From: Valentin Obst
To: samitolvanen@google.com, aliceryhl@google.com
Cc: Jamie.Cunliffe@arm.com, a.hindborg@samsung.com, alex.gaynor@gmail.com,
    ardb@kernel.org, benno.lossin@proton.me, bjorn3_gh@protonmail.com,
    boqun.feng@gmail.com, broonie@kernel.org, catalin.marinas@arm.com,
    gary@garyguo.net, keescook@chromium.org,
    linux-arm-kernel@lists.infradead.org, linux-kbuild@vger.kernel.org,
    linux-kernel@vger.kernel.org, mark.rutland@arm.com, masahiroy@kernel.org,
    maz@kernel.org, nathan@kernel.org, ndesaulniers@google.com,
    nicolas@fjasle.eu, ojeda@kernel.org, rust-for-linux@vger.kernel.org,
    wedsonaf@gmail.com, will@kernel.org, Valentin Obst
Subject: Re: [PATCH] rust: add flags for shadow call stack sanitizer
Date: Tue, 5 Mar 2024 00:31:51 +0100
Message-ID: <20240304233151.248925-1-kernel@valentinobst.de>

> > Add flags to support the shadow call stack sanitizer, both in the
> > dynamic and non-dynamic modes.
> >
> > Right now, the compiler will emit the warning "unknown feature specified
> > for `-Ctarget-feature`: `reserve-x18`". However, the compiler still
> > passes it to the codegen backend, so the flag will work just fine. Once
> > rustc starts recognizing the flag (or provides another way to enable the
> > feature), it will stop emitting this warning. See [1] for the relevant
> > issue.
> >
> > Currently, the compiler thinks that the aarch64-unknown-none target
> > doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
> > you enable shadow call stack in non-dynamic mode.
> > However, I still think it is reasonable to add the flag now, as it will
> > at least fail the build when using an invalid configuration, until the
> > Rust compiler is fixed to list -Zsanitizer=shadow-call-stack as supported
> > for the target. See [2] for the feature request to add this.
> >
> > I have tested this change with Rust Binder on an Android device using
> > CONFIG_DYNAMIC_SCS. Without the -Ctarget-feature=+reserve-x18 flag, the
> > phone crashes immediately on boot, and with the flag, the phone appears
> > to work normally.
> >
> > Link: https://github.com/rust-lang/rust/issues/121970 [1]
> > Link: https://github.com/rust-lang/rust/issues/121972 [2]
> > Signed-off-by: Alice Ryhl
> > ---
> > It's not 100% clear to me whether this patch is enough for full SCS
> > support in Rust. If there is some issue where this makes things compile
> > and work without actually applying SCS to the Rust code, please let me
> > know. Is there some way to verify that it is actually working?
>
> Perhaps you could write a Rust version of the CFI_BACKWARD test in LKDTM?
>
> Alternatively, the simplest way to verify this is to look at the
> disassembly and verify that shadow stack instructions are emitted to
> Rust functions too. In case of dynamic SCS, you might need to dump
> function memory in a debugger to verify that PAC instructions were
> patched correctly. If they're not, the code will just quietly continue
> working without using shadow stacks.

Was just in the process of doing that:

- `paciasp`/`autiasp` pairs are emitted for functions in Rust modules.
- Rust modules have no `.init.eh_frame` section, which implies that
  `module_finalize` is _not_ rewriting the pac insns when SCS is dynamic.
- Confirmed that behavior in the debugger (C modules and the C part of the
  kernel are correctly rewritten, Rust modules execute with
  `paciasp`/`autiasp` still in place).
- Kernel boots just fine with Rust kunit tests, tested with and without
  dynamic SCS, i.e., on a CPU that supports PAC/BTI and one that does not.
- Rust sample modules load and unload without problems as well.
- `x18` is indeed not used in the codegen.

I guess we might be able to get this working when we tweak the build system
to emit the missing section for Rust modules.

    - Best Valentin

> > This patch raises the question of whether we should change the Rust
> > aarch64 support to use a custom target.json specification. If we do
> > that, then we can fix both the warning for dynamic SCS and the
> > build-failure for non-dynamic SCS without waiting for a new version of
> > rustc with the mentioned issues fixed.
>
> Sure, having a custom target description for the kernel might be
> useful for other purposes too. In the meantime:
>
> Reviewed-by: Sami Tolvanen
>
> Sami
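
The disassembly check discussed in this thread, as an added example (not code from the thread or the kernel tree): it labels each function in `objdump -d` output by how its return address is handled and flags any other use of `x18`. The sample disassembly and function names are constructed; the `str x30, [x18], #8` / `ldr x30, [x18, #-8]!` pair is the arm64 shadow call stack push/pop that Clang emits.

```python
import re
# Constructed `objdump -d` excerpt for an arm64 module (sample data, not from the thread).
SAMPLE = """\
0000000000000000 <rust_fn>:
   0:\td503233f \tpaciasp
   4:\t94000000 \tbl\t4 <rust_fn+0x4>
   8:\td50323bf \tautiasp
   c:\td65f03c0 \tret
0000000000000010 <c_fn>:
  10:\tf800865e \tstr\tx30, [x18], #8
  14:\t94000000 \tbl\t14 <c_fn+0x4>
  18:\tf85f8e5e \tldr\tx30, [x18, #-8]!
  1c:\td65f03c0 \tret
0000000000000020 <bare_fn>:
  20:\taa0003f2 \tmov\tx18, x0
  24:\t94000000 \tbl\t24 <bare_fn+0x4>
  28:\td65f03c0 \tret
"""

FUNC = re.compile(r"^[0-9a-f]+ <(.+)>:$")
INSN = re.compile(r"^\s*[0-9a-f]+:\s+[0-9a-f]{8}\s+(.*)$")
SCS_PUSH, SCS_POP = "str x30, [x18], #8", "ldr x30, [x18, #-8]!"

def parse(disasm):
    """Return {function name: [instruction text with whitespace normalized]}."""
    funcs, cur = {}, None
    for line in disasm.splitlines():
        if m := FUNC.match(line):
            cur = funcs.setdefault(m.group(1), [])
        elif cur is not None and (m := INSN.match(line)):
            cur.append(" ".join(m.group(1).split()))
    return funcs

def classify(disasm):
    """Label each function 'scs', 'pac' or 'none', plus whether x18 is used elsewhere."""
    report = {}
    for name, insns in parse(disasm).items():
        if SCS_PUSH in insns and SCS_POP in insns:
            kind = "scs"   # shadow call stack push/pop already in place
        elif "paciasp" in insns and "autiasp" in insns:
            kind = "pac"   # only becomes SCS if the loader patches it (dynamic SCS)
        else:
            kind = "none"  # no return-address instrumentation found
        stray = any(re.search(r"\b[xw]18\b", i) for i in insns if i not in (SCS_PUSH, SCS_POP))
        report[name] = (kind, stray)
    return report

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A function reported as `pac` in a module that has no `.init.eh_frame` section stays PAC-only under dynamic SCS, which is the situation the reply describes for Rust modules.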