From: Sami Tolvanen <samitolvanen@google.com>
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Kees Cook <keescook@chromium.org>
Cc: Clement Leger <cleger@rivosinc.com>, Guo Ren <guoren@kernel.org>,
Deepak Gupta <debug@rivosinc.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Fangrui Song <maskray@google.com>,
linux-riscv@lists.infradead.org, llvm@lists.linux.dev,
linux-kernel@vger.kernel.org,
Sami Tolvanen <samitolvanen@google.com>
Subject: [PATCH v3 0/6] riscv: SCS support
Date: Mon, 28 Aug 2023 19:58:34 +0000 [thread overview]
Message-ID: <20230828195833.756747-8-samitolvanen@google.com> (raw)
Hi folks,
This series adds Shadow Call Stack (SCS) support for RISC-V. SCS
uses compiler instrumentation to store return addresses in a
separate shadow stack to protect them against accidental or
malicious overwrites. More information about SCS can be found
here:
https://clang.llvm.org/docs/ShadowCallStack.html
Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow
handling by adding support for accessing per-CPU variables
directly in assembly. The patch is included in this series to
make IRQ stack switching cleaner with SCS, and I've simply
rebased it and fixed a couple of minor issues. Patch 2 uses this
functionality to clean up the stack switching by moving duplicate
code into a single function. On RISC-V, the compiler uses the
gp register for storing the current shadow call stack pointer,
which is incompatible with global pointer relaxation. Patch 3
moves global pointer loading into a macro that can be easily
disabled with SCS. Patch 4 implements SCS register loading and
switching, and allows the feature to be enabled, and patch 5 adds
separate per-CPU IRQ shadow call stacks when CONFIG_IRQ_STACKS is
enabled. Patch 6 fixes the backward-edge CFI test in lkdtm for
RISC-V.
Note that this series requires Clang 17. Earlier Clang versions
support SCS on RISC-V, but use the x18 register instead of gp,
which isn't ideal. gcc has SCS support for arm64, but I'm not
aware of plans to support RISC-V. Once the Zicfiss extension is
ratified, it's probably preferable to use hardware-backed shadow
stacks instead of SCS on hardware that supports the extension,
and we may want to consider implementing CONFIG_DYNAMIC_SCS to
patch between the implementations at runtime (similarly to the
arm64 implementation, which switches to SCS when hardware PAC
support isn't available).
Sami
---
Changes in v3:
- Dropped a now unneeded function declaration (patch 1).
- Refactored call_on_irq_stack to use stack frame offsets
based on Clément's suggestion (patch 2).
- Rebased on top of v6.5.
Changes in v2:
- Fixed asm_per_cpu with !CONFIG_SMP (patch 1).
- Added a fix to the CFI_BACKWARD lkdtm test (patch 6).
- Rebased on top of -rc6.
---
Deepak Gupta (1):
riscv: VMAP_STACK overflow detection thread-safe
Sami Tolvanen (5):
riscv: Deduplicate IRQ stack switching
riscv: Move global pointer loading to a macro
riscv: Implement Shadow Call Stack
riscv: Use separate IRQ shadow call stacks
lkdtm: Fix CFI_BACKWARD on RISC-V
arch/riscv/Kconfig | 6 ++
arch/riscv/Makefile | 4 +
arch/riscv/include/asm/asm-prototypes.h | 1 -
arch/riscv/include/asm/asm.h | 41 ++++++++
arch/riscv/include/asm/irq_stack.h | 3 +
arch/riscv/include/asm/scs.h | 54 +++++++++++
arch/riscv/include/asm/thread_info.h | 16 ++-
arch/riscv/kernel/asm-offsets.c | 9 ++
arch/riscv/kernel/entry.S | 124 ++++++++++++------------
arch/riscv/kernel/head.S | 19 ++--
arch/riscv/kernel/irq.c | 56 +++++------
arch/riscv/kernel/suspend_entry.S | 5 +-
arch/riscv/kernel/traps.c | 68 +------------
arch/riscv/kernel/vdso/Makefile | 2 +-
arch/riscv/purgatory/Makefile | 4 +
drivers/misc/lkdtm/cfi.c | 13 ++-
16 files changed, 248 insertions(+), 177 deletions(-)
create mode 100644 arch/riscv/include/asm/scs.h
base-commit: 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
--
2.42.0.rc2.253.gd59a3bf2b4-goog
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
WARNING: multiple messages have this Message-ID (diff)
From: Sami Tolvanen <samitolvanen@google.com>
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Kees Cook <keescook@chromium.org>
Cc: Clement Leger <cleger@rivosinc.com>, Guo Ren <guoren@kernel.org>,
Deepak Gupta <debug@rivosinc.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Fangrui Song <maskray@google.com>,
linux-riscv@lists.infradead.org, llvm@lists.linux.dev,
linux-kernel@vger.kernel.org,
Sami Tolvanen <samitolvanen@google.com>
Subject: [PATCH v3 0/6] riscv: SCS support
Date: Mon, 28 Aug 2023 19:58:34 +0000 [thread overview]
Message-ID: <20230828195833.756747-8-samitolvanen@google.com> (raw)
Hi folks,
This series adds Shadow Call Stack (SCS) support for RISC-V. SCS
uses compiler instrumentation to store return addresses in a
separate shadow stack to protect them against accidental or
malicious overwrites. More information about SCS can be found
here:
https://clang.llvm.org/docs/ShadowCallStack.html
Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow
handling by adding support for accessing per-CPU variables
directly in assembly. The patch is included in this series to
make IRQ stack switching cleaner with SCS, and I've simply
rebased it and fixed a couple of minor issues. Patch 2 uses this
functionality to clean up the stack switching by moving duplicate
code into a single function. On RISC-V, the compiler uses the
gp register for storing the current shadow call stack pointer,
which is incompatible with global pointer relaxation. Patch 3
moves global pointer loading into a macro that can be easily
disabled with SCS. Patch 4 implements SCS register loading and
switching, and allows the feature to be enabled, and patch 5 adds
separate per-CPU IRQ shadow call stacks when CONFIG_IRQ_STACKS is
enabled. Patch 6 fixes the backward-edge CFI test in lkdtm for
RISC-V.
Note that this series requires Clang 17. Earlier Clang versions
support SCS on RISC-V, but use the x18 register instead of gp,
which isn't ideal. gcc has SCS support for arm64, but I'm not
aware of plans to support RISC-V. Once the Zicfiss extension is
ratified, it's probably preferable to use hardware-backed shadow
stacks instead of SCS on hardware that supports the extension,
and we may want to consider implementing CONFIG_DYNAMIC_SCS to
patch between the implementations at runtime (similarly to the
arm64 implementation, which switches to SCS when hardware PAC
support isn't available).
Sami
---
Changes in v3:
- Dropped a now unneeded function declaration (patch 1).
- Refactored call_on_irq_stack to use stack frame offsets
based on Clément's suggestion (patch 2).
- Rebased on top of v6.5.
Changes in v2:
- Fixed asm_per_cpu with !CONFIG_SMP (patch 1).
- Added a fix to the CFI_BACKWARD lkdtm test (patch 6).
- Rebased on top of -rc6.
---
Deepak Gupta (1):
riscv: VMAP_STACK overflow detection thread-safe
Sami Tolvanen (5):
riscv: Deduplicate IRQ stack switching
riscv: Move global pointer loading to a macro
riscv: Implement Shadow Call Stack
riscv: Use separate IRQ shadow call stacks
lkdtm: Fix CFI_BACKWARD on RISC-V
arch/riscv/Kconfig | 6 ++
arch/riscv/Makefile | 4 +
arch/riscv/include/asm/asm-prototypes.h | 1 -
arch/riscv/include/asm/asm.h | 41 ++++++++
arch/riscv/include/asm/irq_stack.h | 3 +
arch/riscv/include/asm/scs.h | 54 +++++++++++
arch/riscv/include/asm/thread_info.h | 16 ++-
arch/riscv/kernel/asm-offsets.c | 9 ++
arch/riscv/kernel/entry.S | 124 ++++++++++++------------
arch/riscv/kernel/head.S | 19 ++--
arch/riscv/kernel/irq.c | 56 +++++------
arch/riscv/kernel/suspend_entry.S | 5 +-
arch/riscv/kernel/traps.c | 68 +------------
arch/riscv/kernel/vdso/Makefile | 2 +-
arch/riscv/purgatory/Makefile | 4 +
drivers/misc/lkdtm/cfi.c | 13 ++-
16 files changed, 248 insertions(+), 177 deletions(-)
create mode 100644 arch/riscv/include/asm/scs.h
base-commit: 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
--
2.42.0.rc2.253.gd59a3bf2b4-goog
next reply other threads:[~2023-08-28 19:58 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-28 19:58 Sami Tolvanen [this message]
2023-08-28 19:58 ` [PATCH v3 0/6] riscv: SCS support Sami Tolvanen
2023-08-28 19:58 ` [PATCH v3 1/6] riscv: VMAP_STACK overflow detection thread-safe Sami Tolvanen
2023-08-28 19:58 ` Sami Tolvanen
2023-08-28 19:58 ` [PATCH v3 2/6] riscv: Deduplicate IRQ stack switching Sami Tolvanen
2023-08-28 19:58 ` Sami Tolvanen
2023-08-29 3:35 ` Guo Ren
2023-08-29 3:35 ` Guo Ren
2023-08-28 19:58 ` [PATCH v3 3/6] riscv: Move global pointer loading to a macro Sami Tolvanen
2023-08-28 19:58 ` Sami Tolvanen
2023-08-28 19:58 ` [PATCH v3 4/6] riscv: Implement Shadow Call Stack Sami Tolvanen
2023-08-28 19:58 ` Sami Tolvanen
2023-08-28 19:58 ` [PATCH v3 5/6] riscv: Use separate IRQ shadow call stacks Sami Tolvanen
2023-08-28 19:58 ` Sami Tolvanen
2023-08-28 19:58 ` [PATCH v3 6/6] lkdtm: Fix CFI_BACKWARD on RISC-V Sami Tolvanen
2023-08-28 19:58 ` Sami Tolvanen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230828195833.756747-8-samitolvanen@google.com \
--to=samitolvanen@google.com \
--cc=aou@eecs.berkeley.edu \
--cc=cleger@rivosinc.com \
--cc=debug@rivosinc.com \
--cc=guoren@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=llvm@lists.linux.dev \
--cc=maskray@google.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.