From: Bagas Sanjaya <bagasdotme@gmail.com>
To: Deepak Gupta <debug@rivosinc.com>,
paul.walmsley@sifive.com, palmer@sifive.com, conor@kernel.org,
linux-doc@vger.kernel.org, linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org, devicetree@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: corbet@lwn.net, palmer@dabbelt.com, aou@eecs.berkeley.edu,
robh@kernel.org, krzk+dt@kernel.org, oleg@redhat.com,
tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com,
peterz@infradead.org, akpm@linux-foundation.org, arnd@arndb.de,
ebiederm@xmission.com, kees@kernel.org, Liam.Howlett@oracle.com,
vbabka@suse.cz, lorenzo.stoakes@oracle.com, shuah@kernel.org,
brauner@kernel.org, samuel.holland@sifive.com,
andy.chiu@sifive.com, jerry.shih@sifive.com,
greentime.hu@sifive.com, charlie@rivosinc.com, evan@rivosinc.com,
cleger@rivosinc.com, xiao.w.wang@intel.com,
ajones@ventanamicro.com, anup@brainfault.org,
mchitale@ventanamicro.com, atishp@rivosinc.com,
sameo@rivosinc.com, bjorn@rivosinc.com, alexghiti@rivosinc.com,
david@redhat.com, libang.li@antgroup.com, jszhang@kernel.org,
leobras@redhat.com, guoren@kernel.org, samitolvanen@google.com,
songshuaishuai@tinylab.org, costa.shul@redhat.com,
bhe@redhat.com, zong.li@sifive.com, puranjay@kernel.org,
namcaov@gmail.com, antonb@tenstorrent.com, sorear@fastmail.com,
quic_bjorande@quicinc.com, ancientmodern4@gmail.com,
ben.dooks@codethink.co.uk, quic_zhonhan@quicinc.com,
cuiyunhui@bytedance.com, yang.lee@linux.alibaba.com,
ke.zhao@shingroup.cn, sunilvl@ventanamicro.com,
tanzhasanwork@gmail.com, schwab@suse.de, dawei.li@shingroup.cn,
rppt@kernel.org, willy@infradead.org, usama.anjum@collabora.com,
osalvador@suse.de, ryan.roberts@arm.com, andrii@kernel.org,
alx@kernel.org, catalin.marinas@arm.com, broonie@kernel.org,
revest@chromium.org, bgray@linux.ibm.com, deller@gmx.de,
zev@bewilderbeest.net
Subject: Re: [PATCH v4 29/30] riscv: Documentation for shadow stack on riscv
Date: Mon, 16 Sep 2024 10:20:46 +0700 [thread overview]
Message-ID: <ZuekDuJS66-YGg5L@archie.me> (raw)
In-Reply-To: <20240912231650.3740732-30-debug@rivosinc.com>
[-- Attachment #1: Type: text/plain, Size: 14927 bytes --]
On Thu, Sep 12, 2024 at 04:16:48PM -0700, Deepak Gupta wrote:
> Adding documentation on shadow stack for user mode on riscv and kernel
> interfaces exposed so that user tasks can enable it.
>
> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> ---
> Documentation/arch/riscv/zicfiss.rst | 169 +++++++++++++++++++++++++++
> 1 file changed, 169 insertions(+)
> create mode 100644 Documentation/arch/riscv/zicfiss.rst
Add the toctree entry:
---- >8 ----
diff --git a/Documentation/arch/riscv/index.rst b/Documentation/arch/riscv/index.rst
index be7237b6968213..e240eb0ceb70c4 100644
--- a/Documentation/arch/riscv/index.rst
+++ b/Documentation/arch/riscv/index.rst
@@ -15,6 +15,7 @@ RISC-V architecture
vector
cmodx
zicfilp
+ zicfiss
features
> +Following structure has been added to sigcontext for RISC-V. `rsvd` field has been kept
> +in case we need some extra information in future for landing pads / indirect branch
> +tracking. It has been kept today in order to allow backward compatibility in future.
> +
> +struct __sc_riscv_cfi_state {
> + unsigned long ss_ptr;
> + unsigned long rsvd;
> +};
Sphinx reports indentation warning again:
Documentation/arch/riscv/zicfiss.rst:163: WARNING: Definition list ends without a blank line; unexpected unindent.
I have to wrap __sc_riscv_cfi_state struct definition as a literal code block:
---- >8 ----
diff --git a/Documentation/arch/riscv/zicfiss.rst b/Documentation/arch/riscv/zicfiss.rst
index f133b6af9c1525..96d85ed352b146 100644
--- a/Documentation/arch/riscv/zicfiss.rst
+++ b/Documentation/arch/riscv/zicfiss.rst
@@ -155,12 +155,12 @@ make sure that there is a `shadow stack token` in addition to invoking `sigretur
-----------------------
Following structure has been added to sigcontext for RISC-V. `rsvd` field has been kept
in case we need some extra information in future for landing pads / indirect branch
-tracking. It has been kept today in order to allow backward compatibility in future.
+tracking. It has been kept today in order to allow backward compatibility in future::
-struct __sc_riscv_cfi_state {
+ struct __sc_riscv_cfi_state {
unsigned long ss_ptr;
unsigned long rsvd;
-};
+ };
As part of signal delivery, shadow stack token is saved on current shadow stack itself and
updated pointer is saved away in `ss_ptr` field in `__sc_riscv_cfi_state` under `sigcontext`
> +
> +As part of signal delivery, shadow stack token is saved on current shadow stack itself and
> +updated pointer is saved away in `ss_ptr` field in `__sc_riscv_cfi_state` under `sigcontext`
> +Existing shadow stack allocation is used for signal delivery. During `sigreturn`, kernel will
> +obtain `ss_ptr` from `sigcontext` and verify the saved token on shadow stack itself and switch
> +shadow stack.
Also inline the code identifiers (keywords):
---- >8 ----
diff --git a/Documentation/arch/riscv/zicfiss.rst b/Documentation/arch/riscv/zicfiss.rst
index 96d85ed352b146..9f721fbcaa6f6a 100644
--- a/Documentation/arch/riscv/zicfiss.rst
+++ b/Documentation/arch/riscv/zicfiss.rst
@@ -23,30 +23,30 @@ of the program.
Return addresses live on stack and thus in read-write memory and thus are
susceptible to corruption and allows an adversary to reach any program counter
-(PC) in address space. On RISC-V `zicfiss` extension provides an alternate stack
-`shadow stack` on which return addresses can be safely placed in prolog of the
-function and retrieved in epilog. `zicfiss` extension makes following changes
+(PC) in address space. On RISC-V ``zicfiss`` extension provides an alternate stack
+(`shadow stack`) on which return addresses can be safely placed in prolog of the
+function and retrieved in epilog. ``zicfiss`` extension makes following changes:
- PTE encodings for shadow stack virtual memory
An earlier reserved encoding in first stage translation i.e.
PTE.R=0, PTE.W=1, PTE.X=0 becomes PTE encoding for shadow stack pages.
- - `sspush x1/x5` instruction pushes (stores) `x1/x5` to shadow stack.
+ - ``sspush x1/x5`` instruction pushes (stores) `x1/x5`` to shadow stack.
- - `sspopchk x1/x5` instruction pops (loads) from shadow stack and compares
- with `x1/x5` and if un-equal, CPU raises `software check exception` with
- `*tval = 3`
+ - ``sspopchk x1/x5`` instruction pops (loads) from shadow stack and compares
+ with ``x1/x5`` and if not equal, CPU raises software check exception
+ with ``*tval = 3``
-Compiler toolchain makes sure that function prologs have `sspush x1/x5` to save return
-address on shadow stack in addition to regular stack. Similarly function epilogs have
-`ld x5, offset(x2)`; `sspopchk x5` to ensure that popped value from regular stack
-matches with popped value from shadow stack.
+Compiler toolchain makes sure that function prologs have ``sspush x1/x5`` to
+save return address on shadow stack in addition to regular stack. Similarly
+function epilogs have ``ld x5, offset(x2); sspopchk x5`` to ensure that popped
+value from regular stack matches with popped value from shadow stack.
2. Shadow stack protections and linux memory manager
-----------------------------------------------------
As mentioned earlier, shadow stack get new page table encodings and thus have some
-special properties assigned to them and instructions that operate on them as below
+special properties assigned to them and instructions that operate on them as below:
- Regular stores to shadow stack memory raises access store faults.
This way shadow stack memory is protected from stray inadvertant
@@ -60,11 +60,11 @@ special properties assigned to them and instructions that operate on them as bel
shadow stack store.
- Shadow stack load / shadow stack store on read-only memory raises
- AMO/store page fault. Thus both `sspush x1/x5` and `sspopchk x1/x5`
+ AMO/store page fault. Thus both ``sspush x1/x5`` and ``sspopchk x1/x5``
will raise AMO/store page fault. This simplies COW handling in kernel
During fork, kernel can convert shadow stack pages into read-only
memory (as it does for regular read-write memory) and as soon as
- subsequent `sspush` or `sspopchk` in userspace is encountered, then
+ subsequent ``sspush`` or ``sspopchk`` in userspace is encountered, then
kernel can perform COW.
- Shadow stack load / shadow stack store on read-write, read-write-
@@ -75,8 +75,8 @@ special properties assigned to them and instructions that operate on them as bel
3. ELF and psABI
-----------------
-Toolchain sets up `GNU_PROPERTY_RISCV_FEATURE_1_BCFI` for property
-`GNU_PROPERTY_RISCV_FEATURE_1_AND` in notes section of the object file.
+Toolchain sets up ``GNU_PROPERTY_RISCV_FEATURE_1_BCFI`` for property
+``GNU_PROPERTY_RISCV_FEATURE_1_AND`` in notes section of the object file.
4. Linux enabling
------------------
@@ -89,25 +89,25 @@ shadow stack for the program.
5. prctl() enabling
--------------------
-`PR_SET_SHADOW_STACK_STATUS` / `PR_GET_SHADOW_STACK_STATUS` /
-`PR_LOCK_SHADOW_STACK_STATUS` are three prctls added to manage shadow stack
+``PR_SET_SHADOW_STACK_STATUS`` / ``PR_GET_SHADOW_STACK_STATUS`` /
+``PR_LOCK_SHADOW_STACK_STATUS`` are three prctls added to manage shadow stack
enabling for tasks. prctls are arch agnostic and returns -EINVAL on other arches.
-`PR_SET_SHADOW_STACK_STATUS`: If arg1 `PR_SHADOW_STACK_ENABLE` and if CPU supports
-`zicfiss` then kernel will enable shadow stack for the task. Dynamic loader can
-issue this `prctl` once it has determined that all the objects loaded in address
-space have support for shadow stack. Additionally if there is a `dlopen` to an
-object which wasn't compiled with `zicfiss`, dynamic loader can issue this prctl
-with arg1 set to 0 (i.e. `PR_SHADOW_STACK_ENABLE` being clear)
+``PR_SET_SHADOW_STACK_STATUS``: If arg1 ``PR_SHADOW_STACK_ENABLE`` and if CPU supports
+``zicfiss`` then kernel will enable shadow stack for the task. Dynamic loader can
+issue this ``prctl`` once it has determined that all the objects loaded in address
+space have support for shadow stack. Additionally if there is a ``dlopen`` to an
+object which wasn't compiled with ``zicfiss``, dynamic loader can issue this prctl
+with arg1 set to 0 (i.e. ``PR_SHADOW_STACK_ENABLE`` being clear)
-`PR_GET_SHADOW_STACK_STATUS`: Returns current status of indirect branch tracking.
-If enabled it'll return `PR_SHADOW_STACK_ENABLE`
+``PR_GET_SHADOW_STACK_STATUS``: Returns current status of indirect branch tracking.
+If enabled it'll return ``PR_SHADOW_STACK_ENABLE``
-`PR_LOCK_SHADOW_STACK_STATUS`: Locks current status of shadow stack enabling on the
-task. User space may want to run with strict security posture and wouldn't want
-loading of objects without `zicfiss` support in it and thus would want to disallow
-disabling of shadow stack on current task. In that case user space can use this prctl
-to lock current settings.
+``PR_LOCK_SHADOW_STACK_STATUS``: Locks current status of shadow stack enabling
+on the task. User space may want to run with strict security posture and
+wouldn't want loading of objects without ``zicfiss`` support in it and thus
+would want to disallow disabling of shadow stack on current task. In that case
+user space can use this prctl to lock current settings.
5. violations related to returns with shadow stack enabled
-----------------------------------------------------------
@@ -115,22 +115,22 @@ to lock current settings.
Pertaining to shadow stack, CPU raises software check exception in following
condition
- - On execution of `sspopchk x1/x5`, x1/x5 didn't match top of shadow stack.
- If mismatch happens then cpu does `*tval = 3` and raise software check
- exception
+ - On execution of ``sspopchk x1/x5``, x1/x5 didn't match top of shadow
+ stack. If mismatch happens then cpu does ``*tval = 3`` and raise
+ software check exception.
-Linux kernel will treat this as `SIGSEV`` with code = `SEGV_CPERR` and follow
+Linux kernel will treat this as ``SIGSEV`` with ``SEGV_CPERR`` code and follow
normal course of signal delivery.
6. Shadow stack tokens
-----------------------
-Regular stores on shadow stacks are not allowed and thus can't be tampered with via
-arbitrary stray writes due to bugs. Method of pivoting / switching to shadow stack
-is simply writing to csr `CSR_SSP` changes active shadow stack. This can be problematic
-because usually value to be written to `CSR_SSP` will be loaded somewhere in writeable
-memory and thus allows an adversary to corruption bug in software to pivot to an any
-address in shadow stack range. Shadow stack tokens can help mitigate this problem by
-making sure that:
+Regular stores on shadow stacks are not allowed and thus can't be tampered with
+via arbitrary stray writes due to bugs. Method of pivoting / switching to
+shadow stack is simply writing to csr ``CSR_SSP`` changes active shadow stack.
+This can be problematic because usually value to be written to ``CSR_SSP`` will
+be loaded somewhere in writeable memory and thus allows an adversary to
+corruption bug in software to pivot to an any address in shadow stack range.
+Shadow stack tokens can help mitigate this problem by making sure that:
- When software is switching away from a shadow stack, shadow stack pointer should be
saved on shadow stack itself and call it `shadow stack token`
@@ -139,31 +139,34 @@ making sure that:
from shadow stack pointer and verify that `shadow stack token` itself is pointer to
shadow stack itself.
- - Once the token verification is done, software can perform the write to `CSR_SSP` to
- switch shadow stack.
+ - Once the token verification is done, software can perform the write to
+ ``CSR_SSP`` to switch shadow stack.
-Here software can be user mode task runtime itself which is managing various contexts
-as part of single thread. Software can be kernel as well when kernel has to deliver a
-signal to user task and must save shadow stack pointer. Kernel can perform similar
-procedure by saving a token on user shadow stack itself. This way whenever sigreturn
-happens, kernel can read the token and verify the token and then switch to shadow stack.
-Using this mechanism, kernel helps user task so that any corruption issue in user task
-is not exploited by adversary by arbitrarily using `sigreturn`. Adversary will have to
-make sure that there is a `shadow stack token` in addition to invoking `sigreturn`
+Here software can be user mode task runtime itself which is managing various
+contexts as part of single thread. Software can be kernel as well when kernel
+has to deliver a signal to user task and must save shadow stack pointer. Kernel
+can perform similar procedure by saving a token on user shadow stack itself.
+This way whenever sigreturn happens, kernel can read the token and verify the
+token and then switch to shadow stack. Using this mechanism, kernel helps user
+task so that any corruption issue in user task is not exploited by adversary by
+arbitrarily using ``sigreturn``. Adversary will have to make sure that there is
+a `shadow stack token` in addition to invoking ``sigreturn``
7. Signal shadow stack
-----------------------
-Following structure has been added to sigcontext for RISC-V. `rsvd` field has been kept
-in case we need some extra information in future for landing pads / indirect branch
-tracking. It has been kept today in order to allow backward compatibility in future::
+Following structure has been added to sigcontext for RISC-V. ``rsvd`` field has
+been kept in case we need some extra information in future for landing pads /
+indirect branch tracking. It has been kept today in order to allow backward
+compatibility in future::
struct __sc_riscv_cfi_state {
unsigned long ss_ptr;
unsigned long rsvd;
};
-As part of signal delivery, shadow stack token is saved on current shadow stack itself and
-updated pointer is saved away in `ss_ptr` field in `__sc_riscv_cfi_state` under `sigcontext`
-Existing shadow stack allocation is used for signal delivery. During `sigreturn`, kernel will
-obtain `ss_ptr` from `sigcontext` and verify the saved token on shadow stack itself and switch
-shadow stack.
+As part of signal delivery, shadow stack token is saved on current shadow stack
+itself and updated pointer is saved away in ``ss_ptr`` field in
+``__sc_riscv_cfi_state`` under ``sigcontext`` Existing shadow stack allocation
+is used for signal delivery. During ``sigreturn``, kernel will obtain
+``ss_ptr`` from ``sigcontext`` and verify the saved token on shadow stack
+itself and switch shadow stack.
Thanks.
--
An old man doll... just what I always wanted! - Clara
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Bagas Sanjaya <bagasdotme@gmail.com>
To: Deepak Gupta <debug@rivosinc.com>,
paul.walmsley@sifive.com, palmer@sifive.com, conor@kernel.org,
linux-doc@vger.kernel.org, linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org, devicetree@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: quic_zhonhan@quicinc.com, zong.li@sifive.com,
zev@bewilderbeest.net, david@redhat.com, peterz@infradead.org,
catalin.marinas@arm.com, broonie@kernel.org,
dave.hansen@linux.intel.com, atishp@rivosinc.com,
bjorn@rivosinc.com, namcaov@gmail.com, usama.anjum@collabora.com,
guoren@kernel.org, alx@kernel.org, jszhang@kernel.org,
hpa@zytor.com, puranjay@kernel.org, shuah@kernel.org,
sorear@fastmail.com, costa.shul@redhat.com, robh@kernel.org,
antonb@tenstorrent.com, quic_bjorande@quicinc.com,
lorenzo.stoakes@oracle.com, corbet@lwn.net,
dawei.li@shingroup.cn, anup@brainfault.org, deller@gmx.de,
x86@kernel.org, andrii@kernel.org, willy@infradead.org,
kees@kernel.org, mingo@redhat.com, libang.li@antgroup.com,
samitolvanen@google.com, greentime.hu@sifive.com,
ajones@ventanamicro.com, revest@chromium.org,
ancientmodern4@gmail.com, aou@eecs.berkeley.edu,
jerry.shih@sifive.com, alexghiti@rivosinc.com, arnd@arndb.de,
yang.lee@linux.alibaba.com, charlie@rivosinc.com,
bgray@linux.ibm.com, Liam.Howlett@oracle.com, leobras@redhat.com,
songshuaishuai@tinylab.org, xiao.w.wang@intel.com, bp@alien8.de,
cuiyunhui@bytedance.com, mchitale@ventanamicro.com,
cleger@rivosinc.com, tglx@linutronix.de, krzk+dt@kernel.org,
vbabka@suse.cz, osalvador@suse.de, brauner@kernel.org,
bhe@redhat.com, ke.zhao@shingroup.cn, oleg@redhat.com,
samuel.holland@sifive.com, ben.dooks@codethink.co.uk,
evan@rivosinc.com, palmer@dabbelt.com, ebiederm@xmission.com,
andy.chiu@sifive.com, schwab@suse.de, akpm@linux-foundation.org,
sameo@rivosinc.com, tanzhasanwork@gmail.com, rppt@kernel.org,
ryan.roberts@arm.com
Subject: Re: [PATCH v4 29/30] riscv: Documentation for shadow stack on riscv
Date: Mon, 16 Sep 2024 10:20:46 +0700 [thread overview]
Message-ID: <ZuekDuJS66-YGg5L@archie.me> (raw)
In-Reply-To: <20240912231650.3740732-30-debug@rivosinc.com>
[-- Attachment #1.1: Type: text/plain, Size: 14927 bytes --]
On Thu, Sep 12, 2024 at 04:16:48PM -0700, Deepak Gupta wrote:
> Adding documentation on shadow stack for user mode on riscv and kernel
> interfaces exposed so that user tasks can enable it.
>
> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> ---
> Documentation/arch/riscv/zicfiss.rst | 169 +++++++++++++++++++++++++++
> 1 file changed, 169 insertions(+)
> create mode 100644 Documentation/arch/riscv/zicfiss.rst
Add the toctree entry:
---- >8 ----
diff --git a/Documentation/arch/riscv/index.rst b/Documentation/arch/riscv/index.rst
index be7237b6968213..e240eb0ceb70c4 100644
--- a/Documentation/arch/riscv/index.rst
+++ b/Documentation/arch/riscv/index.rst
@@ -15,6 +15,7 @@ RISC-V architecture
vector
cmodx
zicfilp
+ zicfiss
features
> +Following structure has been added to sigcontext for RISC-V. `rsvd` field has been kept
> +in case we need some extra information in future for landing pads / indirect branch
> +tracking. It has been kept today in order to allow backward compatibility in future.
> +
> +struct __sc_riscv_cfi_state {
> + unsigned long ss_ptr;
> + unsigned long rsvd;
> +};
Sphinx reports indentation warning again:
Documentation/arch/riscv/zicfiss.rst:163: WARNING: Definition list ends without a blank line; unexpected unindent.
I have to wrap __sc_riscv_cfi_state struct definition as a literal code block:
---- >8 ----
diff --git a/Documentation/arch/riscv/zicfiss.rst b/Documentation/arch/riscv/zicfiss.rst
index f133b6af9c1525..96d85ed352b146 100644
--- a/Documentation/arch/riscv/zicfiss.rst
+++ b/Documentation/arch/riscv/zicfiss.rst
@@ -155,12 +155,12 @@ make sure that there is a `shadow stack token` in addition to invoking `sigretur
-----------------------
Following structure has been added to sigcontext for RISC-V. `rsvd` field has been kept
in case we need some extra information in future for landing pads / indirect branch
-tracking. It has been kept today in order to allow backward compatibility in future.
+tracking. It has been kept today in order to allow backward compatibility in future::
-struct __sc_riscv_cfi_state {
+ struct __sc_riscv_cfi_state {
unsigned long ss_ptr;
unsigned long rsvd;
-};
+ };
As part of signal delivery, shadow stack token is saved on current shadow stack itself and
updated pointer is saved away in `ss_ptr` field in `__sc_riscv_cfi_state` under `sigcontext`
> +
> +As part of signal delivery, shadow stack token is saved on current shadow stack itself and
> +updated pointer is saved away in `ss_ptr` field in `__sc_riscv_cfi_state` under `sigcontext`
> +Existing shadow stack allocation is used for signal delivery. During `sigreturn`, kernel will
> +obtain `ss_ptr` from `sigcontext` and verify the saved token on shadow stack itself and switch
> +shadow stack.
Also inline the code identifiers (keywords):
---- >8 ----
diff --git a/Documentation/arch/riscv/zicfiss.rst b/Documentation/arch/riscv/zicfiss.rst
index 96d85ed352b146..9f721fbcaa6f6a 100644
--- a/Documentation/arch/riscv/zicfiss.rst
+++ b/Documentation/arch/riscv/zicfiss.rst
@@ -23,30 +23,30 @@ of the program.
Return addresses live on stack and thus in read-write memory and thus are
susceptible to corruption and allows an adversary to reach any program counter
-(PC) in address space. On RISC-V `zicfiss` extension provides an alternate stack
-`shadow stack` on which return addresses can be safely placed in prolog of the
-function and retrieved in epilog. `zicfiss` extension makes following changes
+(PC) in address space. On RISC-V ``zicfiss`` extension provides an alternate stack
+(`shadow stack`) on which return addresses can be safely placed in prolog of the
+function and retrieved in epilog. ``zicfiss`` extension makes following changes:
- PTE encodings for shadow stack virtual memory
An earlier reserved encoding in first stage translation i.e.
PTE.R=0, PTE.W=1, PTE.X=0 becomes PTE encoding for shadow stack pages.
- - `sspush x1/x5` instruction pushes (stores) `x1/x5` to shadow stack.
+ - ``sspush x1/x5`` instruction pushes (stores) `x1/x5`` to shadow stack.
- - `sspopchk x1/x5` instruction pops (loads) from shadow stack and compares
- with `x1/x5` and if un-equal, CPU raises `software check exception` with
- `*tval = 3`
+ - ``sspopchk x1/x5`` instruction pops (loads) from shadow stack and compares
+ with ``x1/x5`` and if not equal, CPU raises software check exception
+ with ``*tval = 3``
-Compiler toolchain makes sure that function prologs have `sspush x1/x5` to save return
-address on shadow stack in addition to regular stack. Similarly function epilogs have
-`ld x5, offset(x2)`; `sspopchk x5` to ensure that popped value from regular stack
-matches with popped value from shadow stack.
+Compiler toolchain makes sure that function prologs have ``sspush x1/x5`` to
+save return address on shadow stack in addition to regular stack. Similarly
+function epilogs have ``ld x5, offset(x2); sspopchk x5`` to ensure that popped
+value from regular stack matches with popped value from shadow stack.
2. Shadow stack protections and linux memory manager
-----------------------------------------------------
As mentioned earlier, shadow stack get new page table encodings and thus have some
-special properties assigned to them and instructions that operate on them as below
+special properties assigned to them and instructions that operate on them as below:
- Regular stores to shadow stack memory raises access store faults.
This way shadow stack memory is protected from stray inadvertant
@@ -60,11 +60,11 @@ special properties assigned to them and instructions that operate on them as bel
shadow stack store.
- Shadow stack load / shadow stack store on read-only memory raises
- AMO/store page fault. Thus both `sspush x1/x5` and `sspopchk x1/x5`
+ AMO/store page fault. Thus both ``sspush x1/x5`` and ``sspopchk x1/x5``
will raise AMO/store page fault. This simplies COW handling in kernel
During fork, kernel can convert shadow stack pages into read-only
memory (as it does for regular read-write memory) and as soon as
- subsequent `sspush` or `sspopchk` in userspace is encountered, then
+ subsequent ``sspush`` or ``sspopchk`` in userspace is encountered, then
kernel can perform COW.
- Shadow stack load / shadow stack store on read-write, read-write-
@@ -75,8 +75,8 @@ special properties assigned to them and instructions that operate on them as bel
3. ELF and psABI
-----------------
-Toolchain sets up `GNU_PROPERTY_RISCV_FEATURE_1_BCFI` for property
-`GNU_PROPERTY_RISCV_FEATURE_1_AND` in notes section of the object file.
+Toolchain sets up ``GNU_PROPERTY_RISCV_FEATURE_1_BCFI`` for property
+``GNU_PROPERTY_RISCV_FEATURE_1_AND`` in notes section of the object file.
4. Linux enabling
------------------
@@ -89,25 +89,25 @@ shadow stack for the program.
5. prctl() enabling
--------------------
-`PR_SET_SHADOW_STACK_STATUS` / `PR_GET_SHADOW_STACK_STATUS` /
-`PR_LOCK_SHADOW_STACK_STATUS` are three prctls added to manage shadow stack
+``PR_SET_SHADOW_STACK_STATUS`` / ``PR_GET_SHADOW_STACK_STATUS`` /
+``PR_LOCK_SHADOW_STACK_STATUS`` are three prctls added to manage shadow stack
enabling for tasks. prctls are arch agnostic and returns -EINVAL on other arches.
-`PR_SET_SHADOW_STACK_STATUS`: If arg1 `PR_SHADOW_STACK_ENABLE` and if CPU supports
-`zicfiss` then kernel will enable shadow stack for the task. Dynamic loader can
-issue this `prctl` once it has determined that all the objects loaded in address
-space have support for shadow stack. Additionally if there is a `dlopen` to an
-object which wasn't compiled with `zicfiss`, dynamic loader can issue this prctl
-with arg1 set to 0 (i.e. `PR_SHADOW_STACK_ENABLE` being clear)
+``PR_SET_SHADOW_STACK_STATUS``: If arg1 ``PR_SHADOW_STACK_ENABLE`` and if CPU supports
+``zicfiss`` then kernel will enable shadow stack for the task. Dynamic loader can
+issue this ``prctl`` once it has determined that all the objects loaded in address
+space have support for shadow stack. Additionally if there is a ``dlopen`` to an
+object which wasn't compiled with ``zicfiss``, dynamic loader can issue this prctl
+with arg1 set to 0 (i.e. ``PR_SHADOW_STACK_ENABLE`` being clear)
-`PR_GET_SHADOW_STACK_STATUS`: Returns current status of indirect branch tracking.
-If enabled it'll return `PR_SHADOW_STACK_ENABLE`
+``PR_GET_SHADOW_STACK_STATUS``: Returns current status of indirect branch tracking.
+If enabled it'll return ``PR_SHADOW_STACK_ENABLE``
-`PR_LOCK_SHADOW_STACK_STATUS`: Locks current status of shadow stack enabling on the
-task. User space may want to run with strict security posture and wouldn't want
-loading of objects without `zicfiss` support in it and thus would want to disallow
-disabling of shadow stack on current task. In that case user space can use this prctl
-to lock current settings.
+``PR_LOCK_SHADOW_STACK_STATUS``: Locks current status of shadow stack enabling
+on the task. User space may want to run with strict security posture and
+wouldn't want loading of objects without ``zicfiss`` support in it and thus
+would want to disallow disabling of shadow stack on current task. In that case
+user space can use this prctl to lock current settings.
5. violations related to returns with shadow stack enabled
-----------------------------------------------------------
@@ -115,22 +115,22 @@ to lock current settings.
Pertaining to shadow stack, CPU raises software check exception in following
condition
- - On execution of `sspopchk x1/x5`, x1/x5 didn't match top of shadow stack.
- If mismatch happens then cpu does `*tval = 3` and raise software check
- exception
+ - On execution of ``sspopchk x1/x5``, x1/x5 didn't match top of shadow
+ stack. If mismatch happens then cpu does ``*tval = 3`` and raise
+ software check exception.
-Linux kernel will treat this as `SIGSEV`` with code = `SEGV_CPERR` and follow
+Linux kernel will treat this as ``SIGSEV`` with ``SEGV_CPERR`` code and follow
normal course of signal delivery.
6. Shadow stack tokens
-----------------------
-Regular stores on shadow stacks are not allowed and thus can't be tampered with via
-arbitrary stray writes due to bugs. Method of pivoting / switching to shadow stack
-is simply writing to csr `CSR_SSP` changes active shadow stack. This can be problematic
-because usually value to be written to `CSR_SSP` will be loaded somewhere in writeable
-memory and thus allows an adversary to corruption bug in software to pivot to an any
-address in shadow stack range. Shadow stack tokens can help mitigate this problem by
-making sure that:
+Regular stores on shadow stacks are not allowed and thus can't be tampered with
+via arbitrary stray writes due to bugs. Method of pivoting / switching to
+shadow stack is simply writing to csr ``CSR_SSP`` changes active shadow stack.
+This can be problematic because usually value to be written to ``CSR_SSP`` will
+be loaded somewhere in writeable memory and thus allows an adversary to
+corruption bug in software to pivot to an any address in shadow stack range.
+Shadow stack tokens can help mitigate this problem by making sure that:
- When software is switching away from a shadow stack, shadow stack pointer should be
saved on shadow stack itself and call it `shadow stack token`
@@ -139,31 +139,34 @@ making sure that:
from shadow stack pointer and verify that `shadow stack token` itself is pointer to
shadow stack itself.
- - Once the token verification is done, software can perform the write to `CSR_SSP` to
- switch shadow stack.
+ - Once the token verification is done, software can perform the write to
+ ``CSR_SSP`` to switch shadow stack.
-Here software can be user mode task runtime itself which is managing various contexts
-as part of single thread. Software can be kernel as well when kernel has to deliver a
-signal to user task and must save shadow stack pointer. Kernel can perform similar
-procedure by saving a token on user shadow stack itself. This way whenever sigreturn
-happens, kernel can read the token and verify the token and then switch to shadow stack.
-Using this mechanism, kernel helps user task so that any corruption issue in user task
-is not exploited by adversary by arbitrarily using `sigreturn`. Adversary will have to
-make sure that there is a `shadow stack token` in addition to invoking `sigreturn`
+Here software can be user mode task runtime itself which is managing various
+contexts as part of single thread. Software can be kernel as well when kernel
+has to deliver a signal to user task and must save shadow stack pointer. Kernel
+can perform similar procedure by saving a token on user shadow stack itself.
+This way whenever sigreturn happens, kernel can read the token and verify the
+token and then switch to shadow stack. Using this mechanism, kernel helps user
+task so that any corruption issue in user task is not exploited by adversary by
+arbitrarily using ``sigreturn``. Adversary will have to make sure that there is
+a `shadow stack token` in addition to invoking ``sigreturn``
7. Signal shadow stack
-----------------------
-Following structure has been added to sigcontext for RISC-V. `rsvd` field has been kept
-in case we need some extra information in future for landing pads / indirect branch
-tracking. It has been kept today in order to allow backward compatibility in future::
+Following structure has been added to sigcontext for RISC-V. ``rsvd`` field has
+been kept in case we need some extra information in future for landing pads /
+indirect branch tracking. It has been kept today in order to allow backward
+compatibility in future::
struct __sc_riscv_cfi_state {
unsigned long ss_ptr;
unsigned long rsvd;
};
-As part of signal delivery, shadow stack token is saved on current shadow stack itself and
-updated pointer is saved away in `ss_ptr` field in `__sc_riscv_cfi_state` under `sigcontext`
-Existing shadow stack allocation is used for signal delivery. During `sigreturn`, kernel will
-obtain `ss_ptr` from `sigcontext` and verify the saved token on shadow stack itself and switch
-shadow stack.
+As part of signal delivery, shadow stack token is saved on current shadow stack
+itself and updated pointer is saved away in ``ss_ptr`` field in
+``__sc_riscv_cfi_state`` under ``sigcontext`` Existing shadow stack allocation
+is used for signal delivery. During ``sigreturn``, kernel will obtain
+``ss_ptr`` from ``sigcontext`` and verify the saved token on shadow stack
+itself and switch shadow stack.
Thanks.
--
An old man doll... just what I always wanted! - Clara
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
[-- Attachment #2: Type: text/plain, Size: 161 bytes --]
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2024-09-16 3:20 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-12 23:16 [PATCH v4 00/30] riscv control-flow integrity for usermode Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 01/30] mm: Introduce ARCH_HAS_USER_SHADOW_STACK Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-13 15:51 ` Carlos Bilbao
2024-09-13 15:51 ` Carlos Bilbao
2024-09-12 23:16 ` [PATCH v4 02/30] mm: helper `is_shadow_stack_vma` to check shadow stack vma Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 03/30] riscv: Enable cbo.zero only when all harts support Zicboz Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 04/30] riscv: Add support for per-thread envcfg CSR values Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 05/30] riscv: Call riscv_user_isa_enable() only on the boot hart Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 06/30] riscv/Kconfig: enable HAVE_EXIT_THREAD for riscv Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 07/30] riscv: zicfilp / zicfiss in dt-bindings (extensions.yaml) Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-13 0:18 ` Rob Herring (Arm)
2024-09-13 0:18 ` Rob Herring (Arm)
2024-09-13 18:33 ` Conor Dooley
2024-09-13 18:33 ` Conor Dooley
2024-09-12 23:16 ` [PATCH v4 08/30] riscv: zicfiss / zicfilp enumeration Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 09/30] riscv: zicfiss / zicfilp extension csr and bit definitions Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 10/30] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 11/30] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 12/30] riscv mm: manufacture shadow stack pte Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 13/30] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 14/30] riscv mmu: write protect and shadow stack Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 15/30] riscv/mm: Implement map_shadow_stack() syscall Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-13 15:26 ` Mark Brown
2024-09-13 15:26 ` Mark Brown
2024-09-12 23:16 ` [PATCH v4 16/30] riscv/shstk: If needed allocate a new shadow stack on clone Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-14 1:54 ` kernel test robot
2024-09-14 1:54 ` kernel test robot
2024-09-14 3:06 ` kernel test robot
2024-09-14 3:06 ` kernel test robot
2024-09-14 3:26 ` kernel test robot
2024-09-14 3:26 ` kernel test robot
2024-09-12 23:16 ` [PATCH v4 17/30] prctl: arch-agnostic prctl for shadow stack Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 18/30] prctl: arch-agnostic prctl for indirect branch tracking Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 19/30] riscv: Implements arch agnostic shadow stack prctls Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 20/30] riscv: Implements arch agnostic indirect branch tracking prctls Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 21/30] riscv/traps: Introduce software check exception Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-13 19:35 ` Andy Chiu
2024-09-13 19:35 ` Andy Chiu
2024-09-17 0:00 ` Deepak Gupta
2024-09-17 0:00 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 22/30] riscv sigcontext: cfi state struct definition for sigcontext Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 23/30] riscv signal: save and restore of shadow stack for signal Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-13 19:25 ` Andy Chiu
2024-09-13 19:25 ` Andy Chiu
2024-09-16 22:03 ` Deepak Gupta
2024-09-16 22:03 ` Deepak Gupta
2024-09-17 22:03 ` Andy Chiu
2024-09-17 22:03 ` Andy Chiu
2024-09-17 22:52 ` Deepak Gupta
2024-09-17 22:52 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 24/30] riscv/kernel: update __show_regs to print shadow stack register Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 25/30] riscv/ptrace: riscv cfi status and state via ptrace and in core files Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 26/30] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 27/30] riscv: create a config for shadow stack and landing pad instr support Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-12 23:16 ` [PATCH v4 28/30] riscv: Documentation for landing pad / indirect branch tracking Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-16 2:41 ` Bagas Sanjaya
2024-09-16 2:41 ` Bagas Sanjaya
2024-09-12 23:16 ` [PATCH v4 29/30] riscv: Documentation for shadow stack on riscv Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
2024-09-16 3:20 ` Bagas Sanjaya [this message]
2024-09-16 3:20 ` Bagas Sanjaya
2024-09-12 23:16 ` [PATCH v4 30/30] kselftest/riscv: kselftest for user mode cfi Deepak Gupta
2024-09-12 23:16 ` Deepak Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZuekDuJS66-YGg5L@archie.me \
--to=bagasdotme@gmail.com \
--cc=Liam.Howlett@oracle.com \
--cc=ajones@ventanamicro.com \
--cc=akpm@linux-foundation.org \
--cc=alexghiti@rivosinc.com \
--cc=alx@kernel.org \
--cc=ancientmodern4@gmail.com \
--cc=andrii@kernel.org \
--cc=andy.chiu@sifive.com \
--cc=antonb@tenstorrent.com \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=arnd@arndb.de \
--cc=atishp@rivosinc.com \
--cc=ben.dooks@codethink.co.uk \
--cc=bgray@linux.ibm.com \
--cc=bhe@redhat.com \
--cc=bjorn@rivosinc.com \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=charlie@rivosinc.com \
--cc=cleger@rivosinc.com \
--cc=conor@kernel.org \
--cc=corbet@lwn.net \
--cc=costa.shul@redhat.com \
--cc=cuiyunhui@bytedance.com \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=dawei.li@shingroup.cn \
--cc=debug@rivosinc.com \
--cc=deller@gmx.de \
--cc=devicetree@vger.kernel.org \
--cc=ebiederm@xmission.com \
--cc=evan@rivosinc.com \
--cc=greentime.hu@sifive.com \
--cc=guoren@kernel.org \
--cc=hpa@zytor.com \
--cc=jerry.shih@sifive.com \
--cc=jszhang@kernel.org \
--cc=ke.zhao@shingroup.cn \
--cc=kees@kernel.org \
--cc=krzk+dt@kernel.org \
--cc=leobras@redhat.com \
--cc=libang.li@antgroup.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mchitale@ventanamicro.com \
--cc=mingo@redhat.com \
--cc=namcaov@gmail.com \
--cc=oleg@redhat.com \
--cc=osalvador@suse.de \
--cc=palmer@dabbelt.com \
--cc=palmer@sifive.com \
--cc=paul.walmsley@sifive.com \
--cc=peterz@infradead.org \
--cc=puranjay@kernel.org \
--cc=quic_bjorande@quicinc.com \
--cc=quic_zhonhan@quicinc.com \
--cc=revest@chromium.org \
--cc=robh@kernel.org \
--cc=rppt@kernel.org \
--cc=ryan.roberts@arm.com \
--cc=sameo@rivosinc.com \
--cc=samitolvanen@google.com \
--cc=samuel.holland@sifive.com \
--cc=schwab@suse.de \
--cc=shuah@kernel.org \
--cc=songshuaishuai@tinylab.org \
--cc=sorear@fastmail.com \
--cc=sunilvl@ventanamicro.com \
--cc=tanzhasanwork@gmail.com \
--cc=tglx@linutronix.de \
--cc=usama.anjum@collabora.com \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=xiao.w.wang@intel.com \
--cc=yang.lee@linux.alibaba.com \
--cc=zev@bewilderbeest.net \
--cc=zong.li@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.