From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC4CA433A4 for ; Fri, 21 Mar 2025 07:51:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.45 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742543469; cv=none; b=t9rfTg5KEu5OytVNN/xoS7y6RS0geT9VG5U0JsZqAjRfOwH2rDXQLi23lxKChxZ+0PZkb9Liy5lWeH93U0kPLM1xxyJAT8RaBMkR3P+I7F7saCBSfrKkWsyN03DnYshv97DKajxkBCXWj2B+uKDTBXDWg3vXChnfdHRm7tBzszA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742543469; c=relaxed/simple; bh=y4dXpl3cvatt6fzahD+2xibQ5xvZLmqxOM6dGyrnOAY=; h=Mime-Version:Content-Type:Date:Message-Id:Subject:Cc:To:From: References:In-Reply-To; b=iPOLARaBKsPj/tS2rDzjl0c66D46ZoqR/mFDlU/OsDWVAHuNQcx+zHLK2gSY0CiEM+1pQhXtDEp+168mGpepBMxCS6VAkCakdJRzHmgw30RW4Ij9BMkx/UcXBy1419Ifz2kr1b+5o11cS/FJ3cbPVCLlZbdKJAvyucPYj0lOtMc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ventanamicro.com; spf=pass smtp.mailfrom=ventanamicro.com; dkim=pass (2048-bit key) header.d=ventanamicro.com header.i=@ventanamicro.com header.b=J4TMQ/tQ; arc=none smtp.client-ip=209.85.221.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=ventanamicro.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ventanamicro.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ventanamicro.com header.i=@ventanamicro.com header.b="J4TMQ/tQ" Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-3913290f754so216606f8f.1 for ; Fri, 21 Mar 2025 00:51:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ventanamicro.com; s=google; t=1742543465; x=1743148265; darn=vger.kernel.org; h=in-reply-to:references:from:to:cc:subject:message-id:date :content-transfer-encoding:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PhIkdGys04hj0FOCl78FUSdH2+gL7DQzkmTGKMi3P1w=; b=J4TMQ/tQ7kTYKGnisvf4KLzfcQHqt+wqQu+H0MR5iP6uE75MqTF12z1+TQWGyK6GWh iD1Ej0oi4jTnCOoTxAhwTwR9NZ8ZstTQ+OOOzCeBLvaCTSxkoEGNXzm0zOF7zeStKgBu PWyZWzReCQwiVnh5ouvRLebs7wWvp5DQAZ2DQN8FE1cY9L5SibTakRgjlLzmKw867CqO atw4Q9I38DhYVh+t3HU68MeJQNSJIKQ8sqIk+T79lTfMDnGmI++iiSQMId8u2lN1MiP8 8xEuYMAvRSSnCyyuYYlkzjWLmU3zSXBh5NIgaB3rOZX/fkUaU4EjyGVPvFxOlQD73GGb dRZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742543465; x=1743148265; h=in-reply-to:references:from:to:cc:subject:message-id:date :content-transfer-encoding:mime-version:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=PhIkdGys04hj0FOCl78FUSdH2+gL7DQzkmTGKMi3P1w=; b=R1FX3o4EBC6rtlNZBH8zVTUWqN4jxWWSFnXlgc66x+le6q2jgtADpkBEkrNAzK0Azm ioiAp6g2pI12B8UuKbve05n0Lq7tmr+w++kKurCPcz7HNB6XEvqkSBU9+sEIia3+aL6R OZCWWCQl0tTKYHvuMKiBHXapVok2WK8YWRFO8AJqnhM48ugAjXmqvBTNgTKFc4lsUtPb fWStGgAMbvnmEntNsqYJ2w8HPGtNLHZxcHpbNOlB6rcy43MKOAXLlRgUyKcEQ36j6UOa IzAv/fWciye/6CL50O96DZxe+wyGpO3WLgF63vMyz9nzhSbzwBTiyi/oLVHW78b4JB1H zw2A== X-Forwarded-Encrypted: i=1; AJvYcCXuZ8OQ9kCP09EcxZSxYMFCrnBleNxR5kZ82iusk3lGGdfaTtba4TmEqjLcKUjW8bLrnr5tYV7ie2A=@vger.kernel.org X-Gm-Message-State: AOJu0YyT09RqFyKsv8fqwotV+PweUO5kvrI56+VxrJZviHKfba68jqq4 LAmMUNmlMl3QN0N16tHmiQyMCpa4kopXtvFnRwbGA0bMRSDDVA5CadkUovaGA3A= X-Gm-Gg: ASbGncscrhZLqLPoB9I7i7TMGiiUv7WsOFeunnchdh+OQJQrTQcF/afVZYlPb/Slac/ BO5vfYF9pZcMoIwDqyl23pGAxQnWt+nh0M/23GCTIiEWe0cx1ek+vTzoODM4njEv3cnhDG6p+Qs z0ORczEZ/uwYjUPyJLXoEKlADrRlZ2ibzMJfy+gmXjomK3vqk4jZ5syyXbZthHmTtKQNQJYI/eh R135mj3qM60v3mJECqc3v3/SqznmHwR8jCDB5RuG45+4i3k36OAOE7qIKz73odmIQv3AJaefrgx MY/UW/FW9hLcv448ZxinhCnT8P2kifDemCqxL+pjUQqVEVNhIu79HYJUW3QMT74Srt0NBWUFxBI uscwA X-Google-Smtp-Source: AGHT+IGwi45hePFM2TZdMOTyXUgfdngf4+B913tg/H8YfeoX7CrwBIY2Kj9KlDmHfMfV0eRC+zYKag== X-Received: by 2002:a5d:598b:0:b0:38d:d743:7d36 with SMTP id ffacd0b85a97d-3997f93046emr899094f8f.10.1742543464931; Fri, 21 Mar 2025 00:51:04 -0700 (PDT) Received: from localhost (ip-89-103-73-235.bb.vodafone.cz. [89.103.73.235]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-43d4fdb06b9sm18758395e9.36.2025.03.21.00.51.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 21 Mar 2025 00:51:04 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-doc@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Fri, 21 Mar 2025 08:51:04 +0100 Message-Id: Subject: Re: [PATCH v12 25/28] riscv: create a config for shadow stack and landing pad instr support Cc: "Thomas Gleixner" , "Ingo Molnar" , "Borislav Petkov" , "Dave Hansen" , , "H. Peter Anvin" , "Andrew Morton" , "Liam R. Howlett" , "Vlastimil Babka" , "Lorenzo Stoakes" , "Paul Walmsley" , "Palmer Dabbelt" , "Albert Ou" , "Conor Dooley" , "Rob Herring" , "Krzysztof Kozlowski" , "Arnd Bergmann" , "Christian Brauner" , "Peter Zijlstra" , "Oleg Nesterov" , "Eric Biederman" , "Kees Cook" , "Jonathan Corbet" , "Shuah Khan" , "Jann Horn" , "Conor Dooley" , , , , , , , , , , , , , , , , , , , , , , "Zong Li" , "linux-riscv" To: "Deepak Gupta" From: =?utf-8?q?Radim_Kr=C4=8Dm=C3=A1=C5=99?= References: <20250314-v5_user_cfi_series-v12-0-e51202b53138@rivosinc.com> <20250314-v5_user_cfi_series-v12-25-e51202b53138@rivosinc.com> In-Reply-To: 2025-03-20T15:29:55-07:00, Deepak Gupta : > On Thu, Mar 20, 2025 at 2:25=E2=80=AFPM Radim Kr=C4=8Dm=C3=A1=C5=99 wrote: >> >> 2025-03-14T14:39:44-07:00, Deepak Gupta : >> > This patch creates a config for shadow stack support and landing pad i= nstr >> > support. Shadow stack support and landing instr support can be enabled= by >> > selecting `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` w= ires >> > up path to enumerate CPU support and if cpu support exists, kernel wil= l >> > support cpu assisted user mode cfi. >> > >> > If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS= `, >> > `ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv. >> > >> > Reviewed-by: Zong Li >> > Signed-off-by: Deepak Gupta >> > --- >> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig >> > @@ -250,6 +250,26 @@ config ARCH_HAS_BROKEN_DWARF5 >> > +config RISCV_USER_CFI >> > + def_bool y >> > + bool "riscv userspace control flow integrity" >> > + depends on 64BIT && $(cc-option,-mabi=3Dlp64 -march=3Drv64ima_zi= cfiss) >> > + depends on RISCV_ALTERNATIVE >> > + select ARCH_HAS_USER_SHADOW_STACK >> > + select ARCH_USES_HIGH_VMA_FLAGS >> > + select DYNAMIC_SIGFRAME >> > + help >> > + Provides CPU assisted control flow integrity to userspace task= s. >> > + Control flow integrity is provided by implementing shadow stac= k for >> > + backward edge and indirect branch tracking for forward edge in= program. >> > + Shadow stack protection is a hardware feature that detects fun= ction >> > + return address corruption. This helps mitigate ROP attacks. >> > + Indirect branch tracking enforces that all indirect branches m= ust land >> > + on a landing pad instruction else CPU will fault. This mitigat= es against >> > + JOP / COP attacks. Applications must be enabled to use it, and= old user- >> > + space does not get protection "for free". >> > + default y >> >> A high level question to kick off my review: >> >> Why are landing pads and shadow stacks merged together? >> >> Apart from adding build flexibility, we could also split the patches >> into two isolated series, because the features are independent. > > Strictly from CPU extensions point of view they are independent features. > Although from a usability point of view they complement each other. A use= r > wanting to enable support for control flow integrity wouldn't be enabling > only landing pad and leaving return flow open for an attacker and vice-ve= rsa. > That's why I defined a single CONFIG for CFI. > > From organizing patches in the patch series, shadow stack and landing > pad patches do not cross into each other and are different from each > other except dt-bindings, hwprobe, csr definitions. I can separate them > out as well if that's desired. It would be my preference, but it's the maintainer's call. I think that landing pads could be merged earlier if they were posted separately, but this series is already on v12, so I don't want to force anything. > Furthermore, I do not see an implementation only implementing zicfilp > while not implementing zicfiss. There is a case of a nommu case where > only zicfilp might be implemented and no zicfiss. However that's the case > which is anyways riscv linux kernel is not actively being tested. IIRC, > it was (nommu linux) considered to be phased out/not supported as well. > > We could have two different configs but I don't see what would serve > apart from the ability to build support for landing pad and shadow stack > differently. As I said from a usability point of view both features > are complimenting > to each other rather than standing out alone and providing full protectio= n. > > A kernel is built with support for enabling both features or none. Sure u= ser > can use either of the prctl to enable either of the features in whatever > combination they see fit. Yeah, it will be rare, but if for some reason one feature cannot be used, then having just one is better than none. We can easily add compile options later and if we start with separate kernel parameters, then the users won't even notice a difference.