ort for riscv control flow
integrity for user mode programs can be compiled in the kernel.
- Enabling of control flow integrity for user programs is left to user runtime
- This patch series introduces arch agnostic `prctls` to enable shadow stack
and indirect branch tracking. And implements them on
Signed-off-by: Mark Brown
Reviewed-by: Rick Edgecombe
Reviewed-by: Deepak Gupta
Signed-off-by: Deepak Gupta
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
mm/Kconfig | 6 ++
4 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86
vma
or not.
Signed-off-by: Deepak Gupta
---
include/linux/mm.h | 7 ++-
mm/gup.c | 2 +-
mm/internal.h | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index e39796ea17db..f0dc94fb782a 100644
--- a/include/linux/
fork(), setting the value for the
init task sets the default value for all other threads.
Reviewed-by: Andrew Jones
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holland
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/switch_to.h | 8
arch/riscv/include/asm/thread_info.h | 1
riscv will need an implementation for exit_thread to clean up shadow stack
when thread exits. If current thread had shadow stack enabled, shadow
stack is allocated by default for any new thread.
Signed-off-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/Kconfig | 1
Make an entry for cfi extensions in extensions.yaml.
Signed-off-by: Deepak Gupta
---
.../devicetree/bindings/riscv/extensions.yaml| 12
1 file changed, 12 insertions(+)
diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml
b/Documentation/devicetree
feature bitmap. Furthermore this patch adds detection
utility functions to return whether shadow stack or landing pads are
supported by cpu.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/cpufeature.h | 13 +
arch/riscv/include/asm/hwcap.h | 2 ++
arch/riscv/include/asm
-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/include/asm/csr.h | 16
1 file changed, 16 insertions(+)
diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h
index 25966995da04..af7ed9bedaee 100644
--- a/arch/riscv/include/asm/csr.h
+++ b/arch
shadow stack, that means that it needs to be
supported. And thus save/restore of shadow stack pointer in entry.S instead
of in `switch_to.h`.
Signed-off-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/include/asm/processor.h | 1 +
arch/riscv/include/asm/thread_info.h | 3 +++
encodings.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/mman.h| 24
arch/riscv/include/asm/pgtable.h | 1 +
arch/riscv/kernel/sys_riscv.c| 10 ++
arch/riscv/mm/init.c | 2 +-
mm/mmap.c| 1 +
5 files changed, 37
This patch implements creating shadow stack pte (on riscv). Creating
shadow stack PTE on riscv means that clearing RWX and then setting W=1.
Signed-off-by: Deepak Gupta
Reviewed-by: Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 10 ++
1 file changed, 10 insertions(+)
diff
can select write PTE encoding based on VMA range (i.e.
VM_SHADOW_STACK)
Signed-off-by: Deepak Gupta
Reviewed-by: Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 7 +++
arch/riscv/mm/pgtable.c | 17 +
2 files changed, 24 insertions(+)
diff --git a/arch/riscv
mless.
Signed-off-by: Deepak Gupta
Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 30fd4874e871..3e05fedb871c 100644
--- a/arch/riscv/includ
setup by kernel because user mode can do that by itself. However to
provide compatibility and portability with other architectues, user mode
can specify token set flag.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/Makefile | 2 +
arch/riscv/kernel/user
can be provided. This is not settled yet and being
extensively discussed on mailing list. Once that's settled, this commit
will adapt to that.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 45
arch/riscv/kernel/process.c | 12 ++-
arch/riscv/kernel/user
Deepak Gupta but later
modified by Mark Brown for arm's GCS patch series.
Signed-off-by: Mark Brown
Co-developed-by: Deepak Gupta
Signed-off-by: Deepak Gupta
---
include/linux/mm.h | 3 +++
include/uapi/linux/prctl.h | 21 +
kernel/sys.c
.
- PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch
tracking for user thread.
Signed-off-by: Deepak Gupta
---
include/linux/cpu.h| 4
include/uapi/linux/prctl.h | 27 +++
kernel/sys.c | 30 ++
3 files
re-evaluate our solution.
Link:
https://lore.kernel.org/linux-riscv/20240322-168f191eeb8479b2ea169a5e@orel/ [1]
Link:
https://lore.kernel.org/linux-riscv/20240323-28943722feb57a41fb0ff488@orel/ [2]
Reviewed-by: Andrew Jones
Reviewed-by: Conor Dooley
Reviewed-by: Deepak Gupta
Signed-off-by: Sam
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holland
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/cpufeature.h | 2 +-
arch/riscv/kernel/cpufeature.c | 4 ++--
arch/riscv/kernel/smpboot.c | 2 --
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/arch/riscv
PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to
write to their own shadow stack using `sspush` or `ssamoswap`.
PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack
enabling.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 30 -
arch/riscv
prctls implemented are:
PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and
PR_LOCK_INDIR_BR_LP_STATUS.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 28 +++-
arch/riscv/kernel/process.c | 5 +++
arch/riscv/kernel/usercfi.c | 76
(on execution of `sspopchk`).
In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR.
SEGV_CPERR was introduced by x86 shadow stack patches.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/asm-prototypes.h | 1 +
arch/riscv/include/asm/entry-common.h | 2 ++
arch/riscv/kernel
Shadow stack needs to be saved and restored on signal delivery and signal
return.
sigcontext embedded in ucontext is extendible. Defining cfi state in there
which can be used to save cfi state before signal delivery and restore
cfi state on sigreturn
Signed-off-by: Deepak Gupta
---
arch/riscv
on sigreturn, kernel retrieves token from top of
shadow stack and validates it. This allows that user mode can't arbitrary
pivot to any shadow stack address without having a token and thus provide
strong security assurance between signaly delivery and sigreturn window.
Signed-off-by: Deepak
Updating __show_regs to print captured shadow stack pointer as well.
On tasks where shadow stack is disabled, it'll simply print 0.
Signed-off-by: Deepak Gupta
Reviewed-by: Alexandre Ghiti
---
arch/riscv/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --
allowed via ptrace set interface. However setting `elp` state or
setting shadow stack pointer are allowed via ptrace set interface. It is
expected `gdb` might have use to fixup `elp` state or `shadow stack`
pointer.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/uapi/asm/ptrace.h | 18
Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/uapi/asm/hwprobe.h | 2 ++
arch/riscv/kernel/sys_hwprobe.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/riscv/include/uapi/asm/hwprobe.h
b/arch/riscv
support cpu assisted user mode cfi.
If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`
and `ARCH_HAS_USER_SHADOW_STACK` for riscv.
Signed-off-by: Deepak Gupta
---
arch/riscv/Kconfig | 19 +++
1 file changed, 19 insertions(+)
diff --git a/arch/riscv/Kconfig b
Adding documentation on landing pad aka indirect branch tracking on riscv
and kernel interfaces exposed so that user tasks can enable it.
Signed-off-by: Deepak Gupta
---
Documentation/arch/riscv/zicfilp.rst | 104 +++
1 file changed, 104 insertions(+)
create mode 100644
Adding documentation on shadow stack for user mode on riscv and kernel
interfaces exposed so that user tasks can enable it.
Signed-off-by: Deepak Gupta
---
Documentation/arch/riscv/zicfiss.rst | 169 +++
1 file changed, 169 insertions(+)
create mode 100644 Documentation
test. Make sure signal delivery results in token creation on
shadow stack and consumes (and verifies) token on sigreturn
- shadow stack protection test. attempts to write using regular store
instruction on shadow stack memory must result in access faults
Signed-off-by: Deepak
On Fri, Sep 13, 2024 at 09:25:57PM +0200, Andy Chiu wrote:
Hi Deepak,
Deepak Gupta 於 2024年9月13日 週五 上午1:20寫道:
Save shadow stack pointer in sigcontext structure while delivering signal.
Restore shadow stack pointer from sigcontext on sigreturn.
As part of save operation, kernel uses
On Fri, Sep 13, 2024 at 09:35:50PM +0200, Andy Chiu wrote:
Hi Deepak
Deepak Gupta 於 2024年9月13日 週五 上午2:32寫道:
zicfiss / zicfilp introduces a new exception to priv isa `software check
exception` with cause code = 18. This patch implements software check
exception.
Additionally it implements a
On Tue, Oct 08, 2024 at 02:18:58PM +0800, Zong Li wrote:
On Tue, Oct 8, 2024 at 1:31 PM Deepak Gupta wrote:
On Tue, Oct 08, 2024 at 01:16:17PM +0800, Zong Li wrote:
>On Tue, Oct 8, 2024 at 7:30 AM Deepak Gupta wrote:
>>
>> On Mon, Oct 07, 2024 at 04:17:47PM +0800, Zong Li wr
alexgh...@rivosinc.com
Cc: samitolva...@google.com
Cc: broo...@kernel.org
Cc: rick.p.edgeco...@intel.com
Signed-off-by: Deepak Gupta
---
changelog
-
v6:
- Picked up Samuel Holland's changes as is with `envcfg` placed in
`thread` instead of `thread_info`
- fixed unaligned newline escapes
Signed-off-by: Mark Brown
Reviewed-by: Rick Edgecombe
Reviewed-by: Deepak Gupta
Reviewed-by: Carlos Bilbao
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
mm/Kconfig | 6 ++
4 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86
riscv will need an implementation for exit_thread to clean up shadow stack
when thread exits. If current thread had shadow stack enabled, shadow
stack is allocated by default for any new thread.
Signed-off-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/Kconfig | 1
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holland
---
arch/riscv/include/asm/cpufeature.h | 2 +-
arch/riscv/kernel/cpufeature.c | 4 ++--
arch/riscv/kernel/smpboot.c | 2 --
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/arch/riscv/include/asm/cpufeature.h
b
re-evaluate our solution.
Link:
https://lore.kernel.org/linux-riscv/20240322-168f191eeb8479b2ea169a5e@orel/ [1]
Link:
https://lore.kernel.org/linux-riscv/20240323-28943722feb57a41fb0ff488@orel/ [2]
Reviewed-by: Andrew Jones
Reviewed-by: Conor Dooley
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holl
vma
or not.
Signed-off-by: Deepak Gupta
---
mm/gup.c | 2 +-
mm/vma.h | 10 +++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/mm/gup.c b/mm/gup.c
index a82890b46a36..8e6e14179f6c 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1282,7 +1282,7 @@ static int check_vma_fl
fork(), setting the value for the
init task sets the default value for all other threads.
Reviewed-by: Andrew Jones
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holland
---
arch/riscv/include/asm/processor.h | 1 +
arch/riscv/include/asm/switch_to.h | 8
arch/riscv/kernel
feature bitmap. Furthermore this patch adds detection
utility functions to return whether shadow stack or landing pads are
supported by cpu.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/cpufeature.h | 13 +
arch/riscv/include/asm/hwcap.h | 2 ++
arch/riscv/include/asm
Make an entry for cfi extensions in extensions.yaml.
Signed-off-by: Deepak Gupta
---
Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++
1 file changed, 14 insertions(+)
diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml
b/Documentation/devicetree
-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/include/asm/csr.h | 16
1 file changed, 16 insertions(+)
diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h
index 25966995da04..af7ed9bedaee 100644
--- a/arch/riscv/include/asm/csr.h
+++ b/arch
shadow stack, that means that it needs to be
supported. And thus save/restore of shadow stack pointer in entry.S instead
of in `switch_to.h`.
Signed-off-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/include/asm/processor.h | 1 +
arch/riscv/include/asm/thread_info.h | 3 +++
mless.
Signed-off-by: Deepak Gupta
Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 7963ab11d924..fdab7d74437d 100644
--- a/arch/riscv/includ
can select write PTE encoding based on VMA range (i.e.
VM_SHADOW_STACK)
Signed-off-by: Deepak Gupta
Reviewed-by: Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 7 +++
arch/riscv/mm/pgtable.c | 17 +
2 files changed, 24 insertions(+)
diff --git a/arch/riscv
encodings.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/mman.h| 24
arch/riscv/include/asm/pgtable.h | 1 +
arch/riscv/kernel/sys_riscv.c| 10 ++
arch/riscv/mm/init.c | 2 +-
mm/mmap.c| 1 +
5 files changed, 37
This patch implements creating shadow stack pte (on riscv). Creating
shadow stack PTE on riscv means that clearing RWX and then setting W=1.
Signed-off-by: Deepak Gupta
Reviewed-by: Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 10 ++
1 file changed, 10 insertions(+)
diff
setup by kernel because user mode can do that by itself. However to
provide compatibility and portability with other architectues, user mode
can specify token set flag.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/Makefile | 2 +
arch/riscv/kernel/user
can be provided. This is not settled yet and being
extensively discussed on mailing list. Once that's settled, this commit
will adapt to that.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 25
arch/riscv/kernel/process.c | 11 +++-
arch/riscv/kernel/user
Deepak Gupta but later
modified by Mark Brown for arm's GCS patch series.
Signed-off-by: Mark Brown
Signed-off-by: Deepak Gupta
---
include/linux/mm.h | 3 +++
include/uapi/linux/prctl.h | 21 +
kernel/sys.c | 30 ++
3
.
- PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch
tracking for user thread.
Signed-off-by: Deepak Gupta
---
include/linux/cpu.h| 4
include/uapi/linux/prctl.h | 27 +++
kernel/sys.c | 30 ++
3 files
prctls implemented are:
PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and
PR_LOCK_INDIR_BR_LP_STATUS.
On trap entry, ELP state is recorded in sstatus image on stack and SR_ELP
in CSR_STATUS is cleared.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 16 -
arch
PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to
write to their own shadow stack using `sspush` or `ssamoswap`.
PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack
enabling.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 18 ++-
arch/riscv/kernel
(on execution of `sspopchk`).
In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR.
SEGV_CPERR was introduced by x86 shadow stack patches.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/asm-prototypes.h | 1 +
arch/riscv/include/asm/entry-common.h | 2 ++
arch/riscv/kernel
and a magic identifier of the
extension. Then, the extensions body contains the new architectural
states in the form defined by uapi.
Signed-off-by: Andy Chiu
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 10
arch/riscv/include/uapi/asm/ptrace.h | 4 ++
arch/
From: Andy Chiu
The function save_v_state() served two purposes. First, it saved
extension context into the signal stack. Then, it constructed the
extension header if there was no fault. The second part is independent
of the extension itself. As a result, we can pull that part out, so
future exte
Updating __show_regs to print captured shadow stack pointer as well.
On tasks where shadow stack is disabled, it'll simply print 0.
Signed-off-by: Deepak Gupta
Reviewed-by: Alexandre Ghiti
---
arch/riscv/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --
, it must
be enabled as early as possible for better coverage and prevent imbalance
between regular stack and shadow stack. After `relocate_enable_mmu` has
been done, this is as early as possible it can enabled.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/asm-offsets.c | 4
arch/riscv
allowed via ptrace set interface. However setting `elp` state or
setting shadow stack pointer are allowed via ptrace set interface. It is
expected `gdb` might have use to fixup `elp` state or `shadow stack`
pointer.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/uapi/asm/ptrace.h | 18
From: Clément Léger
Add necessary SBI definitions to use the FWFT extension.
Signed-off-by: Clément Léger
---
arch/riscv/include/asm/sbi.h | 27 +++
1 file changed, 27 insertions(+)
diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm/sbi.h
index 98f631b0
This commit adds a kernel command line option using which user cfi can be
disabled.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/usercfi.c | 20
1 file changed, 20 insertions(+)
diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
index 92d03eb76c03
support cpu assisted user mode cfi.
If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
`ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.
Signed-off-by: Deepak Gupta
---
arch/riscv/Kconfig | 20
1 file changed, 20 insertions(+)
diff --git a
Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/uapi/asm/hwprobe.h | 2 ++
arch/riscv/kernel/sys_hwprobe.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/riscv/include/uapi/asm/hwprobe.h
b/arch/riscv
indeed enabled and working
This is to ensure shadow stack is indeed enabled and working
ok 1 shstk fork test
ok 2 map shadow stack syscall
ok 3 shadow stack gup tests
ok 4 shadow stack signal tests
ok 5 memory protections of shadow stack memory
"""
Signed-off-by: Deepak Gupta
Adding documentation on shadow stack for user mode on riscv and kernel
interfaces exposed so that user tasks can enable it.
Signed-off-by: Deepak Gupta
---
Documentation/arch/riscv/index.rst | 1 +
Documentation/arch/riscv/zicfiss.rst | 176 +++
2 files
Adding documentation on landing pad aka indirect branch tracking on riscv
and kernel interfaces exposed so that user tasks can enable it.
Signed-off-by: Deepak Gupta
---
Documentation/arch/riscv/index.rst | 1 +
Documentation/arch/riscv/zicfilp.rst | 115
On Tue, Oct 08, 2024 at 10:55:29PM +, Edgecombe, Rick P wrote:
On Tue, 2024-10-08 at 15:36 -0700, Deepak Gupta wrote:
+unsigned long shstk_alloc_thread_stack(struct task_struct *tsk,
+ const struct kernel_clone_args *args)
+{
+ unsigned long
On Fri, Oct 11, 2024 at 07:43:30PM +0800, Zong Li wrote:
On Fri, Oct 11, 2024 at 6:18 PM Mark Brown wrote:
On Fri, Oct 11, 2024 at 01:44:55PM +0800, Zong Li wrote:
> On Wed, Oct 9, 2024 at 7:46 AM Deepak Gupta wrote:
> > + if (si->si_code == SEGV_CPERR) {
> Hi Deepa
On Wed, Oct 02, 2024 at 05:18:36PM -0600, Shuah Khan wrote:
On 10/1/24 10:06, Deepak Gupta wrote:
Adds kselftest for RISC-V control flow integrity implementation for user
mode. There is not a lot going on in kernel for enabling landing pad for
user mode. cfi selftest are intended to be compiled
features are expected to be inherited by new threads and cleared
on exec(), unknown features should be rejected for enable but accepted
for locking (in order to allow for future proofing).
This is based on a patch originally written by Deepak Gupta but modified
fairly heavily, support for indirect
On Mon, Oct 07, 2024 at 04:17:47PM +0800, Zong Li wrote:
On Wed, Oct 2, 2024 at 12:20 AM Deepak Gupta wrote:
Userspace specifies CLONE_VM to share address space and spawn new thread.
`clone` allow userspace to specify a new stack for new thread. However
there is no way to specify new shadow
On Wed, Oct 09, 2024 at 02:36:12PM +0100, Lorenzo Stoakes wrote:
On Tue, Oct 08, 2024 at 03:36:53PM -0700, Deepak Gupta wrote:
`arch_calc_vm_prot_bits` is implemented on risc-v to return VM_READ |
VM_WRITE if PROT_WRITE is specified. Similarly `riscv_sys_mmap` is
updated to convert all incoming
On Tue, Oct 08, 2024 at 01:16:17PM +0800, Zong Li wrote:
On Tue, Oct 8, 2024 at 7:30 AM Deepak Gupta wrote:
On Mon, Oct 07, 2024 at 04:17:47PM +0800, Zong Li wrote:
>On Wed, Oct 2, 2024 at 12:20 AM Deepak Gupta wrote:
>>
>> Userspace specifies CLONE_VM to share address spac
nel.
- Enabling of control flow integrity for user programs is left to user runtime
- This patch series introduces arch agnostic `prctls` to enable shadow stack
and indirect branch tracking. And implements them on riscv.
---
Andy Chiu (1):
riscv: signal: abstract header saving for setup_sigc
Make an entry for cfi extensions in extensions.yaml.
Signed-off-by: Deepak Gupta
Acked-by: Rob Herring (Arm)
---
Documentation/devicetree/bindings/riscv/extensions.yaml | 14 ++
1 file changed, 14 insertions(+)
diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml
fork(), setting the value for the
init task sets the default value for all other threads.
Reviewed-by: Andrew Jones
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holland
---
arch/riscv/include/asm/processor.h | 1 +
arch/riscv/include/asm/switch_to.h | 8
arch/riscv/kernel
shadow stack, that means that it needs to be
supported. And thus save/restore of shadow stack pointer in entry.S instead
of in `switch_to.h`.
Signed-off-by: Deepak Gupta
Reviewed-by: Charlie Jenkins
---
arch/riscv/include/asm/processor.h | 1 +
arch/riscv/include/asm/thread_info.h | 3 +++
setup by kernel because user mode can do that by itself. However to
provide compatibility and portability with other architectues, user mode
can specify token set flag.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/Makefile | 2 +
arch/riscv/kernel/user
mless.
Signed-off-by: Deepak Gupta
Alexandre Ghiti
---
arch/riscv/include/asm/pgtable.h | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 7963ab11d924..fdab7d74437d 100644
--- a/arch/riscv/includ
(on execution of `sspopchk`).
In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR.
SEGV_CPERR was introduced by x86 shadow stack patches.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/asm-prototypes.h | 1 +
arch/riscv/include/asm/entry-common.h | 2 ++
arch/riscv/kernel
From: Andy Chiu
The function save_v_state() served two purposes. First, it saved
extension context into the signal stack. Then, it constructed the
extension header if there was no fault. The second part is independent
of the extension itself. As a result, we can pull that part out, so
future exte
PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to
write to their own shadow stack using `sspush` or `ssamoswap`.
PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack
enabling.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 18 ++-
arch/riscv/kernel
prctls implemented are:
PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and
PR_LOCK_INDIR_BR_LP_STATUS.
On trap entry, ELP state is recorded in sstatus image on stack and SR_ELP
in CSR_STATUS is cleared.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 16 -
arch
.
- PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch
tracking for user thread.
Signed-off-by: Deepak Gupta
Reviewed-by: Mark Brown
---
include/linux/cpu.h| 4
include/uapi/linux/prctl.h | 27 +++
kernel/sys.c | 30
and a magic identifier of the
extension. Then, the extensions body contains the new architectural
states in the form defined by uapi.
Signed-off-by: Andy Chiu
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/usercfi.h | 10
arch/riscv/include/uapi/asm/ptrace.h | 4 ++
arch/
Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/uapi/asm/hwprobe.h | 2 ++
arch/riscv/kernel/sys_hwprobe.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/arch/riscv/include/uapi/asm/hwprobe.h
b/arch/riscv
allowed via ptrace set interface. However setting `elp` state or
setting shadow stack pointer are allowed via ptrace set interface. It is
expected `gdb` might have use to fixup `elp` state or `shadow stack`
pointer.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/uapi/asm/ptrace.h | 18
encodings.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/mman.h| 24
arch/riscv/include/asm/pgtable.h | 1 +
arch/riscv/kernel/sys_riscv.c| 10 ++
arch/riscv/mm/init.c | 2 +-
4 files changed, 36 insertions(+), 1 deletion(-)
diff --git a
re-evaluate our solution.
Link:
https://lore.kernel.org/linux-riscv/20240322-168f191eeb8479b2ea169a5e@orel/ [1]
Link:
https://lore.kernel.org/linux-riscv/20240323-28943722feb57a41fb0ff488@orel/ [2]
Reviewed-by: Andrew Jones
Reviewed-by: Conor Dooley
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holl
From: Clément Léger
Add necessary SBI definitions to use the FWFT extension.
Signed-off-by: Clément Léger
---
arch/riscv/include/asm/sbi.h | 27 +++
1 file changed, 27 insertions(+)
diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm/sbi.h
index 98f631b0
feature bitmap. Furthermore this patch adds detection
utility functions to return whether shadow stack or landing pads are
supported by cpu.
Signed-off-by: Deepak Gupta
---
arch/riscv/include/asm/cpufeature.h | 13 +
arch/riscv/include/asm/hwcap.h | 2 ++
arch/riscv/include/asm
This commit adds a kernel command line option using which user cfi can be
disabled.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/usercfi.c | 20
1 file changed, 20 insertions(+)
diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c
index 04b0305943b1
, it must
be enabled as early as possible for better coverage and prevent imbalance
between regular stack and shadow stack. After `relocate_enable_mmu` has
been done, this is as early as possible it can enabled.
Signed-off-by: Deepak Gupta
---
arch/riscv/kernel/asm-offsets.c | 4
arch/riscv
indeed enabled and working
This is to ensure shadow stack is indeed enabled and working
ok 1 shstk fork test
ok 2 map shadow stack syscall
ok 3 shadow stack gup tests
ok 4 shadow stack signal tests
ok 5 memory protections of shadow stack memory
"""
Signed-off-by: Deepak Gupta
support cpu assisted user mode cfi.
If CONFIG_RISCV_USER_CFI is selected, select `ARCH_USES_HIGH_VMA_FLAGS`,
`ARCH_HAS_USER_SHADOW_STACK` and DYNAMIC_SIGFRAME for riscv.
Signed-off-by: Deepak Gupta
---
arch/riscv/Kconfig | 20
1 file changed, 20 insertions(+)
diff --git a
Adding documentation on shadow stack for user mode on riscv and kernel
interfaces exposed so that user tasks can enable it.
Signed-off-by: Deepak Gupta
---
Documentation/arch/riscv/index.rst | 1 +
Documentation/arch/riscv/zicfiss.rst | 176 +++
2 files
Adding documentation on landing pad aka indirect branch tracking on riscv
and kernel interfaces exposed so that user tasks can enable it.
Signed-off-by: Deepak Gupta
---
Documentation/arch/riscv/index.rst | 1 +
Documentation/arch/riscv/zicfilp.rst | 115
Reviewed-by: Deepak Gupta
Signed-off-by: Samuel Holland
---
arch/riscv/include/asm/cpufeature.h | 2 +-
arch/riscv/kernel/cpufeature.c | 4 ++--
arch/riscv/kernel/smpboot.c | 2 --
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/arch/riscv/include/asm/cpufeature.h
b
1 - 100 of 304 matches
Mail list logo
