From: Deepak Gupta <debug@rivosinc.com>
To: qemu-riscv@nongnu.org, qemu-devel@nongnu.org, jim.shu@sifive.com,
andy.chiu@sifive.com, jesse.huang@sifive.com,
kito.cheng@sifive.com
Cc: palmer@dabbelt.com, Alistair.Francis@wdc.com, laurent@vivier.eu,
bmeng.cn@gmail.com, liwei1518@gmail.com,
dbarboza@ventanamicro.com, zhiwei_liu@linux.alibaba.com,
Deepak Gupta <debug@rivosinc.com>
Subject: [PATCH 16/24] target/riscv: shadow stack mmu index for shadow stack instructions
Date: Thu, 25 Jul 2024 16:46:05 -0700 [thread overview]
Message-ID: <20240725234614.3850142-17-debug@rivosinc.com> (raw)
In-Reply-To: <20240725234614.3850142-1-debug@rivosinc.com>
Shadow stack instructions shadow stack mmu index for load/stores.
`MMU_IDX_SS_ACCESS` at bit positon 3 is used as shadow stack index.
Shadow stack mmu index depend on privilege and SUM bit. If shadow stack
accesses happening in user mode, shadow stack mmu index = 0b1000. If
shaodw stack access happening in supervisor mode mmu index = 0b1001. If
shadow stack access happening in supervisor mode with SUM=1 then mmu
index = 0b1010
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
target/riscv/cpu.h | 13 +++++++++++++
target/riscv/cpu_helper.c | 3 +++
target/riscv/insn_trans/trans_rva.c.inc | 8 ++++++++
target/riscv/internals.h | 1 +
target/riscv/translate.c | 25 +++++++++++++++++++++++++
5 files changed, 50 insertions(+)
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 0e0a9d2be1..82475490ab 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -614,6 +614,19 @@ FIELD(TB_FLAGS, AXL, 26, 2)
FIELD(TB_FLAGS, FCFI_LP_EXPECTED, 28, 1)
/* zicfiss needs a TB flag so that correct TB is located based on tb flags */
FIELD(TB_FLAGS, BCFI_ENABLED, 29, 1)
+/*
+ * zicfiss shadow stack is special memory on which regular stores aren't
+ * allowed but shadow stack stores are allowed. Shadow stack stores can
+ * happen as `sspush` or `ssamoswap` instructions. `sspush` implicitly
+ * takes shadow stack address from CSR_SSP. But `ssamoswap` takes address
+ * from encoded input register and it will be used by supervisor software
+ * to access (read/write) user shadow stack for setting up rt_frame during
+ * signal delivery. Supervisor software will do so by setting SUM=1. Thus
+ * a TB flag is needed if SUM was 1 during TB generation to correctly
+ * reflect memory permissions to access shadow stack user memory from
+ * supervisor mode.
+ */
+FIELD(TB_FLAGS, SUM, 30, 1)
#ifdef TARGET_RISCV32
#define riscv_cpu_mxl(env) ((void)(env), MXL_RV32)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 7942587a56..b2bb1e4293 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -180,6 +180,9 @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc,
fs = EXT_STATUS_DIRTY;
vs = EXT_STATUS_DIRTY;
#else
+ flags = FIELD_DP32(flags, TB_FLAGS, SUM,
+ ((env->mstatus & MSTATUS_SUM) == MSTATUS_SUM));
+
flags = FIELD_DP32(flags, TB_FLAGS, PRIV, env->priv);
flags |= riscv_env_mmu_index(env, 0);
diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
index db6c03f6a8..68b71339a3 100644
--- a/target/riscv/insn_trans/trans_rva.c.inc
+++ b/target/riscv/insn_trans/trans_rva.c.inc
@@ -132,6 +132,10 @@ static bool trans_ssamoswap_w(DisasContext *ctx, arg_amoswap_w *a)
decode_save_opc(ctx);
src1 = get_address(ctx, a->rs1, 0);
+#ifndef CONFIG_USER_ONLY
+ /* Shadow stack access and thus index is SS TLB index */
+ ss_mmu_idx = get_ss_index(ctx);
+#endif
tcg_gen_atomic_xchg_tl(dest, src1, src2, ss_mmu_idx, (MO_ALIGN | MO_TESL));
gen_set_gpr(ctx, a->rd, dest);
@@ -224,6 +228,10 @@ static bool trans_ssamoswap_d(DisasContext *ctx, arg_amoswap_w *a)
decode_save_opc(ctx);
src1 = get_address(ctx, a->rs1, 0);
+#ifndef CONFIG_USER_ONLY
+ /* Shadow stack access and thus index is SS TLB index */
+ ss_mmu_idx = get_ss_index(ctx);
+#endif
tcg_gen_atomic_xchg_tl(dest, src1, src2, ss_mmu_idx, (MO_ALIGN | MO_TESQ));
gen_set_gpr(ctx, a->rd, dest);
diff --git a/target/riscv/internals.h b/target/riscv/internals.h
index dad0657c80..5147d6bf90 100644
--- a/target/riscv/internals.h
+++ b/target/riscv/internals.h
@@ -32,6 +32,7 @@
* - S+SUM+2STAGE 0b110
* - Shadow stack+U 0b1000
* - Shadow stack+S 0b1001
+ * - Shadow stack+SUM 0b1010
*/
#define MMUIdx_U 0
#define MMUIdx_S 1
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 9152a963ee..ad0f841807 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -123,6 +123,8 @@ typedef struct DisasContext {
bool fcfi_lp_expected;
/* zicfiss extension, if shadow stack was enabled during TB gen */
bool bcfi_enabled;
+ /* SUM was on during tb translation? */
+ bool sum;
} DisasContext;
static inline bool has_ext(DisasContext *ctx, uint32_t ext)
@@ -1128,6 +1130,29 @@ static uint32_t opcode_at(DisasContextBase *dcbase, target_ulong pc)
return translator_ldl(env, &ctx->base, pc);
}
+#ifndef CONFIG_USER_ONLY
+static unsigned int get_ss_index(DisasContext *ctx)
+{
+ int ss_mmu_idx = MMU_IDX_SS_ACCESS;
+
+ /*
+ * If priv mode is S then a separate index for supervisor
+ * shadow stack accesses
+ */
+ if (ctx->priv == PRV_S) {
+ ss_mmu_idx |= MMUIdx_S;
+ }
+
+ /* If SUM was set, SS index should have S cleared */
+ if (ctx->sum) {
+ ss_mmu_idx &= ~(MMUIdx_S);
+ ss_mmu_idx |= MMUIdx_S_SUM;
+ }
+
+ return ss_mmu_idx;
+}
+#endif
+
/* Include insn module translation function */
#include "insn_trans/trans_rvi.c.inc"
#include "insn_trans/trans_rvm.c.inc"
--
2.44.0
next prev parent reply other threads:[~2024-07-25 23:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 23:45 [PATCH 00/24] riscv support for control flow integrity extensions Deepak Gupta
2024-07-25 23:45 ` [PATCH 01/24] target/riscv: Add zicfilp extension Deepak Gupta
2024-07-25 23:45 ` [PATCH 02/24] target/riscv: Introduce elp state and enabling controls for zicfilp Deepak Gupta
2024-07-25 23:45 ` [PATCH 03/24] target/riscv: save and restore elp state on priv transitions Deepak Gupta
2024-07-25 23:45 ` [PATCH 04/24] target/riscv: additional code information for sw check Deepak Gupta
2024-07-25 23:45 ` [PATCH 05/24] target/riscv: tracking indirect branches (fcfi) for zicfilp Deepak Gupta
2024-07-25 23:45 ` [PATCH 06/24] target/riscv: zicfilp `lpad` impl and branch tracking Deepak Gupta
2024-07-25 23:45 ` [PATCH 07/24] disas/riscv: enabled `lpad` disassembly Deepak Gupta
2024-07-25 23:45 ` [PATCH 08/24] linux-user/syscall: introduce prctl for indirect branch tracking Deepak Gupta
2024-07-25 23:45 ` [PATCH 09/24] linux-user/riscv: implement indirect branch tracking prctls Deepak Gupta
2024-07-25 23:45 ` [PATCH 10/24] target/riscv: Add zicfiss extension Deepak Gupta
2024-07-25 23:46 ` [PATCH 11/24] target/riscv: introduce ssp and enabling controls for zicfiss Deepak Gupta
2024-07-25 23:46 ` [PATCH 12/24] target/riscv: tb flag for shadow stack instructions Deepak Gupta
2024-07-25 23:46 ` [PATCH 13/24] target/riscv: implement zicfiss instructions Deepak Gupta
2024-07-25 23:46 ` [PATCH 14/24] target/riscv: compressed encodings for sspush and sspopchk Deepak Gupta
2024-07-25 23:46 ` [PATCH 15/24] target/riscv: mmu changes for zicfiss shadow stack protection Deepak Gupta
2024-07-25 23:46 ` Deepak Gupta [this message]
2024-07-25 23:46 ` [PATCH 17/24] linux-user/syscall: introduce prctl for shadow stack enable/disable Deepak Gupta
2024-07-25 23:46 ` [PATCH 18/24] linux-user/riscv: setup/teardown zicfiss shadow stack for qemu-user Deepak Gupta
2024-07-25 23:46 ` [PATCH 19/24] disas/riscv: enable disassembly for zicfiss instructions Deepak Gupta
2024-07-25 23:46 ` [PATCH 20/24] disas/riscv: enable disassembly for compressed sspush/sspopchk Deepak Gupta
2024-07-25 23:46 ` [PATCH 21/24] target/riscv: add trace-hooks for each case of sw-check exception Deepak Gupta
2024-07-25 23:46 ` [PATCH 22/24] linux-user: permit RISC-V CFI dynamic entry in VDSO Deepak Gupta
2024-07-25 23:46 ` [PATCH 23/24] linux-user: Add RISC-V zicfilp support " Deepak Gupta
2024-07-25 23:46 ` [PATCH 24/24] linux-user/riscv: Adding zicfiss/lp extension in hwprobe syscall Deepak Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240725234614.3850142-17-debug@rivosinc.com \
--to=debug@rivosinc.com \
--cc=Alistair.Francis@wdc.com \
--cc=andy.chiu@sifive.com \
--cc=bmeng.cn@gmail.com \
--cc=dbarboza@ventanamicro.com \
--cc=jesse.huang@sifive.com \
--cc=jim.shu@sifive.com \
--cc=kito.cheng@sifive.com \
--cc=laurent@vivier.eu \
--cc=liwei1518@gmail.com \
--cc=palmer@dabbelt.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-riscv@nongnu.org \
--cc=zhiwei_liu@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).