Hello,
Mark Brown writes:
> diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c
> index 645fe60d000f..605d4e6edc1d 100644
> --- a/arch/arm64/mm/mmap.c
> +++ b/arch/arm64/mm/mmap.c
> @@ -79,9 +79,20 @@ arch_initcall(adjust_protection_map);
>
> pgprot_t vm_get_page_prot(unsigned long vm_
Mark Brown writes:
> When a new thread is created by a thread with GCS enabled the GCS needs
> to be specified along with the regular stack. clone3() has been
> extended to support this case, allowing userspace to explicitly request
> the size for the GCS to be created, but plain clone() is no
Mark Brown writes:
> Implement the architecture neutral prtctl() interface for setting the
> shadow stack status, this supports setting and reading the current GCS
> configuration for the current thread.
>
> Userspace can enable basic GCS functionality and additionally also
> support for GCS pu
Mark Brown writes:
> Since the x86 code has not yet been rebased to v6.5-rc1 this includes
> the architecture neutral parts of Rick Edgecmbe's "x86/shstk: Introduce
> map_shadow_stack syscall".
This paragraph can be dropped now.
--
Thiago
Mark Brown writes:
> +static bool gcs_signal_cap_valid(u64 addr, u64 val)
> +{
> + /*
> + * The top bit should be set, this is an invalid address for
> + * EL0 and will only be set for caps created by signals.
> + */
> + if (!(val & GCS_SIGNAL_CAP_FLAG))
> + r
Mark Brown writes:
> +static int preserve_gcs_context(struct gcs_context __user *ctx)
> +{
> + int err = 0;
> + u64 gcspr;
> +
> + /*
> + * We will add a cap token to the frame, include it in the
> + * GCSPR_EL0 we report to support stack switching via
> + * sigreturn
Mark Brown writes:
> Provide a new register type NT_ARM_GCS reporting the current GCS mode
> and pointer for EL0. Due to the interactions with allocation and
> deallocation of Guarded Control Stacks we do not permit any changes to
> the GCS mode via ptrace, only GCSPR_EL0 may be changed.
The
I'm going a bit out-of-order to report a build failure in a test:
Mark Brown writes:
> +// Recurse x20 times
> +.macro recurse id
I get an assembler error here:
gcc -nostdlib gcs-stress-thread.S -o
/home/thiago.bauermann/src/linux/tools/testing/selftests/arm64/gcs/gcs-stress-thread
gcs-stre
Mark Brown writes:
> + /* Same thing via process_vm_readv() */
> + local_iov.iov_base = &rval;
> + local_iov.iov_len = sizeof(rval);
> + remote_iov.iov_base = (void *)gcspr;
> + remote_iov.iov_len = sizeof(rval);
> + ret = process_vm_writev(child, &local_iov, 1, &remote_
Mark Brown writes:
> diff --git
> a/tools/testing/selftests/arm64/signal/testcases/gcs_exception_fault.c
> b/tools/testing/selftests/arm64/signal/testcases/gcs_exception_fault.c
> new file mode 100644
> index ..532d533592a1
> --- /dev/null
> +++ b/tools/testing/selftests/arm64/sig
Mark Brown writes:
>> Also, it's strange that the tests defined after map_gcs.stack_overflow
>> don't run when I execute this test program. I'm doing:
>
>> $ ./run_kselftest.sh -t arm64:libc-gcs
>
>> I.e., these tests aren't being run in my FVP:
>
>> > +FIXTURE_VARIANT_ADD(map_invalid_gcs, too_
Mark Brown writes:
> arm64/mm: Restructure arch_validate_flags() for extensibility
> prctl: arch-agnostic prctl for shadow stack
> mman: Add map_shadow_stack() flags
> arm64: Document boot requirements for Guarded Control Stacks
> arm64/gcs: Document the ABI for Gu
nto latest clone3() series.
> - Link to v7:
> https://lore.kernel.org/r/20231122-arm64-gcs-v7-0-201c483bd...@kernel.org
Thank you for addressing my comments. I still have a few nets and
questions in a few patches, but regardless of them:
Reviewed-by: Thiago Jung Bauermann
--
Thiago
Mark Brown writes:
> When a new thread is created by a thread with GCS enabled the GCS needs
> to be specified along with the regular stack. clone3() has been
> extended to support this case, allowing userspace to explicitly specify
> the size and location of the GCS. The specified GCS must h
Mark Brown writes:
> +#ifdef CONFIG_ARM64_GCS
> +static int gcs_restore_signal(void)
> +{
> + u64 gcspr_el0, cap;
> + int ret;
> +
> + if (!system_supports_gcs())
> + return 0;
> +
> + if (!(current->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE))
> + retu
Mark Brown writes:
> There are things like threads which nolibc struggles with which we want
> to add coverage for, and the ABI allows us to test most of these even if
> libc itself does not understand GCS so add a test application built
> using the system libc.
>
> Signed-off-by: Mark Brown
>
Mark Brown writes:
> Do some testing of the signal handling for GCS, checking that a GCS
> frame has the expected information in it and that the expected signals
> are delivered with invalid operations.
>
> Signed-off-by: Mark Brown
> ---
> tools/testing/selftests/arm64/signal/.gitignore|
Mark Brown writes:
> On Mon, Feb 19, 2024 at 11:15:57PM -0300, Thiago Jung Bauermann wrote:
>
>> The only issue as can be seen above is that the can_call_function test
>> is failing. The child is getting a GCS Segmentation fault when returning
>> from fork().
>
>&
Mark Brown writes:
> [[PGP Signed Part:Undecided]]
> On Thu, Feb 22, 2024 at 11:24:59PM -0300, Thiago Jung Bauermann wrote:
>> Mark Brown writes:
>
>> My rootfs is Ubuntu 22.04.3. In case it's useful, my kernel config is
>> here:
>
>> https://peopl
Mark Brown writes:
> [[PGP Signed Part:Undecided]]
> On Thu, Feb 22, 2024 at 11:24:59PM -0300, Thiago Jung Bauermann wrote:
>> Mark Brown writes:
>
>> > I believe based on prior discussions that you're running this using
>> > shrinkwrap - can you confir
Hello,
> diff --git a/mm/Kconfig b/mm/Kconfig
> index b4cb45255a54..45416916dec1 100644
> --- a/mm/Kconfig
> +++ b/mm/Kconfig
> @@ -1249,6 +1249,12 @@ config IOMMU_MM_DATA
> config EXECMEM
> bool
>
> +config ARCH_HAS_USER_SHADOW_STACK
> + bool
> + help
> + The architecture
Mark Brown writes:
> +3. Allocation of Guarded Control Stacks
> +
> +
> +* When GCS is enabled for a thread a new Guarded Control Stack will be
> + allocated for it of size RLIMIT_STACK or 4 gigabytes, whichever is
s/4 gigabytes/2 gigabytes/
> + smalle
Mark Brown writes:
> diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
> index b0a67efc522b..4a3ce8e3bdfb 100644
> --- a/arch/arm64/mm/gcs.c
> +++ b/arch/arm64/mm/gcs.c
> @@ -8,6 +8,139 @@
> #include
> #include
>
> +static unsigned long alloc_gcs(unsigned long addr, unsigned long size,
Mark Brown writes:
> There are things like threads which nolibc struggles with which we want
> to add coverage for, and the ABI allows us to test most of these even if
> libc itself does not understand GCS so add a test application built
> using the system libc.
>
> Review
Mark Brown writes:
> On Thu, Jul 18, 2024 at 01:14:41PM -0300, Thiago Jung Bauermann wrote:
>
>> In my FVP VM, this test gets a GCS SIGSEGV before running the first test:
>
> Do you have THP enabled? That still doesn't work (I'm expecting it to
> be fixed wit
Mark Brown writes:
> Do some testing of the signal handling for GCS, checking that a GCS
> frame has the expected information in it and that the expected signals
> are delivered with invalid operations.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
>
for example failure to ensure that barriers
> are inserted when moving a GCS using task to another CPU. The test runs for
> a configurable amount of time, defaulting to 10 seconds.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
> ---
> tools/testing/selftests
Thiago Jung Bauermann writes:
> # # Finishing up...
> # # Thread-4030 exited with error code 255
> # not ok 1 Thread-4030
> # # Thread-4031 exited with error code 255
> # not ok 2 Thread-4031
> # # Thread-4032 exited with error code 255
> # not ok 3 Thread-4032
> # #
Hello,
Mark Brown writes:
> Add coverage of the GCS hwcap to the hwcap selftest, using a read of
> GCSPR_EL0 to generate SIGILL without having to worry about enabling GCS.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
> ---
> tools/testing/selfte
+++
> 1 file changed, 26 insertions(+)
Reviewed-by: Thiago Jung Bauermann
The clone3 test passes on my FVP setup:
Tested-by: Thiago Jung Bauermann
--
Thiago
Mark Brown writes:
> This test program just covers the basic GCS ABI, covering aspects of the
> ABI as standalone features without attempting to integrate things.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
> ---
> tools/testing/selftests/arm64/
> +++
> 4 files changed, 750 insertions(+), 1 deletion(-)
The libc-gcs test passes on my FVP setup:
Tested-by: Thiago Jung Bauermann
--
Thiago
toolchains with support for enabling GCS by default we will
> need to take care to not do that in the build system but there are no
> such toolchains yet so it is not yet an issue.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
> ---
> tools/testing/selftests/
Mark Brown writes:
> Do some testing of the signal handling for GCS, checking that a GCS
> frame has the expected information in it and that the expected signals
> are delivered with invalid operations.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
>
for example failure to ensure that barriers
> are inserted when moving a GCS using task to another CPU. The test runs for
> a configurable amount of time, defaulting to 10 seconds.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
> ---
> tools/testing/selftests
Mark Brown writes:
> On Wed, Aug 07, 2024 at 07:39:54PM -0300, Thiago Jung Bauermann wrote:
>
>> # # Thread-4870: Failed to enable GCS
>
> which is printed if a basic PR_SET_SHADOW_STACK_STATUS fails immediately
> the program starts executing:
>
> function _star
sts enable GCS on startup, ignoring failures so
> they continue to work as before on systems without GCS.
>
> Reviewed-by: Thiago Jung Bauermann
> Signed-off-by: Mark Brown
> ---
> tools/testing/selftests/arm64/fp/assembler.h | 15 +++
> tools/testing/selftests/a
37 matches
Mail list logo
