Re: [RFC PATCH v1 07/28] riscv: kernel handling on trap entry/exit for user cfi

From: "Stefan O'Rear" <sorear@fastmail.com>
To: debug <debug@rivosinc.com>,
	rick.p.edgecombe@intel.com, broonie@kernel.org,
	Szabolcs.Nagy@arm.com,
	"kito.cheng@sifive.com" <kito.cheng@sifive.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Andrew Jones" <ajones@ventanamicro.com>,
	paul.walmsley@sifive.com, "Palmer Dabbelt" <palmer@dabbelt.com>,
	"Conor Dooley" <conor.dooley@microchip.com>,
	cleger@rivosinc.com, "Atish Patra" <atishp@atishpatra.org>,
	"Alexandre Ghiti" <alex@ghiti.fr>,
	"Björn Töpel" <bjorn@rivosinc.com>,
	"Alexandre Ghiti" <alexghiti@rivosinc.com>
Cc: "Jonathan Corbet" <corbet@lwn.net>,
	"Albert Ou" <aou@eecs.berkeley.edu>,
	oleg@redhat.com, akpm@linux-foundation.org, arnd@arndb.de,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	shuah@kernel.org, "Christian Brauner" <brauner@kernel.org>,
	guoren <guoren@kernel.org>,
	samitolvanen@google.com, "Evan Green" <evan@rivosinc.com>,
	xiao.w.wang@intel.com, "Anup Patel" <apatel@ventanamicro.com>,
	mchitale@ventanamicro.com, waylingii@gmail.com,
	greentime.hu@sifive.com, "Heiko Stuebner" <heiko@sntech.de>,
	"Jisheng Zhang" <jszhang@kernel.org>,
	shikemeng@huaweicloud.com, david@redhat.com,
	"Charlie Jenkins" <charlie@rivosinc.com>,
	panqinglin2020@iscas.ac.cn, willy@infradead.org,
	"Vincent Chen" <vincent.chen@sifive.com>,
	"Andy Chiu" <andy.chiu@sifive.com>,
	"Greg Ungerer" <gerg@kernel.org>,
	jeeheng.sia@starfivetech.com, mason.huo@starfivetech.com,
	ancientmodern4@gmail.com, mathis.salmen@matsal.de,
	cuiyunhui@bytedance.com, bhe@redhat.com, chenjiahao16@huawei.com,
	ruscur@russell.cc, bgray@linux.ibm.com, alx@kernel.org,
	baruch@tkos.co.il, zhangqing@loongson.cn,
	"Catalin Marinas" <catalin.marinas@arm.com>,
	revest@chromium.org, josh@joshtriplett.org, joey.gouly@arm.com,
	shr@devkernel.io, omosnace@redhat.com, ojeda@kernel.org,
	jhubbard@nvidia.com, linux-doc@vger.kernel.org,
	linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, linux-arch@vger.kernel.org,
	linux-kselftest@vger.kernel.org
Subject: Re: [RFC PATCH v1 07/28] riscv: kernel handling on trap entry/exit for user cfi
Date: Thu, 25 Jan 2024 02:29:01 -0500	[thread overview]
Message-ID: <ab343d4b-d8b0-47fc-8040-83313a3d735e@app.fastmail.com> (raw)
In-Reply-To: <20240125062739.1339782-8-debug@rivosinc.com>

On Thu, Jan 25, 2024, at 1:21 AM, debug@rivosinc.com wrote:
> From: Deepak Gupta <debug@rivosinc.com>
>
> Carves out space in arch specific thread struct for cfi status and shadow stack
> in usermode on riscv.
>
> This patch does following
> - defines a new structure cfi_status with status bit for cfi feature
> - defines shadow stack pointer, base and size in cfi_status structure
> - defines offsets to new member fields in thread in asm-offsets.c
> - Saves and restore shadow stack pointer on trap entry (U --> S) and exit
>   (S --> U)
>
> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> ---
>  arch/riscv/include/asm/processor.h   |  1 +
>  arch/riscv/include/asm/thread_info.h |  3 +++
>  arch/riscv/include/asm/usercfi.h     | 24 ++++++++++++++++++++++++
>  arch/riscv/kernel/asm-offsets.c      |  5 ++++-
>  arch/riscv/kernel/entry.S            | 25 +++++++++++++++++++++++++
>  5 files changed, 57 insertions(+), 1 deletion(-)
>  create mode 100644 arch/riscv/include/asm/usercfi.h
>
> diff --git a/arch/riscv/include/asm/processor.h 
> b/arch/riscv/include/asm/processor.h
> index ee2f51787ff8..d4dc298880fc 100644
> --- a/arch/riscv/include/asm/processor.h
> +++ b/arch/riscv/include/asm/processor.h
> @@ -14,6 +14,7 @@
> 
>  #include <asm/ptrace.h>
>  #include <asm/hwcap.h>
> +#include <asm/usercfi.h>
> 
>  #ifdef CONFIG_64BIT
>  #define DEFAULT_MAP_WINDOW	(UL(1) << (MMAP_VA_BITS - 1))
> diff --git a/arch/riscv/include/asm/thread_info.h 
> b/arch/riscv/include/asm/thread_info.h
> index 320bc899a63b..6a2acecec546 100644
> --- a/arch/riscv/include/asm/thread_info.h
> +++ b/arch/riscv/include/asm/thread_info.h
> @@ -58,6 +58,9 @@ struct thread_info {
>  	int			cpu;
>  	unsigned long		syscall_work;	/* SYSCALL_WORK_ flags */
>  	unsigned long envcfg;
> +#ifdef CONFIG_RISCV_USER_CFI
> +	struct cfi_status       user_cfi_state;
> +#endif
>  #ifdef CONFIG_SHADOW_CALL_STACK
>  	void			*scs_base;
>  	void			*scs_sp;
> diff --git a/arch/riscv/include/asm/usercfi.h 
> b/arch/riscv/include/asm/usercfi.h
> new file mode 100644
> index 000000000000..080d7077d12c
> --- /dev/null
> +++ b/arch/riscv/include/asm/usercfi.h
> @@ -0,0 +1,24 @@
> +/* SPDX-License-Identifier: GPL-2.0
> + * Copyright (C) 2023 Rivos, Inc.
> + * Deepak Gupta <debug@rivosinc.com>
> + */
> +#ifndef _ASM_RISCV_USERCFI_H
> +#define _ASM_RISCV_USERCFI_H
> +
> +#ifndef __ASSEMBLY__
> +#include <linux/types.h>
> +
> +#ifdef CONFIG_RISCV_USER_CFI
> +struct cfi_status {
> +	unsigned long ubcfi_en : 1; /* Enable for backward cfi. */
> +	unsigned long rsvd : ((sizeof(unsigned long)*8) - 1);
> +	unsigned long user_shdw_stk; /* Current user shadow stack pointer */
> +	unsigned long shdw_stk_base; /* Base address of shadow stack */
> +	unsigned long shdw_stk_size; /* size of shadow stack */
> +};
> +
> +#endif /* CONFIG_RISCV_USER_CFI */
> +
> +#endif /* __ASSEMBLY__ */
> +
> +#endif /* _ASM_RISCV_USERCFI_H */
> diff --git a/arch/riscv/kernel/asm-offsets.c 
> b/arch/riscv/kernel/asm-offsets.c
> index cdd8f095c30c..5e1f412e96ba 100644
> --- a/arch/riscv/kernel/asm-offsets.c
> +++ b/arch/riscv/kernel/asm-offsets.c
> @@ -43,8 +43,11 @@ void asm_offsets(void)
>  #ifdef CONFIG_SHADOW_CALL_STACK
>  	OFFSET(TASK_TI_SCS_SP, task_struct, thread_info.scs_sp);
>  #endif
> -
>  	OFFSET(TASK_TI_CPU_NUM, task_struct, thread_info.cpu);
> +#ifdef CONFIG_RISCV_USER_CFI
> +	OFFSET(TASK_TI_CFI_STATUS, task_struct, thread_info.user_cfi_state);
> +	OFFSET(TASK_TI_USER_SSP, task_struct, 
> thread_info.user_cfi_state.user_shdw_stk);
> +#endif
>  	OFFSET(TASK_THREAD_F0,  task_struct, thread.fstate.f[0]);
>  	OFFSET(TASK_THREAD_F1,  task_struct, thread.fstate.f[1]);
>  	OFFSET(TASK_THREAD_F2,  task_struct, thread.fstate.f[2]);
> diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
> index 63c3855ba80d..410659e2eadb 100644
> --- a/arch/riscv/kernel/entry.S
> +++ b/arch/riscv/kernel/entry.S
> @@ -49,6 +49,21 @@ SYM_CODE_START(handle_exception)
>  	REG_S x5,  PT_T0(sp)
>  	save_from_x6_to_x31
> 
> +#ifdef CONFIG_RISCV_USER_CFI
> +	/*
> +	* we need to save cfi status only when previous mode was U
> +	*/
> +	csrr s2, CSR_STATUS
> +	andi s2, s2, SR_SPP
> +	bnez s2, skip_bcfi_save
> +	/* load cfi status word */
> +	lw s3, TASK_TI_CFI_STATUS(tp)
> +	andi s3, s3, 1
> +	beqz s3, skip_bcfi_save
> +	csrr s3, CSR_SSP
> +	REG_S s3, TASK_TI_USER_SSP(tp) /* save user ssp in thread_info */
> +skip_bcfi_save:
> +#endif
>  	/*
>  	 * Disable user-mode memory access as it should only be set in the
>  	 * actual user copy routines.
> @@ -141,6 +156,16 @@ SYM_CODE_START_NOALIGN(ret_from_exception)
>  	 * structures again.
>  	 */
>  	csrw CSR_SCRATCH, tp
> +
> +#ifdef CONFIG_RISCV_USER_CFI
> +	lw s3, TASK_TI_CFI_STATUS(tp)
> +	andi s3, s3, 1
> +	beqz s3, skip_bcfi_resume
> +	REG_L s3, TASK_TI_USER_SSP(tp) /* restore user ssp from thread struct */
> +	csrw CSR_SSP, s3
> +skip_bcfi_resume:
> +#endif
> +

We shouldn't need any of this in the entry/exit code, at least as long as
the kernel itself is not using Zicfiss.  ssp can keep its value in the
kernel and swap it on task switches.  Our entry/exit code is rather short
and I'd like to keep it that way.

-s

>  1:
>  	REG_L a0, PT_STATUS(sp)
>  	/*
> -- 
> 2.43.0
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv