On Mon, Sep 02, 2024 at 07:56:32PM +0100, Catalin Marinas wrote:
> On Thu, Aug 29, 2024 at 12:27:42AM +0100, Mark Brown wrote:
> > +static int gcs_get(struct task_struct *target,
> > + const struct user_regset *regset,
> > + struct membuf to
On Mon, Sep 02, 2024 at 02:22:38PM +0200, Christophe Leroy wrote:
> When vdso_test_getcpu doesn't find the vDSO entry point, it prints an error
> text and returns KSFT_SKIP
> I thought it would be more correct to have the same behaviour on
> vdso_test_getrandom instead of trying to build it only
On Fri, Aug 30, 2024 at 05:54:35PM +0200, Jason A. Donenfeld wrote:
> From: Mark Brown
>
> Unlike the check for the standalone x86 test, the check for building the
> vDSO getrandom and chacaha tests looks at the architecture for the host
> rather than the architecture for
On Fri, Aug 30, 2024 at 05:34:13PM +0200, Jason A. Donenfeld wrote:
> > +ifeq ($(ARCH),$(filter $(ARCH),x86_64))
> Actually... this doesn't work. Because:
> ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
> The x86_64 gets turned into an x86. It's a little trickier when
>
On Fri, Aug 30, 2024 at 05:30:07PM +0200, Jason A. Donenfeld wrote:
> On Fri, Aug 30, 2024 at 03:06:35PM +0100, Mark Brown wrote:
> > The x86_64 build is still broken for me because nothing installs
> > tools/arch/x86_64/vdso/vgetrandom-chacha.S (I beleive it's supposed t
cross building with x86 as either the target or host is broken. Use
a check for ARCH instead.
Fixes: 4920a2590e91 ("selftests/vDSO: add tests for vgetrandom")
Signed-off-by: Mark Brown
---
The x86_64 build is still broken for me because nothing installs
tools/arch/x86_64/vdso/vgetrandom-c
On Fri, Aug 30, 2024 at 10:59:11AM +0530, Dev Jain wrote:
> A "%s" is missing in ksft_exit_fail_msg(); instead, use the newly
> introduced ksft_exit_fail_perror().
Reviewed-by: Mark Brown
signature.asc
Description: PGP signature
On Thu, Aug 22, 2024 at 04:10:59PM +0100, Joey Gouly wrote:
> +static bool fault_from_pkey(unsigned long esr, struct vm_area_struct *vma,
> + unsigned int mm_flags)
> +{
> + unsigned long iss2 = ESR_ELx_ISS2(esr);
> +
> + if (!system_supports_poe())
> + retu
est to actually
cover the thing it's supposed to test.
Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests")
Signed-off-by: Mark Brown
---
.../arm64/signal/testcases/fake_sigreturn_sme_change_vl.c | 14 +++---
1 file changed, 7 insertions(+), 7 del
On Wed, Aug 28, 2024 at 10:55:22PM +, jef...@chromium.org wrote:
> Add more testcases and increase test coverage, e.g. add
> get_vma_size to check VMA size and prot bits.
I think this needs to be split into multiple patches, for example the
new test cases done separately to the additions to t
On Thu, Aug 29, 2024 at 11:55:33AM +0530, Dev Jain wrote:
> On 8/28/24 16:10, Mark Brown wrote:
> > > - ksft_exit_fail_msg("raise(SIGSTOP)", strerror(errno));
> > > + ksft_exit_fail_perror("raise(SIGSTOP)");
> > The idea with these
GCS adds new registers GCSCR_EL1, GCSCRE0_EL1, GCSPR_EL1 and GCSPR_EL0. Add
these to those validated by get-reg-list.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/kvm/aarch64/get-reg-list.c | 28 ++
1 file changed, 28 insertions
they continue to work as before on systems without GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/fp/assembler.h | 15 +++
tools/testing/selftests/arm64/fp/fpsimd-test.S | 2 ++
tools/testing/selftests/arm64/fp/sve-test.S
are inserted when moving a GCS using task to another CPU. The test runs for
a configurable amount of time, defaulting to 10 seconds.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/gcs/.gitignore | 2 +
tools/testing/selftests/arm64/gcs
Do some testing of the signal handling for GCS, checking that a GCS
frame has the expected information in it and that the expected signals
are delivered with invalid operations.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/.gitignore
to not do that in the build system but there are no
such toolchains yet so it is not yet an issue.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/gcs/.gitignore| 1 +
tools/testing/selftests/arm64/gcs/Makefile | 2 +-
tools/testing/selft
There are things like threads which nolibc struggles with which we want
to add coverage for, and the ABI allows us to test most of these even if
libc itself does not understand GCS so add a test application built
using the system libc.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
This test program just covers the basic GCS ABI, covering aspects of the
ABI as standalone features without attempting to integrate things.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/Makefile| 2 +-
tools/testing/selftests/arm64/gcs
anything with stacks that would cause problems with GCS we can sidestep
this issue by unconditionally enabling GCS on startup and exiting with a
call to exit() rather than a return from main().
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
.../testing/selftests/arm64/signal
: Mark Brown
---
.../testing/selftests/arm64/signal/test_signals.h | 4 +++
.../selftests/arm64/signal/test_signals_utils.c| 29 ++
2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/arm64/signal/test_signals.h
b/tools/testing
Teach the framework about the GCS signal context, avoiding warnings on
the unknown context.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/testcases/testcases.c | 7 +++
tools/testing/selftests/arm64/signal/testcases/testcases.h | 1
In preparation for testing GCS related signal handling add it as a feature
we check for in the signal handling support code.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/test_signals.h | 2 ++
tools/testing/selftests/arm64/signal
Add coverage of the GCS hwcap to the hwcap selftest, using a read of
GCSPR_EL0 to generate SIGILL without having to worry about enabling GCS.
Reviewed-by: Thiago Jung Bauermann
Tested-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/abi/hwcap.c | 19
Provide a Kconfig option allowing the user to select if GCS support is
built into the kernel.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/Kconfig | 21 +
1 file changed, 21 insertions(+)
diff --git a/arch/arm64
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/uapi/asm/ptrace.h | 8 ++
arch/arm64/kernel/ptrace.c | 54
include/uapi/linux/elf.h | 1 +
3 files changed, 63 insertions(+)
diff --git a/arch/arm64
, there is a conflict
between specifying GCSPR_EL0 and allocation of a new GCS and this is not
an ancticipated use case. We also enforce GCS configuration locking on
signal return.
Signed-off-by: Mark Brown
---
arch/arm64/include/uapi/asm/sigcontext.h | 9 +++
arch/arm64/kernel/signal.c
;t be interpreted as
a valid token or address.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 1 +
arch/arm64/kernel/signal.c | 118 +--
2 files changed, 114 insertions(+), 5 dele
hiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/mm/gcs.c | 64 +
1 file changed, 64 insertions(+)
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
index 979e02cece93..cdd4a9d7ff7d 100644
--- a/arc
-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 22 +++
arch/arm64/include/asm/processor.h | 1 +
arch/arm64/mm/gcs.c| 79 ++
3 files changed, 102 insertions(+)
diff --git a/arch/arm64/include
-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 9 ++
arch/arm64/kernel/process.c | 26
arch/arm64/mm/gcs.c | 70
3 files changed, 105 insertions(+)
diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include
been disabled.
Reviewed-by: Catalin Marinas
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 24 +++
arch/arm64/include/asm/processor.h | 6
arch/arm64/kernel/process.c| 62
it
attempts to do GCS operations outside a GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/mm/fault.c | 40
1 file changed, 40 insertions(+)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 451ba7cbd5ad
ating any GCS
fault as fatal.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/esr.h | 28 +++-
arch/arm64/include/asm/exception.h | 2 ++
arch/arm64/kernel/entry-common.c
Provide a hwcap to enable userspace to detect support for GCS.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/elf_hwcaps.rst | 2 ++
arch/arm64/include/asm/hwcap.h | 1 +
arch/arm64/include/uapi/asm/hwcap.h
Hook up an override for GCS, allowing it to be disabled from the command
line by specifying arm64.nogcs in case there are problems.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Acked-by: Catalin Marinas
Signed-off-by: Mark Brown
---
Documentation/admin-guide/kernel
deliberately conservative choice to avoid errors due to oversights.
Further fields should be made writable in future.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/kvm_host.h | 12
arch/arm64/include/asm/vncr_mapping.h | 2 ++
arch/arm64/kvm
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/mman.h | 9 +
arch/arm64/mm/mmap.c | 9 -
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h
index c21849ffdd88..37dfd2882f04 100644
--- a/arch
Use VM_HIGH_ARCH_5 for guarded control stack pages.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
Documentation/filesystems/proc.rst | 2 +-
include/linux/mm.h | 12 +++-
2 files changed, 12 insertions(+), 2 deletions
-by: Mark Brown
---
arch/arm64/include/asm/pgtable-prot.h | 14 --
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/pgtable-prot.h
b/arch/arm64/include/asm/pgtable-prot.h
index b11cfb9fdd37..545d54c88520 100644
--- a/arch/arm64/include/asm/pgtable
Add a cpufeature for GCS, allowing other code to conditionally support it
at runtime.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/cpufeature.h | 6 ++
arch/arm64/kernel/cpufeature.c | 9 +
arch/arm64
function call instructions without faulting regardless of the
state when the kernel is started.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/el2_setup.h | 29 +
1 file changed, 29 insertions(+)
diff
In order for EL1 to write to an EL0 GCS it must use the GCSSTTR instruction
rather than a normal STTR. Provide a put_user_gcs() which does this.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/uaccess.h | 18
sufficiently fast paths for this to be a problem.
Note that GCSSTTR is used to store to EL0.
Reviewed-by: Thiago Jung Bauermann
Acked-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 51
arch/arm64/include/asm/uaccess.h | 22
The architecture defines a format for guarded control stack caps, used
to mark the top of an unused GCS in order to limit the potential for
exploitation via stack switching. Add definitions associated with these.
Reviewed-by: Thiago Jung Bauermann
Acked-by: Catalin Marinas
Signed-off-by: Mark
Add some documentation of the userspace ABI for Guarded Control Stacks.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/gcs.rst | 230 +
Documentation/arch/arm64/index.rst | 1 +
2
: Catalin Marinas
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/booting.rst | 32
1 file changed, 32 insertions(+)
diff --git a/Documentation/arch/arm64/booting.rst
b/Documentation/arch/arm64/booting.rst
index b57776a68f15..aed6e9f47cf3 100644
--- a
stack marker suitable for use by unwinders should be added
above that.
For arm64 the top of stack marker is all bits 0.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/x86/include/uapi/asm/mman.h | 3 ---
include/uapi/asm-generic/mman.h | 4
locking interface reworked. The set status prctl()
is also reworked to just set flags, if setting/reading the shadow stack
pointer is required this could be a separate prctl.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
include/linux/mm.h
.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/mman.h | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h
index 5966ee4a6154
Gupta
Reviewed-by: Rick Edgecombe
Reviewed-by: Mike Rapoport (IBM)
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux
-1-de...@rivosinc.com/
Signed-off-by: Mark Brown
---
Changes in v12:
- Clarify and simplify the signal handling code so we work with the
register state.
- When checking for write aborts to shadow stack pages ensure the fault
is a data abort.
- Depend on !UPROBES.
- Comment cleanups.
- Link t
On Mon, Aug 26, 2024 at 01:00:09PM +0300, Catalin Marinas wrote:
> On Fri, Aug 23, 2024 at 11:01:13PM +0100, Mark Brown wrote:
> > On Fri, Aug 23, 2024 at 04:59:11PM +0100, Catalin Marinas wrote:
> gcs_preserve_current_state() only a context switch thing. Would it work
> if we
On Tue, Aug 27, 2024 at 01:33:47PM +0100, Will Deacon wrote:
> On Tue, Aug 27, 2024 at 10:48:51AM +0530, Dev Jain wrote:
> > A "%s" is missing in ksft_exit_fail_msg(); instead, use the newly
> > introduced ksft_exit_fail_perror(). Also, uint64_t corresponds to
> > unsigned 64-bit integer, so use %l
On Tue, Aug 27, 2024 at 10:48:51AM +0530, Dev Jain wrote:
> - ksft_exit_fail_msg("PTRACE_TRACEME", strerror(errno));
> + ksft_exit_fail_perror("PTRACE_TRACEME");
>
> if (raise(SIGSTOP))
> - ksft_exit_fail_msg("raise(SIGSTOP)", strerror(errno));
> +
On Fri, Aug 23, 2024 at 04:59:11PM +0100, Catalin Marinas wrote:
> On Fri, Aug 23, 2024 at 11:25:30AM +0100, Mark Brown wrote:
> > We could store either the cap token or the interrupted GCSPR_EL0 (the
> > address below the cap token). It felt more joined up to go with the cap
On Fri, Aug 23, 2024 at 10:37:19AM +0100, Catalin Marinas wrote:
> On Thu, Aug 22, 2024 at 02:15:28AM +0100, Mark Brown wrote:
> > + gcs_preserve_current_state();
> > + gcspr = current->thread.gcspr_el0 - 8;
> > + __put_user_error(gcspr, &ctx->gcspr, err);
On Thu, Aug 22, 2024 at 06:19:38PM +0100, Catalin Marinas wrote:
> On Thu, Aug 22, 2024 at 05:44:19PM +0100, Mark Brown wrote:
> > On Thu, Aug 22, 2024 at 05:12:30PM +0100, Catalin Marinas wrote:
> > > On Thu, Aug 22, 2024 at 02:15:22AM +0100, Mark Brown wrote:
> &g
On Thu, Aug 22, 2024 at 05:12:30PM +0100, Catalin Marinas wrote:
> On Thu, Aug 22, 2024 at 02:15:22AM +0100, Mark Brown wrote:
> > +static bool is_invalid_gcs_access(struct vm_area_struct *vma, u64 esr)
> > + } else if (unlikely(vma->vm_flags & VM_SHADOW_STACK)) {
>
On Thu, Aug 22, 2024 at 04:44:12PM +0100, Catalin Marinas wrote:
> On Thu, Aug 22, 2024 at 02:15:21AM +0100, Mark Brown wrote:
> > +void do_el0_gcs(struct pt_regs *regs, unsigned long esr)
> > +{
> > + force_signal_inject(SIGSEGV, SEGV_CPERR, regs->pc, 0);
> >
On Thu, Aug 22, 2024 at 05:17:14PM +0100, Catalin Marinas wrote:
> > /*
> > -* Ensure that GCS changes are observable by/from other PEs in
> > -* case of migration.
> > +* Ensure that GCS memory effects of the 'prev' thread are
> > +* ordered before other memory accesses with r
GCS adds new registers GCSCR_EL1, GCSCRE0_EL1, GCSPR_EL1 and GCSPR_EL0. Add
these to those validated by get-reg-list.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/kvm/aarch64/get-reg-list.c | 28 ++
1 file changed, 28 insertions
they continue to work as before on systems without GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/fp/assembler.h | 15 +++
tools/testing/selftests/arm64/fp/fpsimd-test.S | 2 ++
tools/testing/selftests/arm64/fp/sve-test.S
are inserted when moving a GCS using task to another CPU. The test runs for
a configurable amount of time, defaulting to 10 seconds.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/gcs/.gitignore | 2 +
tools/testing/selftests/arm64/gcs
Do some testing of the signal handling for GCS, checking that a GCS
frame has the expected information in it and that the expected signals
are delivered with invalid operations.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/.gitignore
to not do that in the build system but there are no
such toolchains yet so it is not yet an issue.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/gcs/.gitignore| 1 +
tools/testing/selftests/arm64/gcs/Makefile | 2 +-
tools/testing/selft
There are things like threads which nolibc struggles with which we want
to add coverage for, and the ABI allows us to test most of these even if
libc itself does not understand GCS so add a test application built
using the system libc.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
This test program just covers the basic GCS ABI, covering aspects of the
ABI as standalone features without attempting to integrate things.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/Makefile| 2 +-
tools/testing/selftests/arm64/gcs
anything with stacks that would cause problems with GCS we can sidestep
this issue by unconditionally enabling GCS on startup and exiting with a
call to exit() rather than a return from main().
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
.../testing/selftests/arm64/signal
: Mark Brown
---
.../testing/selftests/arm64/signal/test_signals.h | 4 +++
.../selftests/arm64/signal/test_signals_utils.c| 29 ++
2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/arm64/signal/test_signals.h
b/tools/testing
Teach the framework about the GCS signal context, avoiding warnings on
the unknown context.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/testcases/testcases.c | 7 +++
tools/testing/selftests/arm64/signal/testcases/testcases.h | 1
In preparation for testing GCS related signal handling add it as a feature
we check for in the signal handling support code.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/signal/test_signals.h | 2 ++
tools/testing/selftests/arm64/signal
Add coverage of the GCS hwcap to the hwcap selftest, using a read of
GCSPR_EL0 to generate SIGILL without having to worry about enabling GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
tools/testing/selftests/arm64/abi/hwcap.c | 19 +++
1 file changed, 19
Provide a Kconfig option allowing the user to select if GCS support is
built into the kernel.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/Kconfig | 20
1 file changed, 20 insertions(+)
diff --git a/arch/arm64
Signed-off-by: Mark Brown
---
arch/arm64/include/uapi/asm/ptrace.h | 8 ++
arch/arm64/kernel/ptrace.c | 54
include/uapi/linux/elf.h | 1 +
3 files changed, 63 insertions(+)
diff --git a/arch/arm64/include/uapi/asm/ptrace.h
b
, there is a conflict
between specifying GCSPR_EL0 and allocation of a new GCS and this is not
an ancticipated use case. We also enforce GCS configuration locking on
signal return.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/uapi/asm/sigcontext.h | 9
;t be interpreted as
a valid token or address.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 1 +
arch/arm64/kernel/signal.c | 112 +--
arch/arm64/mm/gcs.c | 1 +
3 files changed, 109 insertions(
hiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/mm/gcs.c | 64 +
1 file changed, 64 insertions(+)
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
index 5eb746fdd872..d9614900c910 100644
--- a/arc
-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 22 +++
arch/arm64/include/asm/processor.h | 1 +
arch/arm64/mm/gcs.c| 79 ++
3 files changed, 102 insertions(+)
diff --git a/arch/arm64/include
allocate
min(RLIMIT_STACK, 2G). Since the GCS only stores the call stack and not
any variables this should be more than sufficient for most applications.
GCSs allocated via this mechanism will be freed when the thread exits.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 9
been disabled.
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 24
arch/arm64/include/asm/processor.h | 6
arch/arm64/kernel/process.c| 56 ++
arch/arm64/mm/Makefile | 1 +
arch/arm64/mm/gcs.c
it
attempts to do GCS operations outside a GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/mm/fault.c | 40
1 file changed, 40 insertions(+)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 451ba7cbd5ad
ating any GCS
fault as fatal.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/esr.h | 28 +++-
arch/arm64/include/asm/exception.h | 2 ++
arch/arm64/kernel/entry-common.c | 23 +++
arch/arm64/kernel/tr
Provide a hwcap to enable userspace to detect support for GCS.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/elf_hwcaps.rst | 2 ++
arch/arm64/include/asm/hwcap.h | 1 +
arch/arm64/include/uapi/asm/hwcap.h | 1 +
arch/arm64/kernel
Hook up an override for GCS, allowing it to be disabled from the command
line by specifying arm64.nogcs in case there are problems.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/admin-guide/kernel-parameters.txt | 3 +++
arch/arm64/kernel/pi/idreg-override.c
deliberately conservative choice to avoid errors due to oversights.
Further fields should be made writable in future.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/kvm_host.h | 12
arch/arm64/include/asm/vncr_mapping.h | 2 ++
arch/arm64/kvm
Map pages flagged as being part of a GCS as such rather than using the
full set of generic VM flags.
This is done using a conditional rather than extending the size of
protection_map since that would make for a very sparse array.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
Use VM_HIGH_ARCH_5 for guarded control stack pages.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/filesystems/proc.rst | 2 +-
include/linux/mm.h | 12 +++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Documentation
-by: Mark Brown
---
arch/arm64/include/asm/pgtable-prot.h | 14 --
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/pgtable-prot.h
b/arch/arm64/include/asm/pgtable-prot.h
index b11cfb9fdd37..545d54c88520 100644
--- a/arch/arm64/include/asm/pgtable
Add a cpufeature for GCS, allowing other code to conditionally support it
at runtime.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/cpufeature.h | 6 ++
arch/arm64/kernel/cpufeature.c | 9 +
arch/arm64
function call instructions without faulting regardless of the
state when the kernel is started.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/el2_setup.h | 29 +
1 file changed, 29 insertions(+)
diff
In order for EL1 to write to an EL0 GCS it must use the GCSSTTR instruction
rather than a normal STTR. Provide a put_user_gcs() which does this.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/uaccess.h | 18
sufficiently fast paths for this to be a problem.
Note that GCSSTTR is used to store to EL0.
Reviewed-by: Thiago Jung Bauermann
Acked-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/gcs.h | 51
arch/arm64/include/asm/uaccess.h | 22
The architecture defines a format for guarded control stack caps, used
to mark the top of an unused GCS in order to limit the potential for
exploitation via stack switching. Add definitions associated with these.
Reviewed-by: Thiago Jung Bauermann
Acked-by: Catalin Marinas
Signed-off-by: Mark
Add some documentation of the userspace ABI for Guarded Control Stacks.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark Brown
---
Documentation/arch/arm64/gcs.rst | 230 +
Documentation/arch/arm64/index.rst | 1 +
2 files changed, 231 insertions
fault
we also require that the feature be specifically disabled, existing
kernels implicitly have this requirement and especially given that the
MMU must be disabled it is difficult to see a situation where leaving
GCS enabled would be reasonable.
Reviewed-by: Thiago Jung Bauermann
Signed-off-by: Mark
stack marker suitable for use by unwinders should be added
above that.
For arm64 the top of stack marker is all bits 0.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/x86/include/uapi/asm/mman.h | 3 ---
include/uapi/asm-generic/mman.h | 4
locking interface reworked. The set status prctl()
is also reworked to just set flags, if setting/reading the shadow stack
pointer is required this could be a separate prctl.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
include/linux/mm.h
.
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Catalin Marinas
Signed-off-by: Mark Brown
---
arch/arm64/include/asm/mman.h | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h
index 5966ee4a6154
Gupta
Reviewed-by: Rick Edgecombe
Reviewed-by: Mike Rapoport (IBM)
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Acked-by: Shuah Khan
Signed-off-by: Mark Brown
---
arch/x86/Kconfig | 1 +
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
mm/Kconfig | 6
hadow-stack-v9-0-962d74f99...@kernel.org
Previous versions of this series depended on that, this dependency has
been removed in order to make merging easier.
[1] https://lore.kernel.org/lkml/20230213045351.3945824-1-de...@rivosinc.com/
Signed-off-by: Mark Brown
---
Changes in v11:
- Remove the depen
1 - 100 of 873 matches
Mail list logo
