Unverified Commit 24005d18 authored by Palmer Dabbelt's avatar Palmer Dabbelt
Browse files

Merge patch series "riscv: SCS support" 

Sami Tolvanen <samitolvanen@google.com> says:

This series adds Shadow Call Stack (SCS) support for RISC-V. SCS
uses compiler instrumentation to store return addresses in a
separate shadow stack to protect them against accidental or
malicious overwrites. More information about SCS can be found
here:

  https://clang.llvm.org/docs/ShadowCallStack.html

Patch 1 is from Deepak, and it simplifies VMAP_STACK overflow
handling by adding support for accessing per-CPU variables
directly in assembly. The patch is included in this series to
make IRQ stack switching cleaner with SCS, and I've simply
rebased it and fixed a couple of minor issues. Patch 2 uses this
functionality to clean up the stack switching by moving duplicate
code into a single function. On RISC-V, the compiler uses the
gp register for storing the current shadow call stack pointer,
which is incompatible with global pointer relaxation. Patch 3
moves global pointer loading into a macro that can be easily
disabled with SCS. Patch 4 implements SCS register loading and
switching, and allows the feature to be enabled, and patch 5 adds
separate per-CPU IRQ shadow call stacks when CONFIG_IRQ_STACKS is
enabled. Patch 6 fixes the backward-edge CFI test in lkdtm for
RISC-V.

Note that this series requires Clang 17. Earlier Clang versions
support SCS on RISC-V, but use the x18 register instead of gp,
which isn't ideal. gcc has SCS support for arm64, but I'm not
aware of plans to support RISC-V. Once the Zicfiss extension is
ratified, it's probably preferable to use hardware-backed shadow
stacks instead of SCS on hardware that supports the extension,
and we may want to consider implementing CONFIG_DYNAMIC_SCS to
patch between the implementation at runtime (similarly to the
arm64 implementation, which switches to SCS when hardware PAC
support isn't available).

* b4-shazam-merge:
  lkdtm: Fix CFI_BACKWARD on RISC-V
  riscv: Use separate IRQ shadow call stacks
  riscv: Implement Shadow Call Stack
  riscv: Move global pointer loading to a macro
  riscv: Deduplicate IRQ stack switching
  riscv: VMAP_STACK overflow detection thread-safe

Link: https://lore.kernel.org/r/20230927224757.1154247-8-samitolvanen@google.com


Signed-off-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
parents 4630d6da 245561ba

arch/riscv/Kconfig

+6 −0
Original line number Diff line number Diff line
@@ -49,6 +49,7 @@ config RISCV 
	select ARCH_SUPPORTS_HUGETLBFS if MMU

	select ARCH_SUPPORTS_PAGE_TABLE_CHECK if MMU

	select ARCH_SUPPORTS_PER_VMA_LOCK if MMU

	select ARCH_SUPPORTS_SHADOW_CALL_STACK if HAVE_SHADOW_CALL_STACK

	select ARCH_USE_MEMTEST

	select ARCH_USE_QUEUED_RWLOCKS

	select ARCH_USES_CFI_TRAPS if CFI_CLANG
@@ -175,6 +176,11 @@ config GCC_SUPPORTS_DYNAMIC_FTRACE 
	def_bool CC_IS_GCC

	depends on $(cc-option,-fpatchable-function-entry=8)



config HAVE_SHADOW_CALL_STACK

	def_bool $(cc-option,-fsanitize=shadow-call-stack)

	# https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a484e843e6eeb51f0cb7b8819e50da6d2444d769

	depends on $(ld-option,--no-relax-gp)



config ARCH_MMAP_RND_BITS_MIN

	default 18 if 64BIT

	default 8

arch/riscv/Makefile

+4 −0
Original line number Diff line number Diff line
@@ -55,6 +55,10 @@ endif 
endif

endif



ifeq ($(CONFIG_SHADOW_CALL_STACK),y)

	KBUILD_LDFLAGS += --no-relax-gp

endif



# ISA string setting

riscv-march-$(CONFIG_ARCH_RV32I)	:= rv32ima

riscv-march-$(CONFIG_ARCH_RV64I)	:= rv64ima

arch/riscv/include/asm/asm-prototypes.h

+0 −1
Original line number Diff line number Diff line
@@ -25,7 +25,6 @@ DECLARE_DO_ERROR_INFO(do_trap_ecall_s); 
DECLARE_DO_ERROR_INFO(do_trap_ecall_m);

DECLARE_DO_ERROR_INFO(do_trap_break);



asmlinkage unsigned long get_overflow_stack(void);

asmlinkage void handle_bad_stack(struct pt_regs *regs);

asmlinkage void do_page_fault(struct pt_regs *regs);

asmlinkage void do_irq(struct pt_regs *regs);

arch/riscv/include/asm/asm.h

+41 −0
Original line number Diff line number Diff line
@@ -82,6 +82,47 @@ 
	.endr

.endm



#ifdef CONFIG_SMP

#ifdef CONFIG_32BIT

#define PER_CPU_OFFSET_SHIFT 2

#else

#define PER_CPU_OFFSET_SHIFT 3

#endif



.macro asm_per_cpu dst sym tmp

	REG_L \tmp, TASK_TI_CPU_NUM(tp)

	slli  \tmp, \tmp, PER_CPU_OFFSET_SHIFT

	la    \dst, __per_cpu_offset

	add   \dst, \dst, \tmp

	REG_L \tmp, 0(\dst)

	la    \dst, \sym

	add   \dst, \dst, \tmp

.endm

#else /* CONFIG_SMP */

.macro asm_per_cpu dst sym tmp

	la    \dst, \sym

.endm

#endif /* CONFIG_SMP */



.macro load_per_cpu dst ptr tmp

	asm_per_cpu \dst \ptr \tmp

	REG_L \dst, 0(\dst)

.endm



#ifdef CONFIG_SHADOW_CALL_STACK

/* gp is used as the shadow call stack pointer instead */

.macro load_global_pointer

.endm

#else

/* load __global_pointer to gp */

.macro load_global_pointer

.option push

.option norelax

	la gp, __global_pointer$

.option pop

.endm

#endif /* CONFIG_SHADOW_CALL_STACK */



	/* save all GPs except x1 ~ x5 */

	.macro save_from_x6_to_x31

	REG_S x6,  PT_T1(sp)

arch/riscv/include/asm/irq_stack.h

+3 −0
Original line number Diff line number Diff line
@@ -12,6 +12,9 @@ 


DECLARE_PER_CPU(ulong *, irq_stack_ptr);



asmlinkage void call_on_irq_stack(struct pt_regs *regs,

				  void (*func)(struct pt_regs *));



#ifdef CONFIG_VMAP_STACK

/*

 * To ensure that VMAP'd stack overflow detection works correctly, all VMAP'd