On 2024/6/21 2:38, Kees Cook wrote:
> On Thu, Jun 20, 2024 at 09:16:49PM +0800, Jinjie Ruan wrote:
>> Add the STACKLEAK gcc plugin to arm32 by adding the helper used by
>> stackleak common code: on_thread_stack(). It initialize the stack with the
>> poison value before returning from system calls which improves the kernel
>> security. Additionally, this disables the plugin in EFI stub code and
>> decompress code, which are out of scope for the protection.
>
> Oh very cool! Thanks for sending this!
>
>> Before the test on Qemu versatilepb board:
>> # echo STACKLEAK_ERASING > /sys/kernel/debug/provoke-crash/DIRECT
>> lkdtm: Performing direct entry STACKLEAK_ERASING
>> lkdtm: XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)
>>
>> After:
>> # echo STACKLEAK_ERASING > /sys/kernel/debug/provoke-crash/DIRECT
>> lkdtm: Performing direct entry STACKLEAK_ERASING
>> lkdtm: stackleak stack usage:
>> high offset: 80 bytes
>> current: 280 bytes
>> lowest: 696 bytes
>> tracked: 696 bytes
>> untracked: 192 bytes
>> poisoned: 7220 bytes
>> low offset: 4 bytes
>> lkdtm: OK: the rest of the thread stack is properly erased
>>
>> Signed-off-by: Jinjie Ruan <ruanjinjie@xxxxxxxxxx>
>> ---
>> arch/arm/Kconfig | 1 +
>> arch/arm/boot/compressed/Makefile | 1 +
>> arch/arm/include/asm/stacktrace.h | 5 +++++
>> arch/arm/kernel/entry-common.S | 3 +++
>> drivers/firmware/efi/libstub/Makefile | 3 ++-
>> 5 files changed, 12 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
>> index 036381c5d42f..b211b7f5a138 100644
>> --- a/arch/arm/Kconfig
>> +++ b/arch/arm/Kconfig
>> @@ -86,6 +86,7 @@ config ARM
>> select HAVE_ARCH_PFN_VALID
>> select HAVE_ARCH_SECCOMP
>> select HAVE_ARCH_SECCOMP_FILTER if AEABI && !OABI_COMPAT
>> + select HAVE_ARCH_STACKLEAK
>> select HAVE_ARCH_THREAD_STRUCT_WHITELIST
>> select HAVE_ARCH_TRACEHOOK
>> select HAVE_ARCH_TRANSPARENT_HUGEPAGE if ARM_LPAE
>> diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
>> index 6bca03c0c7f0..945b5975fce2 100644
>> --- a/arch/arm/boot/compressed/Makefile
>> +++ b/arch/arm/boot/compressed/Makefile
>> @@ -9,6 +9,7 @@ OBJS =
>>
>> HEAD = head.o
>> OBJS += misc.o decompress.o
>> +CFLAGS_decompress.o += $(DISABLE_STACKLEAK_PLUGIN)
>> ifeq ($(CONFIG_DEBUG_UNCOMPRESS),y)
>> OBJS += debug.o
>> AFLAGS_head.o += -DDEBUG
>> diff --git a/arch/arm/include/asm/stacktrace.h b/arch/arm/include/asm/stacktrace.h
>> index 360f0d2406bf..a9b4b72ed241 100644
>> --- a/arch/arm/include/asm/stacktrace.h
>> +++ b/arch/arm/include/asm/stacktrace.h
>> @@ -26,6 +26,11 @@ struct stackframe {
>> #endif
>> };
>>
>> +static inline bool on_thread_stack(void)
>> +{
>> + return !(((unsigned long)(current->stack) ^ current_stack_pointer) & ~(THREAD_SIZE - 1));
>> +}
>> +
>> static __always_inline
>> void arm_get_current_stackframe(struct pt_regs *regs, struct stackframe *frame)
>> {
>> diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
>> index 5c31e9de7a60..f379c852dcb7 100644
>> --- a/arch/arm/kernel/entry-common.S
>> +++ b/arch/arm/kernel/entry-common.S
>> @@ -119,6 +119,9 @@ no_work_pending:
>>
>> ct_user_enter save = 0
>>
>> +#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
>> + bl stackleak_erase_on_task_stack
>> +#endif
>> restore_user_regs fast = 0, offset = 0
>> ENDPROC(ret_to_user_from_irq)
>> ENDPROC(ret_to_user)
>> diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
>> index 06f0428a723c..20d8a491f25f 100644
>> --- a/drivers/firmware/efi/libstub/Makefile
>> +++ b/drivers/firmware/efi/libstub/Makefile
>> @@ -27,7 +27,8 @@ cflags-$(CONFIG_ARM64) += -fpie $(DISABLE_STACKLEAK_PLUGIN) \
>> cflags-$(CONFIG_ARM) += -DEFI_HAVE_STRLEN -DEFI_HAVE_STRNLEN \
>> -DEFI_HAVE_MEMCHR -DEFI_HAVE_STRRCHR \
>> -DEFI_HAVE_STRCMP -fno-builtin -fpic \
>> - $(call cc-option,-mno-single-pic-base)
>> + $(call cc-option,-mno-single-pic-base) \
>> + $(DISABLE_STACKLEAK_PLUGIN)
>> cflags-$(CONFIG_RISCV) += -fpic -DNO_ALTERNATIVE -mno-relax
>> cflags-$(CONFIG_LOONGARCH) += -fpie
>
> This looks very straight forward! If an ARM person can Ack this, I could
> carry it via the hardening tree. Otherwise, it should probably go via
> rmk's patch tracker?
Thank you for your attention and reply.
>
> -Kees
>
