[v5,0/6] x86/cet: Update CET kernel interface

Message ID 20231222165830.2100438-1-hjl.tools@gmail.com

Message

H.J. Lu Dec. 22, 2023, 4:58 p.m. UTC
Changes in v5.

1. Rebase.
2. Move allocate-shadow-stack.[ch] to sysdeps/unix/sysv/linux/x86_64.

Changes in v4.

1. Rebase.
2. Remove 3 patches which have been checked into master branch.

Changes in v3:

1. Remove 7 test patches which have been checked into master branch.

Changes in v2:

1. Add extra 20 stack frames in shadow stack for signal handlers
when allocating shadow stack for ucontexts.
2. Remove the "x86: Check PT_GNU_PROPERTY early" patch which has been
checked into master branch.


Linux kernel 6.6 added SHSTK support for x86-64.  This patch set updates
CET kernel interface to Linux kernel 6.6.  The main difference from the
current glibc assumption is that SHSTK is enabled by glibc, instead of
kernel.  Glibc enables SHSTK after verifying that the application and
all dependency libraries are CET enabled.  SHSTK can only be enabled in a
function which will never return.  Otherwise, shadow stack will underflow
at the function return.

Not all CET enabled applications and libraries have been properly tested
in CET enabled environments.  Some CET enabled applications or libraries
will crash or misbehave when CET is enabled.  Don't set CET active by
default so that all applications and libraries will run normally regardless
of whether CET is active or not.  Shadow stack can be enabled by

$ export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK

at run-time if shadow stack can be enabled by kernel.

Since only x86-64 is supported, i386 shadow stack codes are unchanged
and CET shouldn't be enabled for i386.

NB: This change can be reverted if it is OK to enable CET by default for
all applications and libraries.

Tested on Intel Tiger Lake under Linux kernel 6.6.7.

H.J. Lu (6):
  x86/cet: Sync with Linux kernel 6.6 shadow stack interface
  elf: Always provide _dl_get_dl_main_map in libc.a
  x86/cet: Enable shadow stack during startup
  x86/cet: Check feature_1 in TCB for active IBT and SHSTK
  x86/cet: Don't set CET active by default
  x86/cet: Run some CET tests with shadow stack

 elf/dl-support.c                              |  2 -
 sysdeps/generic/ldsodefs.h                    |  8 +-
 sysdeps/unix/sysv/linux/x86/bits/mman.h       |  5 ++
 sysdeps/unix/sysv/linux/x86/dl-cet.h          | 39 +++++++++-
 .../unix/sysv/linux/x86/include/asm/prctl.h   | 37 ++++-----
 .../sysv/linux/x86/tst-cet-setcontext-1.c     | 17 ++--
 sysdeps/unix/sysv/linux/x86_64/Makefile       |  2 +-
 .../unix/sysv/linux/x86_64/__start_context.S  | 38 ++-------
 .../sysv/linux/x86_64/allocate-shadow-stack.c | 55 +++++++++++++
 .../allocate-shadow-stack.h}                  | 32 ++------
 sysdeps/unix/sysv/linux/x86_64/dl-cet.h       | 47 +++++++++++
 sysdeps/unix/sysv/linux/x86_64/getcontext.S   | 30 ++------
 sysdeps/unix/sysv/linux/x86_64/makecontext.c  | 28 +++----
 sysdeps/unix/sysv/linux/x86_64/swapcontext.S  | 22 +-----
 sysdeps/x86/Makefile                          | 14 ++++
 sysdeps/x86/bits/platform/x86.h               |  8 ++
 sysdeps/x86/cpu-features-offsets.sym          |  1 +
 sysdeps/x86/cpu-features.c                    | 48 +-----------
 sysdeps/x86/cpu-tunables.c                    | 15 +++-
 sysdeps/x86/dl-cet.c                          | 77 +++++++++----------
 sysdeps/x86/get-cpuid-feature-leaf.c          | 13 +++-
 sysdeps/x86/include/cpu-features.h            |  3 +
 sysdeps/x86/libc-start.h                      | 54 ++++++++++++-
 sysdeps/x86/sys/platform/x86.h                | 17 ++++
 sysdeps/x86/tst-shstk-legacy-1e-static.sh     |  1 +
 sysdeps/x86/tst-shstk-legacy-1e.sh            |  1 +
 sysdeps/x86/tst-shstk-legacy-1g.sh            |  1 +
 sysdeps/x86_64/dl-machine.h                   | 12 ++-
 sysdeps/x86_64/nptl/tls.h                     |  2 +-
 29 files changed, 381 insertions(+), 248 deletions(-)
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/allocate-shadow-stack.c
 rename sysdeps/unix/sysv/linux/{x86/cpu-features.c => x86_64/allocate-shadow-stack.h} (53%)
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/dl-cet.h
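
Because the cover letter above leaves shadow stack off unless the tunable is set, it is useful to read the state back from the kernel for a given process. The following is an added example, not part of the original message or of glibc: it queries ARCH_SHSTK_STATUS through arch_prctl and parses the x86_Thread_features line of /proc/<pid>/status. The function names are illustrative, and the two constants are assumed from the Linux 6.6 uapi header asm/prctl.h.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define ARCH_SHSTK_STATUS 0x5005        /* from Linux 6.6 uapi asm/prctl.h */
#define ARCH_SHSTK_SHSTK  (1ULL << 0)   /* feature bit: user shadow stack */

/* 1 = SHSTK active, 0 = inactive, -1 = kernel cannot report (or not x86-64). */
int shstk_from_prctl(void)
{
#if defined(__x86_64__) && defined(SYS_arch_prctl)
  unsigned long features = 0;
  if (syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &features) == 0)
    return (features & ARCH_SHSTK_SHSTK) != 0;
#endif
  return -1;
}

/* Same answer from status text; ignores the x86_Thread_features_locked line. */
int shstk_from_status(const char *status)
{
  static const char key[] = "x86_Thread_features:";
  for (const char *line = status; line && *line; ) {
    if (strncmp(line, key, sizeof key - 1) == 0) {
      const char *p = line + sizeof key - 1;
      while (*p && *p != '\n') {          /* walk tokens on this line only */
        p += strspn(p, " \t");
        size_t tok = strcspn(p, " \t\n");
        if (tok == 5 && memcmp(p, "shstk", 5) == 0) return 1;
        p += tok;
      }
      return 0;                            /* line present, shstk not listed */
    }
    line = strchr(line, '\n');
    if (line) line++;
  }
  return -1;                               /* line absent: no kernel support */
}

int main(void)
{
  char buf[8192] = "";                     /* zero-filled, stays NUL-terminated */
  FILE *f = fopen("/proc/self/status", "r");
  size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
  if (f) fclose(f);
  printf("arch_prctl=%d proc_status=%d (%zu bytes read)\n",
         shstk_from_prctl(), shstk_from_status(buf), n);
  return 0;
}
```

For a binary and libraries marked SHSTK-compatible, running it with and without the GLIBC_TUNABLES setting shown above shows whether glibc enabled shadow stack for the process.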

Comments

Florian Weimer Dec. 28, 2023, 4 p.m. UTC | #1
* H. J. Lu:

> H.J. Lu (6):
>   x86/cet: Sync with Linux kernel 6.6 shadow stack interface
>   elf: Always provide _dl_get_dl_main_map in libc.a
>   x86/cet: Enable shadow stack during startup
>   x86/cet: Check feature_1 in TCB for active IBT and SHSTK
>   x86/cet: Don't set CET active by default
>   x86/cet: Run some CET tests with shadow stack

I tested this on:

vendor_id       : AuthenticAMD
cpu family      : 25
model           : 97
model name      : AMD Ryzen 9 7950X 16-Core Processor
stepping        : 2
microcode       : 0xa601206

and the CET tests pass, except elf/tst-cet-legacy-8 and
elf/tst-cet-property-2, which are flagged as UNSUPPORTED because IBT
is not available (as expected).

What's missing is a fault test that verifies that an unmatched RET
instruction results in a SIGSEGV with a code of SEGV_CPERR, but that
can be added later.

H.J. Lu Dec. 28, 2023, 9:17 p.m. UTC | #2
On Thu, Dec 28, 2023 at 8:00 AM Florian Weimer <fw@deneb.enyo.de> wrote:
>
> * H. J. Lu:
>
> > H.J. Lu (6):
> >   x86/cet: Sync with Linux kernel 6.6 shadow stack interface
> >   elf: Always provide _dl_get_dl_main_map in libc.a
> >   x86/cet: Enable shadow stack during startup
> >   x86/cet: Check feature_1 in TCB for active IBT and SHSTK
> >   x86/cet: Don't set CET active by default
> >   x86/cet: Run some CET tests with shadow stack
>
> I tested this on:
>
> vendor_id       : AuthenticAMD
> cpu family      : 25
> model           : 97
> model name      : AMD Ryzen 9 7950X 16-Core Processor
> stepping        : 2
> microcode       : 0xa601206
>
> and the CET tests pass, except elf/tst-cet-legacy-8 and
> elf/tst-cet-property-2, which are flagged as UNSUPPORTED because IBT
> is not available (as expected).

Thanks for your feedback.

> What's missing is a fault test that verifies that an unmatched RET
> instruction results in a SIGSEGV with a code of SEGV_CPERR, but that
> can be added later.

We could add more shadow stack tests after the shadow stack is enabled.

I will submit a patch to allow mixing longjmp with user contexts.

I will check in the v5 patch series next week if there are no objections so
that we can start validating shadow stack support in applications and libraries.