From: Deepak Gupta <debug@rivosinc.com>
To: Conor Dooley <conor@kernel.org>
Cc: rick.p.edgecombe@intel.com, broonie@kernel.org,
Szabolcs.Nagy@arm.com, kito.cheng@sifive.com,
keescook@chromium.org, ajones@ventanamicro.com,
paul.walmsley@sifive.com, palmer@dabbelt.com,
conor.dooley@microchip.com, cleger@rivosinc.com,
atishp@atishpatra.org, alex@ghiti.fr, bjorn@rivosinc.com,
alexghiti@rivosinc.com, corbet@lwn.net, aou@eecs.berkeley.edu,
oleg@redhat.com, akpm@linux-foundation.org, arnd@arndb.de,
ebiederm@xmission.com, shuah@kernel.org, brauner@kernel.org,
guoren@kernel.org, samitolvanen@google.com, evan@rivosinc.com,
xiao.w.wang@intel.com, apatel@ventanamicro.com,
mchitale@ventanamicro.com, waylingii@gmail.com,
greentime.hu@sifive.com, heiko@sntech.de, jszhang@kernel.org,
shikemeng@huaweicloud.com, david@redhat.com,
charlie@rivosinc.com, panqinglin2020@iscas.ac.cn,
willy@infradead.org, vincent.chen@sifive.com,
andy.chiu@sifive.com, gerg@kernel.org,
jeeheng.sia@starfivetech.com, mason.huo@starfivetech.com,
ancientmodern4@gmail.com, mathis.salmen@matsal.de,
cuiyunhui@bytedance.com, bhe@redhat.com, chenjiahao16@huawei.com,
ruscur@russell.cc, bgray@linux.ibm.com, alx@kernel.org,
baruch@tkos.co.il, zhangqing@loongson.cn,
catalin.marinas@arm.com, revest@chromium.org,
josh@joshtriplett.org, joey.gouly@arm.com, shr@devkernel.io,
omosnace@redhat.com, ojeda@kernel.org, jhubbard@nvidia.com,
linux-doc@vger.kernel.org, linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [RFC PATCH v1 24/28] riscv: select config for shadow stack and landing pad instr support
Date: Thu, 25 Jan 2024 10:12:16 -0800 [thread overview]
Message-ID: <ZbKkgNX7xfU5KO8X@debug.ba.rivosinc.com> (raw)
In-Reply-To: <20240125-snitch-boogieman-5b4a0b142e61@spud>
On Thu, Jan 25, 2024 at 06:04:26PM +0000, Conor Dooley wrote:
>On Wed, Jan 24, 2024 at 10:21:49PM -0800, debug@rivosinc.com wrote:
>> From: Deepak Gupta <debug@rivosinc.com>
>>
>> This patch selects config shadow stack support and landing pad instr
>> support. Shadow stack support and landing instr support is hidden behind
>> `CONFIG_RISCV_USER_CFI`. Selecting `CONFIG_RISCV_USER_CFI` wires up path
>> to enumerate CPU support and if cpu support exists, kernel will support
>> cpu assisted user mode cfi.
>>
>> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
>> ---
>> arch/riscv/Kconfig | 15 +++++++++++++++
>> 1 file changed, 15 insertions(+)
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index 9d386e9edc45..437b2f9abf3e 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -163,6 +163,7 @@ config RISCV
>> select SYSCTL_EXCEPTION_TRACE
>> select THREAD_INFO_IN_TASK
>> select TRACE_IRQFLAGS_SUPPORT
>> + select RISCV_USER_CFI
>
>This select makes no sense to me, it will unconditionally enable
>RISCV_USER_CFI. I don't think that that is your intent, since you have a
>detailed option below that allows the user to turn it on or off.
>
>If you remove it, the commit message will need to change too FYI.
>
Selecting this config puts support in Kernel so that it can run tasks who wants
to enable hardware assisted control flow integrity for themselves. But apps still
always need to optin using `prctls`. Those prctls are stubs and return EINVAL when
this config is not selected. Not selecting this config means, kernel will not support
enabling this feature for user mode.
I'll edit commit message to better reflect this.
>Thanks,
>Conor.
>
>> select UACCESS_MEMCPY if !MMU
>> select ZONE_DMA32 if 64BIT
>>
>> @@ -182,6 +183,20 @@ config HAVE_SHADOW_CALL_STACK
>> # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769
>> depends on $(ld-option,--no-relax-gp)
>>
>> +config RISCV_USER_CFI
>> + bool "riscv userspace control flow integrity"
>> + help
>> + Provides CPU assisted control flow integrity to userspace tasks.
>> + Control flow integrity is provided by implementing shadow stack for
>> + backward edge and indirect branch tracking for forward edge in program.
>> + Shadow stack protection is a hardware feature that detects function
>> + return address corruption. This helps mitigate ROP attacks.
>> + Indirect branch tracking enforces that all indirect branches must land
>> + on a landing pad instruction else CPU will fault. This mitigates against
>> + JOP / COP attacks. Applications must be enabled to use it, and old user-
>> + space does not get protection "for free".
>> + default y
>> +
>> config ARCH_MMAP_RND_BITS_MIN
>> default 18 if 64BIT
>> default 8
>> --
>> 2.43.0
>>
>>
>> _______________________________________________
>> linux-riscv mailing list
>> linux-riscv@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2024-01-25 18:12 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-25 6:21 [RFC PATCH v1 00/28] riscv control-flow integrity for usermode debug
2024-01-25 6:21 ` [RFC PATCH v1 01/28] riscv: abstract envcfg CSR debug
2024-02-12 10:23 ` Andrew Jones
2024-01-25 6:21 ` [RFC PATCH v1 02/28] riscv: envcfg save and restore on trap entry/exit debug
2024-01-25 7:19 ` Stefan O'Rear
2024-01-25 17:09 ` Deepak Gupta
2024-01-25 17:54 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 03/28] riscv: define default value for envcfg debug
2024-01-25 6:21 ` [RFC PATCH v1 04/28] riscv/Kconfig: enable HAVE_EXIT_THREAD for riscv debug
2024-01-25 6:21 ` [RFC PATCH v1 05/28] riscv: zicfiss/zicfilp enumeration debug
2024-01-25 17:59 ` Conor Dooley
2024-01-25 18:26 ` Deepak Gupta
2024-01-25 18:46 ` Conor Dooley
2024-01-25 6:21 ` [RFC PATCH v1 06/28] riscv: zicfiss/zicfilp extension csr and bit definitions debug
2024-01-25 6:21 ` [RFC PATCH v1 07/28] riscv: kernel handling on trap entry/exit for user cfi debug
2024-01-25 7:29 ` Stefan O'Rear
2024-01-25 17:30 ` Deepak Gupta
2024-01-25 19:47 ` Stefan O'Rear
2024-01-26 0:25 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 08/28] mm: Define VM_SHADOW_STACK for RISC-V debug
2024-01-25 8:17 ` David Hildenbrand
2024-01-25 17:05 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 09/28] mm: abstract shadow stack vma behind `arch_is_shadow_stack` debug
2024-01-25 8:18 ` David Hildenbrand
2024-01-25 17:07 ` Deepak Gupta
2024-02-13 10:34 ` David Hildenbrand
2024-02-22 1:32 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 10/28] riscv/mm : Introducing new protection flag "PROT_SHADOWSTACK" debug
2024-01-25 6:21 ` [RFC PATCH v1 11/28] riscv: Implementing "PROT_SHADOWSTACK" on riscv debug
[not found] ` <2914cf78e47010e195d963857b37807e8446e3be.camel@intel.com>
2024-02-22 0:39 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 12/28] riscv mm: manufacture shadow stack pte debug
2024-01-25 6:21 ` [RFC PATCH v1 13/28] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs debug
2024-01-25 6:21 ` [RFC PATCH v1 14/28] riscv mmu: write protect and shadow stack debug
2024-01-25 6:21 ` [RFC PATCH v1 15/28] riscv/mm: Implement map_shadow_stack() syscall debug
2024-01-25 21:24 ` Charlie Jenkins
2024-01-26 0:44 ` Deepak Gupta
2024-02-06 16:01 ` Mark Brown
2024-02-22 0:47 ` Deepak Gupta
2024-02-22 13:33 ` Mark Brown
[not found] ` <ba45e69f69851721419b84f1ff8b66a490f92c86.camel@intel.com>
2024-02-22 0:50 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 16/28] riscv/shstk: If needed allocate a new shadow stack on clone debug
2024-01-25 6:21 ` [RFC PATCH v1 17/28] prctl: arch-agnostic prctl for shadow stack debug
2024-01-25 6:21 ` [RFC PATCH v1 18/28] prctl: arch-agnostic prtcl for indirect branch tracking debug
2024-02-06 16:13 ` Mark Brown
2024-02-22 0:42 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 19/28] riscv: Implements arch agnostic shadow stack prctls debug
2024-01-25 6:21 ` [RFC PATCH v1 20/28] riscv: Implements arch argnostic indirect branch tracking prctls debug
2024-01-25 6:21 ` [RFC PATCH v1 21/28] riscv/traps: Introduce software check exception debug
2024-01-25 6:21 ` [RFC PATCH v1 22/28] riscv sigcontext: adding cfi state field in sigcontext debug
2024-01-25 6:21 ` [RFC PATCH v1 23/28] riscv signal: Save and restore of shadow stack for signal debug
2024-01-25 6:21 ` [RFC PATCH v1 24/28] riscv: select config for shadow stack and landing pad instr support debug
2024-01-25 18:04 ` Conor Dooley
2024-01-25 18:12 ` Deepak Gupta [this message]
2024-01-25 18:44 ` Conor Dooley
2024-01-25 19:26 ` Deepak Gupta
2024-01-25 6:21 ` [RFC PATCH v1 25/28] riscv/ptrace: riscv cfi status and state via ptrace and in core files debug
2024-01-25 6:21 ` [RFC PATCH v1 26/28] riscv: Documentation for landing pad / indirect branch tracking debug
2024-01-25 6:21 ` [RFC PATCH v1 27/28] riscv: Documentation for shadow stack on riscv debug
2024-01-25 6:21 ` [RFC PATCH v1 28/28] kselftest/riscv: kselftest for user mode cfi debug
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZbKkgNX7xfU5KO8X@debug.ba.rivosinc.com \
--to=debug@rivosinc.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=ajones@ventanamicro.com \
--cc=akpm@linux-foundation.org \
--cc=alex@ghiti.fr \
--cc=alexghiti@rivosinc.com \
--cc=alx@kernel.org \
--cc=ancientmodern4@gmail.com \
--cc=andy.chiu@sifive.com \
--cc=aou@eecs.berkeley.edu \
--cc=apatel@ventanamicro.com \
--cc=arnd@arndb.de \
--cc=atishp@atishpatra.org \
--cc=baruch@tkos.co.il \
--cc=bgray@linux.ibm.com \
--cc=bhe@redhat.com \
--cc=bjorn@rivosinc.com \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=charlie@rivosinc.com \
--cc=chenjiahao16@huawei.com \
--cc=cleger@rivosinc.com \
--cc=conor.dooley@microchip.com \
--cc=conor@kernel.org \
--cc=corbet@lwn.net \
--cc=cuiyunhui@bytedance.com \
--cc=david@redhat.com \
--cc=ebiederm@xmission.com \
--cc=evan@rivosinc.com \
--cc=gerg@kernel.org \
--cc=greentime.hu@sifive.com \
--cc=guoren@kernel.org \
--cc=heiko@sntech.de \
--cc=jeeheng.sia@starfivetech.com \
--cc=jhubbard@nvidia.com \
--cc=joey.gouly@arm.com \
--cc=josh@joshtriplett.org \
--cc=jszhang@kernel.org \
--cc=keescook@chromium.org \
--cc=kito.cheng@sifive.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=mason.huo@starfivetech.com \
--cc=mathis.salmen@matsal.de \
--cc=mchitale@ventanamicro.com \
--cc=ojeda@kernel.org \
--cc=oleg@redhat.com \
--cc=omosnace@redhat.com \
--cc=palmer@dabbelt.com \
--cc=panqinglin2020@iscas.ac.cn \
--cc=paul.walmsley@sifive.com \
--cc=revest@chromium.org \
--cc=rick.p.edgecombe@intel.com \
--cc=ruscur@russell.cc \
--cc=samitolvanen@google.com \
--cc=shikemeng@huaweicloud.com \
--cc=shr@devkernel.io \
--cc=shuah@kernel.org \
--cc=vincent.chen@sifive.com \
--cc=waylingii@gmail.com \
--cc=willy@infradead.org \
--cc=xiao.w.wang@intel.com \
--cc=zhangqing@loongson.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).