[PATCH v11 22/27] riscv: kernel command line option to opt out of user cfi

This commit adds a kernel command line option using which user cfi can be disabled. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/usercfi.c | 21 + 1 file changed, 21 insertions(+) diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c index 6e561256bfaf

Re: [PATCH v3 22/29] riscv sigcontext: adding cfi state field in sigcontext

On Fri, May 24, 2024 at 05:46:16PM +0800, Andy Chiu wrote: Hi Deepak, On Thu, Apr 4, 2024 at 7:42 AM Deepak Gupta wrote: Shadow stack needs to be saved and restored on signal delivery and signal return. sigcontext embedded in ucontext is extendible. Adding cfi state in there which can be

Re: [PATCH v3 13/29] riscv mmu: write protect and shadow stack

On Thu, May 23, 2024 at 04:59:30PM +0200, Alexandre Ghiti wrote: Hi Deepak, On Mon, May 13, 2024 at 7:32 PM Deepak Gupta wrote: On Sun, May 12, 2024 at 06:31:24PM +0200, Alexandre Ghiti wrote: >On 04/04/2024 01:35, Deepak Gupta wrote: >>`fork` implements copy on write (COW) by mak

Re: [PATCH v3 10/29] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

On Mon, May 13, 2024 at 11:36:49AM -0700, Charlie Jenkins wrote: On Mon, May 13, 2024 at 10:47:25AM -0700, Deepak Gupta wrote: On Fri, May 10, 2024 at 02:02:54PM -0700, Charlie Jenkins wrote: > On Wed, Apr 03, 2024 at 04:34:58PM -0700, Deepak Gupta wrote: > > `arch_calc_vm_prot

Re: [PATCH v3 02/29] riscv: define default value for envcfg for task

On Fri, May 10, 2024 at 03:33:36PM -0700, Charlie Jenkins wrote: On Wed, Apr 03, 2024 at 04:34:50PM -0700, Deepak Gupta wrote: Defines a base default value for envcfg per task. By default all tasks should have cache zeroing capability. Any future base capabilities that apply to all tasks can be

Re: [PATCH v3 17/29] prctl: arch-agnostic prctl for indirect branch tracking

On Fri, May 10, 2024 at 04:29:19PM -0700, Charlie Jenkins wrote: On Wed, Apr 03, 2024 at 04:35:05PM -0700, Deepak Gupta wrote: Three architectures (x86, aarch64, riscv) have support for indirect branch tracking feature in a very similar fashion. On a very high level, indirect branch tracking is

Re: [PATCH v3 10/29] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

On Sun, May 12, 2024 at 06:24:45PM +0200, Alexandre Ghiti wrote: Hi Deepak, On 04/04/2024 01:34, Deepak Gupta wrote: `arch_calc_vm_prot_bits` is implemented on risc-v to return VM_READ | VM_WRITE if PROT_WRITE is specified. Similarly `riscv_sys_mmap` is updated to convert all incoming

Re: [PATCH v3 10/29] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

On Fri, May 10, 2024 at 02:02:54PM -0700, Charlie Jenkins wrote: On Wed, Apr 03, 2024 at 04:34:58PM -0700, Deepak Gupta wrote: `arch_calc_vm_prot_bits` is implemented on risc-v to return VM_READ | VM_WRITE if PROT_WRITE is specified. Similarly `riscv_sys_mmap` is updated to convert all incoming

Re: [PATCH v3 12/29] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

On Sun, May 12, 2024 at 06:28:59PM +0200, Alexandre Ghiti wrote: On 04/04/2024 01:35, Deepak Gupta wrote: pte_mkwrite creates PTEs with WRITE encodings for underlying arch. Underlying arch can have two types of writeable mappings. One that can be written using regular store instructions

Re: [PATCH v3 13/29] riscv mmu: write protect and shadow stack

On Sun, May 12, 2024 at 06:31:24PM +0200, Alexandre Ghiti wrote: On 04/04/2024 01:35, Deepak Gupta wrote: `fork` implements copy on write (COW) by making pages readonly in child and parent both. ptep_set_wrprotect and pte_wrprotect clears _PAGE_WRITE in PTE. Assumption is that page is readable

Re: [PATCH v3 14/29] riscv/mm: Implement map_shadow_stack() syscall

On Sun, May 12, 2024 at 06:50:18PM +0200, Alexandre Ghiti wrote: On 04/04/2024 01:35, Deepak Gupta wrote: As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the existing mmap() and madvise() syscalls

Re: [PATCH v3 15/29] riscv/shstk: If needed allocate a new shadow stack on clone

On Sun, May 12, 2024 at 07:05:27PM +0200, Alexandre Ghiti wrote: On 04/04/2024 01:35, Deepak Gupta wrote: Userspace specifies VM_CLONE to share address space and spawn new thread. CLONE_VM? Yes I meant CLONE_VM, will fix it. `clone` allow userspace to specify a new stack for new

Re: [PATCH v3 27/29] riscv: Documentation for landing pad / indirect branch tracking

On Fri, May 10, 2024 at 01:30:32PM -0700, Charlie Jenkins wrote: On Wed, Apr 03, 2024 at 04:35:15PM -0700, Deepak Gupta wrote: Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta

Re: [PATCH v3 04/29] riscv: zicfilp / zicfiss in dt-bindings (extensions.yaml)

On Thu, May 09, 2024 at 09:32:49PM +0100, Conor Dooley wrote: On Thu, May 09, 2024 at 11:46:26AM -0700, Deepak Gupta wrote: On Thu, May 09, 2024 at 07:14:26PM +0100, Conor Dooley wrote: > On Tue, Apr 16, 2024 at 08:44:16AM -0700, Deepak Gupta wrote: > > On Mon, Apr 15, 2024 at 02:41:0

Re: [PATCH v3 29/29] kselftest/riscv: kselftest for user mode cfi

On Thu, May 09, 2024 at 11:21:15AM -0700, Charlie Jenkins wrote: On Wed, Apr 03, 2024 at 04:35:17PM -0700, Deepak Gupta wrote: + +int main(int argc, char *argv[]) +{ + int ret = 0; + unsigned long lpad_status = 0, ss_status = 0; + + ksft_print_header(); + + ksft_set_plan

Re: [PATCH v3 01/29] riscv: envcfg save and restore on task switching

On Wed, May 08, 2024 at 05:10:46PM -0700, Charlie Jenkins wrote: On Wed, Apr 03, 2024 at 04:34:49PM -0700, Deepak Gupta wrote: envcfg CSR defines enabling bits for cache management instructions and soon will control enabling for control flow integrity and pointer masking features. Control flow

Re: [PATCH v3 04/29] riscv: zicfilp / zicfiss in dt-bindings (extensions.yaml)

On Thu, May 09, 2024 at 07:14:26PM +0100, Conor Dooley wrote: On Tue, Apr 16, 2024 at 08:44:16AM -0700, Deepak Gupta wrote: On Mon, Apr 15, 2024 at 02:41:05PM -0500, Rob Herring wrote: > On Wed, Apr 10, 2024 at 02:37:21PM -0700, Deepak Gupta wrote: > > On Wed, Apr 10, 2024 at 4:

Re: [PATCH 07/10] riscv: add ISA extension parsing for Zcmop

On Wed, Apr 10, 2024 at 11:27:16PM +0100, Conor Dooley wrote: On Wed, Apr 10, 2024 at 11:16:11PM +0100, Conor Dooley wrote: On Wed, Apr 10, 2024 at 02:32:41PM -0700, Deepak Gupta wrote: > On Wed, Apr 10, 2024 at 11:11:00AM +0200, Clément Léger wrote: > > Add parsing for Zcmop ISA

Re: [PATCH 0/5] Add parsing for Zimop ISA extension

On Mon, Apr 08, 2024 at 10:01:12AM +0200, Clément Léger wrote: On 05/04/2024 19:33, Deepak Gupta wrote: On Fri, Apr 5, 2024 at 8:26 AM Andrew Jones wrote: On Thu, Apr 04, 2024 at 12:32:46PM +0200, Clément Léger wrote: The Zimop ISA extension was ratified recently. This series adds support

Re: [PATCH v3 04/29] riscv: zicfilp / zicfiss in dt-bindings (extensions.yaml)

On Wed, Apr 10, 2024 at 4:58 AM Rob Herring wrote: > > On Wed, Apr 03, 2024 at 04:34:52PM -0700, Deepak Gupta wrote: > > Make an entry for cfi extensions in extensions.yaml. > > > > Signed-off-by: Deepak Gupta > > --- > > .../devicetree/bindings

Re: [PATCH 00/10] Add support for a few Zc* extensions as well as Zcmop

For the series: Reviewed-by: Deepak Gupta On Wed, Apr 10, 2024 at 2:13 AM Clément Léger wrote: > > Add support for (yet again) more RVA23U64 missing extensions. Add > support for Zcmop, Zca, Zcf, Zcd and Zcb extensions isa string parsing, > hwprobe and kvm support. Zce, Z

Re: [PATCH 07/10] riscv: add ISA extension parsing for Zcmop

On Wed, Apr 10, 2024 at 11:11:00AM +0200, Clément Léger wrote: Add parsing for Zcmop ISA extension which was ratified in commit b854a709c00 ("Zcmop is ratified/1.0") of the riscv-isa-manual. Signed-off-by: Clément Léger --- arch/riscv/include/asm/hwcap.h | 1 + arch/riscv/kernel/cpufeature.c | 1

Re: [PATCH 0/5] Add parsing for Zimop ISA extension

On Fri, Apr 5, 2024 at 8:26 AM Andrew Jones wrote: > > On Thu, Apr 04, 2024 at 12:32:46PM +0200, Clément Léger wrote: > > The Zimop ISA extension was ratified recently. This series adds support > > for parsing it from riscv,isa, hwprobe export and kvm support for > > Guest/VM. > > I'm not sure we

Re: [PATCH v3 09/29] mm: abstract shadow stack vma behind `vma_is_shadow_stack`

On Thu, Apr 04, 2024 at 09:02:17PM +0200, David Hildenbrand wrote: On 04.04.24 01:34, Deepak Gupta wrote: } - } else if (!(vm_flags & VM_READ)) { + } else if (!(vm_flags & VM_READ) && !vma_is_shadow_stack(vm_flags)) { + /* reads allowed if its

Re: [PATCH v3 08/29] mm: Define VM_SHADOW_STACK for RISC-V

On Thu, Apr 4, 2024 at 12:15 PM David Hildenbrand wrote: > > On 04.04.24 21:04, Mark Brown wrote: > > On Thu, Apr 04, 2024 at 08:58:06PM +0200, David Hildenbrand wrote: > > > >> or even introduce some ARCH_HAS_SHADOW_STACK so we can remove these > >> arch-specific thingies here. > > > > It would b

[PATCH v3 29/29] kselftest/riscv: kselftest for user mode cfi

test. Make sure signal delivery results in token creation on shadow stack and consumes (and verifies) token on sigreturn - shadow stack protection test. attempts to write using regular store instruction on shadow stack memory must result in access faults Signed-off-by: Deepak

[PATCH v3 28/29] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/zicfiss.rst | 169 +++ 1 file changed, 169 insertions(+) create mode 100644 Documentation

[PATCH v3 27/29] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/zicfilp.rst | 104 +++ 1 file changed, 104 insertions(+) create mode 100644

[PATCH v3 26/29] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 18 ++ 1 file changed, 18 insertions(+) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 7e0b2bcc388f..d6f1303ef660 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -203,6

[PATCH v3 25/29] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe

Adding enumeration of zicfilp and zicfiss extensions in hwprobe syscall. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/hwprobe.h | 2 ++ arch/riscv/kernel/sys_hwprobe.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/riscv/include/uapi/asm/hwprobe.h b/arch/riscv

[PATCH v3 24/29] riscv/ptrace: riscv cfi status and state via ptrace and in core files

allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface. It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h | 18

[PATCH v3 23/29] riscv signal: Save and restore of shadow stack for signal

on sigreturn, kernel retrieves token from top of shadow stack and validates it. This allows that user mode can't arbitrary pivot to any shadow stack address without having a token and thus provide strong security assurance between signaly delivery and sigreturn window. Signed-off-by: Deepak

[PATCH v3 22/29] riscv sigcontext: adding cfi state field in sigcontext

Shadow stack needs to be saved and restored on signal delivery and signal return. sigcontext embedded in ucontext is extendible. Adding cfi state in there which can be used to save cfi state before signal delivery and restore cfi state on sigreturn Signed-off-by: Deepak Gupta --- arch/riscv

[PATCH v3 21/29] riscv/traps: Introduce software check exception

(on execution of `sspopchk`). In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/kernel/entry.S | 3 ++ arch/riscv/kernel

[PATCH v3 20/29] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/proces

[PATCH v3 19/29] riscv: Implements arch agnostic indirect branch tracking prctls

prctls implemented are: PR_SET_INDIR_BR_LP_STATUS, PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 22 - arch/riscv/kernel/process.c | 5 +++ arch/riscv/kernel/usercfi.c | 76

[PATCH v3 18/29] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 18 +- arch/riscv/kernel

[PATCH v3 17/29] prctl: arch-agnostic prctl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Signed-off-by: Deepak Gupta --- include/uapi/linux/prctl.h | 27 +++ kernel/sys.c | 30 ++ 2 files changed, 57 insertions(+) diff --git a

[PATCH v3 16/29] prctl: arch-agnostic prctl for shadow stack

Deepak Gupta but later modified by Mark Brown for arm's GCS patch series. Signed-off-by: Mark Brown Co-developed-by: Deepak Gupta --- include/linux/mm.h | 3 +++ include/uapi/linux/prctl.h | 22 ++ kernel/sys.c | 30

[PATCH v3 15/29] riscv/shstk: If needed allocate a new shadow stack on clone

provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 39 ++ arch/riscv/kernel/process.c | 12 ++- arch/riscv/kernel/user

[PATCH v3 14/29] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatibility and portability with other architectues, user mode can specify token set flag. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 2 + arch/riscv/kernel/user

[PATCH v3 13/29] riscv mmu: write protect and shadow stack

d-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 9b837239d3e8..7a1c2a98d272 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b

[PATCH v3 12/29] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range (i.e. VM_SHADOW_STACK) Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 7 +++ arch/riscv/mm/pgtable.c | 21 + 2 files changed, 28 insertions(+) diff --git a/arch/riscv/include/asm/pgtable.h b

[PATCH v3 11/29] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 1 file changed, 12 insertions(+) diff --git a/arch/riscv/include/asm

[PATCH v3 10/29] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 24 arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 11 +++ arch/riscv/mm/init.c | 2 +- mm/mmap.c| 1 + 5 files changed, 38

[PATCH v3 09/29] mm: abstract shadow stack vma behind `vma_is_shadow_stack`

-off-by: Deepak Gupta Suggested-by: Mike Rapoport --- include/linux/mm.h | 13 - mm/gup.c | 5 +++-- mm/internal.h | 2 +- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 64109f6c70f5..9952937be659 100644

[PATCH v3 08/29] mm: Define VM_SHADOW_STACK for RISC-V

: https://lore.kernel.org/lkml/20231009-arm64-gcs-v6-12-78e55deaa...@kernel.org/#r Signed-off-by: Deepak Gupta --- fs/proc/task_mmu.c | 3 +++ include/linux/mm.h | 11 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index

[PATCH v3 07/29] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 1 + arch/riscv/include/asm/thread_info.h | 3 +++ arch/riscv/include/asm/use

[PATCH v3 06/29] riscv: zicfiss / zicfilp extension csr and bit definitions

-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index bbd2207adb39..3bb126d1c5ff 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -18,6

[PATCH v3 05/29] riscv: zicfiss / zicfilp enumeration

feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/cpufeature.h | 13 + arch/riscv/include/asm/hwcap.h | 2 ++ arch/riscv/include/asm

[PATCH v3 04/29] riscv: zicfilp / zicfiss in dt-bindings (extensions.yaml)

Make an entry for cfi extensions in extensions.yaml. Signed-off-by: Deepak Gupta --- .../devicetree/bindings/riscv/extensions.yaml | 10 ++ 1 file changed, 10 insertions(+) diff --git a/Documentation/devicetree/bindings/riscv/extensions.yaml b/Documentation/devicetree

[PATCH v3 03/29] riscv/Kconfig: enable HAVE_EXIT_THREAD for riscv

riscv will need an implementation for exit_thread to clean up shadow stack when thread exits. If current thread had shadow stack enabled, shadow stack is allocated by default for any new thread. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 1 + arch/riscv/kernel/process.c | 5

[PATCH v3 02/29] riscv: define default value for envcfg for task

Defines a base default value for envcfg per task. By default all tasks should have cache zeroing capability. Any future base capabilities that apply to all tasks can be turned on same way. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 2 ++ arch/riscv/kernel/process.c | 6

[PATCH v3 01/29] riscv: envcfg save and restore on task switching

. This patch creates a place holder for envcfg CSR in `thread_info` and adds logic to save and restore on task switching. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/switch_to.h | 10 ++ arch/riscv/include/asm/thread_info.h | 1 + 2 files changed, 11 insertions(+) diff --git a

[PATCH v3 00/29] riscv control-flow integrity for usermode

Sending out v3 for cpu assisted riscv user mode control flow integrity. v2 [9] was sent a week ago for this riscv usermode control flow integrity enabling. RFC patchset was (v1) early this year (January) [7]. changes in v3 -- envcfg: logic to pick up base envcfg had a bug where `ENVCF

Re: [PATCH v2 27/27] kselftest/riscv: kselftest for user mode cfi

On Mon, Apr 1, 2024 at 10:34 AM Deepak Gupta wrote: > > On Mon, Apr 1, 2024 at 2:48 AM Muhammad Usama Anjum > wrote: > > > > >>> Signed-off-by: Deepak Gupta > > >>> --- > > >>> tools/testing/selftests/riscv/Makefile| 2 +-

Re: [PATCH v2 27/27] kselftest/riscv: kselftest for user mode cfi

On Mon, Apr 1, 2024 at 2:48 AM Muhammad Usama Anjum wrote: > > >>> Signed-off-by: Deepak Gupta > >>> --- > >>> tools/testing/selftests/riscv/Makefile| 2 +- > >>> tools/testing/selftests/riscv/cfi/Makefile| 10 + > &g

Re: [PATCH v2 27/27] kselftest/riscv: kselftest for user mode cfi

On Fri, Mar 29, 2024 at 12:50 PM Muhammad Usama Anjum wrote: > > On 3/29/24 9:44 AM, Deepak Gupta wrote: > > Adds kselftest for RISC-V control flow integrity implementation for user > > mode. There is not a lot going on in kernel for enabling landing pad for > > user mod

Re: [PATCH v2 11/27] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

On Thu, Mar 28, 2024 at 9:46 PM Deepak Gupta wrote: > > pte_mkwrite creates PTEs with WRITE encodings for underlying arch. Underlying > arch can have two types of writeable mappings. One that can be written using > regular store instructions. Another one that can only be w

Re: [PATCH v2 04/27] riscv: zicfiss/zicfilp enumeration

> > > > +- const: zicfilp > > + description: > > +The standard Zicfilp extension for enforcing forward edge > > control-flow > > +integrity as ratified in commit 0036ff2 of riscv-cfi. > > + > > +- const: zicfiss > > + description: > > +

[PATCH v2 27/27] kselftest/riscv: kselftest for user mode cfi

) token on sigreturn - shadow stack protection test. attempts to write using regular store instruction on shadow stack memory must result in access faults Signed-off-by: Deepak Gupta --- tools/testing/selftests/riscv/Makefile| 2 +- tools/testing/selftests/riscv/cfi/Makefile

[PATCH v2 26/27] riscv: Documentation for shadow stack on riscv

Adding documentation on shadow stack for user mode on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/zicfiss.rst | 169 +++ 1 file changed, 169 insertions(+) create mode 100644 Documentation

[PATCH v2 25/27] riscv: Documentation for landing pad / indirect branch tracking

Adding documentation on landing pad aka indirect branch tracking on riscv and kernel interfaces exposed so that user tasks can enable it. Signed-off-by: Deepak Gupta --- Documentation/arch/riscv/zicfilp.rst | 104 +++ 1 file changed, 104 insertions(+) create mode 100644

[PATCH v2 24/27] riscv: create a config for shadow stack and landing pad instr support

support cpu assisted user mode cfi. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 18 ++ 1 file changed, 18 insertions(+) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 7e0b2bcc388f..d6f1303ef660 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -203,6

[PATCH v2 23/27] riscv/ptrace: riscv cfi status and state via ptrace and in core files

allowed via ptrace set interface. However setting `elp` state or setting shadow stack pointer are allowed via ptrace set interface. It is expected `gdb` might have use to fixup `elp` state or `shadow stack` pointer. Signed-off-by: Deepak Gupta --- arch/riscv/include/uapi/asm/ptrace.h | 18

[PATCH v2 22/27] riscv signal: Save and restore of shadow stack for signal

on sigreturn, kernel retrieves token from top of shadow stack and validates it. This allows that user mode can't arbitrary pivot to any shadow stack address without having a token and thus provide strong security assurance between signaly delivery and sigreturn window. Signed-off-by: Deepak

[PATCH v2 21/27] riscv sigcontext: adding cfi state field in sigcontext

Shadow stack needs to be saved and restored on signal delivery and signal return. sigcontext embedded in ucontext is extendible. Adding cfi state in there which can be used to save cfi state before signal delivery and restore cfi state on sigreturn Signed-off-by: Deepak Gupta --- arch/riscv

[PATCH v2 20/27] riscv/traps: Introduce software check exception

(on execution of `sspopchk`) In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR. SEGV_CPERR was introduced by x86 shadow stack patches. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/asm-prototypes.h | 1 + arch/riscv/kernel/entry.S | 3 ++ arch/riscv/kernel

[PATCH v2 19/27] riscv/kernel: update __show_regs to print shadow stack register

Updating __show_regs to print captured shadow stack pointer as well. On tasks where shadow stack is disabled, it'll simply print 0. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/proces

[PATCH v2 18/27] riscv: Implements arch argnostic indirect branch tracking prctls

prctls implemented are PR_SET_INDIR_BR_LP_STATUS / PR_GET_INDIR_BR_LP_STATUS and PR_LOCK_INDIR_BR_LP_STATUS. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 22 - arch/riscv/kernel/process.c | 5 +++ arch/riscv/kernel/usercfi.c | 76

[PATCH v2 17/27] riscv: Implements arch agnostic shadow stack prctls

PR_SHADOW_STACK_ENABLE is implemented because RISCV allows each mode to write to their own shadow stack using `sspush` or `ssamoswap`. PR_LOCK_SHADOW_STACK_STATUS locks current configuration of shadow stack enabling. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 18 +- arch/riscv/kernel

[PATCH v2 16/27] prctl: arch-agnostic prtcl for indirect branch tracking

. - PR_LOCK_INDIR_BR_LP_STATUS: Locks configured status for indirect branch tracking for user thread. Signed-off-by: Deepak Gupta --- include/uapi/linux/prctl.h | 27 +++ kernel/sys.c | 30 ++ 2 files changed, 57 insertions

[PATCH v2 15/27] prctl: arch-agnostic prctl for shadow stack

Deepak Gupta but later modified by Mark Brown for arm's GCS patch series. Signed-off-by: Mark Brown Co-developed-by: Deepak Gupta Signed-off-by: Deepak Gupta --- include/linux/mm.h | 3 +++ include/uapi/linux/prctl.h | 22 ++ kernel/sys.c

[PATCH v2 14/27] riscv/shstk: If needed allocate a new shadow stack on clone

provided. This is not settled yet and being extensively discussed on mailing list. Once that's settled, this commit will adapt to that. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/usercfi.h | 39 ++ arch/riscv/kernel/process.c | 12 +++ arch/riscv/kernel/user

[PATCH v2 13/27] riscv/mm: Implement map_shadow_stack() syscall

setup by kernel because user mode can do that by itself. However to provide compatiblity and portability with other architectues, user mode can specify token set flag. Signed-off-by: Deepak Gupta --- arch/riscv/kernel/Makefile | 2 + arch/riscv/kernel/user

[PATCH v2 12/27] riscv mmu: write protect and shadow stack

d-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h index 9b837239d3e8..7a1c2a98d272 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b

[PATCH v2 11/27] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs

can select write PTE encoding based on VMA range. On riscv, presence of only VM_WRITE in vma->vm_flags means it's a shadow stack. Signed-off-by: Deepak Gupta rebase with a30f0ca0fa31cdb2ac3d24b7b5be9e3ae75f4175 Implementation of pte_mkwrite and pmd_mkwrite on riscv Signed-off-by: Deep

[PATCH v2 10/27] riscv mm: manufacture shadow stack pte

This patch implements creating shadow stack pte (on riscv). Creating shadow stack PTE on riscv means that clearing RWX and then setting W=1. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/pgtable.h | 12 1 file changed, 12 insertions(+) diff --git a/arch/riscv/include/asm

[PATCH v2 09/27] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE

encodings. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/mman.h| 24 arch/riscv/include/asm/pgtable.h | 1 + arch/riscv/kernel/sys_riscv.c| 11 +++ arch/riscv/mm/init.c | 2 +- mm/mmap.c| 1 + 5 files changed, 38

[PATCH v2 08/27] mm: abstract shadow stack vma behind `arch_is_shadow_stack`

each arch specific. Signed-off-by: Deepak Gupta --- include/linux/mm.h | 12 +++- mm/gup.c | 5 +++-- mm/internal.h | 2 +- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 225af437ecba..9e6a4fbfccac 100644

[PATCH v2 07/27] mm: Define VM_SHADOW_STACK for RISC-V

same. Signed-off-by: Deepak Gupta --- include/linux/mm.h | 20 +++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index f5a97dec5169..225af437ecba 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -352,7 +352,25

[PATCH v2 06/27] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit

kernel shadow stack, that means that it needs to be supported. And thus save/restore of shadow stack pointer in entry.S instead of in `switch_to.h`. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/processor.h | 1 + arch/riscv/include/asm/thread_info.h | 3 +++ arch/riscv/include/asm/use

[PATCH v2 05/27] riscv: zicfiss/zicfilp extension csr and bit definitions

-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 16 1 file changed, 16 insertions(+) diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h index bbd2207adb39..3bb126d1c5ff 100644 --- a/arch/riscv/include/asm/csr.h +++ b/arch/riscv/include/asm/csr.h @@ -18,6

[PATCH v2 04/27] riscv: zicfiss/zicfilp enumeration

device tree and accordinlgy lights up bit in cpu feature bitmap. Furthermore this patch adds detection utility functions to return whether shadow stack or landing pads are supported by cpu. Signed-off-by: Deepak Gupta --- .../devicetree/bindings/riscv/extensions.yaml | 10 ++ arch/riscv

[PATCH v2 03/27] riscv/Kconfig: enable HAVE_EXIT_THREAD for riscv

riscv will need an implementation for exit_thread to clean up shadow stack when thread exits. If current thread had shadow stack enabled, shadow stack is allocated by default for any new thread. Signed-off-by: Deepak Gupta --- arch/riscv/Kconfig | 1 + arch/riscv/kernel/process.c | 5

[PATCH v2 02/27] riscv: define default value for envcfg

Defines a base default value for envcfg per task. By default all tasks should have cache zeroing capability. Any future base capabilities that apply to all tasks can be turned on same way. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/csr.h | 2 ++ arch/riscv/kernel/process.c | 1 + 2

[PATCH v2 01/27] riscv: envcfg save and restore on task switching

. This patch creates a place holder for envcfg CSR in `thread_info` and adds logic to save and restore on task switching. Signed-off-by: Deepak Gupta --- arch/riscv/include/asm/switch_to.h | 10 ++ arch/riscv/include/asm/thread_info.h | 1 + 2 files changed, 11 insertions(+) diff --git a

[PATCH v2 00/27] riscv control-flow integrity for usermode

mm/20231122-arm64-gcs-v7-2-201c483bd...@kernel.org/ [7] - https://lore.kernel.org/lkml/20240125062739.1339782-1-de...@rivosinc.com/ [8] - https://docs.google.com/spreadsheets/d/1_cHGH4ctNVvFRiS7hW9dEGKtXLAJ3aX4Z_iTSa3Tw2U/edit#gid=0 Deepak Gupta (26): riscv: envcfg save and restore on task swit

Re: [RFC PATCH v1 09/28] mm: abstract shadow stack vma behind `arch_is_shadow_stack`

On Tue, Feb 13, 2024 at 11:34:59AM +0100, David Hildenbrand wrote: On 25.01.24 18:07, Deepak Gupta wrote: On Thu, Jan 25, 2024 at 09:18:07AM +0100, David Hildenbrand wrote: On 25.01.24 07:21, de...@rivosinc.com wrote: From: Deepak Gupta x86 has used VM_SHADOW_STACK (alias to VM_HIGH_ARCH_5

Re: [RFC PATCH v1 15/28] riscv/mm: Implement map_shadow_stack() syscall

On Fri, Feb 09, 2024 at 08:44:53PM +, Edgecombe, Rick P wrote: On Wed, 2024-01-24 at 22:21 -0800, de...@rivosinc.com wrote: From: Deepak Gupta As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") th

Re: [RFC PATCH v1 15/28] riscv/mm: Implement map_shadow_stack() syscall

On Tue, Feb 06, 2024 at 04:01:28PM +, Mark Brown wrote: On Wed, Jan 24, 2024 at 10:21:40PM -0800, de...@rivosinc.com wrote: As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the existing mmap() and madvise() s

Re: [RFC PATCH v1 18/28] prctl: arch-agnostic prtcl for indirect branch tracking

On Tue, Feb 06, 2024 at 04:13:39PM +, Mark Brown wrote: On Wed, Jan 24, 2024 at 10:21:43PM -0800, de...@rivosinc.com wrote: To allow userspace to enable this feature for itself, following prtcls are defined: - PR_GET_INDIR_BR_LP_STATUS: Gets current configured status for indirect branch

Re: [RFC PATCH v1 11/28] riscv: Implementing "PROT_SHADOWSTACK" on riscv

On Fri, Feb 09, 2024 at 08:44:35PM +, Edgecombe, Rick P wrote: On Wed, 2024-01-24 at 22:21 -0800, de...@rivosinc.com wrote: +   /* +    * PROT_SHADOWSTACK is a kernel only protection flag on risc- v. +    * mmap doesn't expect PROT_SHADOWSTACK to be set by user space. +    *

Re: [PATCH RFT v5 3/7] mm: Introduce ARCH_HAS_USER_SHADOW_STACK

uggested-by: David Hildenbrand > Acked-by: David Hildenbrand > Signed-off-by: Mark Brown Reviewed-by: Deepak Gupta

Re: [PATCH RFT v5 1/7] Documentation: userspace-api: Add shadow stack API documentation

On Fri, Feb 2, 2024 at 4:05 PM Mark Brown wrote: > > There are a number of architectures with shadow stack features which we are > presenting to userspace with as consistent an API as we can (though there > are some architecture specifics). Especially given that there are some > important consider

Re: [RFC PATCH v1 15/28] riscv/mm: Implement map_shadow_stack() syscall

On Thu, Jan 25, 2024 at 01:24:16PM -0800, Charlie Jenkins wrote: On Wed, Jan 24, 2024 at 10:21:40PM -0800, de...@rivosinc.com wrote: From: Deepak Gupta As discussed extensively in the changelog for the addition of this syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall&

Re: [RFC PATCH v1 07/28] riscv: kernel handling on trap entry/exit for user cfi

On Thu, Jan 25, 2024 at 02:47:49PM -0500, Stefan O'Rear wrote: On Thu, Jan 25, 2024, at 12:30 PM, Deepak Gupta wrote: On Thu, Jan 25, 2024 at 02:29:01AM -0500, Stefan O'Rear wrote: On Thu, Jan 25, 2024, at 1:21 AM, de...@rivosinc.com wrote: From: Deepak Gupta Carves out spa

Re: [RFC PATCH v1 24/28] riscv: select config for shadow stack and landing pad instr support

On Thu, Jan 25, 2024 at 06:44:48PM +, Conor Dooley wrote: On Thu, Jan 25, 2024 at 10:12:16AM -0800, Deepak Gupta wrote: On Thu, Jan 25, 2024 at 06:04:26PM +, Conor Dooley wrote: > On Wed, Jan 24, 2024 at 10:21:49PM -0800, de...@rivosinc.com wrote: > > From: Deepak Gupta >

Re: [RFC PATCH v1 05/28] riscv: zicfiss/zicfilp enumeration

On Thu, Jan 25, 2024 at 05:59:24PM +, Conor Dooley wrote: Yo, Series is RFC, so not gonna review it in depth, just wanted to comment on this particular patch. On Wed, Jan 24, 2024 at 10:21:30PM -0800, de...@rivosinc.com wrote: From: Deepak Gupta This patch adds support for detecting

Re: [RFC PATCH v1 24/28] riscv: select config for shadow stack and landing pad instr support

On Thu, Jan 25, 2024 at 06:04:26PM +, Conor Dooley wrote: On Wed, Jan 24, 2024 at 10:21:49PM -0800, de...@rivosinc.com wrote: From: Deepak Gupta This patch selects config shadow stack support and landing pad instr support. Shadow stack support and landing instr support is hidden behind

  1   2   >