From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0669EC3DA6D for ; Tue, 20 May 2025 23:50:04 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 8143E6B0092; Tue, 20 May 2025 19:50:04 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7C40B6B0093; Tue, 20 May 2025 19:50:04 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 664AB6B0095; Tue, 20 May 2025 19:50:04 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 3D3ED6B0092 for ; Tue, 20 May 2025 19:50:04 -0400 (EDT) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id D53A71218CE for ; Tue, 20 May 2025 23:50:03 +0000 (UTC) X-FDA: 83464931886.16.2F18F00 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by imf10.hostedemail.com (Postfix) with ESMTP id B1AB5C0009 for ; Tue, 20 May 2025 23:50:01 +0000 (UTC) Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=uyojnzKZ; spf=pass (imf10.hostedemail.com: domain of debug@rivosinc.com designates 209.85.214.180 as permitted sender) smtp.mailfrom=debug@rivosinc.com; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1747785001; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=7V6JAaM7PGvs0d4fcyJrCuND3TSC3t95y9Y5/rd0tOQ=; b=hCY2r8R2wRJbtmjmtpBHI40k+0fjgFJa1/karjSiYtkSnAFgxBGJyoE7MMucuAyItkPAtb nkXVx/qkQsBuXc4QBzpxulVB5ciYv8anK8x4hdAwCrZbDev4kJB8MeT0EFkr7Qx5lpNyqw 8M71b+7hSbzMmjy5hSlxQMtp+f71I9Q= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1747785001; a=rsa-sha256; cv=none; b=0Y7EpGdQWDgJLfhHqgfJlQ8id1aVlOoTGtZXSuObnKdv1yqlP97iGmNKHY05Nkp5AeU/sD YsgugPJx0f/pl14ApNOWajkx4mkr1qAgyw3idC9qDP0u6KnOILwIhUeJjCas79B7gG1muu +dONW1kEeQIEKOcYibwUnlkDf7BzYE0= ARC-Authentication-Results: i=1; imf10.hostedemail.com; dkim=pass header.d=rivosinc-com.20230601.gappssmtp.com header.s=20230601 header.b=uyojnzKZ; spf=pass (imf10.hostedemail.com: domain of debug@rivosinc.com designates 209.85.214.180 as permitted sender) smtp.mailfrom=debug@rivosinc.com; dmarc=none Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2301ac32320so67347715ad.1 for ; Tue, 20 May 2025 16:50:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1747785000; x=1748389800; darn=kvack.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=7V6JAaM7PGvs0d4fcyJrCuND3TSC3t95y9Y5/rd0tOQ=; b=uyojnzKZFpwnUt56X+ecoMJBR1l+lLkYy9iLD5NguFsRipnr+BoZpE1XNzEJMINNYW KEmCd7NZ2Sz57/+GvanG+9zsI6xmlFlqCD7FhtOLh5dRjzsccjWpbSzZuKsO8odtS36c OSv9kUeMYsU8Jxb4M4bX25SVcU0QCwYFmHc2QFh0GNUfVS4jy/c86kpwMqmxAQ5pTUh2 kM5Sio+l4DEtUKfXXAQKEfRjwsgJGOMqlQl0UrufPZZF5eGaKm2lW5U0DyNc+oMKVchs YADj5hAx5cnvvVpY2d6uJBT65nv0dWqMBPmld3zG41YRfhMmm/q/O+nD8i2Dws8Mqf0H uERw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747785000; x=1748389800; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=7V6JAaM7PGvs0d4fcyJrCuND3TSC3t95y9Y5/rd0tOQ=; b=niGVIpdc8CvBTJpM2OLZXyAphMYfV/sY1bt5/CI93JLTJwz+eUaIP+zLrQ9B0xrSUd T56+hN2NZT+YxfcTILL3qZJabw4/nPfeIGN+Gs3/IJiTCPbAEoRJNQ9d+KEeIVLYoycJ hzufp67ja1zmaL25kXU3o64cC7LNKRIBpjHFPPygHMW1ba3XrJvReYHYZo5j2dTVLh61 gGtIncOG1GiRG1Jp8otxwj0b+xqq0lT8uT5LqvfUAjJ6qjc7C7vyQMCHZrhMe+Ga06kn kLkoBhG46ixhTA+BShhc5bZoBdiewX3WI3rsAS/x2zIrD6KWoUvqKIvv84NmXDSqCMKx htrQ== X-Forwarded-Encrypted: i=1; AJvYcCU/VUMt53EdW7yKpA72JbC8zWYcFwfXoVXyyPHcvtd8sBib7FilNW1slagdvUTN/6vVEkYvLd7Nkw==@kvack.org X-Gm-Message-State: AOJu0YygG2bLuWptMqexJHDkVp/QHoy997f0aeYrqT3XJsXZHoVntSrV R1bXv3gEgCac1gI2gBAR1s9YQE4kvSjdh2B2GokDuULcgpejX+HbPlEyE80t+rzNAbI= X-Gm-Gg: ASbGncsNyTqW75RDL/RRldhD8/gHj1KVwLahAUfuI+69JSZjeGz/RfexBGgy2zcUqe5 qgundvXaZ37aAH7d3Gli+5Hf+AXJyQNVbNBZ4IvP9pBpKxyaVYytfOsVSKeOWpSQmTc6cEY0Wji RSiouN33n/b1ATodGnfHY3vP9PnO8kvtVaFOOQ7QAt0j31FR2hfuY9xnVdQtO2QbWayxRkWvHhg h5C2wB6z/z70QCCx5XF+CimNBRiUlAyTBzsZOywJuHJQXL9vCYrK3MUlrB+oCrgYc0c8YgWNUU4 huypcXkJnlp9KAmdsUfHMaqYKEyu8N4Sa+TWjom3HjU0XDbvZxqk6meFLDsZLQ== X-Google-Smtp-Source: AGHT+IH3ioZnNVeljr6l/fGStxai2RU/k0UfBKno6M6BvCClwyOv9qYdvsPWiMW93ArFs+Ud5rGQWg== X-Received: by 2002:a17:902:da86:b0:22e:50f2:1451 with SMTP id d9443c01a7336-231d459a6f7mr246365295ad.37.1747785000291; Tue, 20 May 2025 16:50:00 -0700 (PDT) Received: from debug.ba.rivosinc.com ([64.71.180.162]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-231d4ed5426sm82117575ad.237.2025.05.20.16.49.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 May 2025 16:49:59 -0700 (PDT) Date: Tue, 20 May 2025 16:49:55 -0700 From: Deepak Gupta To: Charlie Jenkins Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Andrew Morton , "Liam R. Howlett" , Vlastimil Babka , Lorenzo Stoakes , Paul Walmsley , Palmer Dabbelt , Albert Ou , Conor Dooley , Rob Herring , Krzysztof Kozlowski , Arnd Bergmann , Christian Brauner , Peter Zijlstra , Oleg Nesterov , Eric Biederman , Kees Cook , Jonathan Corbet , Shuah Khan , Jann Horn , Conor Dooley , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, rust-for-linux@vger.kernel.org Subject: Re: [PATCH v15 27/27] kselftest/riscv: kselftest for user mode cfi Message-ID: References: <20250502-v5_user_cfi_series-v15-0-914966471885@rivosinc.com> <20250502-v5_user_cfi_series-v15-27-914966471885@rivosinc.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: X-Stat-Signature: xexjf4i35thcmygubicxpxutko58e18x X-Rspamd-Queue-Id: B1AB5C0009 X-Rspam-User: X-Rspamd-Server: rspam02 X-HE-Tag: 1747785001-760803 X-HE-Meta: U2FsdGVkX18G3LqtKQsO6LGuvZIbEBXTPNbkugjZHk3+0EGmuVe8wZDxioP/QbTdwDj1dkADeRD33waPINBhJDDSHevDbkuhoo5SlImEyI5ykUcOYLcjZXLeJ6UCeD4R//WrEbDAGCTQ0+iu/GHeaeePIZBIHmZ9E6Z8432CqXrzJGwCMQo0/X3jkEuzTWU/ykpKXBpwEF5QJ7mrNHEExnAyYmh7AtwwZFG3pw85gHxghgmpm+0r+jwQaiy2yVqMBpUCI/Uhlq0gA3f4V5voo4UVZouciHo6WdugFySeSuF4BYFVPY1RYfVLWcIDZxKkMttz0hHjIu7qTxToqZO9hDVW0pfrGzt4cl3WKDZmBfNSUK3q28tXlT6E01gqHWao7YEBisHa9i3ej65jWm9WXS67J+M9ZkvYjhPAk2y0NcVQWIABEF3zHCh1GAkdFKH7HUYW4ZrlMSW99WKReHLwfrMlCbWKL8o/57OOqQkxRI8U7oKUkkTnFvJZ8WQpLGUh4AO0LUQJPJd4LjwYX6UAWTblxAfkGwC4ov3WmSHGmy+lmx0KTG9bD7plbNvZugrCWPpXNQf/Au0uTSbwdGgSsHV6uulhVItcgiGghUbqKmEsxMZAiTkEbXWO3MdEGwRVW8d5fHCgdjUPq5v1uTeac+jRhmvLOsnrjwvYmomP/QYQp/qXm2Hz1AuoC8HlNKQZNhXk5R8GQMk4uMAvaKp4s8MaXOhARilohUjTWoOOncy+CnZQWxyz8lDnMxfdVWwhW/fvP+7PNYUIk4jxby1OHu87LsVA7PAZABzMS/1kYJd4QOJgBBFmnedqYGF58Bah4fqk4U2bBzEuRT1z24oFZ8ggc2LsXWl5kLrTLSiARhqlsForfdVkN9syDt76WXgvQwFdWU5xiRfTPJzHEd6kW3sMAiMImNt4iQwWbkZFgMRVzxtEHvtlY3e6I3JBWPdKCXshoVqvFQxIIXVPWDO /Mhj/TMM fpljrJx1rPlh6pyPJrd8FKSPccTNj/c5P/whvdZcWmK/KV6jiD0MklPf60ughEx1Ft5i+9DosG5Er60re0K5nBm0aAy5y+Wm9mfTmtaUJXwSwLjjqqDjDxjUlW4N7oTONGRNI2+gt0iIPCVdJ0bq7UXB/KhMqpZ+UNCMHd/PfoxyxiiOKobcPfRh0KNWzvUYvHOZx5RGPbzX6t/lsdghImJx4h4bLW0jad2K9VVKXPa1EhF8wt46bcF+7VF+0UCeEET1L7Ll3EJRQfaK9Q73yVBaQlLLuTETb9fR5fUJgT6+NzHKnKFWbfzeN8ldOYW89JWO2XpapAs5/AoMmthU+sBNwXkefO3yVHUHv/QHtOM33iNHe+hax8UeS7ciEqkxJ5Fp8Oo6JqT+RqE+Q5owI6I9l55vVbVhnXw6H85yIdiif8VQJfEwwONrcDe78ZNLlTdmsUSt+Pb0xw0iG+KUEa6Aj/bFdk2Ssxg1ZKFMlKuo5IbIzGqEH/XWpIg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Mon, May 19, 2025 at 11:02:17PM -0700, Charlie Jenkins wrote: >On Fri, May 02, 2025 at 04:30:58PM -0700, Deepak Gupta wrote: >> Adds kselftest for RISC-V control flow integrity implementation for user >> mode. There is not a lot going on in kernel for enabling landing pad for >> user mode. cfi selftest are intended to be compiled with zicfilp and >> zicfiss enabled compiler. Thus kselftest simply checks if landing pad / >> shadow stack for the process are enabled or not and executes ptrace >> selftests on cfi. selftest then register a signal handler for SIGSEGV. >> Any control flow violation are reported as SIGSEGV with si_code = >> SEGV_CPERR. Test will fail on receiving any SEGV_CPERR. Shadow stack part >> has more changes in kernel and thus there are separate tests for that >> >> - Exercise `map_shadow_stack` syscall >> - `fork` test to make sure COW works for shadow stack pages >> - gup tests >> Kernel uses FOLL_FORCE when access happens to memory via >> /proc//mem. Not breaking that for shadow stack. >> - signal test. Make sure signal delivery results in token creation on >> shadow stack and consumes (and verifies) token on sigreturn >> - shadow stack protection test. attempts to write using regular store >> instruction on shadow stack memory must result in access faults >> - ptrace test: adds landing pad violation, clears ELP and continues >> >> Test outut >> ========== >> >> """ >> TAP version 13 >> 1..5 >> This is to ensure shadow stack is indeed enabled and working >> This is to ensure shadow stack is indeed enabled and working >> ok 1 shstk fork test >> ok 2 map shadow stack syscall >> ok 3 shadow stack gup tests >> ok 4 shadow stack signal tests >> ok 5 memory protections of shadow stack memory >> """ >> >> Signed-off-by: Deepak Gupta >> >> squash >> >> Signed-off-by: Deepak Gupta >> --- >> tools/testing/selftests/riscv/Makefile | 2 +- >> tools/testing/selftests/riscv/cfi/.gitignore | 3 + >> tools/testing/selftests/riscv/cfi/Makefile | 10 + >> tools/testing/selftests/riscv/cfi/cfi_rv_test.h | 82 +++++ >> tools/testing/selftests/riscv/cfi/riscv_cfi_test.c | 173 +++++++++ >> tools/testing/selftests/riscv/cfi/shadowstack.c | 385 +++++++++++++++++++++ >> tools/testing/selftests/riscv/cfi/shadowstack.h | 27 ++ >> 7 files changed, 681 insertions(+), 1 deletion(-) >> >> diff --git a/tools/testing/selftests/riscv/Makefile b/tools/testing/selftests/riscv/Makefile >> index 099b8c1f46f8..5671b4405a12 100644 >> --- a/tools/testing/selftests/riscv/Makefile >> +++ b/tools/testing/selftests/riscv/Makefile >> @@ -5,7 +5,7 @@ >> ARCH ?= $(shell uname -m 2>/dev/null || echo not) >> >> ifneq (,$(filter $(ARCH),riscv)) >> -RISCV_SUBTARGETS ?= abi hwprobe mm sigreturn vector >> +RISCV_SUBTARGETS ?= abi hwprobe mm sigreturn vector cfi >> else >> RISCV_SUBTARGETS := >> endif >> diff --git a/tools/testing/selftests/riscv/cfi/.gitignore b/tools/testing/selftests/riscv/cfi/.gitignore >> new file mode 100644 >> index 000000000000..82545863bac6 >> --- /dev/null >> +++ b/tools/testing/selftests/riscv/cfi/.gitignore >> @@ -0,0 +1,3 @@ >> +cfitests >> +riscv_cfi_test >> +shadowstack >> diff --git a/tools/testing/selftests/riscv/cfi/Makefile b/tools/testing/selftests/riscv/cfi/Makefile >> new file mode 100644 >> index 000000000000..1fa27cc10fb5 >> --- /dev/null >> +++ b/tools/testing/selftests/riscv/cfi/Makefile >> @@ -0,0 +1,10 @@ >> +CFLAGS += -I$(top_srcdir)/tools/include >> + >> +CFLAGS += -march=rv64gc_zicfilp_zicfiss -fcf-protection=full > >I am worried about the developer workflows that this will impact. Trying >to build kselftest with TARGETS=riscv will fail if the toolchain does >not support -fcf-protection=full. How about we skip these tests if the >compiler can't compile it instead? > >Something like: Yeah make sense to me. Alex, You want me to spin up a v16 with this change? -Deepak > >>From 334f5c821d84751494d269272a875636a9e0d68f Mon Sep 17 00:00:00 2001 >From: Charlie Jenkins >Date: Mon, 19 May 2025 22:44:05 -0700 >Subject: [PATCH] fixup! kselftest/riscv: kselftest for user mode cfi > >--- > tools/testing/selftests/riscv/cfi/Makefile | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/tools/testing/selftests/riscv/cfi/Makefile b/tools/testing/selftests/riscv/cfi/Makefile >index 1fa27cc10fb5..55165a93845f 100644 >--- a/tools/testing/selftests/riscv/cfi/Makefile >+++ b/tools/testing/selftests/riscv/cfi/Makefile >@@ -2,9 +2,15 @@ CFLAGS += -I$(top_srcdir)/tools/include > > CFLAGS += -march=rv64gc_zicfilp_zicfiss -fcf-protection=full > >+ifeq ($(shell $(CC) $(CFLAGS) -nostdlib -xc /dev/null -o /dev/null > /dev/null 2>&1; echo $$?),0) > TEST_GEN_PROGS := cfitests > > include ../../lib.mk > > $(OUTPUT)/cfitests: riscv_cfi_test.c shadowstack.c > $(CC) -o$@ $(CFLAGS) $(LDFLAGS) $^ >+else >+include ../../lib.mk >+ >+$(shell echo "Toolchain doesn't support CFI, skipping CFI kselftest." >&2) >+endif >-- >2.43.0 > > >> + >> +TEST_GEN_PROGS := cfitests >> + >> +include ../../lib.mk >> + >> +$(OUTPUT)/cfitests: riscv_cfi_test.c shadowstack.c >> + $(CC) -o$@ $(CFLAGS) $(LDFLAGS) $^ >> diff --git a/tools/testing/selftests/riscv/cfi/cfi_rv_test.h b/tools/testing/selftests/riscv/cfi/cfi_rv_test.h >> new file mode 100644 >> index 000000000000..1c8043f2b778 >> --- /dev/null >> +++ b/tools/testing/selftests/riscv/cfi/cfi_rv_test.h >> @@ -0,0 +1,82 @@ >> +/* SPDX-License-Identifier: GPL-2.0-only */ >> + >> +#ifndef SELFTEST_RISCV_CFI_H >> +#define SELFTEST_RISCV_CFI_H >> +#include >> +#include >> +#include "shadowstack.h" >> + >> +#define CHILD_EXIT_CODE_SSWRITE 10 >> +#define CHILD_EXIT_CODE_SIG_TEST 11 >> + >> +#define my_syscall5(num, arg1, arg2, arg3, arg4, arg5) \ >> +({ \ >> + register long _num __asm__ ("a7") = (num); \ >> + register long _arg1 __asm__ ("a0") = (long)(arg1); \ >> + register long _arg2 __asm__ ("a1") = (long)(arg2); \ >> + register long _arg3 __asm__ ("a2") = (long)(arg3); \ >> + register long _arg4 __asm__ ("a3") = (long)(arg4); \ >> + register long _arg5 __asm__ ("a4") = (long)(arg5); \ >> + \ >> + __asm__ volatile( \ >> + "ecall\n" \ >> + : "+r" \ >> + (_arg1) \ >> + : "r"(_arg2), "r"(_arg3), "r"(_arg4), "r"(_arg5), \ >> + "r"(_num) \ >> + : "memory", "cc" \ >> + ); \ >> + _arg1; \ >> +}) >> + >> +#define my_syscall3(num, arg1, arg2, arg3) \ >> +({ \ >> + register long _num __asm__ ("a7") = (num); \ >> + register long _arg1 __asm__ ("a0") = (long)(arg1); \ >> + register long _arg2 __asm__ ("a1") = (long)(arg2); \ >> + register long _arg3 __asm__ ("a2") = (long)(arg3); \ >> + \ >> + __asm__ volatile( \ >> + "ecall\n" \ >> + : "+r" (_arg1) \ >> + : "r"(_arg2), "r"(_arg3), \ >> + "r"(_num) \ >> + : "memory", "cc" \ >> + ); \ >> + _arg1; \ >> +}) >> + >> +#ifndef __NR_prctl >> +#define __NR_prctl 167 >> +#endif >> + >> +#ifndef __NR_map_shadow_stack >> +#define __NR_map_shadow_stack 453 >> +#endif >> + >> +#define CSR_SSP 0x011 >> + >> +#ifdef __ASSEMBLY__ >> +#define __ASM_STR(x) x >> +#else >> +#define __ASM_STR(x) #x >> +#endif >> + >> +#define csr_read(csr) \ >> +({ \ >> + register unsigned long __v; \ >> + __asm__ __volatile__ ("csrr %0, " __ASM_STR(csr) \ >> + : "=r" (__v) : \ >> + : "memory"); \ >> + __v; \ >> +}) >> + >> +#define csr_write(csr, val) \ >> +({ \ >> + unsigned long __v = (unsigned long)(val); \ >> + __asm__ __volatile__ ("csrw " __ASM_STR(csr) ", %0" \ >> + : : "rK" (__v) \ >> + : "memory"); \ >> +}) >> + >> +#endif >> diff --git a/tools/testing/selftests/riscv/cfi/riscv_cfi_test.c b/tools/testing/selftests/riscv/cfi/riscv_cfi_test.c >> new file mode 100644 >> index 000000000000..486a2e779053 >> --- /dev/null >> +++ b/tools/testing/selftests/riscv/cfi/riscv_cfi_test.c >> @@ -0,0 +1,173 @@ >> +// SPDX-License-Identifier: GPL-2.0-only >> + >> +#include "../../kselftest.h" >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include "cfi_rv_test.h" >> + >> +/* do not optimize cfi related test functions */ >> +#pragma GCC push_options >> +#pragma GCC optimize("O0") >> + >> +void sigsegv_handler(int signum, siginfo_t *si, void *uc) >> +{ >> + struct ucontext *ctx = (struct ucontext *)uc; >> + >> + if (si->si_code == SEGV_CPERR) { >> + ksft_print_msg("Control flow violation happened somewhere\n"); >> + ksft_print_msg("PC where violation happened %lx\n", ctx->uc_mcontext.gregs[0]); >> + exit(-1); >> + } >> + >> + /* all other cases are expected to be of shadow stack write case */ >> + exit(CHILD_EXIT_CODE_SSWRITE); >> +} >> + >> +bool register_signal_handler(void) >> +{ >> + struct sigaction sa = {}; >> + >> + sa.sa_sigaction = sigsegv_handler; >> + sa.sa_flags = SA_SIGINFO; >> + if (sigaction(SIGSEGV, &sa, NULL)) { >> + ksft_print_msg("Registering signal handler for landing pad violation failed\n"); >> + return false; >> + } >> + >> + return true; >> +} >> + >> +long ptrace(int request, pid_t pid, void *addr, void *data); >> + >> +bool cfi_ptrace_test(void) >> +{ >> + pid_t pid; >> + int status, ret = 0; >> + unsigned long ptrace_test_num = 0, total_ptrace_tests = 2; >> + >> + struct user_cfi_state cfi_reg; >> + struct iovec iov; >> + >> + pid = fork(); >> + >> + if (pid == -1) { >> + ksft_exit_fail_msg("%s: fork failed\n", __func__); >> + exit(1); >> + } >> + >> + if (pid == 0) { >> + /* allow to be traced */ >> + ptrace(PTRACE_TRACEME, 0, NULL, NULL); >> + raise(SIGSTOP); >> + asm volatile ( >> + "la a5, 1f\n" >> + "jalr a5 \n" >> + "nop \n" >> + "nop \n" >> + "1: nop\n" >> + : : : "a5"); >> + exit(11); >> + /* child shouldn't go beyond here */ >> + } >> + >> + /* parent's code goes here */ >> + iov.iov_base = &cfi_reg; >> + iov.iov_len = sizeof(cfi_reg); >> + >> + while (ptrace_test_num < total_ptrace_tests) { >> + memset(&cfi_reg, 0, sizeof(cfi_reg)); >> + waitpid(pid, &status, 0); >> + if (WIFSTOPPED(status)) { >> + errno = 0; >> + ret = ptrace(PTRACE_GETREGSET, pid, (void *)NT_RISCV_USER_CFI, &iov); >> + if (ret == -1 && errno) >> + ksft_exit_fail_msg("%s: PTRACE_GETREGSET failed\n", __func__); >> + } else >> + ksft_exit_fail_msg("%s: child didn't stop, failed\n", __func__); >> + >> + switch (ptrace_test_num) { >> +#define CFI_ENABLE_MASK (PTRACE_CFI_LP_EN_STATE | \ >> + PTRACE_CFI_SS_EN_STATE | \ >> + PTRACE_CFI_SS_PTR_STATE) >> + case 0: >> + if ((cfi_reg.cfi_status.cfi_state & CFI_ENABLE_MASK) != CFI_ENABLE_MASK) >> + ksft_exit_fail_msg("%s: ptrace_getregset failed, %llu\n", __func__, >> + cfi_reg.cfi_status.cfi_state); >> + if (!cfi_reg.shstk_ptr) >> + ksft_exit_fail_msg("%s: NULL shadow stack pointer, test failed\n", >> + __func__); >> + break; >> + case 1: >> + if (!(cfi_reg.cfi_status.cfi_state & PTRACE_CFI_ELP_STATE)) >> + ksft_exit_fail_msg("%s: elp must have been set\n", __func__); >> + /* clear elp state. not interested in anything else */ >> + cfi_reg.cfi_status.cfi_state = 0; >> + >> + ret = ptrace(PTRACE_SETREGSET, pid, (void *)NT_RISCV_USER_CFI, &iov); >> + if (ret == -1 && errno) >> + ksft_exit_fail_msg("%s: PTRACE_GETREGSET failed\n", __func__); >> + break; >> + default: >> + ksft_exit_fail_msg("%s: unreachable switch case\n", __func__); >> + break; >> + } >> + ptrace(PTRACE_CONT, pid, NULL, NULL); >> + ptrace_test_num++; >> + } >> + >> + waitpid(pid, &status, 0); >> + if (WEXITSTATUS(status) != 11) >> + ksft_print_msg("%s, bad return code from child\n", __func__); >> + >> + ksft_print_msg("%s, ptrace test succeeded\n", __func__); >> + return true; >> +} >> + >> +int main(int argc, char *argv[]) >> +{ >> + int ret = 0; >> + unsigned long lpad_status = 0, ss_status = 0; >> + >> + ksft_print_header(); >> + >> + ksft_print_msg("Starting risc-v tests\n"); >> + >> + /* >> + * Landing pad test. Not a lot of kernel changes to support landing >> + * pad for user mode except lighting up a bit in senvcfg via a prctl >> + * Enable landing pad through out the execution of test binary >> + */ >> + ret = my_syscall5(__NR_prctl, PR_GET_INDIR_BR_LP_STATUS, &lpad_status, 0, 0, 0); >> + if (ret) >> + ksft_exit_fail_msg("Get landing pad status failed with %d\n", ret); >> + >> + if (!(lpad_status & PR_INDIR_BR_LP_ENABLE)) >> + ksft_exit_fail_msg("Landing pad is not enabled, should be enabled via glibc\n"); >> + >> + ret = my_syscall5(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &ss_status, 0, 0, 0); >> + if (ret) >> + ksft_exit_fail_msg("Get shadow stack failed with %d\n", ret); >> + >> + if (!(ss_status & PR_SHADOW_STACK_ENABLE)) >> + ksft_exit_fail_msg("Shadow stack is not enabled, should be enabled via glibc\n"); >> + >> + if (!register_signal_handler()) >> + ksft_exit_fail_msg("Registering signal handler for SIGSEGV failed\n"); >> + >> + ksft_print_msg("Landing pad and shadow stack are enabled for binary\n"); >> + cfi_ptrace_test(); >> + >> + execute_shadow_stack_tests(); >> + >> + return 0; >> +} >> + >> +#pragma GCC pop_options >> diff --git a/tools/testing/selftests/riscv/cfi/shadowstack.c b/tools/testing/selftests/riscv/cfi/shadowstack.c >> new file mode 100644 >> index 000000000000..53387dbd9cf5 >> --- /dev/null >> +++ b/tools/testing/selftests/riscv/cfi/shadowstack.c >> @@ -0,0 +1,385 @@ >> +// SPDX-License-Identifier: GPL-2.0-only >> + >> +#include "../../kselftest.h" >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include "shadowstack.h" >> +#include "cfi_rv_test.h" >> + >> +static struct shadow_stack_tests shstk_tests[] = { >> + { "shstk fork test\n", shadow_stack_fork_test }, >> + { "map shadow stack syscall\n", shadow_stack_map_test }, >> + { "shadow stack gup tests\n", shadow_stack_gup_tests }, >> + { "shadow stack signal tests\n", shadow_stack_signal_test}, >> + { "memory protections of shadow stack memory\n", shadow_stack_protection_test } >> +}; >> + >> +#define RISCV_SHADOW_STACK_TESTS ARRAY_SIZE(shstk_tests) >> + >> +/* do not optimize shadow stack related test functions */ >> +#pragma GCC push_options >> +#pragma GCC optimize("O0") >> + >> +void zar(void) >> +{ >> + unsigned long ssp = 0; >> + >> + ssp = csr_read(CSR_SSP); >> + ksft_print_msg("Spewing out shadow stack ptr: %lx\n" >> + " This is to ensure shadow stack is indeed enabled and working\n", >> + ssp); >> +} >> + >> +void bar(void) >> +{ >> + zar(); >> +} >> + >> +void foo(void) >> +{ >> + bar(); >> +} >> + >> +void zar_child(void) >> +{ >> + unsigned long ssp = 0; >> + >> + ssp = csr_read(CSR_SSP); >> + ksft_print_msg("Spewing out shadow stack ptr: %lx\n" >> + " This is to ensure shadow stack is indeed enabled and working\n", >> + ssp); >> +} >> + >> +void bar_child(void) >> +{ >> + zar_child(); >> +} >> + >> +void foo_child(void) >> +{ >> + bar_child(); >> +} >> + >> +typedef void (call_func_ptr)(void); >> +/* >> + * call couple of functions to test push pop. >> + */ >> +int shadow_stack_call_tests(call_func_ptr fn_ptr, bool parent) >> +{ >> + ksft_print_msg("dummy calls for sspush and sspopchk in context of %s\n", >> + parent ? "parent" : "child"); >> + >> + (fn_ptr)(); >> + >> + return 0; >> +} >> + >> +/* forks a thread, and ensure shadow stacks fork out */ >> +bool shadow_stack_fork_test(unsigned long test_num, void *ctx) >> +{ >> + int pid = 0, child_status = 0, parent_pid = 0, ret = 0; >> + unsigned long ss_status = 0; >> + >> + ksft_print_msg("Exercising shadow stack fork test\n"); >> + >> + ret = my_syscall5(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &ss_status, 0, 0, 0); >> + if (ret) { >> + ksft_exit_skip("Shadow stack get status prctl failed with errorcode %d\n", ret); >> + return false; >> + } >> + >> + if (!(ss_status & PR_SHADOW_STACK_ENABLE)) >> + ksft_exit_skip("Shadow stack is not enabled, should be enabled via glibc\n"); >> + >> + parent_pid = getpid(); >> + pid = fork(); >> + >> + if (pid) { >> + ksft_print_msg("Parent pid %d and child pid %d\n", parent_pid, pid); >> + shadow_stack_call_tests(&foo, true); >> + } else { >> + shadow_stack_call_tests(&foo_child, false); >> + } >> + >> + if (pid) { >> + ksft_print_msg("Waiting on child to finish\n"); >> + wait(&child_status); >> + } else { >> + /* exit child gracefully */ >> + exit(0); >> + } >> + >> + if (pid && WIFSIGNALED(child_status)) { >> + ksft_print_msg("Child faulted, fork test failed\n"); >> + return false; >> + } >> + >> + return true; >> +} >> + >> +/* exercise `map_shadow_stack`, pivot to it and call some functions to ensure it works */ >> +#define SHADOW_STACK_ALLOC_SIZE 4096 >> +bool shadow_stack_map_test(unsigned long test_num, void *ctx) >> +{ >> + unsigned long shdw_addr; >> + int ret = 0; >> + >> + ksft_print_msg("Exercising shadow stack map test\n"); >> + >> + shdw_addr = my_syscall3(__NR_map_shadow_stack, NULL, SHADOW_STACK_ALLOC_SIZE, 0); >> + >> + if (((long)shdw_addr) <= 0) { >> + ksft_print_msg("map_shadow_stack failed with error code %d\n", >> + (int)shdw_addr); >> + return false; >> + } >> + >> + ret = munmap((void *)shdw_addr, SHADOW_STACK_ALLOC_SIZE); >> + >> + if (ret) { >> + ksft_print_msg("munmap failed with error code %d\n", ret); >> + return false; >> + } >> + >> + return true; >> +} >> + >> +/* >> + * shadow stack protection tests. map a shadow stack and >> + * validate all memory protections work on it >> + */ >> +bool shadow_stack_protection_test(unsigned long test_num, void *ctx) >> +{ >> + unsigned long shdw_addr; >> + unsigned long *write_addr = NULL; >> + int ret = 0, pid = 0, child_status = 0; >> + >> + ksft_print_msg("Exercising shadow stack protection test (WPT)\n"); >> + >> + shdw_addr = my_syscall3(__NR_map_shadow_stack, NULL, SHADOW_STACK_ALLOC_SIZE, 0); >> + >> + if (((long)shdw_addr) <= 0) { >> + ksft_print_msg("map_shadow_stack failed with error code %d\n", >> + (int)shdw_addr); >> + return false; >> + } >> + >> + write_addr = (unsigned long *)shdw_addr; >> + pid = fork(); >> + >> + /* no child was created, return false */ >> + if (pid == -1) >> + return false; >> + >> + /* >> + * try to perform a store from child on shadow stack memory >> + * it should result in SIGSEGV >> + */ >> + if (!pid) { >> + /* below write must lead to SIGSEGV */ >> + *write_addr = 0xdeadbeef; >> + } else { >> + wait(&child_status); >> + } >> + >> + /* test fail, if 0xdeadbeef present on shadow stack address */ >> + if (*write_addr == 0xdeadbeef) { >> + ksft_print_msg("Shadow stack WPT failed\n"); >> + return false; >> + } >> + >> + /* if child reached here, then fail */ >> + if (!pid) { >> + ksft_print_msg("Shadow stack WPT failed: child reached unreachable state\n"); >> + return false; >> + } >> + >> + /* if child exited via signal handler but not for write on ss */ >> + if (WIFEXITED(child_status) && >> + WEXITSTATUS(child_status) != CHILD_EXIT_CODE_SSWRITE) { >> + ksft_print_msg("Shadow stack WPT failed: child wasn't signaled for write\n"); >> + return false; >> + } >> + >> + ret = munmap(write_addr, SHADOW_STACK_ALLOC_SIZE); >> + if (ret) { >> + ksft_print_msg("Shadow stack WPT failed: munmap failed, error code %d\n", >> + ret); >> + return false; >> + } >> + >> + return true; >> +} >> + >> +#define SS_MAGIC_WRITE_VAL 0xbeefdead >> + >> +int gup_tests(int mem_fd, unsigned long *shdw_addr) >> +{ >> + unsigned long val = 0; >> + >> + lseek(mem_fd, (unsigned long)shdw_addr, SEEK_SET); >> + if (read(mem_fd, &val, sizeof(val)) < 0) { >> + ksft_print_msg("Reading shadow stack mem via gup failed\n"); >> + return 1; >> + } >> + >> + val = SS_MAGIC_WRITE_VAL; >> + lseek(mem_fd, (unsigned long)shdw_addr, SEEK_SET); >> + if (write(mem_fd, &val, sizeof(val)) < 0) { >> + ksft_print_msg("Writing shadow stack mem via gup failed\n"); >> + return 1; >> + } >> + >> + if (*shdw_addr != SS_MAGIC_WRITE_VAL) { >> + ksft_print_msg("GUP write to shadow stack memory failed\n"); >> + return 1; >> + } >> + >> + return 0; >> +} >> + >> +bool shadow_stack_gup_tests(unsigned long test_num, void *ctx) >> +{ >> + unsigned long shdw_addr = 0; >> + unsigned long *write_addr = NULL; >> + int fd = 0; >> + bool ret = false; >> + >> + ksft_print_msg("Exercising shadow stack gup tests\n"); >> + shdw_addr = my_syscall3(__NR_map_shadow_stack, NULL, SHADOW_STACK_ALLOC_SIZE, 0); >> + >> + if (((long)shdw_addr) <= 0) { >> + ksft_print_msg("map_shadow_stack failed with error code %d\n", (int)shdw_addr); >> + return false; >> + } >> + >> + write_addr = (unsigned long *)shdw_addr; >> + >> + fd = open("/proc/self/mem", O_RDWR); >> + if (fd == -1) >> + return false; >> + >> + if (gup_tests(fd, write_addr)) { >> + ksft_print_msg("gup tests failed\n"); >> + goto out; >> + } >> + >> + ret = true; >> +out: >> + if (shdw_addr && munmap(write_addr, SHADOW_STACK_ALLOC_SIZE)) { >> + ksft_print_msg("munmap failed with error code %d\n", ret); >> + ret = false; >> + } >> + >> + return ret; >> +} >> + >> +volatile bool break_loop; >> + >> +void sigusr1_handler(int signo) >> +{ >> + break_loop = true; >> +} >> + >> +bool sigusr1_signal_test(void) >> +{ >> + struct sigaction sa = {}; >> + >> + sa.sa_handler = sigusr1_handler; >> + sa.sa_flags = 0; >> + sigemptyset(&sa.sa_mask); >> + if (sigaction(SIGUSR1, &sa, NULL)) { >> + ksft_print_msg("Registering signal handler for SIGUSR1 failed\n"); >> + return false; >> + } >> + >> + return true; >> +} >> + >> +/* >> + * shadow stack signal test. shadow stack must be enabled. >> + * register a signal, fork another thread which is waiting >> + * on signal. Send a signal from parent to child, verify >> + * that signal was received by child. If not test fails >> + */ >> +bool shadow_stack_signal_test(unsigned long test_num, void *ctx) >> +{ >> + int pid = 0, child_status = 0, ret = 0; >> + unsigned long ss_status = 0; >> + >> + ksft_print_msg("Exercising shadow stack signal test\n"); >> + >> + ret = my_syscall5(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &ss_status, 0, 0, 0); >> + if (ret) { >> + ksft_print_msg("Shadow stack get status prctl failed with errorcode %d\n", ret); >> + return false; >> + } >> + >> + if (!(ss_status & PR_SHADOW_STACK_ENABLE)) >> + ksft_print_msg("Shadow stack is not enabled, should be enabled via glibc\n"); >> + >> + /* this should be caught by signal handler and do an exit */ >> + if (!sigusr1_signal_test()) { >> + ksft_print_msg("Registering sigusr1 handler failed\n"); >> + exit(-1); >> + } >> + >> + pid = fork(); >> + >> + if (pid == -1) { >> + ksft_print_msg("Signal test: fork failed\n"); >> + goto out; >> + } >> + >> + if (pid == 0) { >> + while (!break_loop) >> + sleep(1); >> + >> + exit(11); >> + /* child shouldn't go beyond here */ >> + } >> + >> + /* send SIGUSR1 to child */ >> + kill(pid, SIGUSR1); >> + wait(&child_status); >> + >> +out: >> + >> + return (WIFEXITED(child_status) && >> + WEXITSTATUS(child_status) == 11); >> +} >> + >> +int execute_shadow_stack_tests(void) >> +{ >> + int ret = 0; >> + unsigned long test_count = 0; >> + unsigned long shstk_status = 0; >> + bool test_pass = false; >> + >> + ksft_print_msg("Executing RISC-V shadow stack self tests\n"); >> + ksft_set_plan(RISCV_SHADOW_STACK_TESTS); >> + >> + ret = my_syscall5(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &shstk_status, 0, 0, 0); >> + >> + if (ret != 0) >> + ksft_exit_fail_msg("Get shadow stack status failed with %d\n", ret); >> + >> + /* >> + * If we are here that means get shadow stack status succeeded and >> + * thus shadow stack support is baked in the kernel. >> + */ >> + while (test_count < RISCV_SHADOW_STACK_TESTS) { >> + test_pass = (*shstk_tests[test_count].t_func)(test_count, NULL); >> + ksft_test_result(test_pass, shstk_tests[test_count].name); >> + test_count++; >> + } >> + >> + ksft_finished(); >> + >> + return 0; >> +} >> + >> +#pragma GCC pop_options >> diff --git a/tools/testing/selftests/riscv/cfi/shadowstack.h b/tools/testing/selftests/riscv/cfi/shadowstack.h >> new file mode 100644 >> index 000000000000..0be510167de3 >> --- /dev/null >> +++ b/tools/testing/selftests/riscv/cfi/shadowstack.h >> @@ -0,0 +1,27 @@ >> +/* SPDX-License-Identifier: GPL-2.0-only */ >> + >> +#ifndef SELFTEST_SHADOWSTACK_TEST_H >> +#define SELFTEST_SHADOWSTACK_TEST_H >> +#include >> +#include >> + >> +/* >> + * a cfi test returns true for success or false for fail >> + * takes a number for test number to index into array and void pointer. >> + */ >> +typedef bool (*shstk_test_func)(unsigned long test_num, void *); >> + >> +struct shadow_stack_tests { >> + char *name; >> + shstk_test_func t_func; >> +}; >> + >> +bool shadow_stack_fork_test(unsigned long test_num, void *ctx); >> +bool shadow_stack_map_test(unsigned long test_num, void *ctx); >> +bool shadow_stack_protection_test(unsigned long test_num, void *ctx); >> +bool shadow_stack_gup_tests(unsigned long test_num, void *ctx); >> +bool shadow_stack_signal_test(unsigned long test_num, void *ctx); >> + >> +int execute_shadow_stack_tests(void); >> + >> +#endif >> >> -- >> 2.43.0 >>