On Wed, Apr 29, 2020 at 03:07:32PM -0700, Yu-cheng Yu wrote:
> arch_prctl(ARCH_X86_CET_STATUS, u64 *args)
> Get CET feature status.
>
> The parameter 'args' is a pointer to a user buffer. The kernel returns
> the following information:
>
> *args = shadow stack/IBT status
> *(args + 1) = shadow stack base address
> *(args + 2) = shadow stack size
>
> arch_prctl(ARCH_X86_CET_DISABLE, u64 features)
> Disable CET features specified in 'features'. Return -EPERM if CET is
> locked.
>
> arch_prctl(ARCH_X86_CET_LOCK)
> Lock in CET features.
>
> arch_prctl(ARCH_X86_CET_ALLOC_SHSTK, u64 *args)
> Allocate a new shadow stack.
>
> The parameter 'args' is a pointer to a user buffer containing the
> desired size to allocate. The kernel returns the allocated shadow
> stack address in *args.
Hi! Just a quick note about getting these designs right -- prctl() (and
similar APIs) needs to make sure they're examining all "unknown" flags
as zero, or we run the risk of breaking sloppy userspace callers who
accidentally set flags and then later the kernel gives meaning to those
flags. Notes below...
>
> Signed-off-by: Yu-cheng Yu
> ---
> v10:
> - Verify CET is enabled before handling arch_prctl.
> - Change input parameters from unsigned long to u64, to make it clear they
> are 64-bit.
>
> arch/x86/include/asm/cet.h| 4 ++
> arch/x86/include/uapi/asm/prctl.h | 5 ++
> arch/x86/kernel/Makefile | 2 +-
> arch/x86/kernel/cet.c | 29 +++
> arch/x86/kernel/cet_prctl.c | 87 +++
> arch/x86/kernel/process.c | 4 +-
> 6 files changed, 128 insertions(+), 3 deletions(-)
> create mode 100644 arch/x86/kernel/cet_prctl.c
>
> diff --git a/arch/x86/include/asm/cet.h b/arch/x86/include/asm/cet.h
> index 71dc92acd2f2..99e6e741d28c 100644
> --- a/arch/x86/include/asm/cet.h
> +++ b/arch/x86/include/asm/cet.h
> @@ -14,16 +14,20 @@ struct sc_ext;
> struct cet_status {
> unsigned long shstk_base;
> unsigned long shstk_size;
> + unsigned intlocked:1;
> };
>
> #ifdef CONFIG_X86_INTEL_CET
> +int prctl_cet(int option, u64 arg2);
> int cet_setup_shstk(void);
> int cet_setup_thread_shstk(struct task_struct *p);
> +int cet_alloc_shstk(unsigned long *arg);
> void cet_disable_free_shstk(struct task_struct *p);
> int cet_verify_rstor_token(bool ia32, unsigned long ssp, unsigned long
> *new_ssp);
> void cet_restore_signal(struct sc_ext *sc);
> int cet_setup_signal(bool ia32, unsigned long rstor, struct sc_ext *sc);
> #else
> +static inline int prctl_cet(int option, u64 arg2) { return -EINVAL; }
> static inline int cet_setup_thread_shstk(struct task_struct *p) { return 0; }
> static inline void cet_disable_free_shstk(struct task_struct *p) {}
> static inline void cet_restore_signal(struct sc_ext *sc) { return; }
> diff --git a/arch/x86/include/uapi/asm/prctl.h
> b/arch/x86/include/uapi/asm/prctl.h
> index 5a6aac9fa41f..d962f0ec9ccf 100644
> --- a/arch/x86/include/uapi/asm/prctl.h
> +++ b/arch/x86/include/uapi/asm/prctl.h
> @@ -14,4 +14,9 @@
> #define ARCH_MAP_VDSO_32 0x2002
> #define ARCH_MAP_VDSO_64 0x2003
>
> +#define ARCH_X86_CET_STATUS 0x3001
> +#define ARCH_X86_CET_DISABLE 0x3002
> +#define ARCH_X86_CET_LOCK0x3003
> +#define ARCH_X86_CET_ALLOC_SHSTK 0x3004
> +
> #endif /* _ASM_X86_PRCTL_H */
> diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
> index e9cc2551573b..0b621e2afbdc 100644
> --- a/arch/x86/kernel/Makefile
> +++ b/arch/x86/kernel/Makefile
> @@ -144,7 +144,7 @@ obj-$(CONFIG_UNWINDER_ORC)+= unwind_orc.o
> obj-$(CONFIG_UNWINDER_FRAME_POINTER) += unwind_frame.o
> obj-$(CONFIG_UNWINDER_GUESS) += unwind_guess.o
>
> -obj-$(CONFIG_X86_INTEL_CET) += cet.o
> +obj-$(CONFIG_X86_INTEL_CET) += cet.o cet_prctl.o
>
> ###
> # 64 bit specific files
> diff --git a/arch/x86/kernel/cet.c b/arch/x86/kernel/cet.c
> index 121552047b86..c1b9b540c03e 100644
> --- a/arch/x86/kernel/cet.c
> +++ b/arch/x86/kernel/cet.c
> @@ -145,6 +145,35 @@ static int create_rstor_token(bool ia32, unsigned long
> ssp,
> return 0;
> }
>
> +int cet_alloc_shstk(unsigned long *arg)
> +{
> + unsigned long len = *arg;
> + unsigned long addr;
> + unsigned long token;
> + unsigned long ssp;
> +
> + addr = alloc_shstk(round_up(len, PAGE_SIZE));
> +
> + if (IS_ERR((void *)addr))
> + return PTR_ERR((void *)addr);
> +
> + /* Restore token is 8 bytes and aligned to 8 bytes */
> + ssp = addr + len;
> + token = ssp;
> +
> + if (!in_ia32_syscall())
> + token |= TOKEN_MODE_64;
> + ssp -= 8;
> +
> + if (write_user_shstk_64(ssp, token)) {
> + vm_munmap(addr, len);
> + return -EINVAL;
> + }
> +
> + *arg = addr;
> + return 0;
> +}
> +
> int cet_setup_shstk(void)
> {
> unsigned long addr, siz