Your talk was interesting at Linux Plumbers.
https://www.youtube.com/watch?v=oE73eVSyFXQ [time +2:35]
This is probably a stupid question, but why not just add something to
call_driver_probe() which creates a sysfs directory tree with all the
driver information?
regards,
dan carpenter
Move those pmu helper functions into lib/, so that they can be used by other
pmu tests.
Signed-off-by: Shaoqin Huang
---
.../kvm/aarch64/vpmu_counter_access.c | 118 -
.../selftests/kvm/include/aarch64/vpmu.h | 119 ++
2 files changed, 119 insertions(+),
Move the [create|destroy]_vpmu_vm() into the lib/, which allows those
functions to be used by other tests. Installing the handler is specific to
the vpmu_counter_access test, so create a wrapper function for it, and
only move the common part.
No functional change.
Signed-off-by: Shaoqin Huang
---
Introduce pmu_event_filter_test for arm64 platforms. The test configures
PMUv3 for a vCPU, and sets different pmu event filters for the vCPU, and
checks if the guest can use those events which the user allows and can't use
those events which the user denies.
This test refactors the create_vpmu_vm() and makes it
The test is inspired by the pmu_event_filter_test which is implemented by x86. On
the arm64 platform, there is the same ability to set the pmu_event_filter
through the KVM_ARM_VCPU_PMU_V3_FILTER attribute. So add the test for arm64.
The series first moves some pmu common code from vpmu_counter_access
On Wed, Nov 22, 2023 at 4:13 PM Andrew Jones wrote:
>
> On Sun, Oct 08, 2023 at 10:58:57AM +0800, Haibo Xu wrote:
> > On Tue, Oct 3, 2023 at 6:28 PM Andrew Jones wrote:
> > >
> > > On Thu, Sep 14, 2023 at 09:36:56AM +0800, Haibo Xu wrote:
> > > > A separate makefile rule was used for split
Hi Shuah,
Any comments for this?
Thanks
Hangbin
On Thu, Nov 02, 2023 at 03:50:17PM +0800, Hangbin Liu wrote:
> By default, all the test output will be printed to stdout or output.log if
> -s supplied. The kselftest/runner.sh also supports per test log if the
> variable per_test_logging is set.
On Wed, Nov 22, 2023 at 10:21 AM Daniel Xu wrote:
>
> +
> + bpf_printk("replay-window %d\n", x->replay_esn->replay_window);
Pls no printk in tests. Find a different way to validate.
insertions(+), 20 deletions(-)
---
base-commit: 0dbd4651f3f80151910a36416fa0df28a10c3b0a
change-id: 20231122-nolibc-rlimit-bb5b1f264fc4
Best regards,
--
Thomas Weißschuh
A future commit will include linux/resource.h, which will conflict with
the private definition of struct rusage in nolibc.
Avoid the conflict by dropping the private definition and use the one
from the UAPI headers.
Signed-off-by: Thomas Weißschuh
---
tools/include/nolibc/types.h | 21
The implementation uses the prlimit64 systemcall as that is available on
all architectures.
Signed-off-by: Thomas Weißschuh
---
tools/include/nolibc/sys.h | 38
tools/testing/selftests/nolibc/nolibc-test.c | 29 +
2 files
qemu-user has its own implementation of coredumping.
That implementation does not respect the call to
prctl(PR_SET_DUMPABLE, 0) in run_protection().
This leads to a coredump for every test run under qemu-user.
Also use setrlimit() to inhibit coredump creation, which is respected by
qemu-user.
On Wed, Nov 22, 2023 at 08:17:46AM -0800, Darrick J. Wong wrote:
> On Wed, Nov 22, 2023 at 04:44:58PM +0200, Nikolai Kondrashov wrote:
> > On 11/20/23 00:54, Theodore Ts'o wrote:
> > > So as for *me*, I'm going to point people at:
> > >
> > >
This commit extends test_tunnel selftest to test the new XDP xfrm state
lookup kfunc.
Co-developed-by: Antony Antony
Signed-off-by: Antony Antony
Signed-off-by: Daniel Xu
---
.../selftests/bpf/progs/test_tunnel_kern.c| 49 +++
tools/testing/selftests/bpf/test_tunnel.sh
Previously, if bpffs was not already mounted, then the test suite would
fail during object file pinning steps. Fix by mounting bpffs if
necessary.
Co-developed-by: Antony Antony
Signed-off-by: Antony Antony
Signed-off-by: Daniel Xu
---
tools/testing/selftests/bpf/test_tunnel.sh | 13
vmlinux.h declarations are more ergonomic, especially when working with
kfuncs. The uapi headers are often incomplete for kfunc definitions.
Co-developed-by: Antony Antony
Signed-off-by: Antony Antony
Signed-off-by: Daniel Xu
---
.../selftests/bpf/progs/bpf_tracing_net.h | 1 +
This patchset adds two kfunc helpers, bpf_xdp_get_xfrm_state() and
bpf_xdp_xfrm_state_release() that wrap xfrm_state_lookup() and
xfrm_state_put(). The intent is to support software RSS (via XDP) for
the ongoing/upcoming ipsec pcpu work [0]. Recent experiments performed
on (hopefully)
Switching to vmlinux.h definitions seems to make the verifier very
unhappy with bitfield accesses. The error is:
; md.u.md2.dir = direction;
33: (69) r1 = *(u16 *)(r2 +11)
misaligned stack access off (0x0; 0x0)+-64+11 size 2
It looks like disabling CO-RE relocations seems to make the
The ping6 binary went away over 7 years ago [0].
[0]:
https://github.com/iputils/iputils/commit/ebad35fee3de851b809c7b72ccc654a72b6af61d
Co-developed-by: Antony Antony
Signed-off-by: Antony Antony
Signed-off-by: Daniel Xu
---
tools/testing/selftests/bpf/test_tunnel.sh | 18
On 11/22/23 18:17, Darrick J. Wong wrote:
On Wed, Nov 22, 2023 at 04:44:58PM +0200, Nikolai Kondrashov wrote:
On 11/20/23 00:54, Theodore Ts'o wrote:
I already queued a switch to the kernel.org URL, which Darrick has suggested.
I'll drop it now, but you guys would have to figure it out between
Hi Gustavo,
On 11/20/23 14:40, Gustavo Padovan wrote:
On Thursday, November 16, 2023 09:14 -03, Nikolai Kondrashov
wrote:
On 11/15/23 22:38, Konstantin Ryabitsev wrote:
On Wed, Nov 15, 2023 at 07:43:49PM +0200, Nikolai Kondrashov wrote:
Introduce a new tag, 'Tested-with:', documented in
On 11/20/23 20:48, Daniel Latypov wrote:
On Wed, Nov 15, 2023 at 9:52 AM Nikolai Kondrashov
wrote:
+kunit core
+--
+
+:Summary: KUnit tests for the framework itself
+:Superset: kunit
+:Command: tools/testing/kunit/kunit.py run --kunitconfig lib/kunit
Note: we'd want this to instead
On 11/21/23 12:36, David Gow wrote:
Thanks so much for doing this! I think everyone agrees that we need
_some_ way of documenting which tests to run, and I think this is our
best option.
Awesome :D
In any case, this patch does a lot, and I'll comment on them
one-by-one. (It may be worth
On Wed, Nov 22, 2023 at 04:44:58PM +0200, Nikolai Kondrashov wrote:
> On 11/20/23 00:54, Theodore Ts'o wrote:
> > So as for *me*, I'm going to point people at:
> >
> > https://github.com/tytso/xfstests-bld/blob/master/Documentation/kvm-quickstart.md
>
> ...
>
> > (And note that I keep the
On Tue, Nov 21, 2023 at 01:27:44PM +, Mark Brown wrote:
> > (I don't need to see all of the tests that passes; it's the test
> > failures or the test flakes that are significant.)
>
> The listing of tests does get a bit more complex when you mix in running
> on different platforms.
Yeah,
On 11/20/23 00:54, Theodore Ts'o wrote:
So as for *me*, I'm going to point people at:
https://github.com/tytso/xfstests-bld/blob/master/Documentation/kvm-quickstart.md
...
(And note that I keep the xfstests-bld repo's on kernel.org and
github.com both uptodate, and I prefer using the using
On Wed, Nov 22, 2023 at 04:58:24AM +, Tian, Kevin wrote:
> As Yi/Baolu discussed there is an issue in intel-iommu driver which
> incorrectly skips devtlb invalidation in the guest with the assumption
> that the host combines iotlb/devtlb invalidation together. This is
> incorrect and should
On Wed, Nov 22, 2023 at 12:19:49PM +0100, Anders Roxell wrote:
> On 2023-11-20 23:54, Mark Brown wrote:
> > +#ifndef ENABLE_SHADOW_STACK
> Should this be ENABLED_SHADOW_STACK ?
Yes, I already fixed this locally.
Please delete unneeded context from mails when replying. Doing this
makes it much
On 2023-11-20 23:54, Mark Brown wrote:
> Add basic test coverage for specifying the shadow stack for a newly
> created thread via clone3(), including coverage of the newly extended
> argument structure.
>
> In order to facilitate testing on systems without userspace shadow stack
> support we
In order to allow testing without full userspace support for shadow stacks
the clone3() selftests open code enabling them at runtime, hook up arm64
support.
Signed-off-by: Mark Brown
---
tools/testing/selftests/clone3/clone3.c | 37 +
1 file changed, 37
While it's a bit off topic for them the floating point stress tests do give
us some coverage of context thrashing cases, and also of active signal
delivery separate to the relatively complicated framework in the actual
signals tests. Have the tests enable GCS on startup, ignoring failures so
they
Add a stress test which runs one more process than we have CPUs spinning
through a very recursive function with frequent syscalls immediately prior
to return and signals being injected every 100ms. The goal is to flag up
any scheduling related issues, for example failure to ensure that barriers
Do some testing of the signal handling for GCS, checking that a GCS
frame has the expected information in it and that the expected signals
are delivered with invalid operations.
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/.gitignore| 1 +
Verify that we can lock individual GCS mode bits, that other modes
aren't affected and as a side effect also that every combination of
modes can be enabled.
Normally the inability to reenable GCS after disabling it would be an
issue with testing but fortunately the kselftest_harness runs each
There are things like threads which nolibc struggles with which we want
to add coverage for, and the ABI allows us to test most of these even if
libc itself does not understand GCS so add a test application built
using the system libc.
Signed-off-by: Mark Brown
---
This test program just covers the basic GCS ABI, covering aspects of the
ABI as standalone features without attempting to integrate things.
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/Makefile| 2 +-
tools/testing/selftests/arm64/gcs/.gitignore | 1 +
Since it is not possible to return from the function that enabled GCS
without disabling GCS it is very inconvenient to use the signal handling
tests to cover GCS when GCS is not enabled by the toolchain and runtime,
something that no current distribution does. Since none of the testcases
do
Currently we ignore si_code unless the expected signal is a SIGSEGV, in
which case we enforce it being SEGV_ACCERR. Allow test cases to specify
exactly which si_code should be generated so we can validate this, and
test for other segfault codes.
Signed-off-by: Mark Brown
---
Teach the framework about the GCS signal context, avoiding warnings on
the unknown context.
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/testcases/testcases.c | 7 +++
tools/testing/selftests/arm64/signal/testcases/testcases.h | 1 +
2 files changed, 8 insertions(+)
In preparation for testing GCS related signal handling add it as a feature
we check for in the signal handling support code.
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/test_signals.h | 2 ++
tools/testing/selftests/arm64/signal/test_signals_utils.c | 3 +++
2 files
Add coverage of the GCS hwcap to the hwcap selftest, using a read of
GCSPR_EL0 to generate SIGILL without having to worry about enabling GCS.
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/abi/hwcap.c | 19 +++
1 file changed, 19 insertions(+)
diff --git
Provide a Kconfig option allowing the user to select if GCS support is
built into the kernel.
Signed-off-by: Mark Brown
---
arch/arm64/Kconfig | 20
1 file changed, 20 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 7b071a00425d..05cffc0f5786
Provide a new register type NT_ARM_GCS reporting the current GCS mode
and pointer for EL0. Due to the interactions with allocation and
deallocation of Guarded Control Stacks we do not permit any changes to
the GCS mode via ptrace, only GCSPR_EL0 may be changed.
Signed-off-by: Mark Brown
---
Add a context for the GCS state and include it in the signal context when
running on a system that supports GCS. We reuse the same flags that the
prctl() uses to specify which GCS features are enabled and also provide the
current GCS pointer.
We do not support enabling GCS via signal return,
When invoking a signal handler we use the GCS configuration and stack
for the current thread.
Since we implement signal return by calling the signal handler with a
return address set up pointing to a trampoline in the vDSO we need to
also configure any active GCS for this by pushing a frame for
As discussed extensively in the changelog for the addition of this
syscall on x86 ("x86/shstk: Introduce map_shadow_stack syscall") the
existing mmap() and madvise() syscalls do not map entirely well onto the
security requirements for guarded control stacks since they lead to
windows where memory
Implement the architecture neutral prctl() interface for setting the
shadow stack status, this supports setting and reading the current GCS
configuration for the current thread.
Userspace can enable basic GCS functionality and additionally also
support for GCS pushes and arbitrary GCS stores.
When a new thread is created by a thread with GCS enabled the GCS needs
to be specified along with the regular stack. clone3() has been
extended to support this case, allowing userspace to explicitly request
the size for the GCS to be created, but plain clone() is not extensible
and existing
There are two registers controlling the GCS state of EL0, GCSPR_EL0 which
is the current GCS pointer and GCSCRE0_EL1 which has enable bits for the
specific GCS functionality enabled for EL0. Manage these on context switch
and process lifetime events, GCS is reset on exec(). Also ensure that
any
All GCS operations at EL0 must happen on a page which is marked as
having UnprivGCS access, including read operations. If a GCS operation
attempts to access a page without this then it will generate a data
abort with the GCS bit set in ESR_EL1.ISS2.
EL0 may validly generate such faults, for
A new exception code is defined for GCS specific faults other than
standard load/store faults, for example GCS token validation failures,
add handling for this. These faults are reported to userspace as
segfaults with code SEGV_CPERR (protection error), mirroring the
reporting for x86 shadow stack
Provide a hwcap to enable userspace to detect support for GCS.
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/elf_hwcaps.rst | 3 +++
arch/arm64/include/asm/hwcap.h | 1 +
arch/arm64/include/uapi/asm/hwcap.h | 1 +
arch/arm64/kernel/cpufeature.c | 3 +++
Hook up an override for GCS, allowing it to be disabled from the command
line by specifying arm64.nogcs in case there are problems.
Signed-off-by: Mark Brown
---
Documentation/admin-guide/kernel-parameters.txt | 6 ++
arch/arm64/kernel/idreg-override.c | 2 ++
2 files changed,
There is a control HCRX_EL2.GCSEn which must be set to allow GCS
features to take effect at lower ELs and also fine grained traps for GCS
usage at EL0 and EL1. Configure all these to allow GCS usage by EL0 and
EL1.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/el2_setup.h | 17
GCS introduces a number of system registers for EL1 and EL0, on systems
with GCS we need to context switch them and expose them to VMMs to allow
guests to use GCS. Traps are already disabled.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/kvm_host.h | 12
Map pages flagged as being part of a GCS as such rather than using the
full set of generic VM flags.
This is done using a conditional rather than extending the size of
protection_map since that would make for a very sparse array.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/mman.h | 9
Use VM_HIGH_ARCH_5 for guarded control stack pages.
Signed-off-by: Mark Brown
---
Documentation/filesystems/proc.rst | 2 +-
fs/proc/task_mmu.c | 3 +++
include/linux/mm.h | 12 +++-
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git
Pages used for guarded control stacks need to be described to the hardware
using the Permission Indirection Extension, GCS is not supported without
PIE. In order to support copy on write for guarded stacks we allocate two
values, one for active GCSs and one for GCS pages marked as read only prior
Add a cpufeature for GCS, allowing other code to conditionally support it
at runtime.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/cpufeature.h | 6 ++
arch/arm64/kernel/cpufeature.c | 16
arch/arm64/tools/cpucaps| 1 +
3 files changed, 23
In order for EL1 to write to an EL0 GCS it must use the GCSSTTR instruction
rather than a normal STTR. Provide a put_user_gcs() which does this.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/uaccess.h | 18 ++
1 file changed, 18 insertions(+)
diff --git
Define C callable functions for GCS instructions used by the kernel. In
order to avoid ambitious toolchain requirements for GCS support these are
manually encoded, this means we have fixed register numbers which will be
a bit limiting for the compiler but none of these should be used in
The architecture defines a format for guarded control stack caps, used
to mark the top of an unused GCS in order to limit the potential for
exploitation via stack switching. Add definitions associated with these.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/sysreg.h | 20
FEAT_GCS introduces a number of new system registers. Add the registers
available up to EL2 to sysreg as per DDI0601 2022-12.
Signed-off-by: Mark Brown
---
arch/arm64/tools/sysreg | 55 +
1 file changed, 55 insertions(+)
diff --git
Add some documentation of the userspace ABI for Guarded Control Stacks.
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/gcs.rst | 233 +
Documentation/arch/arm64/index.rst | 1 +
2 files changed, 234 insertions(+)
diff --git
FEAT_GCS introduces a number of new system registers, we require that
access to these registers is not trapped when we identify that the feature
is detected.
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/booting.rst | 22 ++
1 file changed, 22 insertions(+)
diff
In preparation for adding arm64 GCS support make the map_shadow_stack()
SHADOW_STACK_SET_TOKEN flag generic and add _SET_MARKER. The existing
flag indicates that a token usable for stack switch should be added to
the top of the newly mapped GCS region while the new flag indicates that
a top of
Three architectures (x86, aarch64, riscv) have announced support for
shadow stacks with fairly similar functionality. While x86 is using
arch_prctl() to control the functionality neither arm64 nor riscv uses
that interface so this patch adds arch-agnostic prctl() support to
get and set status of
Currently arch_validate_flags() is written in a very non-extensible
fashion, returning immediately if MTE is not supported and writing the MTE
check as a direct return. Since we will want to add more checks for GCS
refactor the existing code to be more extensible, no functional change
intended.
The arm64 Guarded Control Stack (GCS) feature provides support for
hardware protected stacks of return addresses, intended to provide
hardening against return oriented programming (ROP) attacks and to make
it easier to gather call stacks for applications such as profiling.
When GCS is active a
On Sun, Oct 08, 2023 at 10:58:57AM +0800, Haibo Xu wrote:
> On Tue, Oct 3, 2023 at 6:28 PM Andrew Jones wrote:
> >
> > On Thu, Sep 14, 2023 at 09:36:56AM +0800, Haibo Xu wrote:
> > > A separate makefile rule was used for split targets which was added
> > > in patch(KVM: arm64: selftests: Split