Re: [PATCH v4 09/36] arm64/mm: Allocate PIE slots for EL0 guarded control stack

From: Catalin Marinas
Date: Fri Aug 11 2023 - 10:23:25 EST

Next message: Andy Shevchenko: "Re: [PATCH 2/2 v2] gpio: sim: simplify code with cleanup helpers"
Previous message: Shawn Guo: "Re: [PATCH v4 1/4] arm64: dts: imx8mp-debix: remove unused fec pinctrl node"
Next in thread: Mark Brown: "Re: [PATCH v4 09/36] arm64/mm: Allocate PIE slots for EL0 guarded control stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 07, 2023 at 11:00:14PM +0100, Mark Brown wrote:
> diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h
> index eed814b00a38..b157ae0420ed 100644
> --- a/arch/arm64/include/asm/pgtable-prot.h
> +++ b/arch/arm64/include/asm/pgtable-prot.h
> @@ -131,15 +131,23 @@ extern bool arm64_use_ng_mappings;
> /* 6: PTE_PXN | PTE_WRITE */
> /* 7: PAGE_SHARED_EXEC PTE_PXN | PTE_WRITE | PTE_USER */
> /* 8: PAGE_KERNEL_ROX PTE_UXN */
> -/* 9: PTE_UXN | PTE_USER */
> +/* 9: PAGE_GCS_RO PTE_UXN | PTE_USER */
> /* a: PAGE_KERNEL_EXEC PTE_UXN | PTE_WRITE */
> -/* b: PTE_UXN | PTE_WRITE | PTE_USER */
> +/* b: PAGE_GCS PTE_UXN | PTE_WRITE | PTE_USER */
> /* c: PAGE_KERNEL_RO PTE_UXN | PTE_PXN */
> /* d: PAGE_READONLY PTE_UXN | PTE_PXN | PTE_USER */
> /* e: PAGE_KERNEL PTE_UXN | PTE_PXN | PTE_WRITE */
> /* f: PAGE_SHARED PTE_UXN | PTE_PXN | PTE_WRITE | PTE_USER */
>
> +#define _PAGE_GCS (_PAGE_DEFAULT | PTE_UXN | PTE_WRITE | PTE_USER)
> +#define _PAGE_GCS_RO (_PAGE_DEFAULT | PTE_UXN | PTE_USER)
> +
> +#define PAGE_GCS __pgprot(_PAGE_GCS)
> +#define PAGE_GCS_RO __pgprot(_PAGE_GCS_RO)
> +
> #define PIE_E0 ( \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS), PIE_GCS) | \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS_RO), PIE_R) | \
> PIRx_ELx_PERM(pte_pi_index(_PAGE_EXECONLY), PIE_X_O) | \
> PIRx_ELx_PERM(pte_pi_index(_PAGE_READONLY_EXEC), PIE_RX) | \
> PIRx_ELx_PERM(pte_pi_index(_PAGE_SHARED_EXEC), PIE_RWX) | \
> @@ -147,6 +155,8 @@ extern bool arm64_use_ng_mappings;
> PIRx_ELx_PERM(pte_pi_index(_PAGE_SHARED), PIE_RW))
>
> #define PIE_E1 ( \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS), PIE_RW) | \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS_RO), PIE_R) | \

Had some thoughts on this. Why do we need the EL1 GCS attributes to map
to RW? The instructions we'd use to write the shadow stack are the GCS
'T' variants that run as user already.

The only instructions we have in the kernel that would run as EL1 on a
user address are the exclusives (futex code or the old deprecated
emulation but we don't care about them in this context). So I wonder
whether the kernel PIE entry could simply be PIE_NONE_O. Would this be
too restrictive for future uses? Given the coherency between a GCS
access and a standard data access, we may want to restrict it now until
we have a use-case.

--
Catalin

Next message: Andy Shevchenko: "Re: [PATCH 2/2 v2] gpio: sim: simplify code with cleanup helpers"
Previous message: Shawn Guo: "Re: [PATCH v4 1/4] arm64: dts: imx8mp-debix: remove unused fec pinctrl node"
Next in thread: Mark Brown: "Re: [PATCH v4 09/36] arm64/mm: Allocate PIE slots for EL0 guarded control stack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]