From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id EACBDC369AB for ; Thu, 24 Apr 2025 07:21:35 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 6F86D6B009A; Thu, 24 Apr 2025 03:21:33 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 6A7BB6B009B; Thu, 24 Apr 2025 03:21:33 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4F94F6B009C; Thu, 24 Apr 2025 03:21:33 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 30BBC6B009A for ; Thu, 24 Apr 2025 03:21:33 -0400 (EDT) Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id A684D5CE51 for ; Thu, 24 Apr 2025 07:21:34 +0000 (UTC) X-FDA: 83368092108.07.CE1E7A2 Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by imf04.hostedemail.com (Postfix) with ESMTP id A2E814000D for ; Thu, 24 Apr 2025 07:21:32 +0000 (UTC) Authentication-Results: imf04.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=WIFWHSiq; dmarc=none; spf=pass (imf04.hostedemail.com: domain of debug@rivosinc.com designates 209.85.214.177 as permitted sender) smtp.mailfrom=debug@rivosinc.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1745479292; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=mcntQok0wk3iJ8iZbS6V998dXaV1Hr+80902cU7ySpE=; b=SaEjC8Jr8J3NJvdAgveiwJYMne+jN94n3Heh4+RdikGlXb1Se62UBAkX+1iPJuHMfxjHc8 GSOFtapC5P/rfu58wvju/NG3Tr3WBzCQ4I4lFYlpMViBN1owXuhI4H2NndRoMct5plqlAL PNI8fccCj/Dxq96bfW/axt+mscUOmmQ= ARC-Authentication-Results: i=1; imf04.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=WIFWHSiq; dmarc=none; spf=pass (imf04.hostedemail.com: domain of debug@rivosinc.com designates 209.85.214.177 as permitted sender) smtp.mailfrom=debug@rivosinc.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1745479292; a=rsa-sha256; cv=none; b=dKtkUhA+Hi0YqaKAxxPhHyF5f0TPQWDRf+3NizHMO77ql3LDxbGt5A4a+pdmzMmrjlGRkQ CGKyA+eeRzx5MHeUsb0u8YFlcwAeJk2VXfhpuDEXHJ175GCbpmU3wV7Uhz4ZKk2dnVvt0U iUZGuRXYhAAoo4f5pumoJaPeZlC1edY= Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-224171d6826so10030545ad.3 for ; Thu, 24 Apr 2025 00:21:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1745479291; x=1746084091; darn=kvack.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=mcntQok0wk3iJ8iZbS6V998dXaV1Hr+80902cU7ySpE=; b=WIFWHSiqShZyTdbdIdRDSotKuhiX4tVowXwYhLDtWglHGRMLX3gB+8OsFE4kDuAemD JVYMnEvQlnnSwsnDjWYPWSFWvoEBEs6/3C1JMcoi3+f7ddTEwmlRGkN7BniVosbaKOhd 58jwT9GZK4Xya8+Y2orzw+E+PfeUu4uZOmEIMSDoHXk7+lij6T9oIHQxVbOfDBWhUij7 TurhYY82yL0uWJsaVgE42NKVkgLdtOD6lx7jCyRdhJKSChJ1bef4DZFF5/6T/3k/23fX i569w+U3KSNkye4pMwMe6p0HFrPSfzJ9JQ+mdkmdODsIWwqygNCrFyyLHlqHWBKUkjhv ii0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745479291; x=1746084091; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mcntQok0wk3iJ8iZbS6V998dXaV1Hr+80902cU7ySpE=; b=vLhvgEp/35O4dB81LIVGwQiBlZR/1pxg3weyExQ86EqY+ZpfBuhz5RJjKgExuerZKq 2tgEluM8Y13wyT+zbVtkJJc/m/3UACXndBiHRPmM9qPtMobpk+polBx3NOBJPGSC4J47 3tH0E9nfr7iMgbET6jSeYiq8DDT4zvRT7sDEedvIVondwwIFxGW7Eo6YRSV7pXYrCWZz bl0QduE0WVwzzxfWkyxFvQY2Ui3tU/xFQdpTa+MWx4amijASob3MWgmtiZhNXrvEoT33 WsjEasZqC3UP2iGqlMXN1+5PJ3JpZk2YzLR5NluMUpjP22uVFRjTCHKGsveoXPZYLv8s PHow== X-Forwarded-Encrypted: i=1; AJvYcCUY3MAETv4QTRXqjSLatLdnbH5absVp3yx9vRMkh0esNisofnJPCbwLUI/53IngxjtpkhEbLsLAfA==@kvack.org X-Gm-Message-State: AOJu0YwldEm/k3DXJ4WLHgVcJbrWjPT//DCSZh+LJzvakTdFTQVDPpbV xztC3ZTEn7e6d+AMfPK7XBVHBTDq9NaIrucFHsemNLQYxVyhgFLidJHDCbCXrP8= X-Gm-Gg: ASbGncva5YlN4044Nqz8dtGjxT+HOd0hPbJKWyIVNn3Kk3ADidUolI/6eYYaaNpVkRM fKR4+N16WbX/abgieJ1QIjiyMn4tFPYetAtZMmG1e8B4yL+TOMTqQBKtQE15bNAPGRW2qLO/xIt vf7tmI80cqWhn5NIV29vU8x0K1XU4h3Zb7M9aj1GfhPeHReqaaPIpwaF92LbWUAyHGNElnscvjD FMDe6WDR8vBT4t6X+/kLDhh/WuRcyRi2edcC0xa6+us/zQozE4dYiLVjFZKyQ39veoep3LZ3maW oihCQQeZUUTJqtqdAFpMNOd4NmbnOeBfUPo1oxqMTD0YAxxa99c= X-Google-Smtp-Source: AGHT+IFbZQBplGGPUh5yKjE/KcQHZAlRCUHXnAaHGx00BmEziifJsSdazDIx9PeaOfdMrQHkRGw+Zw== X-Received: by 2002:a17:902:ebc3:b0:223:5379:5e4e with SMTP id d9443c01a7336-22db3ba02edmr26388545ad.10.1745479291499; Thu, 24 Apr 2025 00:21:31 -0700 (PDT) Received: from debug.ba.rivosinc.com ([64.71.180.162]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-22db52163d6sm6240765ad.214.2025.04.24.00.21.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Apr 2025 00:21:31 -0700 (PDT) From: Deepak Gupta Date: Thu, 24 Apr 2025 00:20:36 -0700 Subject: [PATCH v13 21/28] riscv: kernel command line option to opt out of user cfi MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20250424-v5_user_cfi_series-v13-21-971437de586a@rivosinc.com> References: <20250424-v5_user_cfi_series-v13-0-971437de586a@rivosinc.com> In-Reply-To: <20250424-v5_user_cfi_series-v13-0-971437de586a@rivosinc.com> To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Andrew Morton , "Liam R. Howlett" , Vlastimil Babka , Lorenzo Stoakes , Paul Walmsley , Palmer Dabbelt , Albert Ou , Conor Dooley , Rob Herring , Krzysztof Kozlowski , Arnd Bergmann , Christian Brauner , Peter Zijlstra , Oleg Nesterov , Eric Biederman , Kees Cook , Jonathan Corbet , Shuah Khan , Jann Horn , Conor Dooley , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, rust-for-linux@vger.kernel.org, Deepak Gupta X-Mailer: b4 0.13.0 X-Stat-Signature: x3zb95jwnpsfwsa7zcojboydsrzzimh4 X-Rspamd-Queue-Id: A2E814000D X-Rspam-User: X-Rspamd-Server: rspam05 X-HE-Tag: 1745479292-25539 X-HE-Meta: U2FsdGVkX19KPjbuQHcbpWpDIgwItF7039zqO9Vuycrom9UCsr/ewDniDpVUwh2Py2GSqwCLnVWt6ICYcePFzgV2r2MyzA70U+dHgQ+yp5t/DvVfn+HhLVle5TCOosjo1yEBWc6TFv3lRRoLJbAxNP19O9XKjYfocj6jzxZPTp7k9prB9+SNkQ1NCKwARpFT3I0VUORVtKE7i8WjLtRmbAg6vV2mTEMsgP8B1ju48vBhleRfGG28vYJHdAf0o6oGTCgnklM4iAd/+zPOaTeON/I+IC15O79aDBS5fIsUh7bNBNHdO5WKafCHw2T2IPqsu0kTRk0UbXrGcrLMTBD/WyKOw/t/UQOe/dEqly1LnwfTQ/0XFJ4/Qf6CNP7a40yj5dspn2IDSdHFyjKH1MrX3re87R7FRoEwvzAI7vr54F/SAmVlGaEbbgw80ACBaNSuOMOuCStVv53sJZegZV0q4IVYkl3KT525n2wyMnblQr2tg57L2fh/I2+96fyL6Os46WiVqCTpot5UwF4uZms6U0Gws7ESjOv0cGLlqiZt4v3LGO6/5YnHayaivoOSQu5ht8UAKaVW5TwHjRvt8lnruDefAcSHVwFDSPPzrfAoM4rx1deravP/cZABIRdr6FfCcy2ehxo6jafUgAlRuCAJfZhGPS3hlAbUTHRRUXkbTaHKeGpTWlJ87lo+WLSvm+V6QxfJ7aDNUjs004PJSEhJ6JrqviuZYYxsHGmpFwqgHBj4vFwfjZ/KoX/1XlTvXHRByTRD138l+icYNA+DHHJPopvhI9tyeBeQLRUVQFNW1Y2oQurTgeu6ifUzsxNcN0cKhmCrdr+Pud57Y3k5zaUsRLQzwXK1URY9kGskOpRoiSp52R9Ze4Cih3y0bpn7lm9sqOkkJcUm2bIESoWQVFSrYJCw+48x1wYHkIdSzJFjhUNaxeFqU2os98V1axxFWGH0Sm3h4D4gMA87tccuq7F AVhfGtWV CfmQgRQvtVhTLE799O1WYMx7u/j/pK12vC8ex+vUa5KZ7hxZIAzv6hNtAHEIY66bifAFmONWjXWCyIHDUBlArHW1mkUW4lpqxXOe2U/euY4dkit1YQDgdZln/gTjdqMyIBRWtVcmsSTT8iAVwh9FNEkHfPuqhnHiicM5zQlL+1qKv+Q3A5cWgRjzAQYoENB/XiGyrcDma2+ReND1yphCnVHDa/3Yv0MvSNOHvNJUktSgseI/VOMQTEkNTBMjdlWQIFpdBOKTyq6jOxkeA98o+weam6GBpc4s2gXN4P1W1jRUOVb+a8Uk7hC4F8XSzfTtwjP+7KRyvs63MH3Bq6WhDDCucdvDPC7Jp3g2yAI5qHbwEppd5gEqCXUx3is6L8K+n2gzolL5v1z1nl+sCnhefMHPDV17qE+2mkC+qK5HT+WpcR83CIE5MRq5DztvR56UM8/dnYs+7DlLTrDY= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: This commit adds a kernel command line option using which user cfi can be disabled. User backward cfi and forward cfi can be enabled independently. Kernel command line parameter "riscv_nousercfi" can take below values: - "all" : Disable forward and backward cfi both. - "bcfi" : Disable backward cfi. - "fcfi" : Disable forward cfi Signed-off-by: Deepak Gupta --- Documentation/admin-guide/kernel-parameters.txt | 8 ++++ arch/riscv/include/asm/usercfi.h | 7 +++ arch/riscv/kernel/usercfi.c | 59 ++++++++++++++++++++----- 3 files changed, 63 insertions(+), 11 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index fb8752b42ec8..76a5ceb59c2f 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -6192,6 +6192,14 @@ replacement properties are not found. See the Kconfig entry for RISCV_ISA_FALLBACK. + riscv_nousercfi= + all Disable user cfi ABI to userspace even if cpu extension + are available. + bcfi Disable user backward cfi ABI to userspace even if + shadow stack extension is available. + fcfi Disable user forward cfi ABI to userspace even if landing + pad extension is available. + ro [KNL] Mount root device read-only on boot rodata= [KNL,EARLY] diff --git a/arch/riscv/include/asm/usercfi.h b/arch/riscv/include/asm/usercfi.h index 361f59edbdef..0177b86f6a67 100644 --- a/arch/riscv/include/asm/usercfi.h +++ b/arch/riscv/include/asm/usercfi.h @@ -5,6 +5,10 @@ #ifndef _ASM_RISCV_USERCFI_H #define _ASM_RISCV_USERCFI_H +#define CMDLINE_DISABLE_RISCV_USERCFI_FCFI 1 +#define CMDLINE_DISABLE_RISCV_USERCFI_BCFI 2 +#define CMDLINE_DISABLE_RISCV_USERCFI 3 + #ifndef __ASSEMBLY__ #include #include @@ -84,6 +88,9 @@ void set_indir_lp_lock(struct task_struct *task); #endif /* CONFIG_RISCV_USER_CFI */ +bool is_user_shstk_enabled(void); +bool is_user_lpad_enabled(void); + #endif /* __ASSEMBLY__ */ #endif /* _ASM_RISCV_USERCFI_H */ diff --git a/arch/riscv/kernel/usercfi.c b/arch/riscv/kernel/usercfi.c index 8bc3e1e3f712..5ef357f43ad7 100644 --- a/arch/riscv/kernel/usercfi.c +++ b/arch/riscv/kernel/usercfi.c @@ -17,6 +17,8 @@ #include #include +unsigned int riscv_nousercfi; + #define SHSTK_ENTRY_SIZE sizeof(void *) bool is_shstk_enabled(struct task_struct *task) @@ -59,7 +61,7 @@ unsigned long get_active_shstk(struct task_struct *task) void set_shstk_status(struct task_struct *task, bool enable) { - if (!cpu_supports_shadow_stack()) + if (!is_user_shstk_enabled()) return; task->thread_info.user_cfi_state.ubcfi_en = enable ? 1 : 0; @@ -89,7 +91,7 @@ bool is_indir_lp_locked(struct task_struct *task) void set_indir_lp_status(struct task_struct *task, bool enable) { - if (!cpu_supports_indirect_br_lp_instr()) + if (!is_user_lpad_enabled()) return; task->thread_info.user_cfi_state.ufcfi_en = enable ? 1 : 0; @@ -259,7 +261,7 @@ SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsi bool set_tok = flags & SHADOW_STACK_SET_TOKEN; unsigned long aligned_size = 0; - if (!cpu_supports_shadow_stack()) + if (!is_user_shstk_enabled()) return -EOPNOTSUPP; /* Anything other than set token should result in invalid param */ @@ -306,7 +308,7 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *tsk, unsigned long addr, size; /* If shadow stack is not supported, return 0 */ - if (!cpu_supports_shadow_stack()) + if (!is_user_shstk_enabled()) return 0; /* @@ -352,7 +354,7 @@ void shstk_release(struct task_struct *tsk) { unsigned long base = 0, size = 0; /* If shadow stack is not supported or not enabled, nothing to release */ - if (!cpu_supports_shadow_stack() || !is_shstk_enabled(tsk)) + if (!is_user_shstk_enabled() || !is_shstk_enabled(tsk)) return; /* @@ -381,7 +383,7 @@ int arch_get_shadow_stack_status(struct task_struct *t, unsigned long __user *st { unsigned long bcfi_status = 0; - if (!cpu_supports_shadow_stack()) + if (!is_user_shstk_enabled()) return -EINVAL; /* this means shadow stack is enabled on the task */ @@ -395,7 +397,7 @@ int arch_set_shadow_stack_status(struct task_struct *t, unsigned long status) unsigned long size = 0, addr = 0; bool enable_shstk = false; - if (!cpu_supports_shadow_stack()) + if (!is_user_shstk_enabled()) return -EINVAL; /* Reject unknown flags */ @@ -448,7 +450,7 @@ int arch_lock_shadow_stack_status(struct task_struct *task, unsigned long arg) { /* If shtstk not supported or not enabled on task, nothing to lock here */ - if (!cpu_supports_shadow_stack() || + if (!is_user_shstk_enabled() || !is_shstk_enabled(task) || arg != 0) return -EINVAL; @@ -461,7 +463,7 @@ int arch_get_indir_br_lp_status(struct task_struct *t, unsigned long __user *sta { unsigned long fcfi_status = 0; - if (!cpu_supports_indirect_br_lp_instr()) + if (!is_user_lpad_enabled()) return -EINVAL; /* indirect branch tracking is enabled on the task or not */ @@ -474,7 +476,7 @@ int arch_set_indir_br_lp_status(struct task_struct *t, unsigned long status) { bool enable_indir_lp = false; - if (!cpu_supports_indirect_br_lp_instr()) + if (!is_user_lpad_enabled()) return -EINVAL; /* indirect branch tracking is locked and further can't be modified by user */ @@ -498,7 +500,7 @@ int arch_lock_indir_br_lp_status(struct task_struct *task, * If indirect branch tracking is not supported or not enabled on task, * nothing to lock here */ - if (!cpu_supports_indirect_br_lp_instr() || + if (!is_user_lpad_enabled() || !is_indir_lp_enabled(task) || arg != 0) return -EINVAL; @@ -506,3 +508,38 @@ int arch_lock_indir_br_lp_status(struct task_struct *task, return 0; } + +bool is_user_shstk_enabled(void) +{ + return (cpu_supports_shadow_stack() && + !(riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_BCFI)); +} + +bool is_user_lpad_enabled(void) +{ + return (cpu_supports_indirect_br_lp_instr() && + !(riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_FCFI)); +} + +static int __init setup_global_riscv_enable(char *str) +{ + if (strcmp(str, "all") == 0) + riscv_nousercfi = CMDLINE_DISABLE_RISCV_USERCFI; + + if (strcmp(str, "fcfi") == 0) + riscv_nousercfi |= CMDLINE_DISABLE_RISCV_USERCFI_FCFI; + + if (strcmp(str, "bcfi") == 0) + riscv_nousercfi |= CMDLINE_DISABLE_RISCV_USERCFI_BCFI; + + if (riscv_nousercfi) + pr_info("riscv user cfi disabled via cmdline" + "shadow stack status : %s, landing pad status : %s\n", + (riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_BCFI) ? "disabled" : + "enabled", (riscv_nousercfi & CMDLINE_DISABLE_RISCV_USERCFI_FCFI) ? + "disabled" : "enabled"); + + return 1; +} + +__setup("riscv_nousercfi=", setup_global_riscv_enable); -- 2.43.0