From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel, Will Deacon, Catalin Marinas, Marc Zyngier, Mark Rutland, Mark Brown, Sami Tolvanen, Nick Desaulniers, Kees Cook
Subject: [PATCH v5 0/3] arm64: dynamic shadow call stack support
Date: Mon, 22 Aug 2022 11:50:55 +0200
Message-Id: <20220822095058.2912704-1-ardb@kernel.org>

Generic kernel images such as Android's GKI usually enable all available
security features, which are typically implemented in such a way that
they only take effect if the underlying hardware can support it, but
don't interfere with correct and efficient operation otherwise.

For shadow call stack support, which is always supported by the
hardware, it means it will be enabled even if pointer authentication is
also supported, and enabled for signing return addresses stored on the
stack. The additional security provided by shadow call stack is only
marginal in this case, whereas the performance overhead is not.

Given that return address signing is based on PACIASP/AUTIASP
instructions that implicitly operate on the return address register
(X30) and are not idempotent (i.e., each needs to be emitted exactly
once before the return address is stored on the ordinary stack and after
it has been retrieved from it), we can convert these instructions 1:1
into shadow call stack pushes and pops involving the register X30. As
this is something that can be done at runtime rather than build time, we
can do this conditionally based on whether or not return address signing
is supported on the underlying hardware.

In order to allow runtimes to unwind call stacks that involve return
address signing, we track whether or not the return address is currently
signed by means of DWARF CFI directives in the unwinding metadata.
This means we can use this information to locate all PACIASP/AUTIASP
instructions in the binary, instead of having to use brute force and go
over all instructions in the entire program.

This series implements this approach for Clang, which has been vetted
(and fixed in release 15) to ensure that the unwind metadata is 100%
accurate when it comes to PACIASP/AUTIASP occurrences. Sadly, GCC does
not always get that quite right, so this series is Clang-only for the
moment.

Changes since v4 [1]:
- rebase onto v6.0-rc2
- use SYS_FIELD_GET for AA64ISAR1/2 sysreg field accesses
- add Sami's Rb/Tb

Changes since v3 [2]:
- rebase onto arm64/for-next/core
- fix init value of dynamic_scs_enabled static key
- don't discard .eh_frame sections (to work around a bug in an older
  Clang version if we are keeping them for dynamic SCS patching,
- print a diagnostic if dynamic SCS patching is enabled,
- apply build fix suggested by Sami and add his ack to patch #2

Changes since v2 [3]:
- don't enable unwind table generation for nVHE code - it cannot be
  patched anyway so it has no use for it;
- drop checks for ID reg overrides
- fix some remaining TODOs regarding augmentation data and the code
  alignment factor
- disable PAC for leaf functions when dynamic SCS is configured, so that
  we don't end up with SCS pushes and pops in all leaf functions too;
- add I-cache maintenance after code patching
- add Rb's from Nick and Kees.

Changes since RFC v1:
- implement boot time check for PAC/BTI support, and only enable dynamic
  SCS if neither are supported;
- implement module patching as well;
- switch to Clang, and drop workaround for GCC bug;

[0] https://lore.kernel.org/linux-arm-kernel/20211013152243.2216899-1-ardb@kernel.org/
[1] https://lore.kernel.org/linux-arm-kernel/20220701152724.3343599-1-ardb@kernel.org/
[2] https://lore.kernel.org/linux-arm-kernel/20220613134008.3760481-1-ardb@kernel.org/
[3] https://lore.kernel.org/linux-arm-kernel/20220505161011.1801596-1-ardb@kernel.org/

Cc: Will Deacon
Cc: Catalin Marinas
Cc: Marc Zyngier
Cc: Mark Rutland
Cc: Mark Brown
Cc: Sami Tolvanen
Cc: Nick Desaulniers
Cc: Kees Cook

Ard Biesheuvel (3):
  arm64: unwind: add asynchronous unwind tables to kernel and modules
  scs: add support for dynamic shadow call stacks
  arm64: implement dynamic shadow call stack for Clang

 Makefile                              |   2 +
 arch/Kconfig                          |   7 +
 arch/arm64/Kconfig                    |  12 +
 arch/arm64/Makefile                   |  15 +-
 arch/arm64/include/asm/module.lds.h   |   8 +
 arch/arm64/include/asm/scs.h          |  49 ++++
 arch/arm64/kernel/Makefile            |   2 +
 arch/arm64/kernel/head.S              |   3 +
 arch/arm64/kernel/irq.c               |   2 +-
 arch/arm64/kernel/module.c            |   8 +
 arch/arm64/kernel/patch-scs.c         | 257 ++++++++++++++++++++
 arch/arm64/kernel/pi/Makefile         |   1 +
 arch/arm64/kernel/sdei.c              |   2 +-
 arch/arm64/kernel/setup.c             |   4 +
 arch/arm64/kernel/vmlinux.lds.S       |  13 +
 arch/arm64/kvm/hyp/nvhe/Makefile      |   1 +
 drivers/firmware/efi/libstub/Makefile |   1 +
 include/asm-generic/vmlinux.lds.h     |   9 +-
 include/linux/scs.h                   |  18 ++
 kernel/scs.c                          |  14 +-
 scripts/module.lds.S                  |   8 +-
 21 files changed, 427 insertions(+), 9 deletions(-)
 create mode 100644 arch/arm64/kernel/patch-scs.c

-- 
2.35.1
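
Added example (not code from this series or from the kernel): a user-space sketch of the approach the cover letter describes, walking one FDE's CFA program to find the return-address signing sites and rewriting each PACIASP/AUTIASP into the matching shadow call stack push/pop on X18. The sample function and CFA bytes are constructed, only a subset of CFA opcodes is handled, the function name scs_patch_fde is hypothetical, and the directive's location is assumed to be the address just past the PAC instruction; it patches an in-memory buffer, so the I-cache maintenance mentioned in the changelog does not apply here.

```c
#include <stddef.h>
#include <stdint.h>

#define PACIASP  0xd503233fu /* hint #25: sign X30, SP as modifier */
#define AUTIASP  0xd50323bfu /* hint #29: authenticate X30 */
#define SCS_PUSH 0xf800865eu /* str x30, [x18], #8 */
#define SCS_POP  0xf85f8e5eu /* ldr x30, [x18, #-8]! */
#define DW_CFA_def_cfa_offset  0x0e
#define DW_CFA_negate_ra_state 0x2d /* AArch64 vendor CFA opcode */

/* Constructed sample: one function and the CFA program of its FDE. */
uint32_t sample_code[] = { PACIASP, 0xa9bf7bfd /* stp x29, x30, [sp, #-16]! */,
    0x910003fd /* mov x29, sp */, 0xa8c17bfd /* ldp x29, x30, [sp], #16 */,
    AUTIASP, 0xd65f03c0 /* ret */ };
const uint8_t sample_cfa[] = { 0x41, 0x2d, 0x41, 0x0e, 0x10, 0x43, 0x2d, 0x00 };

/* Rewrite the instruction preceding each negate_ra_state directive. caf is
 * the CIE's code alignment factor. Returns the number of patched sites, or
 * -1 (with the code left untouched) on anything unexpected. */
int scs_patch_fde(uint32_t *code, size_t ninsn, const uint8_t *cfa,
                  size_t len, unsigned caf)
{
    int found = 0;
    /* Pass 0 only validates, pass 1 writes: a malformed program never
     * leaves a function with a push but no matching pop. */
    for (int write = 0; write < 2; write++) {
        size_t loc = 0, i = 0; /* loc: byte offset into code */
        found = 0;
        while (i < len) {
            uint8_t op = cfa[i++];
            if ((op & 0xc0) == 0x40) {            /* DW_CFA_advance_loc */
                loc += (size_t)(op & 0x3f) * caf;
            } else if (op == DW_CFA_def_cfa_offset || (op & 0xc0) == 0x80) {
                do { if (i >= len) return -1; } while (cfa[i++] & 0x80); /* ULEB128 */
            } else if (op == DW_CFA_negate_ra_state) {
                if (loc < 4 || loc % 4 || loc / 4 > ninsn) return -1;
                uint32_t *insn = &code[loc / 4 - 1];
                uint32_t repl = *insn == PACIASP ? SCS_PUSH :
                                *insn == AUTIASP ? SCS_POP : 0;
                if (!repl) return -1; /* not a PAC insn: this example refuses */
                if (write) *insn = repl;
                found++;
            } else if (op != 0x00) {              /* anything but DW_CFA_nop */
                return -1;
            }
        }
    }
    return found;
}
```

Because both instructions act implicitly on X30 and occur exactly once around each spill of the return address, the 1:1 rewrite keeps the function's length and layout unchanged.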