From: Yury Khrustalev
To: libc-alpha@sourceware.org
Cc: fweimer@redhat.com, adhemerval.zanella@linaro.org, codonell@redhat.com, nsz@gcc.gnu.org
Subject: [PATCH v3 00/23] aarch64: Add support for Guarded Control Stack extension
Date: Wed, 23 Oct 2024 09:38:57 +0100
Message-Id: <20241023083920.466015-1-yury.khrustalev@arm.com>

This patch series adds support for the Guarded Control Stack extension [1]
that allows the use of shadow stacks on AArch64
systems with enabled GCS.

This patch series includes:
 - New tunables glibc.cpu.aarch64_gcs and glibc.cpu.aarch64_gcs_policy
 - Definition of jmp_buf offset for GCS
 - GCS support in longjmp, vfork, setcontext, makecontext
 - GCS support in static startup code and dynamic linker
 - Handling of GCS marking in dynamic binaries and DSOs
 - Handling of GCS marking in static binaries
 - Mark swapcontext with indirect_return
 - HWCAP_GCS

Corresponding Linux kernel patches [2] are in progress but are very close to
stable ABI. GCS marking for binaries is specified in [3].

Regression tested on AArch64 and no regressions have been found.

Any feedback is welcome and appreciated.

Sources and branches:
 - binutils-gdb: sourceware.org/git/binutils-gdb.git users/ARM/gcs
 - gcc: gcc.gnu.org/git/gcc.git vendors/ARM/gcs-v3
   see https://gcc.gnu.org/gitwrite.html#vendor for setup details
 - glibc: this patch series, or sourceware.org/git/glibc.git arm/gcs-v2
 - kernel: git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/gcs

Cross-building the toolchain for target aarch64-none-linux-gnu:
 - build and install binutils-gdb
 - build and install GCC stage 1
 - install kernel headers
 - install glibc headers
 - build and install GCC stage 2 configuring with --enable-standard-branch-protection
 - build and install glibc
 - build and install GCC stage 3 along with target libraries configuring with --enable-standard-branch-protection

FVP model provided by the Shrinkwrap tool [4] can be used for testing.

Run tests with environment var
  GLIBC_TUNABLES=glibc.cpu.aarch64_gcs=1:glibc.cpu.aarch64_gcs_policy=2

By default both tunables are 0, the meaning is:
 - glibc.cpu.aarch64_gcs_policy=0: GCS is enabled if glibc.cpu.aarch64_gcs is set
 - glibc.cpu.aarch64_gcs_policy=1: GCS is enabled if glibc.cpu.aarch64_gcs is set and binary is marked
   if GCS is enabled, an incompatible dlopen is an error
 - glibc.cpu.aarch64_gcs_policy=2: GCS is enabled if glibc.cpu.aarch64_gcs is set
   if GCS is enabled, any incompatible binary is an error

[1] https://developer.arm.com/documentation/ddi0487/ka/ (chapter D11)
[2] https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/gcs
[3] https://github.com/ARM-software/abi-aa/blob/main/sysvabi64/sysvabi64.rst
[4] https://git.gitlab.arm.com/tooling/shrinkwrap.git

---

Szabolcs Nagy (23):
  aarch64: Add HWCAP_GCS
  aarch64: Add asm helpers for GCS
  elf.h: Define GNU_PROPERTY_AARCH64_FEATURE_1_GCS
  aarch64: Define jmp_buf offset for GCS
  aarch64: Add GCS support to longjmp
  aarch64: Add GCS support to vfork
  aarch64: Add GCS support for setcontext
  aarch64: Mark swapcontext with indirect_return
  aarch64: Add GCS support for makecontext
  aarch64: Try to free the GCS of makecontext
  aarch64: Add glibc.cpu.aarch64_gcs tunable
  aarch64: Enable GCS in static linked exe
  aarch64: Enable GCS in dynamic linked exe
  aarch64: Mark objects with GCS property note
  aarch64: Add glibc.cpu.aarch64_gcs_policy
  aarch64: Use l_searchlist.r_list for bti
  aarch64: Handle gcs marking
  aarch64: Use l_searchlist.r_list for gcs
  aarch64: Ignore GCS property of ld.so
  aarch64: Process gnu properties in static exe
  aarch64: Add GCS user-space allocation logic
  aarch64: use __alloc_gcs in makecontext
  doc: Add plain text readme for using GCS

 README                                        | 68 +++++++++++++
 elf/elf.h                                     |  1 +
 include/set-freeres.h                         |  4 +
 malloc/thread-freeres.c                       |  3 +
 sysdeps/aarch64/Makefile                      | 11 ++-
 sysdeps/aarch64/__alloc_gcs.c                 | 66 +++++++++++++
 sysdeps/aarch64/__longjmp.S                   | 30 ++++++
 sysdeps/aarch64/aarch64-gcs.h                 | 36 +++++++
 sysdeps/aarch64/bits/indirect-return.h        | 36 +++++++
 sysdeps/aarch64/dl-bti.c                      |  5 +-
 sysdeps/aarch64/dl-gcs.c                      | 64 ++++++++++++
 sysdeps/aarch64/dl-prop.h                     | 15 ++-
 sysdeps/aarch64/dl-start.S                    | 23 ++++-
 sysdeps/aarch64/dl-tunables.list              | 10 ++
 sysdeps/aarch64/jmpbuf-offsets.h              | 63 ++++++++++++
 sysdeps/aarch64/linkmap.h                     |  1 +
 sysdeps/aarch64/rtld-global-offsets.sym       |  5 +
 sysdeps/aarch64/setjmp.S                      | 10 ++
 sysdeps/aarch64/sysdep.h                      | 12 ++-
 sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h  |  1 +
 .../unix/sysv/linux/aarch64/cpu-features.c    |  9 ++
 sysdeps/unix/sysv/linux/aarch64/dl-procinfo.c | 13 +++
 .../unix/sysv/linux/aarch64/dl-procruntime.c  | 37 +++++++
 sysdeps/unix/sysv/linux/aarch64/getcontext.S  | 17 +++-
 sysdeps/unix/sysv/linux/aarch64/libc-start.h  | 61 ++++++++++++
 sysdeps/unix/sysv/linux/aarch64/makecontext.c | 97 ++++++++++++++++++-
 sysdeps/unix/sysv/linux/aarch64/setcontext.S  | 57 ++++++++++-
 sysdeps/unix/sysv/linux/aarch64/swapcontext.S | 32 ++++--
 sysdeps/unix/sysv/linux/aarch64/sysdep.h      |  6 +-
 .../sysv/linux/aarch64/ucontext-internal.h    |  5 +
 sysdeps/unix/sysv/linux/aarch64/vfork.S       |  8 +-
 31 files changed, 777 insertions(+), 29 deletions(-)
 create mode 100644 sysdeps/aarch64/__alloc_gcs.c
 create mode 100644 sysdeps/aarch64/aarch64-gcs.h
 create mode 100644 sysdeps/aarch64/bits/indirect-return.h
 create mode 100644 sysdeps/aarch64/dl-gcs.c
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/dl-procruntime.c
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/libc-start.h
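
The GCS marking and the startup side of the tunable list in the cover letter above, as an added example that is not part of the patch series or of glibc: it reads the GNU_PROPERTY_AARCH64_FEATURE_1_AND word from a constructed .note.gnu.property and models the three policy values for the main binary. The function names, the result enum, the sample note bytes and the treatment of an unknown policy value are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0 5u
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_GCS (1u << 2)
enum gcs_result { GCS_OFF, GCS_ON, GCS_ERROR };

/* Constructed sample: .note.gnu.property with BTI|PAC|GCS (0x7) set. */
static const uint8_t sample_note[32] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,  /* namesz, descsz, type, name */
    0,0,0,0xc0, 4,0,0,0, 7,0,0,0, 0,0,0,0 };    /* pr_type, pr_datasz, data, pad */

static uint32_t rd32(const uint8_t *p) {  /* little-endian load */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the FEATURE_1_AND bitmask (0 if absent), or -1 if malformed. */
int64_t aarch64_feature_1(const uint8_t *note, size_t len)
{
    if (len < 16 || rd32(note) != 4 || rd32(note + 8) != NT_GNU_PROPERTY_TYPE_0
        || memcmp(note + 12, "GNU", 4) != 0 || rd32(note + 4) > len - 16)
        return -1;
    const uint8_t *p = note + 16, *end = p + rd32(note + 4);
    while (end - p >= 8) {
        uint32_t type = rd32(p), datasz = rd32(p + 4);
        p += 8;
        if (datasz > (size_t)(end - p))
            return -1;                    /* property runs past the descriptor */
        if (type == GNU_PROPERTY_AARCH64_FEATURE_1_AND)
            return datasz == 4 ? (int64_t)rd32(p) : -1;
        size_t step = ((size_t)datasz + 7) & ~(size_t)7;  /* ELF64: 8-byte aligned */
        if (step > (size_t)(end - p))
            break;
        p += step;
    }
    return 0;
}

/* Startup decision modelled on the cover letter's policy list (assumption:
   an unknown policy value is treated as an error). */
enum gcs_result gcs_at_startup(int gcs, int policy, int64_t features)
{
    int marked = features > 0 && (features & GNU_PROPERTY_AARCH64_FEATURE_1_GCS);
    if (!gcs) return GCS_OFF;
    if (policy == 0) return GCS_ON;
    if (policy == 1) return marked ? GCS_ON : GCS_OFF;
    return policy == 2 ? (marked ? GCS_ON : GCS_ERROR) : GCS_ERROR;
}
```

A malformed or truncated note is treated as unmarked, so under policy 2 it yields an error rather than silently running with GCS on.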