-by: Mark Brown
---
arch/x86/include/asm/shstk.h | 11 +++--
arch/x86/kernel/process.c| 2 +-
arch/x86/kernel/shstk.c | 105 ++-
include/linux/sched/task.h | 13 ++
include/uapi/linux/sched.h | 13 --
kernel/fork.c
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3_selftests.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h
b/tools/testing/selftests/clone3/clone3_selftests.h
index 3d2663fe50ba..39b5dcba663c 100644
--- a/tools/testing/s
change.
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 77 -
1 file changed, 37 insertions(+), 40 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3.c
b/tools/testing/selftests/clone3/clone3.c
index e61f07973ce5..e066b201fa64
In order to improve diagnostics and allow tests to explicitly look for
signals check to see if the child exited due to a signal and if it did
print the code and return it as a positive value, distinct from the
negative errnos currently returned.
Signed-off-by: Mark Brown
---
tools/testing
lone3() may return
-E2BIG due to the use of newer struct versions. Currently no tests need
this but it will become an issue for testing clone3() support for shadow
stacks, the support for shadow stacks is already present on x86.
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.
., this should be overly cautious.
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 134 +-
tools/testing/selftests/clone3/clone3_selftests.h | 38 ++
2 files changed, 171 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests
On Thu, Aug 08, 2024 at 03:23:50AM -0300, Thiago Jung Bauermann wrote:
> Thank you for the pointer. It turned out that I accidentally ran the
> selftests binaries from the v9 version instead of the v10 version, and
> the gcs-stress-thread binary failed because it was using the old value
> for PR_S
On Fri, Aug 09, 2024 at 07:19:26PM +0100, Catalin Marinas wrote:
> On Thu, Aug 08, 2024 at 09:15:25AM +0100, Mark Brown wrote:
> > + /* This should really be an atomic cmpxchg. It is not. */
> > + if (access_remote_vm(mm, addr, &val, sizeof(val),
> > +
On Mon, Aug 12, 2024 at 03:09:24PM +0100, Andre Przywara wrote:
> + /* Did we find the lowest supported VL? */
> + if (use_sme && vq < sve_vq_from_vl(vl))
> + break;
We don't need the use_sme check here, SVE is just architecturally
guaranteed to never t
On Tue, Aug 13, 2024 at 05:25:47PM +0100, Catalin Marinas wrote:
> However, the x86 would be slightly inconsistent here between clone() and
> clone3(). I guess it depends how you look at it. The classic clone()
> syscall, if one doesn't pass CLONE_VM but does set new stack, there's no
> new shadow
On Wed, Aug 14, 2024 at 10:38:54AM +0100, Catalin Marinas wrote:
> On Tue, Aug 13, 2024 at 07:58:26PM +0100, Mark Brown wrote:
> > ISTR the concerns were around someone being clever with vfork() but I
> > don't remember anything super concrete. In terms of the inconsisten
On Wed, Aug 14, 2024 at 03:51:42PM +0100, Dave Martin wrote:
> On Thu, Aug 01, 2024 at 01:06:50PM +0100, Mark Brown wrote:
> > + put_user_gcs((unsigned long)sigtramp, gcspr_el0 - 2, &ret);
> > + put_user_gcs(GCS_SIGNAL_CAP(gcspr_el0 - 1), gcspr_el0 - 1, &ret
On Wed, Aug 14, 2024 at 04:09:51PM +0100, Dave Martin wrote:
> On Thu, Aug 01, 2024 at 01:06:51PM +0100, Mark Brown wrote:
> > + if (add_all || task_gcs_el0_enabled(current)) {
> > + err = sigframe_alloc(user, &user->gcs_offset,
> > +
On Thu, Aug 15, 2024 at 12:18:23AM +, Edgecombe, Rick P wrote:
> On Thu, 2024-08-08 at 09:15 +0100, Mark Brown wrote:
> > + ssp = args->shadow_stack + args->shadow_stack_size;
> > + addr = ssp - SS_FRAME_SIZE;
> > + expected = ssp | BIT(0);
>
On Thu, Aug 15, 2024 at 02:37:22PM +0100, Dave Martin wrote:
> Is there a test for taking and returning from a signal on an alternate
> (main) stack, when a shadow stack is in use? Sounds like something
> that would be good to check if not.
Not specifically for any of the architectures.
signat
On Thu, Aug 15, 2024 at 03:01:21PM +0100, Dave Martin wrote:
> My thought was that if libc knows about shadow stacks, it is probably
> going to be built to use them too and so would enable shadow stack
> during startup to protect its own code.
> (Technically those would be independent decisions,
On Thu, Aug 15, 2024 at 03:20:52PM +, Edgecombe, Rick P wrote:
> On Thu, 2024-08-01 at 13:06 +0100, Mark Brown wrote:
> > Use VM_HIGH_ARCH_5 for guarded control stack pages.
> FYI - If you want to have more complete guard gaps, you need to do this for
> arm
> too:
> ht
On Thu, Aug 15, 2024 at 04:11:56PM +0100, Dave Martin wrote:
> On Thu, Aug 15, 2024 at 03:45:45PM +0100, Mark Brown wrote:
> > On Thu, Aug 15, 2024 at 02:37:22PM +0100, Dave Martin wrote:
> > > Is there a test for taking and returning from a signal on an alternate
> >
On Thu, Aug 15, 2024 at 04:26:47PM +0100, Mark Brown wrote:
> On Thu, Aug 15, 2024 at 03:20:52PM +, Edgecombe, Rick P wrote:
> > FYI - If you want to have more complete guard gaps, you need to do this for
> > arm
> > too:
> > https://lore.kernel.org/linux-
On Thu, Aug 15, 2024 at 06:00:15PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:31PM +0100, Mark Brown wrote:
> > + - If EL2 is present:
> > +- GCSCR_EL2 must be initialised to 0.
> > + - If the kernel is entered at EL1 and EL2 is present:
> >
On Thu, Aug 15, 2024 at 05:53:19PM +, Edgecombe, Rick P wrote:
> On Thu, 2024-08-15 at 17:39 +0100, Mark Brown wrote:
> > > Oh, thanks for the heads up - I'd missed that.
> > Looking at this I think it makes sense to do as was done for x86 and
> > split this out
On Fri, Aug 16, 2024 at 09:44:46AM +0100, Catalin Marinas wrote:
> We could, in theory, consume this token in the parent before the child
> mm is created. The downside is that if a parent forks multiple
> processes using the same shadow stack, it will have to set the token
> each time. I'd be fine
On Fri, Aug 16, 2024 at 12:09:01PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:32PM +0100, Mark Brown wrote:
> > +* EL0 GCS entries with bit 63 set are reserved for use, one such use is
> > defined
> Maybe "reserved for specific uses". The proposed
On Fri, Aug 16, 2024 at 03:15:19PM +0100, Marc Zyngier wrote:
> Mark Brown wrote:
> > + { SYS_DESC(SYS_GCSCR_EL1), NULL, reset_val, GCSCR_EL1, 0 },
> > + { SYS_DESC(SYS_GCSPR_EL1), NULL, reset_unknown, GCSPR_EL1 },
> > + { SYS_DESC(SYS_GCSCRE0_EL1), NULL, rese
On Fri, Aug 16, 2024 at 02:52:28PM +, Edgecombe, Rick P wrote:
> On Fri, 2024-08-16 at 09:44 +0100, Catalin Marinas wrote:
> > BTW, since it's the parent setting up the shadow stack in its own
> > address space before forking, I think at least the read can avoid
> > access_remote_vm() and we c
On Fri, Aug 16, 2024 at 04:29:13PM +0100, Catalin Marinas wrote:
> On Fri, Aug 16, 2024 at 11:51:57AM +0100, Mark Brown wrote:
> > I change back to parsing the token in the parent but I don't want to end
> > up in a cycle of bouncing between the two implementations depending o
On Fri, Aug 16, 2024 at 05:52:20PM +0200, Jann Horn wrote:
> As a heads-up so you don't get surprised by this in the future:
> Because clone3() does not pass the flags in a register like clone()
> does, it is not available in places like docker containers that use
> the default Docker seccomp pol
are
> not strictly identical, the compiler warns about it:
> : warning: "_GNU_SOURCE" redefined
> : note: this is the location of the previous definition
Reviewed-by: Mark Brown
On Fri, Aug 16, 2024 at 04:32:45PM +0100, Andre Przywara wrote:
> The F8DP2 DPISA extension has a separate cpuinfo field, named
> accordingly.
> Change the erroneously placed name of "f8dp4" to "f8dp2".
Reviewed-by: Mark Brown
On Fri, Aug 16, 2024 at 04:32:46PM +0100, Andre Przywara wrote:
> If MTE is not available on a system, we detect this early and skip all
> the MTE selftests. However this happens before we print the TAP plan, so
> tools parsing the TAP output get confused and report an error.
Reviewed
test/arm64: Add utilities and a test to validate
> mte memory")
I'm not sure this qualifies as a fix given that all the strings we're
passing in here are trusted... otherwise this looks good.
Reviewed-by: Mark Brown
On Fri, Aug 16, 2024 at 04:32:48PM +0100, Andre Przywara wrote:
> When masking the return value of a prctl, which is clearly an "int", we
> use a uapi header provided mask, which is defined using an "UL" modifier,
> so the whole expression is promoted to a long. This upsets the compiler's
> printf
question is defined in a
> kernel uapi header, which uses a self defined __u64 type, and the arm64
> kernel headers define this using "int-ll64.h", so it becomes an
> "unsigned long long". This mismatch leads to the usual compiler warning.
Reviewed-by: Mark Brown
mte memory")
This is another one where calling it a fix seems like it's pushing it,
it's a modernisation rather than a correctness thing. Otherwise
Reviewed-by: Mark Brown
On Fri, Aug 16, 2024 at 04:32:51PM +0100, Andre Przywara wrote:
> When checking MTE tags, we print some diagnostic messages when the tests
> fail. Some variables used there are "longs", however we only use "%x"
> for the format specifier.
Reviewed-by: Mark Brown
s
On Fri, Aug 16, 2024 at 04:38:48PM +0100, Catalin Marinas wrote:
> On Fri, Aug 16, 2024 at 02:52:28PM +, Edgecombe, Rick P wrote:
> > On the x86 side, we don't have a shadow stack access CMPXCHG. We will have
> > to
> > GUP and do a normal CMPXCHG off of the direct map to handle it fully
> >
On Fri, Aug 16, 2024 at 05:55:48PM +0100, Andre Przywara wrote:
> Mark Brown wrote:
> > On Fri, Aug 16, 2024 at 04:32:48PM +0100, Andre Przywara wrote:
> > > ksft_print_msg("Got %x, expected %x\n",
> > > -
On Fri, Aug 16, 2024 at 05:59:08PM +0100, Andre Przywara wrote:
> Mark Brown wrote:
> > On Fri, Aug 16, 2024 at 04:32:50PM +0100, Andre Przywara wrote:
> > > Fixes: e9b60476bea0 ("kselftest/arm64: Add utilities and a test to
> > > validate mte memory")
On Fri, Aug 16, 2024 at 07:08:09PM +0200, Jann Horn wrote:
> Yeah, having a FOLL_FORCE write in clone3 would be a weakness for
> userspace CFI and probably make it possible to violate mseal()
> restrictions that are supposed to enforce that address space regions
> are read-only.
Note that this wi
On Mon, Aug 19, 2024 at 10:17:52AM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:45PM +0100, Mark Brown wrote:
> > +static bool is_invalid_gcs_access(struct vm_area_struct *vma, u64 esr)
> > +{
> > + if (unlikely(is_gcs_fault(esr))) {
> > +
On Mon, Aug 19, 2024 at 12:46:13PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:46PM +0100, Mark Brown wrote:
> > + /*
> > +* Ensure that GCS changes are observable by/from other PEs in
> > +* case of migration.
> > +*/
> > +
On Mon, Aug 19, 2024 at 01:04:18PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:47PM +0100, Mark Brown wrote:
> > +static int copy_thread_gcs(struct task_struct *p,
> > + const struct kernel_clone_args *args)
> > +{
>
er if only one vector length is
> supported (but za_regs is correct)
Reviewed-by: Mark Brown
On Mon, Aug 19, 2024 at 10:10:36AM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:40PM +0100, Mark Brown wrote:
> > + if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) {
> > + /*
> > +* An executable
adow stacks are supported it
seemed sensible to roll it in here.
[1] https://lore.kernel.org/r/20231009-arm64-gcs-v6-0-78e55deaa...@kernel.org/
Signed-off-by: Mark Brown
---
Changes in v9:
- Pull token validation earlier and report problems with an error return
to parent rather than signal delive
feature let's provide some documentation covering the common aspects.
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
Documentation/userspace-api/index.rst| 1 +
Documentation/userspace-api/shadow_stack.rst
interfaces.
Reviewed-by: Rick Edgecombe
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/ksft_shstk.h | 63
1 file changed, 63 insertions(+)
diff --git a/tools/testing/selftests/ksft_shstk.h
b
Gupta
Reviewed-by: Rick Edgecombe
Reviewed-by: Mike Rapoport (IBM)
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
mm/Kconfig | 6
-by: Mark Brown
---
arch/x86/include/asm/shstk.h | 11 +++--
arch/x86/kernel/process.c| 2 +-
arch/x86/kernel/shstk.c | 103 +-
include/linux/sched/task.h | 18 +++
include/uapi/linux/sched.h | 13 +++--
kernel/fork.c| 114
s.
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3_selftests.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h
b/tools/testing/selftests/clone3/clone3_se
change.
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 77 -
1 file changed, 37 insertions(+), 40 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3.c
b
d-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/clone3/clone3.c
b/tools/testing/selftests/clone3/clone3.c
index e066b201fa64..5b8b7d640e70 100644
--- a/tools/testing/selftests/clone3/clone3.c
+++ b/
., this should be overly cautious.
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 147 +-
tools/testing/selftests/clone3/clone3_selftests.h | 38 ++
2 files changed, 184 insertions(+), 1 deletion(-)
diff --git a/tools
On Tue, Aug 20, 2024 at 03:59:21PM +0100, Catalin Marinas wrote:
> On Mon, Aug 19, 2024 at 05:33:24PM +0100, Mark Brown wrote:
> > On Mon, Aug 19, 2024 at 10:10:36AM +0100, Catalin Marinas wrote:
> > > At a quick look, do_mmap() seems to always set VM_MAYEXEC but discar
On Mon, Aug 19, 2024 at 04:44:52PM +0100, Mark Brown wrote:
> On Mon, Aug 19, 2024 at 12:46:13PM +0100, Catalin Marinas wrote:
> > On Thu, Aug 01, 2024 at 01:06:46PM +0100, Mark Brown wrote:
> > > + /*
> > > + * Ensure that GCS changes are observable by/from othe
On Tue, Aug 20, 2024 at 09:36:46PM +, Edgecombe, Rick P wrote:
> On Mon, 2024-08-19 at 20:24 +0100, Mark Brown wrote:
> > + /* This should really be an atomic cmpxchg. It is not. */
> > + copy_from_user_page(vma, page, addr, &
On Tue, Aug 20, 2024 at 11:57:23PM +, Edgecombe, Rick P wrote:
> On Wed, 2024-08-21 at 00:34 +0100, Mark Brown wrote:
> > I was doing things this way for symmetry with how we specify the normal
> > stack. That's a bit different since the kernel will actually use the
>
On Wed, Aug 21, 2024 at 01:45:16AM +, Edgecombe, Rick P wrote:
> On Wed, 2024-08-21 at 01:19 +0100, Mark Brown wrote:
> > I think it's going to be strange one way or another, either you specify
> > a size that we don't currently really use or you have two things bot
On Wed, Aug 21, 2024 at 09:50:22AM +0100, Catalin Marinas wrote:
> On Tue, Aug 20, 2024 at 06:56:19PM +0100, Mark Brown wrote:
> > I forgot when writing the above that we always allow reads from
> > GCSPR_EL0 in order to avoid corner cases for unwinders in the case of
> >
On Wed, Aug 21, 2024 at 01:54:33PM +0100, Catalin Marinas wrote:
> Otherwise it looks fine.
> Reviewed-by: Catalin Marinas
I've also added:
+
+ /* Ensure we remember GCSPR_EL0 if we're disabling. */
+ if (task_gcs_el0_enabled(current))
+ current->thread.gcspr_el0 = re
On Wed, Aug 21, 2024 at 03:54:49PM +, Edgecombe, Rick P wrote:
> On Wed, 2024-08-21 at 13:45 +0100, Mark Brown wrote:
> > It's entirely possible it just leaked. My own attempts to dig through
> > the archives haven't turned up anything on the subject either, it see
On Wed, Aug 21, 2024 at 06:28:49PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:50PM +0100, Mark Brown wrote:
> > + ret = copy_from_user(&cap, (__user void*)gcspr_el0, sizeof(cap));
> > + if (ret)
> > + return -EFAULT;
> Can the us
On Wed, Aug 21, 2024 at 06:57:16PM +0100, Catalin Marinas wrote:
> On Thu, Aug 01, 2024 at 01:06:52PM +0100, Mark Brown wrote:
> > + if (user_gcs.features_enabled & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK)
> > + return -EINVAL;
> > + /* Do not allow enable
On Wed, Aug 21, 2024 at 07:28:08PM +0100, Mark Brown wrote:
> part of an otherwise invalid write. The validation is checking for
> unknown features and enables. With clone3() we could relax the enable
> check, but I've just pulled that out of the series for the time being.
Act
adow stacks are supported it
seemed sensible to roll it in here.
[1] https://lore.kernel.org/r/20231009-arm64-gcs-v6-0-78e55deaa...@kernel.org/
Signed-off-by: Mark Brown
---
Changes in v10:
- Integrate fixes & improvements for the x86 implementation from Rick
Edgecombe.
- Require that the shado
feature let's provide some documentation covering the common aspects.
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
Documentation/userspace-api/index.rst| 1 +
Documentation/userspace-api/shadow_stack.rst
interfaces.
Reviewed-by: Rick Edgecombe
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/ksft_shstk.h | 61
1 file changed, 61 insertions(+)
diff --git a/tools/testing/selftests/ksft_shstk.h
b
Gupta
Reviewed-by: Rick Edgecombe
Reviewed-by: Mike Rapoport (IBM)
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
mm/Kconfig | 6
thread is executed.
Since we are now using more fields from the kernel_clone_args we pass that
into the shadow stack code rather than individual fields.
Portions of the x86 architecture code were written by Rick Edgecombe.
Signed-off-by: Mark Brown
---
arch/x86/include/asm/shstk.h | 11
s.
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3_selftests.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h
b/tools/testing/selftests/clone3/clone3_se
change.
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 77 -
1 file changed, 37 insertions(+), 40 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3.c
b
d-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/clone3/clone3.c
b/tools/testing/selftests/clone3/clone3.c
index e066b201fa64..5b8b7d640e70 100644
--- a/tools/testing/selftests/clone3/clone3.c
+++ b/
., this should be overly cautious.
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 171 +-
tools/testing/selftests/clone3/clone3_selftests.h | 38 +
2 files changed, 208 insertions(+), 1 deletion(-)
diff --git a/tools
hadow-stack-v9-0-962d74f99...@kernel.org
Previous versions of this series depended on that, this dependency has
been removed in order to make merging easier.
[1] https://lore.kernel.org/lkml/20230213045351.3945824-1-de...@rivosinc.com/
Signed-off-by: Mark Brown
---
Changes in v11:
- Remove the depen
Gupta
Reviewed-by: Rick Edgecombe
Reviewed-by: Mike Rapoport (IBM)
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
mm/Kconfig | 6
.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/mman.h | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h
index 5966ee4a6154
locking interface reworked. The set status prctl()
is also reworked to just set flags, if setting/reading the shadow stack
pointer is required this could be a separate prctl.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
include/linux/mm.h
stack marker suitable for use by unwinders should be added
above that.
For arm64 the top of stack marker is all bits 0.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/x86/include/uapi/asm/mman.h | 3 ---
include/uapi/asm-generic/mman.h | 4
fault
we also require that the feature be specifically disabled, existing
kernels implicitly have this requirement and especially given that the
MMU must be disabled it is difficult to see a situation where leaving
GCS enabled would be reasonable.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark
Add some documentation of the userspace ABI for Guarded Control Stacks.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/gcs.rst | 230 +
Documentation/arch/arm64/index.rst | 1 +
2 files changed, 231 insertions
The architecture defines a format for guarded control stack caps, used
to mark the top of an unused GCS in order to limit the potential for
exploitation via stack switching. Add definitions associated with these.
Reviewed-by: Thiago Jung Bauermann
Acked-by: Catalin Marinas
Signed-off-by: Mark
sufficiently fast paths for this to be a problem.
Note that GCSSTTR is used to store to EL0.
Reviewed-by: Thiago Jung Bauermann
Acked-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 51
arch/arm64/include/asm/uaccess.h | 22
In order for EL1 to write to an EL0 GCS it must use the GCSSTTR instruction
rather than a normal STTR. Provide a put_user_gcs() which does this.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/uaccess.h | 18
function call instructions without faulting regardless of the
state when the kernel is started.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/el2_setup.h | 29 +
1 file changed, 29 insertions(+)
diff
Add a cpufeature for GCS, allowing other code to conditionally support it
at runtime.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/cpufeature.h | 6 ++
arch/arm64/kernel/cpufeature.c | 9 +
arch/arm64
-by: Mark Brown
---
arch/arm64/include/asm/pgtable-prot.h | 14 --
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/pgtable-prot.h
b/arch/arm64/include/asm/pgtable-prot.h
index b11cfb9fdd37..545d54c88520 100644
--- a/arch/arm64/include/asm/pgtable
Use VM_HIGH_ARCH_5 for guarded control stack pages.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/filesystems/proc.rst | 2 +-
include/linux/mm.h | 12 +++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Documentation
Map pages flagged as being part of a GCS as such rather than using the
full set of generic VM flags.
This is done using a conditional rather than extending the size of
protection_map since that would make for a very sparse array.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
deliberately conservative choice to avoid errors due to oversights.
Further fields should be made writable in future.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/kvm_host.h | 12
arch/arm64/include/asm/vncr_mapping.h | 2 ++
arch/arm64/kvm
Hook up an override for GCS, allowing it to be disabled from the command
line by specifying arm64.nogcs in case there are problems.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/admin-guide/kernel-parameters.txt | 3 +++
arch/arm64/kernel/pi/idreg-override.c
Provide a hwcap to enable userspace to detect support for GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/elf_hwcaps.rst | 2 ++
arch/arm64/include/asm/hwcap.h | 1 +
arch/arm64/include/uapi/asm/hwcap.h | 1 +
arch/arm64/kernel
ating any GCS
fault as fatal.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/esr.h | 28 +++-
arch/arm64/include/asm/exception.h | 2 ++
arch/arm64/kernel/entry-common.c | 23 +++
arch/arm64/kernel/tr
it
attempts to do GCS operations outside a GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/mm/fault.c | 40
1 file changed, 40 insertions(+)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 451ba7cbd5ad
been disabled.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 24
arch/arm64/include/asm/processor.h | 6
arch/arm64/kernel/process.c| 56 ++
arch/arm64/mm/Makefile | 1 +
arch/arm64/mm/gcs.c
allocate
min(RLIMIT_STACK, 2G). Since the GCS only stores the call stack and not
any variables this should be more than sufficient for most applications.
GCSs allocated via this mechanism will be freed when the thread exits.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 9
-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 22 +++
arch/arm64/include/asm/processor.h | 1 +
arch/arm64/mm/gcs.c| 79 ++
3 files changed, 102 insertions(+)
diff --git a/arch/arm64/include
hiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/mm/gcs.c | 64 +
1 file changed, 64 insertions(+)
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
index 5eb746fdd872..d9614900c910 100644
--- a/arc
;t be interpreted as
a valid token or address.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 1 +
arch/arm64/kernel/signal.c | 112 +--
arch/arm64/mm/gcs.c | 1 +
3 files changed, 109 insertions(
, there is a conflict
between specifying GCSPR_EL0 and allocation of a new GCS and this is not
an anticipated use case. We also enforce GCS configuration locking on
signal return.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/uapi/asm/sigcontext.h | 9
Signed-off-by: Mark Brown
---
arch/arm64/include/uapi/asm/ptrace.h | 8 ++
arch/arm64/kernel/ptrace.c | 54
include/uapi/linux/elf.h | 1 +
3 files changed, 63 insertions(+)
diff --git a/arch/arm64/include/uapi/asm/ptrace.h
b