Adds basic support for x86 userspace IBT.
IBT is part of Intel CET. It requires indirect call and jump targets
to start with an endbr{32,64} instruction, otherwise throwing #CP.
In summary, this patch does 3 things:
- Config wiring ensuring supervisor XSAVE contains IBT state
- Allow userspace to enable IBT via prctl(PR_CFI_*) for an entire thread
- Enable IBT support (ENDBR instructions) in VDSO
Unlike the arm64 BTI API:
- does not support mixed usermode (all or nothing)
- does not touch page table code
- not enabled automatically (no ELF GNU note parsing)
- temporarily disables IBT enforcement when handling signals
These can all be cleanly added later.
The main question is whether glibc is happy with this prctl syscall API.
Changes from v1:
- Removed all signal handler changes
- Removed all uapi changes
(v1 saved state via a redundant uc_flags bit, which was a complete
mess, and not compatible with sigframe_ia32)
- Don't allow unknown PR_CFI_* syscall flags
see RISC-V patch:
https://lore.kernel.org/lkml/[email protected]/
- Added 32-bit support
The original usermode IBT patches were written by Yu Cheng years ago,
but are quite different (no syscall API to enable IBT, no FRED support)
https://lore.kernel.org/all/[email protected]/
There is one notable gap in this patch series, to do with signals:
000a: mov rax, 0x100a
000f: jmp rax
*** signal occurs ***
*** signal handler runs, does sigreturn ***
100a: nop
The above sequence does not crash.
With IBT, it should crash at the nop (because an endr64 is expected there).
The IBT state (WAIT_FOR_ENDBR in IA32_U_CET MSR) is not backed up to the
signal frame though. So, when userland does a sigreturn, the CPU has
forgotten that it was doing an indirect branch before the signal.
(This specifically only occurs with signal handlers that sigreturn.)
This is because IA32_U_CET is part of XSAVE 'supervisor' state, so
regular XSAVE/XRSTOR can't access it. Doing a manual backup is tricky.
A related problem is that the signal handler routine is not checked for
endbr preamble.
Basic IBT is better than no IBT, though.
Richard Patel (5):
x86: add userspace IBT config option
x86: shstk: don't clobber IBT bits in U_CET MSR
x86: expose user IBT via PR_CFI_BRANCH_LANDING_PADS
x86/entry/vdso: build with IBT support
selftests/x86: test usermode IBT
arch/x86/Kconfig | 18 ++
arch/x86/entry/vdso/common/Makefile.include | 3 +-
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/ibt.h | 14 ++
arch/x86/include/asm/processor.h | 5 +
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/cet.c | 3 +-
arch/x86/kernel/cpu/common.c | 14 +-
arch/x86/kernel/ibt.c | 98 ++++++++
arch/x86/kernel/process_64.c | 2 +
arch/x86/kernel/shstk.c | 12 +-
tools/arch/x86/include/asm/cpufeatures.h | 1 +
tools/testing/selftests/x86/Makefile | 5 +-
tools/testing/selftests/x86/user_ibt.c | 247 ++++++++++++++++++++
14 files changed, 416 insertions(+), 8 deletions(-)
create mode 100644 arch/x86/kernel/ibt.c
create mode 100644 tools/testing/selftests/x86/user_ibt.c
--
2.47.3
