On Wed, Oct 9, 2024 at 7:46 AM Deepak Gupta wrote:
>
> Adds kselftest for RISC-V control flow integrity implementation for user
> mode. There is not a lot going on in kernel for enabling landing pad for
> user mode. cfi selftest are intended to be compiled with zicfilp and
> zicfiss enabled compil
On Fri, Oct 11, 2024 at 6:18 PM Mark Brown wrote:
>
> On Fri, Oct 11, 2024 at 01:44:55PM +0800, Zong Li wrote:
> > On Wed, Oct 9, 2024 at 7:46 AM Deepak Gupta wrote:
>
> > > + if (si->si_code == SEGV_CPERR) {
>
> > Hi Deepak,
> > I got some erro
On Wed, Oct 2, 2024 at 12:20 AM Deepak Gupta wrote:
>
> Userspace specifies CLONE_VM to share address space and spawn new thread.
> `clone` allow userspace to specify a new stack for new thread. However
> there is no way to specify new shadow stack base address without changing
> API. This patch a
On Tue, Oct 8, 2024 at 7:30 AM Deepak Gupta wrote:
>
> On Mon, Oct 07, 2024 at 04:17:47PM +0800, Zong Li wrote:
> >On Wed, Oct 2, 2024 at 12:20 AM Deepak Gupta wrote:
> >>
> >> Userspace specifies CLONE_VM to share address space and spawn new thread.
> >> `
On Tue, Oct 8, 2024 at 1:31 PM Deepak Gupta wrote:
>
> On Tue, Oct 08, 2024 at 01:16:17PM +0800, Zong Li wrote:
> >On Tue, Oct 8, 2024 at 7:30 AM Deepak Gupta wrote:
> >>
> >> On Mon, Oct 07, 2024 at 04:17:47PM +0800, Zong Li wrote:
> >> >On Wed, O
On Sat, Oct 12, 2024 at 3:46 AM Deepak Gupta wrote:
>
> On Fri, Oct 11, 2024 at 07:43:30PM +0800, Zong Li wrote:
> >On Fri, Oct 11, 2024 at 6:18 PM Mark Brown wrote:
> >>
> >> On Fri, Oct 11, 2024 at 01:44:55PM +0800, Zong Li wrote:
> >> > On Wed,
[VM_NONE] = PAGE_NONE,
> [VM_READ] = PAGE_READ,
> - [VM_WRITE] = PAGE_COPY,
> + [VM_WRITE] = PAGE_SHADOWSTACK,
> [VM_WRITE
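Review bot: the `[VM_WRITE]` row of the protection map now resolves to `PAGE_SHADOWSTACK` instead of `PAGE_COPY`, so a VMA carrying VM_WRITE without VM_READ or VM_EXEC is reinterpreted as a shadow stack mapping rather than a private writable one. The hunk should come with the check that keeps ordinary write-only mmap/mprotect requests out of this row (or redirects them to a readable-writable row), and the commit message should state that the write-only encoding is being repurposed.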
't need this, it has been removed by the '6da111574baf
("riscv: Provide a definition for 'pause'")'. Apart from that, this
patch looks good to me.
Reviewed-by: Zong Li
> +
> +KBUILD_BASE_ISA = -march=$(shell echo $(riscv-march-y) | sed -E
> 's/(rv32ima|r
On Tue, Mar 11, 2025 at 1:50 AM Deepak Gupta wrote:
>
> Adds kselftest for RISC-V control flow integrity implementation for user
> mode. There is not a lot going on in kernel for enabling landing pad for
> user mode. cfi selftest are intended to be compiled with zicfilp and
> zicfiss enabled compi
te),
> + __RISCV_ISA_EXT_SUPERSET_VALIDATE(zicfiss, RISCV_ISA_EXT_ZICFISS,
> riscv_xlinuxenvcfg_exts,
> + riscv_cfi_validate),
> __RISCV_ISA_EXT_DATA(zicntr, RISCV_ISA_EXT_ZICNTR),
> __RISCV_ISA_EXT_DATA(zicond, RISCV_ISA_EXT_ZICOND),
> __RISCV_ISA_EXT_DATA(zicsr, RISCV_ISA_EXT_ZICSR),
>
LGTM.
Reviewed-by: Zong Li
> --
> 2.34.1
>
>
> ___
> linux-riscv mailing list
> linux-ri...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
uct *vma)
> +{
> + if (vma->vm_flags & VM_SHADOW_STACK)
> + return pte_mkwrite_shstk(pte);
> +
> + return pte_mkwrite_novma(pte);
> +}
> +
> +pmd_t pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma)
> +{
> +
* which perform writes to CSR_SSP properly, shadow stack pivoting is
> not possible. Since
> +* CSR_SSP is writeable by user mode, it itself can setup a shadow
> stack token subsequent
> +* to allocation. Although in order to provide portablity with other
> archit
* encoding 000b which is wrong encoding with V = 1. This should lead
> to page fault
> +* but we dont want this wrong configuration to be set in page tables.
> +*/
> + atomic_long_set((atomic_long_t *)ptep,
> +
,8 @@ static void hwprobe_isa_ext0(struct riscv_hwprobe *pair,
> EXT_KEY(ZCB);
> EXT_KEY(ZCMOP);
> EXT_KEY(ZICBOZ);
> + EXT_KEY(ZICFILP);
> + EXT_KEY(ZICFISS);
>
> + /* If shadow stack is not supported or not enabled, nothing to
> release */
> + if (!cpu_supports_shadow_stack() || !is_shstk_enabled(tsk))
> + return;
> +
> + /*
> +* When fork() with CLONE_VM fails, the child (tsk) already has a
>
+ li a6, SBI_EXT_FWFT_SET
> + li a0, SBI_FWFT_SHADOW_STACK
> + li a1, 1 /* enable supervisor to access shadow stack access */
> + li a2, SBI_FWFT_SET_FLAG_LOCK
> + ecall
> scs_load_current
>
> #ifdef CONFIG_KASAN
>
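Review bot: the result of the `ecall` is never examined: after `li a2, SBI_FWFT_SET_FLAG_LOCK` / `ecall` the code proceeds straight to `scs_load_current`, so if the firmware lacks the FWFT extension or refuses to enable SBI_FWFT_SHADOW_STACK the kernel carries on with supervisor shadow stack off and no record of why. Either test a0 and stash the status for later reporting, or add a comment stating that failure is deliberately ignored here because the feature is probed again elsewhere. The comment on `li a1, 1` ("enable supervisor to access shadow stack access") also reads doubled; "1 = enable the feature" is clearer.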
LGTM.
Reviewed-by: Zong Li
> --
> 2.34.1
>
>
ase user space can use this prctl to lock
> +current settings.
> +
> +5. violations related to indirect branch tracking
> +--
> +
> +Pertaining to indirect branch tracking, CPU raises software ch
cfi violation, then merge into flow of unknown trap
> handler */
> + if (!handle_user_cfi_violation(regs))
> + do_trap_unknown(regs);
> +
> + irqentry_exit_to_user_mode(regs);
> + } else {
> + /* sw c
> + /* Reject unknown flags */
> + if (status & ~PR_INDIR_BR_LP_ENABLE)
> + return -EINVAL;
> +
> + enable_indir_lp = (status & PR_INDIR_BR_LP_ENABLE) ? true : false;
> + set_indir_lp_status(t, enable_indir_lp);
case PR_SET_INDIR_BR_LP_STATUS:
> + if (arg3 || arg4 || arg5)
> + return -EINVAL;
> + error = arch_set_indir_br_lp_status(me, arg2);
> + break;
> + case PR_LOCK_INDIR_BR_LP_STATUS:
> + if
e we want parent to have
> availability of shadow
> +* stack whenever VFORKed child releases resources via exit or exec
> but at the same
> +* time we want VFORKed child to break away and establish new shadow
> stack if it desires
> +*
> +*/
> + if (!enable_shstk)
> + shstk_release(t);
> +
> + set_shstk_status(t, enable_shstk);
> + return 0;
> +}
> +
> +int arch_lock_shadow_stack_status(struct task_struct *task,
> + unsigned long arg)
> +{
> + /* If shtstk not supported or not enabled on task, nothing to lock
> here */
> + if (!cpu_supports_shadow_stack() ||
> + !is_shstk_enabled(task) || arg != 0)
> + return -EINVAL;
> +
> + set_shstk_lock(task);
> +
> + return 0;
> +}
>
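Review bot: `arch_lock_shadow_stack_status()` returns -EINVAL when `is_shstk_enabled(task)` is false, so a task cannot lock the disabled state and a later prctl can still turn shadow stack on for it; if that asymmetry with the enable path is intended it deserves a sentence in the comment, otherwise drop the enablement check and lock whatever the current status is. Minor: the comment reads `shtstk`, should be `shstk`.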
LGTM
Reviewed-by: Zong Li
> --
> 2.34.1
>
>
ng x86 and picking up the same bitpos.
> + */
> +# define VM_SHADOW_STACK VM_HIGH_ARCH_5
> +#endif
> +
> #ifndef VM_SHADOW_STACK
> # define VM_SHADOW_STACK VM_NONE
> #endif
>
LGTM.
Reviewed-by: Zong Li
> --
> 2.34.1
>
>
> */
> csrw CSR_SCRATCH, tp
> +
> + /*
> +* Going back to U mode, restore shadow stack pointer
> +*/
> + ALTERNATIVE("nop; nop",
> + __stringify(
> \
> +
c inline pmd_t pmd_mkwrite_shstk(pmd_t pte)
> +{
> + return __pmd((pmd_val(pte) & ~(_PAGE_LEAF)) | _PAGE_WRITE);
> +}
> +
> static inline pmd_t pmd_wrprotect(pmd_t pmd)
> {
> return pte_pmd(pte_wrprotect(pmd_pte(pmd)));
>
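Review bot: in `static inline pmd_t pmd_mkwrite_shstk(pmd_t pte)` the `pmd_t` argument is named `pte` while the neighbouring `pmd_wrprotect(pmd_t pmd)` uses `pmd`; rename it for consistency. A one-line comment saying that clearing `_PAGE_LEAF` and setting only `_PAGE_WRITE` is what produces the shadow-stack page encoding would also spare readers a trip to the ISA manual.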
LGTM.
Reviewed-by: Zong Li
> --
On Mon, Mar 10, 2025 at 11:42 PM Deepak Gupta wrote:
>
> Three architectures (x86, aarch64, riscv) have support for indirect branch
> tracking feature in a very similar fashion. On a very high level, indirect
> branch tracking is a CPU feature where CPU tracks branches which uses
> memory operand
> +
> +#define SBI_FWFT_GLOBAL_FEATURE_BIT(1 << 31)
> +#define SBI_FWFT_PLATFORM_FEATURE_BIT (1 << 30)
> +
> +#define SBI_FWFT_SET_FLAG_LOCK (1 << 0)
>
> /* SBI spec version fields */
> #define SBI_SPEC_VERSION_DEFAULT 0x1
>
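Review bot: `SBI_FWFT_GLOBAL_FEATURE_BIT` is defined as `(1 << 31)`, which shifts a 1 into the sign bit of a plain int and yields a negative value that sign-extends when converted to the unsigned long passed in an SBI argument register; use `BIT(31)` (and `BIT(30)`, `BIT(0)` for the two neighbouring flags) instead. The missing space before `(1 << 31)` also needs checking, if it is not a quoting artifact.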
LGT
dversary will have to
> +make sure that there is a ``shadow stack token`` in addition to invoking
> +:c:macro:`sigreturn`
> +
> +7. Signal shadow stack
> +---
> +Following structure has been added to sigcontext for RISC-V::
> +
> +struct
ates
> against
> + JOP / COP attacks. Applications must be enabled to use it, and old
> user-
> + space does not get protection "for free".
> + default y
> +
> config ARCH_MMAP_RND_BITS_MIN
> default 18 if 64BIT
> default 8
>