[PATCH v3 0/2] Rust and the shadow call stack sanitizer

[PATCH v3 0/2] Rust and the shadow call stack sanitizer

[Alice Ryhl]

This patch series makes it possible to use Rust together with the shadow
call stack sanitizer. The first patch is intended to be backported to
ensure that people don't try to use SCS with Rust on older kernel
versions. The second patch makes it possible to use Rust with the shadow
call stack sanitizer.

The second patch in this series doesn't make sense without [1], though
it doesn't break the build if [1] is missing.

Link: https://lore.kernel.org/rust-for-linux/20240701183625.665574-12-ojeda@kernel.org/ [1]
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
Changes in v3:
- Use -Zfixed-x18.
- Add logic to reject unsupported rustc versions.
- Also include a fix to be backported.
- Link to v2: https://lore.kernel.org/rust-for-linux/20240305-shadow-call-stack-v2-1-c7b4a3f4d616@google.com/

Changes in v2:
- Add -Cforce-unwind-tables flag.
- Link to v1: https://lore.kernel.org/rust-for-linux/20240304-shadow-call-stack-v1-1-f055eaf40a2c@google.com/

---
Alice Ryhl (2):
      rust: SHADOW_CALL_STACK is incompatible with Rust
      rust: add flags for shadow call stack sanitizer

 Makefile            | 1 +
 arch/Kconfig        | 1 +
 arch/arm64/Makefile | 3 +++
 3 files changed, 5 insertions(+)
---
base-commit: 83b1e6e4170cf96b2a7c49070dd43749649f454e
change-id: 20240304-shadow-call-stack-9c197a4361d9

Best regards,
-- 
Alice Ryhl <aliceryhl@google.com>

[PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust

[Alice Ryhl]

When using the shadow call stack sanitizer, all code must be compiled
with the -ffixed-x18 flag, but this flag is not currently being passed
to Rust. This results in crashes that are extremely difficult to debug.

To ensure that nobody else has to go through the same debugging session
that I had to, prevent configurations that enable both SHADOW_CALL_STACK
and RUST.

It is rather common for people to backport 724a75ac9542 ("arm64: rust:
Enable Rust support for AArch64"), so I recommend applying this fix all
the way back to 6.1.

Cc: <stable@vger.kernel.org> # 6.1 and later
Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
 arch/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/Kconfig b/arch/Kconfig
index 975dd22a2dbd..238448a9cb71 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -690,6 +690,7 @@ config SHADOW_CALL_STACK
 	bool "Shadow Call Stack"
 	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
 	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
+	depends on !RUST
 	depends on MMU
 	help
 	  This option enables the compiler's Shadow Call Stack, which

-- 
2.45.2.803.g4e1b14247a-goog

Re: [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust

[Nathan Chancellor]

On Thu, Jul 04, 2024 at 03:07:57PM +0000, Alice Ryhl wrote:
> When using the shadow call stack sanitizer, all code must be compiled
> with the -ffixed-x18 flag, but this flag is not currently being passed
> to Rust. This results in crashes that are extremely difficult to debug.
> 
> To ensure that nobody else has to go through the same debugging session
> that I had to, prevent configurations that enable both SHADOW_CALL_STACK
> and RUST.
> 
> It is rather common for people to backport 724a75ac9542 ("arm64: rust:
> Enable Rust support for AArch64"), so I recommend applying this fix all
> the way back to 6.1.
> 
> Cc: <stable@vger.kernel.org> # 6.1 and later
> Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>

Would it be better to move this to arch/arm64/Kconfig?

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 167e51067508..080907776db9 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -90,7 +90,7 @@ config ARM64
 	select ARCH_SUPPORTS_DEBUG_PAGEALLOC
 	select ARCH_SUPPORTS_HUGETLBFS
 	select ARCH_SUPPORTS_MEMORY_FAILURE
-	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
+	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST
 	select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
 	select ARCH_SUPPORTS_LTO_CLANG_THIN
 	select ARCH_SUPPORTS_CFI_CLANG

RISC-V probably needs the same change, which further leads me to believe
that this workaround should be architecture specific, as they may be
fixed and enabled at different rates.

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 6b4d71aa9bed..4d89afdd385d 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -213,6 +213,7 @@ config HAVE_SHADOW_CALL_STACK
 	def_bool $(cc-option,-fsanitize=shadow-call-stack)
 	# https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769
 	depends on $(ld-option,--no-relax-gp)
+	depends on !RUST
 
 config RISCV_USE_LINKER_RELAXATION
 	def_bool y

> ---
>  arch/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 975dd22a2dbd..238448a9cb71 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -690,6 +690,7 @@ config SHADOW_CALL_STACK
>  	bool "Shadow Call Stack"
>  	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
>  	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> +	depends on !RUST
>  	depends on MMU
>  	help
>  	  This option enables the compiler's Shadow Call Stack, which
> 
> -- 
> 2.45.2.803.g4e1b14247a-goog
> 

Re: [PATCH v3 1/2] rust: SHADOW_CALL_STACK is incompatible with Rust

[Alice Ryhl]

On Thu, Jul 4, 2024 at 6:45 PM Nathan Chancellor <nathan@kernel.org> wrote:
>
> On Thu, Jul 04, 2024 at 03:07:57PM +0000, Alice Ryhl wrote:
> > When using the shadow call stack sanitizer, all code must be compiled
> > with the -ffixed-x18 flag, but this flag is not currently being passed
> > to Rust. This results in crashes that are extremely difficult to debug.
> >
> > To ensure that nobody else has to go through the same debugging session
> > that I had to, prevent configurations that enable both SHADOW_CALL_STACK
> > and RUST.
> >
> > It is rather common for people to backport 724a75ac9542 ("arm64: rust:
> > Enable Rust support for AArch64"), so I recommend applying this fix all
> > the way back to 6.1.
> >
> > Cc: <stable@vger.kernel.org> # 6.1 and later
> > Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
> > Signed-off-by: Alice Ryhl <aliceryhl@google.com>
>
> Would it be better to move this to arch/arm64/Kconfig?
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 167e51067508..080907776db9 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -90,7 +90,7 @@ config ARM64
>         select ARCH_SUPPORTS_DEBUG_PAGEALLOC
>         select ARCH_SUPPORTS_HUGETLBFS
>         select ARCH_SUPPORTS_MEMORY_FAILURE
> -       select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
> +       select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && !RUST
>         select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
>         select ARCH_SUPPORTS_LTO_CLANG_THIN
>         select ARCH_SUPPORTS_CFI_CLANG
>
> RISC-V probably needs the same change, which further leads me to believe
> that this workaround should be architecture specific, as they may be
> fixed and enabled at different rates.
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index 6b4d71aa9bed..4d89afdd385d 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -213,6 +213,7 @@ config HAVE_SHADOW_CALL_STACK
>         def_bool $(cc-option,-fsanitize=shadow-call-stack)
>         # https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769
>         depends on $(ld-option,--no-relax-gp)
> +       depends on !RUST
>
>  config RISCV_USE_LINKER_RELAXATION
>         def_bool y

Thanks for taking a look. For now, I went with placing the `depends
on` in CONFIG_RUST as suggested by the others. This avoids cases where
enabling Rust results in changes to how mitigations are configured.

As for riscv, it doesn't need any special flags. Please see the commit
message for more details on riscv support.

https://lore.kernel.org/all/20240729-shadow-call-stack-v4-0-2a664b082ea4@google.com/

Alice

[PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

[Alice Ryhl]

As of rustc 1.80.0, the Rust compiler supports the -Zfixed-x18 flag, so
we can now use Rust with the shadow call stack sanitizer.

On older versions of Rust, it is possible to use shadow call stack by
passing -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However,
this flag emits a warning, so this patch does not add support for that.

Currently, the compiler thinks that the aarch64-unknown-none target
doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
you enable shadow call stack in non-dynamic mode. See [2] for the
feature request to add this. Kconfig is not configured to reject this
configuration because that leads to cyclic Kconfig rules.

Link: https://github.com/rust-lang/rust/issues/121972 [1]
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
 Makefile            | 1 +
 arch/Kconfig        | 2 +-
 arch/arm64/Makefile | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index c11a10c8e710..4ae741601a1c 100644
--- a/Makefile
+++ b/Makefile
@@ -945,6 +945,7 @@ ifdef CONFIG_SHADOW_CALL_STACK
 ifndef CONFIG_DYNAMIC_SCS
 CC_FLAGS_SCS	:= -fsanitize=shadow-call-stack
 KBUILD_CFLAGS	+= $(CC_FLAGS_SCS)
+KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack
 endif
 export CC_FLAGS_SCS
 endif
diff --git a/arch/Kconfig b/arch/Kconfig
index 238448a9cb71..5a6e296df5e6 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -690,7 +690,7 @@ config SHADOW_CALL_STACK
 	bool "Shadow Call Stack"
 	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
 	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
-	depends on !RUST
+	depends on !RUST || RUSTC_VERSION >= 108000
 	depends on MMU
 	help
 	  This option enables the compiler's Shadow Call Stack, which
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 3f0f35fd5bb7..bbf313ddd700 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -57,9 +57,11 @@ KBUILD_AFLAGS	+= $(call cc-option,-mabi=lp64)
 ifneq ($(CONFIG_UNWIND_TABLES),y)
 KBUILD_CFLAGS	+= -fno-asynchronous-unwind-tables -fno-unwind-tables
 KBUILD_AFLAGS	+= -fno-asynchronous-unwind-tables -fno-unwind-tables
+KBUILD_RUSTFLAGS += -Cforce-unwind-tables=n
 else
 KBUILD_CFLAGS	+= -fasynchronous-unwind-tables
 KBUILD_AFLAGS	+= -fasynchronous-unwind-tables
+KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n
 endif
 
 ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y)
@@ -114,6 +116,7 @@ endif
 
 ifeq ($(CONFIG_SHADOW_CALL_STACK), y)
 KBUILD_CFLAGS	+= -ffixed-x18
+KBUILD_RUSTFLAGS += -Zfixed-x18
 endif
 
 ifeq ($(CONFIG_CPU_BIG_ENDIAN), y)

-- 
2.45.2.803.g4e1b14247a-goog

Re: [PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

[Nathan Chancellor]

Hi Alice,

On Thu, Jul 04, 2024 at 03:07:58PM +0000, Alice Ryhl wrote:
> As of rustc 1.80.0, the Rust compiler supports the -Zfixed-x18 flag, so
> we can now use Rust with the shadow call stack sanitizer.
> 
> On older versions of Rust, it is possible to use shadow call stack by
> passing -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However,
> this flag emits a warning, so this patch does not add support for that.
> 
> Currently, the compiler thinks that the aarch64-unknown-none target
> doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
> you enable shadow call stack in non-dynamic mode. See [2] for the

                                                        ^ this should be [1]?

> feature request to add this. Kconfig is not configured to reject this
> configuration because that leads to cyclic Kconfig rules.

While it probably does not matter much given Rust for Linux is still "in
the works", I think it would be good to avoid these build failures.
Perhaps something like this could work (which basically just forces on
UNWIND_PATCH_PAC_INTO_SCS when Rust is enabled).

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 5d91259ee7b5..a9f08a2bd1c6 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -89,7 +89,7 @@ config ARM64
 	select ARCH_SUPPORTS_DEBUG_PAGEALLOC
 	select ARCH_SUPPORTS_HUGETLBFS
 	select ARCH_SUPPORTS_MEMORY_FAILURE
-	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK
+	select ARCH_SUPPORTS_SHADOW_CALL_STACK if CC_HAVE_SHADOW_CALL_STACK && (!RUST || CAN_UNWIND_PATCH_PAC_INTO_SCS)
 	select ARCH_SUPPORTS_LTO_CLANG if CPU_LITTLE_ENDIAN
 	select ARCH_SUPPORTS_LTO_CLANG_THIN
 	select ARCH_SUPPORTS_CFI_CLANG
@@ -2262,12 +2262,16 @@ config STACKPROTECTOR_PER_TASK
 	def_bool y
 	depends on STACKPROTECTOR && CC_HAVE_STACKPROTECTOR_SYSREG
 
-config UNWIND_PATCH_PAC_INTO_SCS
-	bool "Enable shadow call stack dynamically using code patching"
+config CAN_UNWIND_PATCH_PAC_INTO_SCS
+	def_bool y
 	# needs Clang with https://github.com/llvm/llvm-project/commit/de07cde67b5d205d58690be012106022aea6d2b3 incorporated
 	depends on CC_IS_CLANG && CLANG_VERSION >= 150000
 	depends on ARM64_PTR_AUTH_KERNEL && CC_HAS_BRANCH_PROT_PAC_RET
-	depends on SHADOW_CALL_STACK
+
+config UNWIND_PATCH_PAC_INTO_SCS
+	bool "Enable shadow call stack dynamically using code patching" if !RUST
+	depends on SHADOW_CALL_STACK && CAN_UNWIND_PATCH_PAC_INTO_SCS
+	default y if RUST
 	select UNWIND_TABLES
 	select DYNAMIC_SCS
 

Otherwise, it might be good to wait to enable this until [1] is
addressed, but I don't really feel that strongly about it.

From a Kconfig/Kbuild perspective, the rest of the patch seems fine.

> Link: https://github.com/rust-lang/rust/issues/121972 [1]
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> ---
>  Makefile            | 1 +
>  arch/Kconfig        | 2 +-
>  arch/arm64/Makefile | 3 +++
>  3 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/Makefile b/Makefile
> index c11a10c8e710..4ae741601a1c 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -945,6 +945,7 @@ ifdef CONFIG_SHADOW_CALL_STACK
>  ifndef CONFIG_DYNAMIC_SCS
>  CC_FLAGS_SCS	:= -fsanitize=shadow-call-stack
>  KBUILD_CFLAGS	+= $(CC_FLAGS_SCS)
> +KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack
>  endif
>  export CC_FLAGS_SCS
>  endif
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 238448a9cb71..5a6e296df5e6 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -690,7 +690,7 @@ config SHADOW_CALL_STACK
>  	bool "Shadow Call Stack"
>  	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
>  	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> -	depends on !RUST
> +	depends on !RUST || RUSTC_VERSION >= 108000
>  	depends on MMU
>  	help
>  	  This option enables the compiler's Shadow Call Stack, which
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 3f0f35fd5bb7..bbf313ddd700 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -57,9 +57,11 @@ KBUILD_AFLAGS	+= $(call cc-option,-mabi=lp64)
>  ifneq ($(CONFIG_UNWIND_TABLES),y)
>  KBUILD_CFLAGS	+= -fno-asynchronous-unwind-tables -fno-unwind-tables
>  KBUILD_AFLAGS	+= -fno-asynchronous-unwind-tables -fno-unwind-tables
> +KBUILD_RUSTFLAGS += -Cforce-unwind-tables=n
>  else
>  KBUILD_CFLAGS	+= -fasynchronous-unwind-tables
>  KBUILD_AFLAGS	+= -fasynchronous-unwind-tables
> +KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n
>  endif
>  
>  ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y)
> @@ -114,6 +116,7 @@ endif
>  
>  ifeq ($(CONFIG_SHADOW_CALL_STACK), y)
>  KBUILD_CFLAGS	+= -ffixed-x18
> +KBUILD_RUSTFLAGS += -Zfixed-x18
>  endif
>  
>  ifeq ($(CONFIG_CPU_BIG_ENDIAN), y)
> 
> -- 
> 2.45.2.803.g4e1b14247a-goog
> 

Re: [PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

[Conor Dooley]

[-- Attachment #1: Type: text/plain, Size: 2367 bytes --]

On Thu, Jul 04, 2024 at 03:07:58PM +0000, Alice Ryhl wrote:
> As of rustc 1.80.0, the Rust compiler supports the -Zfixed-x18 flag, so
> we can now use Rust with the shadow call stack sanitizer.
> 
> On older versions of Rust, it is possible to use shadow call stack by
> passing -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However,
> this flag emits a warning, so this patch does not add support for that.
> 
> Currently, the compiler thinks that the aarch64-unknown-none target
> doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
> you enable shadow call stack in non-dynamic mode. See [2] for the
> feature request to add this. Kconfig is not configured to reject this
> configuration because that leads to cyclic Kconfig rules.
> 
> Link: https://github.com/rust-lang/rust/issues/121972 [1]
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> ---
>  Makefile            | 1 +
>  arch/Kconfig        | 2 +-
>  arch/arm64/Makefile | 3 +++
>  3 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/Makefile b/Makefile
> index c11a10c8e710..4ae741601a1c 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -945,6 +945,7 @@ ifdef CONFIG_SHADOW_CALL_STACK
>  ifndef CONFIG_DYNAMIC_SCS
>  CC_FLAGS_SCS	:= -fsanitize=shadow-call-stack
>  KBUILD_CFLAGS	+= $(CC_FLAGS_SCS)
> +KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack
>  endif
>  export CC_FLAGS_SCS
>  endif
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 238448a9cb71..5a6e296df5e6 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -690,7 +690,7 @@ config SHADOW_CALL_STACK
>  	bool "Shadow Call Stack"
>  	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
>  	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> -	depends on !RUST
> +	depends on !RUST || RUSTC_VERSION >= 108000
>  	depends on MMU
>  	help
>  	  This option enables the compiler's Shadow Call Stack, which

For these security related options, like CFI_CLANG or RANDSTRUCT, I'm
inclined to say that RUST is actually what should grow the depends on.
That way it'll be RUST that gets silently disabled in configs when patch
1 gets backported (where it is mostly useless anyway) rather than SCS
nor will it disable SCS when someone enables RUST in their config,
instead it'd be a conscious choice.

Cheers,
Conor.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

[Sami Tolvanen]

On Thu, Jul 4, 2024 at 10:17 AM Conor Dooley <conor@kernel.org> wrote:
>
> For these security related options, like CFI_CLANG or RANDSTRUCT, I'm
> inclined to say that RUST is actually what should grow the depends on.
> That way it'll be RUST that gets silently disabled in configs when patch
> 1 gets backported (where it is mostly useless anyway) rather than SCS
> nor will it disable SCS when someone enables RUST in their config,
> instead it'd be a conscious choice.

I agree, we shouldn't silently disable hardening features when Rust is enabled.

Sami

Re: [PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

[Alice Ryhl]

On Tue, Jul 9, 2024 at 2:10 AM Sami Tolvanen <samitolvanen@google.com> wrote:
>
> On Thu, Jul 4, 2024 at 10:17 AM Conor Dooley <conor@kernel.org> wrote:
> >
> > For these security related options, like CFI_CLANG or RANDSTRUCT, I'm
> > inclined to say that RUST is actually what should grow the depends on.
> > That way it'll be RUST that gets silently disabled in configs when patch
> > 1 gets backported (where it is mostly useless anyway) rather than SCS
> > nor will it disable SCS when someone enables RUST in their config,
> > instead it'd be a conscious choice.
>
> I agree, we shouldn't silently disable hardening features when Rust is enabled.

That definitely wasn't my intention. I'll update it for v4.

Alice

Re: [PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

[Alice Ryhl]

On Thu, Jul 4, 2024 at 7:17 PM Conor Dooley <conor@kernel.org> wrote:
>
> On Thu, Jul 04, 2024 at 03:07:58PM +0000, Alice Ryhl wrote:
> > As of rustc 1.80.0, the Rust compiler supports the -Zfixed-x18 flag, so
> > we can now use Rust with the shadow call stack sanitizer.
> >
> > On older versions of Rust, it is possible to use shadow call stack by
> > passing -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However,
> > this flag emits a warning, so this patch does not add support for that.
> >
> > Currently, the compiler thinks that the aarch64-unknown-none target
> > doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
> > you enable shadow call stack in non-dynamic mode. See [2] for the
> > feature request to add this. Kconfig is not configured to reject this
> > configuration because that leads to cyclic Kconfig rules.
> >
> > Link: https://github.com/rust-lang/rust/issues/121972 [1]
> > Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> > ---
> >  Makefile            | 1 +
> >  arch/Kconfig        | 2 +-
> >  arch/arm64/Makefile | 3 +++
> >  3 files changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/Makefile b/Makefile
> > index c11a10c8e710..4ae741601a1c 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -945,6 +945,7 @@ ifdef CONFIG_SHADOW_CALL_STACK
> >  ifndef CONFIG_DYNAMIC_SCS
> >  CC_FLAGS_SCS := -fsanitize=shadow-call-stack
> >  KBUILD_CFLAGS        += $(CC_FLAGS_SCS)
> > +KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack
> >  endif
> >  export CC_FLAGS_SCS
> >  endif
> > diff --git a/arch/Kconfig b/arch/Kconfig
> > index 238448a9cb71..5a6e296df5e6 100644
> > --- a/arch/Kconfig
> > +++ b/arch/Kconfig
> > @@ -690,7 +690,7 @@ config SHADOW_CALL_STACK
> >       bool "Shadow Call Stack"
> >       depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
> >       depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> > -     depends on !RUST
> > +     depends on !RUST || RUSTC_VERSION >= 108000
> >       depends on MMU
> >       help
> >         This option enables the compiler's Shadow Call Stack, which
>
> For these security related options, like CFI_CLANG or RANDSTRUCT, I'm
> inclined to say that RUST is actually what should grow the depends on.
> That way it'll be RUST that gets silently disabled in configs when patch
> 1 gets backported (where it is mostly useless anyway) rather than SCS
> nor will it disable SCS when someone enables RUST in their config,
> instead it'd be a conscious choice.

Okay, I'll make that change. I suspect this will also break the
Kconfig cycle mentioned in the commit message. Thanks for the
suggestion!

Alice