From: Alexandre Ghiti
Date: Thu, 23 May 2024 16:59:30 +0200
Subject: Re: [PATCH v3 13/29] riscv mmu: write protect and shadow stack
To: Deepak Gupta
Hi Deepak,

On Mon, May 13, 2024 at 7:32 PM Deepak Gupta wrote:
>
> On Sun, May 12, 2024 at 06:31:24PM +0200, Alexandre Ghiti wrote:
> >On 04/04/2024 01:35, Deepak Gupta wrote:
> >>`fork` implements copy on write (COW) by making pages readonly in child
> >>and parent both.
> >>
> >>ptep_set_wrprotect and pte_wrprotect clear _PAGE_WRITE in the PTE.
> >>The assumption is that the page is readable and on fault copy on write happens.
> >>
> >>To implement COW on such pages,
> >
> >
> >I guess you mean "shadow stack pages" here.
>
> Yes I meant shadow stack pages. Will fix the message.
>
> >
> >
> >> clearing up the W bit makes them XWR = 000.
> >>This will result in a wrong PTE setting which says no perms but V=1 and PFN
> >>field pointing to the final page. Instead the desired behavior is to turn it into
> >>a readable page, take an access (load/store) fault on sspush/sspop
> >>(shadow stack) and then perform COW on such pages.
> >>This way regular reads
> >>would still be allowed and not lead to COW, maintaining the current behavior
> >>of COW on non-shadow stack but writeable memory.
> >>
> >>On the other hand it doesn't interfere with existing COW for read-write
> >>memory.
> >>The assumption is always that _PAGE_READ must have been set and thus
> >>setting _PAGE_READ is harmless.
> >>
> >>Signed-off-by: Deepak Gupta
> >>---
> >> arch/riscv/include/asm/pgtable.h | 12 ++++++++++--
> >> 1 file changed, 10 insertions(+), 2 deletions(-)
> >>
> >>diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
> >>index 9b837239d3e8..7a1c2a98d272 100644
> >>--- a/arch/riscv/include/asm/pgtable.h
> >>+++ b/arch/riscv/include/asm/pgtable.h
> >>@@ -398,7 +398,7 @@ static inline int pte_special(pte_t pte)
> >> static inline pte_t pte_wrprotect(pte_t pte)
> >> {
> >>- return __pte(pte_val(pte) & ~(_PAGE_WRITE));
> >>+ return __pte((pte_val(pte) & ~(_PAGE_WRITE)) | (_PAGE_READ));
> >> }
> >> /* static inline pte_t pte_mkread(pte_t pte) */
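Review bot: this hunk makes pte_wrprotect() OR in _PAGE_READ unconditionally but carries no comment explaining why, whereas the ptep_set_wrprotect() hunk documents the XWR=010 shadow-stack encoding that motivates it; a reader of pte_wrprotect() alone cannot tell that the extra bit is intentional. Suggest either repeating a short version of that comment above the return, or putting `(pte_val(pte) & ~_PAGE_WRITE) | _PAGE_READ` into one static inline helper that both pte_wrprotect() and ptep_set_wrprotect() use, so the rationale and the bit manipulation live in a single place.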
> >>@@ -581,7 +581,15 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm,
> >> static inline void ptep_set_wrprotect(struct mm_struct *mm,
> >> unsigned long address, pte_t *ptep)
> >> {
> >>- atomic_long_and(~(unsigned long)_PAGE_WRITE, (atomic_long_t *)ptep);
> >>+ volatile pte_t read_pte = *ptep;

Sorry I missed this ^. You need to use ptep_get() to get the value of a pte.
And why do you need the volatile here?

> >>+ /*
> >>+ * ptep_set_wrprotect can be called for shadow stack ranges too.
> >>+ * shadow stack memory is XWR = 010 and thus clearing _PAGE_WRITE will lead to
> >>+ * encoding 000b which is wrong encoding with V = 1. This should lead to page fault
> >>+ * but we dont want this wrong configuration to be set in page tables.
> >>+ */
> >>+ atomic_long_set((atomic_long_t *)ptep,
> >>+ ((pte_val(read_pte) & ~(unsigned long)_PAGE_WRITE) | _PAGE_READ));
> >> }
> >> #define __HAVE_ARCH_PTEP_CLEAR_YOUNG_FLUSH
> >
> >
> >Doesn't making the shadow stack page readable allow "normal" loads to
> >access the page? If it does, isn't that an issue (security-wise)?
>
> When shadow stack permissions are there (i.e. R=0, W=1, X=0), then also shadow stack is
> readable through "normal" loads. So nothing changes when it converts into a readonly page
> from page permissions perspective.
>
> Security-wise it's not a concern because from threat modeling perspective, if attacker had
> read-write primitives (via some bug in program) available to read and write address space
> of process/task; then they would have availability of return addresses on normal stack. It's
> the write primitive that is concerning and to be protected against. And that's why shadow stack
> is not writeable using "normal" stores.
>

Thanks for the explanation!

With the use of ptep_get(), you can add:

Reviewed-by: Alexandre Ghiti

Thanks,

Alex
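Review bot: replacing atomic_long_and() with `volatile pte_t read_pte = *ptep;` followed by atomic_long_set() turns one atomic read-modify-write into a non-atomic read then store, so any change made to the PTE between the two (a concurrent kernel update, or a hardware-set accessed/dirty bit on implementations that manage those bits) is silently overwritten with the stale read_pte. Because the new comment says the intermediate 000 encoding must never be written to the page table, a pair of atomic_long_and()/atomic_long_or() is not a fix either; a cmpxchg loop built on ptep_get() (which, as already noted, should replace the raw *ptep dereference) gives an atomic update that never publishes the intermediate value, and the volatile on the local then serves no purpose. Minor: `dont` in the comment should read `don't`.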
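The encoding problem the commit message describes (clearing W on a shadow-stack PTE leaves XWR=000 with V=1, while the patched helpers turn it into a read-only page and leave ordinary read-write and read-only pages as before) is easy to check with a small model. The following C program is an added example and not code from the patch or from the kernel: it uses the RISC-V leaf-PTE flag positions for V, R, W and X (bits 0 to 3), but the PFN shift and the sample PFN are assumptions made for the example, and the `wrprotect_before()` / `wrprotect_after()` functions only reproduce the bit manipulation of the pre- and post-patch `pte_wrprotect()`, nothing else.

```c
#include <stdio.h>
#include <stdbool.h>

/*
 * Constructed model of a RISC-V leaf PTE: V, R, W, X in bits 0..3.
 * PTE_PFN_SHIFT and the sample PFN below are assumptions for the example.
 */
#define PTE_V   (1UL << 0)
#define PTE_R   (1UL << 1)
#define PTE_W   (1UL << 2)
#define PTE_X   (1UL << 3)
#define PTE_PFN_SHIFT 10

typedef unsigned long pte_t;

/* Build a valid leaf PTE from a page frame number and permission bits. */
static pte_t mk_pte(unsigned long pfn, unsigned long perms)
{
    return (pfn << PTE_PFN_SHIFT) | perms | PTE_V;
}

static unsigned long pte_pfn(pte_t pte)
{
    return pte >> PTE_PFN_SHIFT;
}

/* Pre-patch behaviour of pte_wrprotect(): clear W only. */
static pte_t wrprotect_before(pte_t pte)
{
    return pte & ~PTE_W;
}

/* Patched behaviour: clear W and force R, so XWR=010 becomes 001. */
static pte_t wrprotect_after(pte_t pte)
{
    return (pte & ~PTE_W) | PTE_R;
}

/* Permission classes discussed in the thread, keyed on the XWR triple. */
enum pte_kind {
    KIND_INVALID,      /* V=0 */
    KIND_NOPERM,       /* V=1, XWR=000: valid bit set but no leaf permission */
    KIND_READ_ONLY,    /* XWR=001 */
    KIND_SHADOW_STACK, /* XWR=010: write-only encoding used for shadow stack */
    KIND_READ_WRITE,   /* XWR=011 */
    KIND_OTHER         /* executable combinations, not needed here */
};

static enum pte_kind classify(pte_t pte)
{
    if (!(pte & PTE_V))
        return KIND_INVALID;
    /* Pack X, W, R into one value so it reads like the "XWR" notation. */
    unsigned xwr = ((pte & PTE_X) ? 4 : 0) | ((pte & PTE_W) ? 2 : 0) |
                   ((pte & PTE_R) ? 1 : 0);
    switch (xwr) {
    case 0:  return KIND_NOPERM;
    case 1:  return KIND_READ_ONLY;
    case 2:  return KIND_SHADOW_STACK;
    case 3:  return KIND_READ_WRITE;
    default: return KIND_OTHER;
    }
}

/* A COW-protected page must stay a valid leaf that regular loads can read. */
static bool is_readable_leaf(pte_t pte)
{
    return (pte & PTE_V) && (pte & PTE_R);
}

static const char *kind_name(enum pte_kind k)
{
    switch (k) {
    case KIND_INVALID:      return "invalid";
    case KIND_NOPERM:       return "V=1,XWR=000";
    case KIND_READ_ONLY:    return "read-only";
    case KIND_SHADOW_STACK: return "shadow-stack";
    case KIND_READ_WRITE:   return "read-write";
    default:                return "other";
    }
}

int main(void)
{
    const unsigned long pfn = 0x12345; /* constructed sample PFN */
    struct { const char *name; unsigned long perms; } samples[] = {
        { "read-write data", PTE_R | PTE_W },
        { "read-only data",  PTE_R },
        { "shadow stack",    PTE_W },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pte_t pte = mk_pte(pfn, samples[i].perms);
        printf("%-16s before: %-12s after: %-12s\n", samples[i].name,
               kind_name(classify(wrprotect_before(pte))),
               kind_name(classify(wrprotect_after(pte))));
    }
    return 0;
}
```

Running it prints one row per sample page: the shadow-stack row shows the pre-patch helper producing the V=1,XWR=000 encoding and the patched helper producing read-only, while the two data rows are identical before and after, which is the "doesn't interfere with existing COW for read-write memory" claim from the commit message.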