Re: [PATCH 01/10] x86/cet: User-mode shadow stack support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2018-06-12 at 21:56 +1000, Balbir Singh wrote:
> 
> On 08/06/18 00:37, Yu-cheng Yu wrote:
> > This patch adds basic shadow stack enabling/disabling routines.
> > A task's shadow stack is allocated from memory with VM_SHSTK
> > flag set and read-only protection.  The shadow stack is
> > allocated to a fixed size and that can be changed by the system
> > admin.
> > 
> 
> I presume a read-only permission on the kernel side, but it
> can be written by hardware?

Yes, the shadow stack is written by the processor when a call
instruction is executed.

...

> > 
> > diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h
> > new file mode 100644
> > index 000000000000..9d5bc1efc9b7
> > --- /dev/null
> > +++ b/arch/x86/include/asm/cet.h
> > @@ -0,0 +1,32 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +#ifndef _ASM_X86_CET_H
> > +#define _ASM_X86_CET_H
> > +
> > +#ifndef __ASSEMBLY__
> > +#include <linux/types.h>
> > +
> > +struct task_struct;
> > +/*
> > + * Per-thread CET status
> > + */
> > +struct cet_stat {
> 
> stat sounds like statistics, just expand out to status please

I will make it 'cet_status'.

> > +	unsigned long	shstk_base;
> > +	unsigned long	shstk_size;
> > +	unsigned int	shstk_enabled:1;
> > +};
> > +
> > +#ifdef CONFIG_X86_INTEL_CET
> > +unsigned long cet_get_shstk_ptr(void);
> 
> For the current task? Why does _ptr routine return an unsigned long?

What about cet_get_shstk_addr()?

...

> > diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
> > index fda2114197b3..428d13828ba9 100644
> > --- a/arch/x86/include/asm/msr-index.h
> > +++ b/arch/x86/include/asm/msr-index.h
> > @@ -770,4 +770,18 @@
> >  #define MSR_VM_IGNNE                    0xc0010115
> >  #define MSR_VM_HSAVE_PA                 0xc0010117
> >  
> > +/* Control-flow Enforcement Technology MSRs */
> > +#define MSR_IA32_U_CET		0x6a0
> > +#define MSR_IA32_S_CET		0x6a2
> > +#define MSR_IA32_PL0_SSP	0x6a4
> > +#define MSR_IA32_PL3_SSP	0x6a7
> > +#define MSR_IA32_INT_SSP_TAB	0x6a8
> 
> some comments on the purpose of the MSR would be nice

Sure.

...

> 
> I think there was a comment about this being TASK_SIZE_MAX
> 
> > +
> > +	rdmsrl(MSR_IA32_U_CET, r);
> > +	wrmsrl(MSR_IA32_U_CET, r | MSR_IA32_CET_SHSTK_EN);
> > +	wrmsrl(MSR_IA32_PL3_SSP, addr);
> 
> Should the enable happen before setting addr? I would expect to do this in the opposite order.

I will check.

> > +	return 0;
> > +}
> > +
> > +unsigned long cet_get_shstk_ptr(void)
> > +{
> > +	unsigned long ptr;
> > +
> > +	if (!current->thread.cet.shstk_enabled)
> > +		return 0;
> > +
> > +	rdmsrl(MSR_IA32_PL3_SSP, ptr);
> > +	return ptr;
> > +}
> > +
> > +static unsigned long shstk_mmap(unsigned long addr, unsigned long len)
> > +{
> > +	struct mm_struct *mm = current->mm;
> > +	unsigned long populate;
> > +
> > +	down_write(&mm->mmap_sem);
> > +	addr = do_mmap(NULL, addr, len, PROT_READ,
> > +		       MAP_ANONYMOUS | MAP_PRIVATE, VM_SHSTK,
> > +		       0, &populate, NULL);
> > +	up_write(&mm->mmap_sem);
> 
> What happens if the mmap fails for any reason? I presume the caller disables shadow stack on this process?

This is from exec(), and that fails.

> > +
> > +	if (populate)
> > +		mm_populate(addr, populate);
> > +
> > +	return addr;
> > +}
> > +
> > +int cet_setup_shstk(void)
> > +{
> > +	unsigned long addr, size;
> > +
> > +	if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
> > +		return -EOPNOTSUPP;
> > +
> > +	size = SHSTK_SIZE;
> > +	addr = shstk_mmap(0, size);
> > +
> > +	if (addr >= TASK_SIZE)
> > +		return -ENOMEM;
> > +
> 
> TASK_SIZE_MAX?

Yes.

> 
> > +	cet_set_shstk_ptr(addr + size - sizeof(void *));
> > +	current->thread.cet.shstk_base = addr;
> > +	current->thread.cet.shstk_size = size;
> > +	current->thread.cet.shstk_enabled = 1;
> > +	return 0;
> > +}
> > +
> > +void cet_disable_shstk(void)
> > +{
> > +	u64 r;
> > +
> > +	if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
> > +		return;
> > +
> > +	rdmsrl(MSR_IA32_U_CET, r);
> > +	r &= ~(MSR_IA32_CET_SHSTK_EN);
> > +	wrmsrl(MSR_IA32_U_CET, r);
> > +	wrmsrl(MSR_IA32_PL3_SSP, 0);
> 
> Again, I'd expect the order to be the reverse
> 
> > +	current->thread.cet.shstk_enabled = 0;
> > +}
> > +
> > +void cet_disable_free_shstk(struct task_struct *tsk)
> > +{
> > +	if (!cpu_feature_enabled(X86_FEATURE_SHSTK) ||
> > +	    !tsk->thread.cet.shstk_enabled)
> > +		return;
> > +
> > +	if (tsk == current)
> > +		cet_disable_shstk();
> > +
> > +	/*
> > +	 * Free only when tsk is current or shares mm
> > +	 * with current but has its own shstk.
> > +	 */
> > +	if (tsk->mm && (tsk->mm == current->mm) &&
> > +	    (tsk->thread.cet.shstk_base)) {
> 
> Does the caller hold a reference to tsk->mm?

If (tsk->mm == current->mm), i.e. it is current or it is a pthread of
current, then yes.

Yu-cheng




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux