There are dedicated hashstp and hashchkp instructions that can be inserted into a guest kernel to give it hypervisor managed ROP protection (the hypervisor sets the secret hash key and handles hashstp exceptions).
In testing, the kernel appears to handle the compiler generated hash protection just fine, without any changes. This makes sense, as any 'weird' stack interactions will normally be done in hand written assembly. We can expect that a compiler generated function prologue will be matched with a compiler generated function epilogue with the stack as expected by the compiler (in some sense, the hash value stored on the stack is just like any other local variable). GCC requires ELF ABI v2, and Clang only works with ELF ABI v2 anyway, so add it as a dependency. GCC will only insert these instructions if the target CPU is specified to be Power10 (possibly a bug; the documentation says they are inserted for Power8 or higher). Signed-off-by: Benjamin Gray <bg...@linux.ibm.com> --- arch/powerpc/Makefile | 3 +++ arch/powerpc/platforms/Kconfig.cputype | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile index 65261cbe5bfd..bfaa3c754ae2 100644 --- a/arch/powerpc/Makefile +++ b/arch/powerpc/Makefile @@ -168,6 +168,9 @@ endif CFLAGS-$(CONFIG_TARGET_CPU_BOOL) += -mcpu=$(CONFIG_TARGET_CPU) AFLAGS-$(CONFIG_TARGET_CPU_BOOL) += -mcpu=$(CONFIG_TARGET_CPU) +CFLAGS-$(CONFIG_PPC_KERNEL_ROP_PROTECT) += $(call cc-option,-mrop-protect) +CFLAGS-$(CONFIG_PPC_KERNEL_ROP_PROTECT) += $(call cc-option,-mprivileged) + CFLAGS-y += $(CONFIG_TUNE_CPU) asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1) diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype index b2d8c0da2ad9..a95b11782379 100644 --- a/arch/powerpc/platforms/Kconfig.cputype +++ b/arch/powerpc/platforms/Kconfig.cputype 
@@ -517,6 +517,18 @@ config PPC_KUAP_DEBUG Add extra debugging for Kernel Userspace Access Protection (KUAP) If you're unsure, say N. +config PPC_KERNEL_ROP_PROTECT + bool "Kernel ROP Protection" + default y + depends on PPC64_ELF_ABI_V2 + depends on !CC_IS_GCC || TARGET_CPU = "power10" + help + This tells the compiler to insert hashstp/hashckp instructions + in the prologue and epilogue of every kernel function. The kernel + also turns on the DEXCR[PHIE] aspect to cause an exception if the + hashchkp does not agree with the hash calculated by the matching + hashstp. + config PPC_PKEY def_bool y depends on PPC_BOOK3S_64 -- 2.44.0
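Review bot: In the arch/powerpc/Makefile hunk, both new flags are wrapped in cc-option, so a compiler that rejects -mrop-protect or -mprivileged drops the flag silently and a kernel configured with CONFIG_PPC_KERNEL_ROP_PROTECT=y is built without the protection the option name promises. The two flags are also probed independently, so one can be applied without the other. Consider moving the capability test into Kconfig (for example a "depends on $(cc-option,-mrop-protect)" line on PPC_KERNEL_ROP_PROTECT) and then adding the flags unconditionally here, so the config symbol is only selectable when the compiler can honour it.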
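Review bot: In the arch/powerpc/platforms/Kconfig.cputype hunk, the first line of the help text spells the instruction "hashckp" while the rest of the help text and the commit message use "hashchkp"; please make it "hashstp/hashchkp". The "depends on !CC_IS_GCC || TARGET_CPU = "power10"" line would also benefit from a short comment giving the reason stated in the commit message (GCC only inserts the instructions when the target CPU is Power10), since the condition is otherwise hard to interpret and should be revisited if the compiler behaviour changes. The help text says the kernel turns on DEXCR[PHIE], but nothing in this patch does that, so it is worth stating which patch provides it or making this option depend on it.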