Date: Fri, 10 May 2024 15:51:51 -0700
From: Charlie Jenkins
To: Deepak Gupta
Cc: paul.walmsley@sifive.com, rick.p.edgecombe@intel.com, broonie@kernel.org, Szabolcs.Nagy@arm.com, kito.cheng@sifive.com, keescook@chromium.org, ajones@ventanamicro.com, conor.dooley@microchip.com, cleger@rivosinc.com, atishp@atishpatra.org, alex@ghiti.fr, bjorn@rivosinc.com, alexghiti@rivosinc.com, samuel.holland@sifive.com, conor@kernel.org, linux-doc@vger.kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, devicetree@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, corbet@lwn.net, palmer@dabbelt.com, aou@eecs.berkeley.edu, robh+dt@kernel.org, krzysztof.kozlowski+dt@linaro.org, oleg@redhat.com, akpm@linux-foundation.org, arnd@arndb.de, ebiederm@xmission.com, Liam.Howlett@oracle.com, vbabka@suse.cz, lstoakes@gmail.com, shuah@kernel.org, brauner@kernel.org, andy.chiu@sifive.com, jerry.shih@sifive.com, hankuan.chen@sifive.com, greentime.hu@sifive.com, evan@rivosinc.com, xiao.w.wang@intel.com, apatel@ventanamicro.com, mchitale@ventanamicro.com, dbarboza@ventanamicro.com, sameo@rivosinc.com, shikemeng@huaweicloud.com, willy@infradead.org, vincent.chen@sifive.com, guoren@kernel.org, samitolvanen@google.com, songshuaishuai@tinylab.org, gerg@kernel.org, heiko@sntech.de, bhe@redhat.com, jeeheng.sia@starfivetech.com, cyy@cyyself.name, maskray@google.com, ancientmodern4@gmail.com, mathis.salmen@matsal.de, cuiyunhui@bytedance.com, bgray@linux.ibm.com, mpe@ellerman.id.au, baruch@tkos.co.il, alx@kernel.org, david@redhat.com, catalin.marinas@arm.com, revest@chromium.org, josh@joshtriplett.org, shr@devkernel.io, deller@gmx.de, omosnace@redhat.com, ojeda@kernel.org, jhubbard@nvidia.com
Subject: Re: [PATCH v3 07/29] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit
References: <20240403234054.2020347-1-debug@rivosinc.com> <20240403234054.2020347-8-debug@rivosinc.com>

On Wed, Apr 03, 2024 at 04:34:55PM -0700, Deepak Gupta wrote:
> Carves out space in arch specific thread struct for cfi status and shadow
> stack in usermode on riscv.
>
> This patch does the following
> - defines a new structure cfi_status with status bit for cfi feature
> - defines shadow stack pointer, base and size in cfi_status structure
> - defines offsets to new member fields in thread in asm-offsets.c
> - Saves and restores shadow stack pointer on trap entry (U --> S) and exit
>   (S --> U)
>
> Shadow stack save/restore is gated on feature availability and implemented
> using alternative. CSR can be context switched in `switch_to` as well but
> as soon as kernel shadow stack support gets rolled in, shadow stack pointer
> will need to be switched at trap entry/exit point (much like `sp`). It can
> be argued that kernel using shadow stack deployment scenario may not be as
> prevalent as user mode using this feature. But even if there is some
> minimal deployment of kernel shadow stack, that means that it needs to be
> supported. And thus save/restore of shadow stack pointer in entry.S instead
> of in `switch_to.h`.
> > Signed-off-by: Deepak Gupta > --- > arch/riscv/include/asm/processor.h | 1 + > arch/riscv/include/asm/thread_info.h | 3 +++ > arch/riscv/include/asm/usercfi.h | 24 ++++++++++++++++++++++++ > arch/riscv/kernel/asm-offsets.c | 4 ++++ > arch/riscv/kernel/entry.S | 26 ++++++++++++++++++++++++++ > 5 files changed, 58 insertions(+) > create mode 100644 arch/riscv/include/asm/usercfi.h > > diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h > index 6c5b3d928b12..f8decf357804 100644 > --- a/arch/riscv/include/asm/processor.h > +++ b/arch/riscv/include/asm/processor.h > @@ -14,6 +14,7 @@ > > #include > #include > +#include > > #ifdef CONFIG_64BIT > #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) > diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h > index a503bdc2f6dd..f1dee307806e 100644 > --- a/arch/riscv/include/asm/thread_info.h > +++ b/arch/riscv/include/asm/thread_info.h > @@ -57,6 +57,9 @@ struct thread_info { > int cpu; > unsigned long syscall_work; /* SYSCALL_WORK_ flags */ > unsigned long envcfg; > +#ifdef CONFIG_RISCV_USER_CFI > + struct cfi_status user_cfi_state; > +#endif > #ifdef CONFIG_SHADOW_CALL_STACK > void *scs_base; > void *scs_sp; > diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h > new file mode 100644 > index 000000000000..4fa201b4fc4e > --- /dev/null > +++ b/arch/riscv/include/asm/usercfi.h 
> @@ -0,0 +1,24 @@ > +/* SPDX-License-Identifier: GPL-2.0 > + * Copyright (C) 2024 Rivos, Inc. > + * Deepak Gupta > + */ > +#ifndef _ASM_RISCV_USERCFI_H > +#define _ASM_RISCV_USERCFI_H > + > +#ifndef __ASSEMBLY__ > +#include > + > +#ifdef CONFIG_RISCV_USER_CFI > +struct cfi_status { > + unsigned long ubcfi_en : 1; /* Enable for backward cfi. */ > + unsigned long rsvd : ((sizeof(unsigned long)*8) - 1); > + unsigned long user_shdw_stk; /* Current user shadow stack pointer */ > + unsigned long shdw_stk_base; /* Base address of shadow stack */ > + unsigned long shdw_stk_size; /* size of shadow stack */ > +}; > + > +#endif /* CONFIG_RISCV_USER_CFI */ > + > +#endif /* __ASSEMBLY__ */ > + > +#endif /* _ASM_RISCV_USERCFI_H */ > diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c > index a03129f40c46..5c5ea015c776 100644 > --- a/arch/riscv/kernel/asm-offsets.c > +++ b/arch/riscv/kernel/asm-offsets.c > @@ -44,6 +44,10 @@ void asm_offsets(void) > #endif > > OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu); > +#ifdef CONFIG_RISCV_USER_CFI > + OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state); > + OFFSET(TASK_TI_USER_SSP, task_struct, thread_info.user_cfi_state.user_shdw_stk); > +#endif > OFFSET(TASK_THREAD_F0, task_struct, thread.fstate.f[0]); > OFFSET(TASK_THREAD_F1, task_struct, thread.fstate.f[1]); > OFFSET(TASK_THREAD_F2, task_struct, thread.fstate.f[2]); > diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S > index 9d1a305d5508..7245a0ea25c1 100644 > --- a/arch/riscv/kernel/entry.S > +++ b/arch/riscv/kernel/entry.S 
> @@ -60,6 +60,20 @@ SYM_CODE_START(handle_exception) > > REG_L s0, TASK_TI_USER_SP(tp) > csrrc s1, CSR_STATUS, t0 > + /* > + * If previous mode was U, capture shadow stack pointer and save it away > + * Zero CSR_SSP at the same time for sanitization. > + */ > + ALTERNATIVE("nop; nop; nop; nop", > + __stringify( \ > + andi s2, s1, SR_SPP; \ > + bnez s2, skip_ssp_save; \ > + csrrw s2, CSR_SSP, x0; \ > + REG_S s2, TASK_TI_USER_SSP(tp); \ > + skip_ssp_save:), > + 0, > + RISCV_ISA_EXT_ZICFISS, > + CONFIG_RISCV_USER_CFI) > csrr s2, CSR_EPC > csrr s3, CSR_TVAL > csrr s4, CSR_CAUSE > @@ -141,6 +155,18 @@ SYM_CODE_START_NOALIGN(ret_from_exception) > * structures again. > */ > csrw CSR_SCRATCH, tp > + > + /* > + * Going back to U mode, restore shadow stack pointer > + */ > + ALTERNATIVE("nop; nop", > + __stringify( \ > + REG_L s3, TASK_TI_USER_SSP(tp); \ > + csrw CSR_SSP, s3), > + 0, > + RISCV_ISA_EXT_ZICFISS, > + CONFIG_RISCV_USER_CFI) > + > 1: > #ifdef CONFIG_RISCV_ISA_V_PREEMPTIVE > move a0, sp > -- > 2.43.2 > Reviewed-by: Charlie Jenkins
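
Review bot: In the new arch/riscv/include/asm/usercfi.h, struct cfi_status declares ubcfi_en and rsvd as unsigned long bitfields, yet the same structure is exported to assembly through asm-offsets.c. Where the compiler places a bitfield inside the word is not something assembly can rely on, so code in entry.S could never test the enable bit by a fixed mask. A plain unsigned long status word with a #define for the backward-CFI bit would keep the layout explicit. Separately, the SPDX tag shares one comment block with the copyright text; in a header it normally stands alone on the first line as /* SPDX-License-Identifier: GPL-2.0 */.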
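
Review bot: In the asm-offsets.c hunk, TASK_TI_CFI_STATUS is defined but neither entry.S hunk in this patch references it; only TASK_TI_USER_SSP is used. Either drop it here and introduce it in the patch that first consumes it, or name that later patch in the commit message so the unused offset is not mistaken for a leftover.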
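
Review bot: In the handle_exception hunk of entry.S, skip_ssp_save: is a named label inside the ALTERNATIVE body, so it is emitted as a real symbol and will clash if this sequence is ever duplicated in the file. A numeric local label (bnez s2, 1f with a matching 1:) or a .L-prefixed label would avoid that. A short comment that the four nops must stay in step with the four replacement instructions would also help whoever extends the sequence later.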
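
Review bot: In the ret_from_exception hunk of entry.S, the restore writes CSR_SSP with no SR_SPP test of its own, whereas the save side checks the previous mode with andi s2, s1, SR_SPP before touching the CSR. The restore is only correct because it sits ahead of the 1: label, and the comment "Going back to U mode" does not say that this placement is what guarantees it. Please state that dependency in the comment, since the commit message expects kernel shadow stack support to follow and a reordering here would load the saved user value into CSR_SSP on a return to kernel mode. It would also be worth noting that s3 is free to clobber at this point.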