fpu_user_xstate_size" was introduced by commit:
> >
> > commit 91c3dba7dbc199191272f4a9863f86ea3bfd679f
> > Author: Yu-cheng Yu
> > Date: Fri Jun 17 13:07:17 2016 -0700
> >
> > x86/fpu/xstate: Fix PTRACE frames for XSAVES
> >
> > XSAVES us
On Tue, 2017-06-20 at 20:59 +0200, Richard Weinberger wrote:
> Yu-cheng,
>
> On 20.06.2017 at 20:17, Richard Weinberger wrote:
> > Yu-cheng,
> >
> > On 20.06.2017 at 20:04, Yu-cheng Yu wrote:
> >>>> So to summarize:
> >>>>
> >&g
VM_SHSTK indicates a shadow stack memory area.
The shadow stack is implemented only for the 64-bit kernel.
Signed-off-by: Yu-cheng Yu
---
include/linux/mm.h | 8
mm/internal.h | 8
2 files changed, 16 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
This patch adds basic shadow stack enabling/disabling routines.
A task's shadow stack is allocated from memory with VM_SHSTK
flag set and read-only protection. The shadow stack is
allocated to a fixed size of RLIMIT_STACK.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/
On Wed, 2018-07-11 at 06:47 -0700, H.J. Lu wrote:
> On Wed, Jul 11, 2018 at 2:57 AM, Florian Weimer
> wrote:
> >
> > On 07/11/2018 12:26 AM, Yu-cheng Yu wrote:
> >
> > >
> > > +To build a CET-enabled kernel, Binutils v2.30 and GCC v8.1 or
> &
On Wed, 2018-07-11 at 11:45 +0200, Peter Zijlstra wrote:
> On Tue, Jul 10, 2018 at 03:26:30PM -0700, Yu-cheng Yu wrote:
> >
> > diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-
> > opcode-map.txt
> > index e0b85930dd77..72bb7c48a7df 100644
> > ---
On Wed, 2018-07-11 at 17:27 +0200, Peter Zijlstra wrote:
> On Wed, Jul 11, 2018 at 07:58:09AM -0700, Yu-cheng Yu wrote:
> >
> > On Wed, 2018-07-11 at 11:45 +0200, Peter Zijlstra wrote:
> > >
> > > On Tue, Jul 10, 2018 at 03:26:30PM -0700, Yu-cheng Yu wrote:
>
On Wed, 2018-07-11 at 11:34 +0200, Peter Zijlstra wrote:
> On Tue, Jul 10, 2018 at 03:26:29PM -0700, Yu-cheng Yu wrote:
> >
> > +/* MSR_IA32_U_CET and MSR_IA32_S_CET bits */
> > +#define MSR_IA32_CET_SHSTK_EN 0x0001
> > +#
find_regset() goes through regsets sequentially. Empty slots
in regset arrays cause mismatches. Add comments to the x86_regset
enum.
Signed-off-by: Yu-cheng Yu
---
arch/x86/kernel/ptrace.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
From: "H.J. Lu"
When Intel indirect branch tracking is enabled, functions in vDSO which
may be called indirectly must have endbr32 or endbr64 as the first
instruction. Compiler must support -fcf-protection=branch so that it
can be used to compile vDSO.
Signed-off-by: H.J. Lu
---
arch/x86/entr
uffer that has:
*addr = IBT bitmap base address
*(addr + 1) = IBT bitmap size
Signed-off-by: H.J. Lu
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/uapi/asm/prctl.h | 2 ++
arch/x86/kernel/cet_prctl.c | 21 +
2 files changed, 23 insertions(+)
diff --git
From: "H.J. Lu"
Add ENDBR64 to vsyscall entry points.
Signed-off-by: H.J. Lu
---
arch/x86/entry/vsyscall/vsyscall_emu_64.S | 9 +
1 file changed, 9 insertions(+)
diff --git a/arch/x86/entry/vsyscall/vsyscall_emu_64.S
b/arch/x86/entry/vsyscall/vsyscall_emu_64.S
index c9596a9af159..085
.
H.J. Lu (3):
x86: Insert endbr32/endbr64 to vDSO
x86/vsyscall/32: Add ENDBR32 to vsyscall entry point
x86/vsyscall/64: Add ENDBR64 to vsyscall entry points
Yu-cheng Yu (8):
x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking
x86/cet/ibt: User-mode indirect branch tracking
Look in .note.gnu.property of an ELF file and check if Indirect
Branch Tracking needs to be enabled for the task.
Signed-off-by: H.J. Lu
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/uapi/asm/elf_property.h | 1 +
arch/x86/kernel/elf.c| 5 +
2 files changed, 6
On Mon, 2018-11-19 at 14:17 -0800, Andy Lutomirski wrote:
> On Mon, Nov 19, 2018 at 1:55 PM Yu-cheng Yu wrote:
> >
> > From: "H.J. Lu"
> >
> > When Intel indirect branch tracking is enabled, functions in vDSO which
> > may be called indirectl
In fill_note_info(), we kzalloc elf_thread_core_info.notes[] only
for (core_note_type != 0) regsets. However, in
fill_thread_core_info(), we still leave empty notes and go beyond
the allocated size. Fix it.
Signed-off-by: Yu-cheng Yu
---
fs/binfmt_elf.c | 14 --
1 file changed, 8
In the past there were some issues resulting from additions to
XSAVE/XSAVES. Introduce a few tests to help detect issues early.
Cc: Andy Lutomirski
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: Ingo Molnar
Cc: Shuah Khan
Signed-off-by: Yu-cheng Yu
---
tools/testing/selftests/x86/Makefile
On Wed, 2019-02-27 at 13:45 -0800, Dave Hansen wrote:
> I wonder, though, if you can spend a little more time on these. They
> look a little "raw". They're virtually free of comments and there is no
> explanation of what the tests do or why they do them. I honestly forget
> things like what XSAV
Explain no_user_shstk/no_user_ibt kernel parameters, and introduce a new
document on Control-flow Enforcement Technology (CET).
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
.../admin-guide/kernel-parameters.txt | 6 +
Documentation/x86/index.rst | 1
After the introduction of _PAGE_COW, a modified page's PTE can have either
_PAGE_DIRTY or _PAGE_COW. Change _PAGE_DIRTY to _PAGE_DIRTY_BITS.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
Cc: David Airlie
Cc: Joonas Lahtinen
Cc: Jani Nikula
Cc: Daniel Vetter
Cc: Rodrigo Vivi
Cc: Z
ted for the 32-bit kernel.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/pgtable.h | 136 ---
arch/x86/include/asm/pgtable_types.h | 42 -
2 files changed, 165 insertions(+), 13 deletions(-)
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/in
pte_*() are updated.
Pte_modify() changes a PTE to 'newprot', but it doesn't use the pte_*().
Introduce fixup_dirty_pte(), which sets a dirty PTE, based on _PAGE_RW,
to either _PAGE_DIRTY or _PAGE_COW.
Apply the same changes to pmd_modify().
Signed-off-by: Yu-cheng Yu
Reviewe
results in ambiguity between shadow stack and
kernel read-only pages. To resolve this, remove Dirty from kernel read-
only pages.
Signed-off-by: Yu-cheng Yu
Cc: "H. Peter Anvin"
Cc: Kees Cook
Cc: Thomas Gleixner
Cc: Dave Hansen
Cc: Christoph Hellwig
Cc: Andy Lutomirski
Cc: Ingo
https://lkml.kernel.org/r/20200521211720.20236-1-yu-cheng...@intel.com/
[5] The kernel ptrace patch is tested with an Intel-internal updated GDB.
I am holding off the kernel ptrace patch to re-test it with my earlier
patch for fixing regset holes.
Yu-cheng Yu (25):
Documentation/x86: Add CET descrip
Stack applications continue to work, but without protection.
Signed-off-by: Yu-cheng Yu
---
arch/x86/Kconfig | 23 +++
arch/x86/Kconfig.assembler | 5 +
2 files changed, 28 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 21f851179ff0
A shadow stack PTE must be read-only and have _PAGE_DIRTY set. However,
read-only and Dirty PTEs also exist for copy-on-write (COW) pages. These
two cases are handled differently for page faults. Introduce VM_SHSTK to
track shadow stack VMAs.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
clearing
_PAGE_DIRTY (vs. _PAGE_RW) is used to trigger the fault, shadow stack read
fault and shadow stack write fault are not differentiated and both are
handled as a write access.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/trap_pf.h | 2 ++
arch/x86/mm/fault.c
Introduce a software-defined X86_FEATURE_CET, which indicates either Shadow
Stack or Indirect Branch Tracking (or both) is present. Also introduce
related cpu init/setup functions.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/cpufeatures.h | 2 +-
arch
non-
atomically, a transient shadow stack PTE can be created as a result.
Thus, prevent that with cmpxchg.
Dave Hansen, Jann Horn, Andy Lutomirski, and Peter Zijlstra provided many
insights to the issue. Jann Horn provided the cmpxchg solution.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm
Add CPU feature flags for Control-flow Enforcement Technology (CET).
CPUID.(EAX=7,ECX=0):ECX[bit 7] Shadow stack
CPUID.(EAX=7,ECX=0):EDX[bit 20] Indirect Branch Tracking
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/include
: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/fpu/types.h | 23 +--
arch/x86/include/asm/fpu/xstate.h | 6 --
arch/x86/include/asm/msr-index.h | 19 +++
arch/x86/kernel/fpu/xstate.c | 10 +-
4 files changed, 53 insertions(+), 5
different vma
flags, and handled accordingly in maybe_mkwrite().
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
mm/memory.c | 5 ++---
mm/migrate.c | 3 +--
mm/mprotect.c | 2 +-
3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/mm/memory.c b/mm/memory.c
index fe
From: "H.J. Lu"
Update ARCH_X86_CET_STATUS and ARCH_X86_CET_DISABLE for Indirect Branch
Tracking.
Signed-off-by: H.J. Lu
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/kernel/cet_prctl.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/arch/x86/kernel/cet
Introduce user-mode Indirect Branch Tracking (IBT) support. Add routines
for the setup/disable of IBT.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/cet.h | 3 +++
arch/x86/kernel/cet.c | 33 +
2 files changed, 36 insertions
t
x86/vdso: Insert endbr32/endbr64 to vDSO
Yu-cheng Yu (4):
x86/cet/ibt: Update Kconfig for user-mode Indirect Branch Tracking
x86/cet/ibt: User-mode Indirect Branch Tracking support
x86/cet/ibt: Handle signals for Indirect Branch Tracking
x86/cet/ibt: Update ELF header parsing for Indirect Br
, arrives at a non-ENDBR opcode.
The control-protection fault handler works in a similar way as the general
protection fault handler. It provides the si_code SEGV_CPERR to the signal
handler.
Signed-off-by: Yu-cheng Yu
Cc: Michael Kerrisk
---
arch/x86/include/asm/idtentry.h| 4 ++
arch/x86
SIZE.
Thus, putting a gap page on both ends of a shadow stack prevents INCSSP,
CALL, and RET from going beyond.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/page_64_types.h | 10 ++
include/linux/mm.h | 24
2 files c
page is
writable again.
Update maybe_mkwrite() by introducing arch_maybe_mkwrite(), which sets
_PAGE_DIRTY for a shadow stack PTE.
Apply the same changes to maybe_pmd_mkwrite().
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/Kconfig| 4
arch/x86/mm/pgtable.c | 18
Introduce basic shadow stack enabling/disabling/allocation routines.
A task's shadow stack is allocated from memory with VM_SHSTK flag and has
a fixed size of min(RLIMIT_STACK, 4GB).
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/cet.h | 28 ++
arc
compiler is up-to-date at config time.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 816830e3f062..f462ef9d3305 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1964,6
urn.
IBT state machine is described in Intel SDM Vol. 1, Sec. 18.3.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/kernel/cet.c| 26 --
arch/x86/kernel/fpu/signal.c | 8 +---
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/arch/x
off-by: Yu-cheng Yu
Acked-by: Andy Lutomirski
Reviewed-by: Kees Cook
---
arch/x86/entry/vdso/Makefile | 4
1 file changed, 4 insertions(+)
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 02e3e42f380b..ff7b56feb5c3 100644
--- a/arch/x86/entry/vdso/Makefile
. Re-introduce vm_flags to do_mmap(), but without the old wrapper
do_mmap_pgoff(). Instead, make all callers of the wrapper pass a zero
vm_flags to do_mmap().
Signed-off-by: Yu-cheng Yu
Reviewed-by: Peter Collingbourne
Reviewed-by: Kees Cook
Cc: Andrew Morton
Cc: Oleg Nesterov
Cc: linux...@kv
Account shadow stack pages to stack memory.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/mm/pgtable.c | 7 +++
include/linux/pgtable.h | 11 +++
mm/mmap.c | 5 +
3 files changed, 23 insertions(+)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86
An ELF file's .note.gnu.property indicates features the file supports.
The property is parsed at loading time and passed to arch_setup_elf_
property(). Update it for Indirect Branch Tracking.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/kernel/process_64.c | 8 ++
From: "H.J. Lu"
Add ENDBR32 to __kernel_vsyscall entry point.
Signed-off-by: H.J. Lu
Signed-off-by: Yu-cheng Yu
Acked-by: Andy Lutomirski
Reviewed-by: Kees Cook
---
arch/x86/entry/vdso/vdso32/system_call.S | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/entry/v
se-case of this function is Shadow
Stack.
ARM64 is the other arch that has ARCH_USE_GNU_PROPERTY and arch_parse_elf_
property(). Add arch_setup_elf_property() for it.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
Cc: Mark Brown
Cc: Catalin Marinas
Cc: Dave Martin
---
arch/arm64/include
4 min(RLIMIT_STACK, 4 GB). This allows
more threads to run in a 32-bit address space.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/cet.h | 3 ++
arch/x86/include/asm/mmu_context.h | 3 ++
arch/x86/kernel/cet.c | 44 ++
arch/x86/kernel/proc
can_follow_write_pte() check, it belongs to the writable page case and
should be excluded from the read-only page pte_dirty() check. Apply
the same changes to can_follow_write_pmd().
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
mm/gup.c | 8 +---
mm/huge_memory.c | 8 +---
2
atures.
Also change do_arch_prctl_common()'s parameter 'cpuid_enabled' to
'arg2', as it is now also passed to prctl_cet().
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/cet.h| 3 ++
arch/x86/include/uapi/asm/prctl.h | 4 +++
arch/x
cking (IBT) series, but add
that into sc_ext now to keep the struct stable in case the IBT series is
applied later.
Signed-off-by: Yu-cheng Yu
---
arch/x86/ia32/ia32_signal.c| 17 +++
arch/x86/include/asm/cet.h | 8 ++
arch/x86/include/asm/fpu/internal.h| 10 ++
arch/x
architectures.
[1] https://lore.kernel.org/lkml/20200828121624.108243-1-hjl.to...@gmail.com/
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/mman.h | 85
arch/x86/include/uapi/asm/mman.h | 28 ++-
include/linux/mm.h | 1 +
mm/mmap.c
rsion of the selftests patches:
https://lkml.kernel.org/r/20200521211720.20236-1-yu-cheng...@intel.com/
[5] The kernel ptrace patch is tested with an Intel-internal updated GDB.
I am holding off the kernel ptrace patch to re-test it with my earlier
patch for fixing regset holes.
Yu-
Stack applications continue to work, but without protection.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/Kconfig | 22 ++
arch/x86/Kconfig.assembler | 5 +
2 files changed, 27 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index
, arrives at a non-ENDBR opcode.
The control-protection fault handler works in a similar way as the general
protection fault handler. It provides the si_code SEGV_CPERR to the signal
handler.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
Cc: Michael Kerrisk
---
arch/x86/include/asm
ted for the 32-bit kernel.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/pgtable.h | 185 ---
arch/x86/include/asm/pgtable_types.h | 42 +-
2 files changed, 206 insertions(+), 21 deletions(-)
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/in
non-
atomically, a transient shadow stack PTE can be created as a result.
Thus, prevent that with cmpxchg.
Dave Hansen, Jann Horn, Andy Lutomirski, and Peter Zijlstra provided many
insights to the issue. Jann Horn provided the cmpxchg solution.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
c_ext', which is used to save
shadow stack restore token address and WAIT_ENDBR status. WAIT_ENDBR will
be introduced later in the Indirect Branch Tracking (IBT) series, but add
that into sc_ext now to keep the struct stable in case the IBT series is
applied later.
Signed-off-by: Yu-cheng Yu
R
[2] Indirect Branch Tracking patches v20:
https://lkml.kernel.org/r/20210210180245.13770-1-yu-cheng...@intel.com/
H.J. Lu (3):
x86/cet/ibt: Update arch_prctl functions for Indirect Branch Tracking
x86/vdso/32: Add ENDBR32 to __kernel_vsyscall entry point
x86/vdso: Insert endbr32/endbr64
compiler is up-to-date at config time.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index cafa4a2c1d2d..5e157031bf82 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1963,6
To prepare changes to arch_calc_vm_prot_bits() in the next patch, and be
consistent with other architectures, move arch_vm_get_page_prot() and
arch_calc_vm_prot_bits() to arch/x86/include/asm/mman.h.
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/mman.h | 30
be using this as a
bypass to shadow stack protection. However, the attacker would have to get
to the syscall first.
[1] https://lore.kernel.org/lkml/20200828121624.108243-1-hjl.to...@gmail.com/
Signed-off-by: Yu-cheng Yu
Reviewed-by: Kees Cook
---
arch/x86/include/asm/mman.h | 57
). A compat-mode thread shadow stack
size is further reduced to 1/4. This allows more threads to run in a 32-
bit address space.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/cet.h | 5 +++
arch/x86/include/asm/mmu_context.h | 3 ++
arch/x86/kernel/cet.c
Introduce a software-defined X86_FEATURE_CET, which indicates either Shadow
Stack or Indirect Branch Tracking (or both) is present. Also introduce
related cpu init/setup functions.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/cpufeatures.h | 2 +-
arch/x86/include/asm/disabled
Add CPU feature flags for Control-flow Enforcement Technology (CET).
CPUID.(EAX=7,ECX=0):ECX[bit 7] Shadow stack
CPUID.(EAX=7,ECX=0):EDX[bit 20] Indirect Branch Tracking
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/include/asm/disabled-features.h
https://lkml.kernel.org/r/20200521211720.20236-1-yu-cheng...@intel.com/
[5] The kernel ptrace patch is tested with an Intel-internal updated GDB.
I am holding off the kernel ptrace patch to re-test it with my earlier
patch for fixing regset holes.
Yu-cheng Yu (25):
Documentation/x86: Add
Stack applications continue to work, but without protection.
Signed-off-by: Yu-cheng Yu
---
arch/x86/Kconfig | 22 ++
arch/x86/Kconfig.assembler | 5 +
2 files changed, 27 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 21f851179ff0
ted for the 32-bit kernel.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/pgtable.h | 125 ---
arch/x86/include/asm/pgtable_types.h | 42 -
2 files changed, 154 insertions(+), 13 deletions(-)
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/in
pte_*() are updated.
Pte_modify() changes a PTE to 'newprot', but it doesn't use the pte_*().
Introduce fixup_dirty_pte(), which sets a dirty PTE, based on _PAGE_RW,
to either _PAGE_DIRTY or _PAGE_COW.
Apply the same changes to pmd_modify().
Signed-off-by: Yu-cheng Yu
---
arch/
different vma
flags, and handled accordingly in maybe_mkwrite().
Signed-off-by: Yu-cheng Yu
---
mm/memory.c | 5 ++---
mm/migrate.c | 3 +--
mm/mprotect.c | 2 +-
3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/mm/memory.c b/mm/memory.c
index feff48e1465a..1de649c61013 10064
Account shadow stack pages to stack memory.
Signed-off-by: Yu-cheng Yu
---
arch/x86/mm/pgtable.c | 7 +++
include/linux/pgtable.h | 11 +++
mm/mmap.c | 5 +
3 files changed, 23 insertions(+)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index