack_status(struct task_struct *task,
> + unsigned long arg)
> +{
> + /* If shtstk not supported or not enabled on task, nothing to lock here */
> + if (!cpu_supports_shadow_stack() ||
> + !is_shstk_enabled(task) || arg != 0)
> + return -EINVAL;
> +
> + set_shstk_lock(task);
> +
> + return 0;
> +}
>
LGTM
Reviewed-by: Zong Li <zong.li@xxxxxxxxxx>
> --
> 2.34.1
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/linux-riscv
