[RFC PATCH v1 11/28] riscv: Implementing "PROT_SHADOWSTACK" on riscv

debug Wed, 24 Jan 2024 22:32:39 -0800

From: Deepak Gupta <de...@rivosinc.com>

This patch implements new risc-v specific protection flag
`PROT_SHADOWSTACK` (only for kernel) on riscv.


`PROT_SHADOWSTACK` protection flag is only limited to kernel and not exposed
to userspace. Shadow stack is a security construct to prevent against ROP 
attacks.
`map_shadow_stack` is a new syscall to manufacture shadow stack. In order to 
avoid
multiple methods to create shadow stack, `PROT_SHADOWSTACK` is not allowed for 
user
space `mmap` call. `mprotect` wouldn't allow because `arch_validate_prot` 
already
takes care of this for risc-v.

`arch_calc_vm_prot_bits` is implemented on risc-v to return VM_SHADOW_STACK 
(alias
for VM_WRITE) if PROT_SHADOWSTACK is supplied (such as call to `do_mmap` will) 
and
underlying CPU supports shadow stack. `PROT_WRITE` will be converted to 
`VM_READ |
`VM_WRITE` so that existing case where `PROT_WRITE` is specified keep working 
but
don't collide with `VM_WRITE` only encoding which now denotes a shadow stack.

risc-v `mmap` wrapper enforces if PROT_WRITE is specified and PROT_READ is left 
out
then PROT_READ is enforced.

Earlier `protection_map[VM_WRITE]` used to pick read-write (and copy on write) 
PTE
encodings. Now all non-shadow stack writeable mappings will pick 
`protection_map[VM_WRITE
| VM_READ] PTE encodings. `protection[VM_WRITE]` are programmed to pick 
PAGE_SHADOWSTACK
PTE encordings.

Signed-off-by: Deepak Gupta <de...@rivosinc.com>
---
 arch/riscv/include/asm/mman.h    | 17 +++++++++++++++++
 arch/riscv/include/asm/pgtable.h |  1 +
 arch/riscv/kernel/sys_riscv.c    | 19 +++++++++++++++++++
 arch/riscv/mm/init.c             |  2 +-
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/include/asm/mman.h b/arch/riscv/include/asm/mman.h
index 4902d837e93c..bc09a9c0e81f 100644
--- a/arch/riscv/include/asm/mman.h
+++ b/arch/riscv/include/asm/mman.h
@@ -22,4 +22,21 @@
  */
 #define PROT_SHADOWSTACK       0x40
 
+static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot,
+       unsigned long pkey __always_unused)
+{
+       unsigned long ret = 0;
+
+       if (cpu_supports_shadow_stack())
+               ret = (prot & PROT_SHADOWSTACK) ? VM_SHADOW_STACK : 0;
+       /*
+        * If PROT_WRITE was specified, force it to VM_READ | VM_WRITE.
+        * Only VM_WRITE means shadow stack.
+        */
+       if (prot & PROT_WRITE)
+               ret = (VM_READ | VM_WRITE);
+       return ret;
+}
+#define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey)
+
 #endif /* ! __ASM_MMAN_H__ */
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 294044429e8e..54a8dde29504 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -184,6 +184,7 @@ extern struct pt_alloc_ops pt_ops __initdata;
 #define PAGE_READ_EXEC         __pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_EXEC)
 #define PAGE_WRITE_EXEC                __pgprot(_PAGE_BASE | _PAGE_READ |      
\
                                         _PAGE_EXEC | _PAGE_WRITE)
+#define PAGE_SHADOWSTACK       __pgprot(_PAGE_BASE | _PAGE_WRITE)
 
 #define PAGE_COPY              PAGE_READ
 #define PAGE_COPY_EXEC         PAGE_READ_EXEC
diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c
index a2ca5b7756a5..2a7cf28a6fe0 100644
--- a/arch/riscv/kernel/sys_riscv.c
+++ b/arch/riscv/kernel/sys_riscv.c
@@ -16,6 +16,7 @@
 #include <asm/unistd.h>
 #include <asm-generic/mman-common.h>
 #include <vdso/vsyscall.h>
+#include <asm/mman.h>
 
 static long riscv_sys_mmap(unsigned long addr, unsigned long len,
                           unsigned long prot, unsigned long flags,
@@ -25,6 +26,24 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long 
len,
        if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))
                return -EINVAL;
 
+       /*
+        * If only PROT_WRITE is specified then extend that to PROT_READ
+        * protection_map[VM_WRITE] is now going to select shadow stack 
encodings.
+        * So specifying PROT_WRITE actually should select protection_map 
[VM_WRITE | VM_READ]
+        * If user wants to create shadow stack then they should use 
`map_shadow_stack` syscall.
+        */
+       if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ)))
+               prot |= PROT_READ;
+
+       /*
+        * PROT_SHADOWSTACK is a kernel only protection flag on risc-v.
+        * mmap doesn't expect PROT_SHADOWSTACK to be set by user space.
+        * User space can rely on `map_shadow_stack` syscall to create
+        * shadow stack pages.
+        */
+       if (unlikely(prot & PROT_SHADOWSTACK))
+               return -EINVAL;
+
        return ksys_mmap_pgoff(addr, len, prot, flags, fd,
                               offset >> (PAGE_SHIFT - page_shift_offset));
 }
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 2e011cbddf3a..f71c2d2c6cbf 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -296,7 +296,7 @@ pgd_t early_pg_dir[PTRS_PER_PGD] __initdata 
__aligned(PAGE_SIZE);
 static const pgprot_t protection_map[16] = {
        [VM_NONE]                                       = PAGE_NONE,
        [VM_READ]                                       = PAGE_READ,
-       [VM_WRITE]                                      = PAGE_COPY,
+       [VM_WRITE]                                      = PAGE_SHADOWSTACK,
        [VM_WRITE | VM_READ]                            = PAGE_COPY,
        [VM_EXEC]                                       = PAGE_EXEC,
        [VM_EXEC | VM_READ]                             = PAGE_READ_EXEC,
-- 
2.43.0

[RFC PATCH v1 11/28] riscv: Implementing "PROT_SHADOWSTACK" on riscv

Reply via email to