From: Deepak Gupta <debug@rivosinc.com>
To: "Radim Krčmář" <rkrcmar@ventanamicro.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Conor Dooley <conor@kernel.org>, Rob Herring <robh@kernel.org>,
Krzysztof Kozlowski <krzk+dt@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Christian Brauner <brauner@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Oleg Nesterov <oleg@redhat.com>,
Eric Biederman <ebiederm@xmission.com>,
Kees Cook <kees@kernel.org>, Jonathan Corbet <corbet@lwn.net>,
Shuah Khan <shuah@kernel.org>, Jann Horn <jannh@google.com>,
Conor Dooley <conor+dt@kernel.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-riscv@lists.infradead.org,
devicetree@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org,
alistair.francis@wdc.com, richard.henderson@linaro.org,
jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com,
charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com,
cleger@rivosinc.com, alexghiti@rivosinc.com,
samitolvanen@google.com, broonie@kernel.org,
rick.p.edgecombe@intel.com, Zong Li <zong.li@sifive.com>,
linux-riscv <linux-riscv-bounces@lists.infradead.org>
Subject: Re: [PATCH v12 22/28] riscv: enable kernel access to shadow stack memory via FWFT sbi call
Date: Thu, 20 Mar 2025 15:42:44 -0700 [thread overview]
Message-ID: <CAKC1njTyiaBkmHvAM8VT_MG4Cdch=H9P8r3C-m-=QQEuzyrRNA@mail.gmail.com> (raw)
In-Reply-To: <D8LFQYX4EHF8.2AJ01XL34WK0W@ventanamicro.com>
On Thu, Mar 20, 2025 at 3:10 PM Radim Krčmář <rkrcmar@ventanamicro.com> wrote:
>
> 2025-03-14T14:39:41-07:00, Deepak Gupta <debug@rivosinc.com>:
> > Kernel will have to perform shadow stack operations on user shadow stack.
> > Like during signal delivery and sigreturn, shadow stack token must be
> > created and validated respectively. Thus shadow stack access for kernel
> > must be enabled.
>
> Why can't kernel access the user shadow stack through an aliased WR
> mapping?
It can, although that opens up a can of worms. If this alternating
mapping is user mode
then ensuring that another threat in userspace can't write to this
address in this window
of signal handling. A kernel alternate mapping can be created, but
that can lead to all
sorts of requirements of ensuring the page is pinned down. IIRC, It
has been debated
on x86 shadow stack merge time as well on how a flaky alias mapping approach can
become and weaken the threat model it is supposed to protect against.
Simply using `ssamoswap` is simple and serves the purpose. Enabling shadow stack
access for the kernel doesn't have any adverse effect on the kernel.
>
> > In future when kernel shadow stacks are enabled for linux kernel, it must
> > be enabled as early as possible for better coverage and prevent imbalance
> > between regular stack and shadow stack. After `relocate_enable_mmu` has
> > been done, this is as early as possible it can enabled.
> >
> > Reviewed-by: Zong Li <zong.li@sifive.com>
> > Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> > ---
> > diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S
> > @@ -320,6 +326,12 @@ SYM_CODE_START(_start_kernel)
> > la tp, init_task
> > la sp, init_thread_union + THREAD_SIZE
> > addi sp, sp, -PT_SIZE_ON_STACK
> > + li a7, SBI_EXT_FWFT
> > + li a6, SBI_EXT_FWFT_SET
> > + li a0, SBI_FWFT_SHADOW_STACK
> > + li a1, 1 /* enable supervisor to access shadow stack access */
> > + li a2, SBI_FWFT_SET_FLAG_LOCK
> > + ecall
>
> I think the ecall can fail even on machines that have Zicfiss, so it
> would be good to disable user shadow stack if that happens.
next prev parent reply other threads:[~2025-03-20 22:43 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-14 21:39 [PATCH v12 00/28] riscv control-flow integrity for usermode Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 01/28] mm: VM_SHADOW_STACK definition for riscv Deepak Gupta
2025-04-07 15:45 ` Alexandre Ghiti
2025-03-14 21:39 ` [PATCH v12 02/28] dt-bindings: riscv: zicfilp and zicfiss in dt-bindings (extensions.yaml) Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 03/28] riscv: zicfiss / zicfilp enumeration Deepak Gupta
2025-04-07 15:48 ` Alexandre Ghiti
2025-04-09 14:43 ` Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 04/28] riscv: zicfiss / zicfilp extension csr and bit definitions Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit Deepak Gupta
2025-04-08 8:05 ` Alexandre Ghiti
2025-04-10 11:04 ` Radim Krčmář
2025-04-24 0:00 ` Deepak Gupta
2025-04-24 11:52 ` Radim Krčmář
2025-04-24 17:56 ` Deepak Gupta
2025-04-25 11:27 ` Radim Krčmář
2025-04-24 0:23 ` Deepak Gupta
2025-04-24 12:16 ` Radim Krčmář
2025-04-24 18:03 ` Deepak Gupta
2025-04-25 11:32 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 06/28] riscv/mm : ensure PROT_WRITE leads to VM_READ | VM_WRITE Deepak Gupta
2025-04-08 10:39 ` Alexandre Ghiti
2025-04-10 10:03 ` Radim Krčmář
2025-04-24 0:45 ` Deepak Gupta
2025-04-24 12:23 ` Radim Krčmář
2025-04-24 12:43 ` Arnd Bergmann
2025-03-14 21:39 ` [PATCH v12 07/28] riscv mm: manufacture shadow stack pte Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 08/28] riscv mmu: teach pte_mkwrite to manufacture shadow stack PTEs Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 09/28] riscv mmu: write protect and shadow stack Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 10/28] riscv/mm: Implement map_shadow_stack() syscall Deepak Gupta
2025-04-07 4:50 ` Zong Li
2025-04-09 14:19 ` Deepak Gupta
2025-04-10 9:56 ` Radim Krčmář
2025-04-24 3:16 ` Deepak Gupta
2025-04-24 12:51 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 11/28] riscv/shstk: If needed allocate a new shadow stack on clone Deepak Gupta
2025-04-08 10:51 ` Alexandre Ghiti
2025-04-09 14:31 ` Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 12/28] riscv: Implements arch agnostic shadow stack prctls Deepak Gupta
2025-03-17 1:29 ` Zong Li
2025-04-10 9:45 ` Radim Krčmář
2025-04-24 4:44 ` Deepak Gupta
2025-04-24 13:36 ` Radim Krčmář
2025-04-24 18:16 ` Deepak Gupta
2025-04-25 11:42 ` Radim Krčmář
2025-04-25 16:39 ` Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 13/28] prctl: arch-agnostic prctl for indirect branch tracking Deepak Gupta
2025-03-17 1:29 ` Zong Li
2025-04-09 8:03 ` Alexandre Ghiti
2025-04-09 14:26 ` Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 14/28] riscv: Implements arch agnostic indirect branch tracking prctls Deepak Gupta
2025-03-17 1:29 ` Zong Li
2025-03-14 21:39 ` [PATCH v12 15/28] riscv/traps: Introduce software check exception Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 16/28] riscv: signal: abstract header saving for setup_sigcontext Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 17/28] riscv/signal: save and restore of shadow stack for signal Deepak Gupta
2025-04-10 8:49 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 18/28] riscv/kernel: update __show_regs to print shadow stack register Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 19/28] riscv/ptrace: riscv cfi status and state via ptrace and in core files Deepak Gupta
2025-03-20 22:24 ` Radim Krčmář
2025-03-20 23:09 ` Deepak Gupta
2025-03-21 7:22 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 20/28] riscv/hwprobe: zicfilp / zicfiss enumeration in hwprobe Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 21/28] riscv: Add Firmware Feature SBI extensions definitions Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 22/28] riscv: enable kernel access to shadow stack memory via FWFT sbi call Deepak Gupta
2025-03-20 22:10 ` Radim Krčmář
2025-03-20 22:42 ` Deepak Gupta [this message]
2025-03-21 7:35 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 23/28] riscv: kernel command line option to opt out of user cfi Deepak Gupta
2025-03-20 21:35 ` Radim Krčmář
2025-03-20 22:31 ` Deepak Gupta
2025-03-21 7:31 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 24/28] arch/riscv: compile vdso with landing pad Deepak Gupta
2025-04-08 12:45 ` Alexandre Ghiti
2025-04-09 14:28 ` Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 25/28] riscv: create a config for shadow stack and landing pad instr support Deepak Gupta
2025-03-20 21:25 ` Radim Krčmář
2025-03-20 22:29 ` Deepak Gupta
2025-03-21 7:51 ` Radim Krčmář
2025-03-14 21:39 ` [PATCH v12 26/28] riscv: Documentation for landing pad / indirect branch tracking Deepak Gupta
2025-04-08 8:36 ` Alexandre Ghiti
2025-03-14 21:39 ` [PATCH v12 27/28] riscv: Documentation for shadow stack on riscv Deepak Gupta
2025-04-08 8:48 ` Alexandre Ghiti
2025-04-10 5:24 ` Deepak Gupta
2025-03-14 21:39 ` [PATCH v12 28/28] kselftest/riscv: kselftest for user mode cfi Deepak Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKC1njTyiaBkmHvAM8VT_MG4Cdch=H9P8r3C-m-=QQEuzyrRNA@mail.gmail.com' \
--to=debug@rivosinc.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=alexghiti@rivosinc.com \
--cc=alistair.francis@wdc.com \
--cc=andybnac@gmail.com \
--cc=aou@eecs.berkeley.edu \
--cc=arnd@arndb.de \
--cc=atishp@rivosinc.com \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=charlie@rivosinc.com \
--cc=cleger@rivosinc.com \
--cc=conor+dt@kernel.org \
--cc=conor@kernel.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=devicetree@vger.kernel.org \
--cc=ebiederm@xmission.com \
--cc=evan@rivosinc.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=jim.shu@sifive.com \
--cc=kees@kernel.org \
--cc=kito.cheng@sifive.com \
--cc=krzk+dt@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv-bounces@lists.infradead.org \
--cc=linux-riscv@lists.infradead.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=peterz@infradead.org \
--cc=richard.henderson@linaro.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rkrcmar@ventanamicro.com \
--cc=robh@kernel.org \
--cc=samitolvanen@google.com \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=vbabka@suse.cz \
--cc=x86@kernel.org \
--cc=zong.li@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox