From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org, Pierrick Bouvier <pierrick.bouvier@linaro.org>
Subject: [PATCH v7 69/73] linux-user/aarch64: Generate GCS signal records
Date: Wed,  8 Oct 2025 14:56:09 -0700	[thread overview]
Message-ID: <20251008215613.300150-70-richard.henderson@linaro.org> (raw)
In-Reply-To: <20251008215613.300150-1-richard.henderson@linaro.org>

Here we must push a cap onto the GCS stack on signal delivery and pop it
again on sigreturn, in addition to writing the gcs record to the normal
stack signal frame.

Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/aarch64/signal.c | 138 ++++++++++++++++++++++++++++++++++--
 1 file changed, 132 insertions(+), 6 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index ef97be3ac7..f7edfa249e 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -22,6 +22,7 @@
 #include "signal-common.h"
 #include "linux-user/trace.h"
 #include "target/arm/cpu-features.h"
+#include "gcs-internal.h"
 
 struct target_sigcontext {
     uint64_t fault_address;
@@ -152,6 +153,16 @@ struct target_zt_context {
 QEMU_BUILD_BUG_ON(TARGET_ZT_SIG_REG_BYTES != \
                   sizeof_field(CPUARMState, za_state.zt0));
 
+#define TARGET_GCS_MAGIC       0x47435300
+#define GCS_SIGNAL_CAP(X)      ((X) & TARGET_PAGE_MASK)
+
+struct target_gcs_context {
+    struct target_aarch64_ctx head;
+    uint64_t gcspr;
+    uint64_t features_enabled;
+    uint64_t reserved;
+};
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
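Review bot: GCS_SIGNAL_CAP masks with TARGET_PAGE_MASK, which for aarch64 linux-user follows the host page size if TARGET_PAGE_BITS_VARY applies to this target, whereas the kernel's cap encoding (as far as I recall, a 52-bit address field above a 12-bit token) is fixed at 4K granularity. On a 16K or 64K host the cap value QEMU writes and checks would then differ from what a real kernel produces, which matters to any user code that inspects the token. If the kernel format is indeed fixed, `#define GCS_SIGNAL_CAP(X) ((X) & ~(uint64_t)0xfff)` avoids the dependency; either way a one-line comment stating the intended encoding, e.g. `/* Signal cap: cap slot address with the 12-bit token field clear. */`, would help.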
@@ -322,6 +333,35 @@ static void target_setup_zt_record(struct target_zt_context *zt,
     }
 }
 
+static bool target_setup_gcs_record(struct target_gcs_context *ctx,
+                                    CPUARMState *env, uint64_t return_addr)
+{
+    uint64_t mode = gcs_get_el0_mode(env);
+    uint64_t gcspr = env->cp15.gcspr_el[0];
+
+    if (mode & PR_SHADOW_STACK_ENABLE) {
+        /* Push a cap for the signal frame. */
+        gcspr -= 8;
+        if (put_user_u64(GCS_SIGNAL_CAP(gcspr), gcspr)) {
+            return false;
+        }
+
+        /* Push a gcs entry for the trampoline. */
+        if (put_user_u64(return_addr, gcspr - 8)) {
+            return false;
+        }
+        env->cp15.gcspr_el[0] = gcspr - 8;
+    }
+
+    __put_user(TARGET_GCS_MAGIC, &ctx->head.magic);
+    __put_user(sizeof(*ctx), &ctx->head.size);
+    __put_user(gcspr, &ctx->gcspr);
+    __put_user(mode, &ctx->features_enabled);
+    __put_user(0, &ctx->reserved);
+
+    return true;
+}
+
 static void target_restore_general_frame(CPUARMState *env,
                                          struct target_rt_sigframe *sf)
 {
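Review bot: target_setup_gcs_record has no header comment, and the relationship between the two pushes and the recorded gcspr is not obvious from the code. Suggest adding above it: `/* Write the gcs record; with GCS enabled, also push a signal cap at gcspr-8 and the trampoline address at gcspr-16, leaving GCSPR_EL0 at the trampoline entry. ctx->gcspr records the cap slot, which sigreturn validates and clears. */`. A return-value note would also help: `/* Returns false if a push faults; the caller then delivers SIGSEGV. */`.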
@@ -502,6 +542,64 @@ static bool target_restore_zt_record(CPUARMState *env,
     return true;
 }
 
+static bool target_restore_gcs_record(CPUARMState *env,
+                                      struct target_gcs_context *ctx,
+                                      bool *rebuild_hflags)
+{
+    TaskState *ts = get_task_state(env_cpu(env));
+    uint64_t cur_mode = gcs_get_el0_mode(env);
+    uint64_t new_mode, gcspr;
+
+    __get_user(new_mode, &ctx->features_enabled);
+    __get_user(gcspr, &ctx->gcspr);
+
+    /*
+     * The kernel pushes the value through the hw register:
+     * write_sysreg_s(gcspr, SYS_GCSPR_EL0) in restore_gcs_context,
+     * then read_sysreg_s(SYS_GCSPR_EL0) in gcs_restore_signal.
+     * Since the bottom 3 bits are RES0, this can (CONSTRAINED UNPREDICTABLE)
+     * force align the value.  Mirror the choice from gcspr_write().
+     */
+    gcspr &= ~7;
+
+    if (new_mode & ~(PR_SHADOW_STACK_ENABLE |
+                     PR_SHADOW_STACK_WRITE |
+                     PR_SHADOW_STACK_PUSH)) {
+        return false;
+    }
+    if ((new_mode ^ cur_mode) & ts->gcs_el0_locked) {
+        return false;
+    }
+    if (new_mode & ~cur_mode & PR_SHADOW_STACK_ENABLE) {
+        return false;
+    }
+
+    if (new_mode & PR_SHADOW_STACK_ENABLE) {
+        uint64_t cap;
+
+        /* Pop and clear the signal cap. */
+        if (get_user_u64(cap, gcspr)) {
+            return false;
+        }
+        if (cap != GCS_SIGNAL_CAP(gcspr)) {
+            return false;
+        }
+        if (put_user_u64(0, gcspr)) {
+            return false;
+        }
+        gcspr += 8;
+    } else {
+        new_mode = 0;
+    }
+
+    env->cp15.gcspr_el[0] = gcspr;
+    if (new_mode != cur_mode) {
+        *rebuild_hflags = true;
+        gcs_set_el0_mode(env, new_mode);
+    }
+    return true;
+}
+
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
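Review bot: Nothing in target_restore_gcs_record verifies that the frame-supplied gcspr points into a shadow-stack mapping: the get_user_u64 and put_user_u64 at the cap pop only require ordinary read/write permission, so a forged frame whose gcspr points at any writable memory holding the value GCS_SIGNAL_CAP(gcspr) passes the check and moves GCSPR_EL0 off the shadow stack. In the kernel, as far as I recall, the equivalent accesses use GCS-specific loads/stores that fault on non-GCS pages, which is what closes that hole. If the series gives GCS mappings a dedicated page flag, a `page_check_range(gcspr, 8, <gcs flag>)` test before the pop would restore the property; if it does not, a comment such as `/* NOTE: the cap pop does not verify that gcspr is a GCS page. */` at least documents the gap. The `gcspr &= ~7` alignment is fine since the int -8 widens to an all-ones-above-bit-3 mask.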
@@ -511,8 +609,10 @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_za_context *za = NULL;
     struct target_tpidr2_context *tpidr2 = NULL;
     struct target_zt_context *zt = NULL;
+    struct target_gcs_context *gcs = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
+    bool rebuild_hflags = false;
     int sve_size = 0;
     int za_size = 0;
     int zt_size = 0;
@@ -582,6 +682,15 @@ static int target_restore_sigframe(CPUARMState *env,
             zt_size = size;
             break;
 
+        case TARGET_GCS_MAGIC:
+            if (gcs
+                || size != sizeof(struct target_gcs_context)
+                || !cpu_isar_feature(aa64_gcs, env_archcpu(env))) {
+                goto err;
+            }
+            gcs = (struct target_gcs_context *)ctx;
+            break;
+
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
                 goto err;
@@ -612,6 +721,10 @@ static int target_restore_sigframe(CPUARMState *env,
         goto err;
     }
 
+    if (gcs && !target_restore_gcs_record(env, gcs, &rebuild_hflags)) {
+        goto err;
+    }
+
     /* SVE data, if present, overwrites FPSIMD data.  */
     if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
         goto err;
@@ -631,6 +744,9 @@ static int target_restore_sigframe(CPUARMState *env,
     }
     if (env->svcr != svcr) {
         env->svcr = svcr;
+        rebuild_hflags = true;
+    }
+    if (rebuild_hflags) {
         arm_rebuild_hflags(env);
     }
     unlock_user(extra, extra_datap, 0);
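Review bot: The GCS record is applied, invalidating the cap and updating mode and GCSPR_EL0, before the SVE, ZA and ZT records are validated, so a frame that passes the GCS checks but fails a later record reaches err with the shadow-stack state already consumed. The kernel, as far as I recall, pops the cap only after the rest of the frame has been restored successfully. Moving the `target_restore_gcs_record` call below the ZT restore, or splitting validation from the side effects, would keep the error path from consuming the token; the function's tail and the err label are outside this hunk, so the exact placement needs checking there.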
@@ -701,7 +817,7 @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                uc.tuc_mcontext.__reserved),
     };
     int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0, tpidr2_ofs = 0;
-    int zt_ofs = 0, esr_ofs = 0;
+    int zt_ofs = 0, esr_ofs = 0, gcs_ofs = 0;
     int sve_size = 0, za_size = 0, tpidr2_size = 0, zt_size = 0;
     struct target_rt_sigframe *frame;
     struct target_rt_frame_record *fr;
@@ -720,6 +836,11 @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                        &layout);
     }
 
+    if (env->cp15.gcspr_el[0]) {
+        gcs_ofs = alloc_sigframe_space(sizeof(struct target_gcs_context),
+                                       &layout);
+    }
+
     /* SVE state needs saving only if it exists.  */
     if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
         cpu_isar_feature(aa64_sme, env_archcpu(env))) {
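Review bot: The record is allocated whenever GCSPR_EL0 is non-zero rather than when PR_SHADOW_STACK_ENABLE is set, and the reason is not stated, so a reader may take the condition for a bug. Suggest `/* Emit the record whenever a GCS has been assigned, not only when enabled, so that sigreturn can still validate features_enabled. */` above the if, since target_restore_gcs_record checks the mode bits regardless of the enable state.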
@@ -779,6 +900,12 @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         goto give_sigsegv;
     }
 
+    if (ka->sa_flags & TARGET_SA_RESTORER) {
+        return_addr = ka->sa_restorer;
+    } else {
+        return_addr = default_rt_sigreturn;
+    }
+
     target_setup_general_frame(frame, env, set);
     target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
     if (esr_ofs) {
@@ -786,6 +913,10 @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         /* Leave ESR_EL1 clear while it's not relevant. */
         env->cp15.esr_el[1] = 0;
     }
+    if (gcs_ofs &&
+        !target_setup_gcs_record((void *)frame + gcs_ofs, env, return_addr)) {
+        goto give_sigsegv;
+    }
     target_setup_end_record((void *)frame + layout.std_end_ofs);
     if (layout.extra_ofs) {
         target_setup_extra_record((void *)frame + layout.extra_ofs,
@@ -811,11 +942,6 @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
     __put_user(env->xregs[29], &fr->fp);
     __put_user(env->xregs[30], &fr->lr);
 
-    if (ka->sa_flags & TARGET_SA_RESTORER) {
-        return_addr = ka->sa_restorer;
-    } else {
-        return_addr = default_rt_sigreturn;
-    }
     env->xregs[0] = usig;
     env->xregs[29] = frame_addr + fr_ofs;
     env->xregs[30] = return_addr;
-- 
2.43.0


