diff mbox series

[v2,09/16] x86: Modularize sysdeps/x86/dl-cet.c

Message ID 20231216165325.2584919-10-hjl.tools@gmail.com
State New
Headers show
Series x86/cet: Update CET kernel interface | expand

Commit Message

H.J. Lu Dec. 16, 2023, 4:53 p.m. UTC
Improve readability and make maintenance easier for dl-feature.c by
modularizing sysdeps/x86/dl-cet.c:
1. Support processors with:
   a. Only IBT.  Or
   b. Only SHSTK.  Or
   c. Both IBT and SHSTK.
2. Lock CET features only if IBT or SHSTK are enabled and are not
enabled permissively.
---
 sysdeps/x86/dl-cet.c | 456 ++++++++++++++++++++++++++-----------------
 1 file changed, 280 insertions(+), 176 deletions(-)
diff mbox series

Patch

diff --git a/sysdeps/x86/dl-cet.c b/sysdeps/x86/dl-cet.c
index 60ea1cb558..67c51ee8c2 100644
--- a/sysdeps/x86/dl-cet.c
+++ b/sysdeps/x86/dl-cet.c
@@ -32,206 +32,310 @@ 
 # error GNU_PROPERTY_X86_FEATURE_1_SHSTK != X86_FEATURE_1_SHSTK
 #endif
 
-/* Check if object M is compatible with CET.  */
+struct dl_cet_info
+{
+  const char *program;
+
+  /* Check how IBT and SHSTK should be enabled.  */
+  enum dl_x86_cet_control enable_ibt_type;
+  enum dl_x86_cet_control enable_shstk_type;
+
+  /* If IBT and SHSTK were previously enabled.  */
+  unsigned int feature_1_enabled;
+
+  /* If IBT and SHSTK should be enabled.  */
+  unsigned int enable_feature_1;
+
+  /* If there are any legacy shared object.  */
+  unsigned int feature_1_legacy;
+
+  /* Which shared object is the first legacy shared object.  */
+  unsigned int feature_1_legacy_ibt;
+  unsigned int feature_1_legacy_shstk;
+};
+
+/* Check if the object M and its dependencies are legacy object.  */
 
 static void
-dl_cet_check (struct link_map *m, const char *program)
+dl_check_legacy_object (struct link_map *m,
+			struct dl_cet_info *info)
 {
-  /* Check how IBT should be enabled.  */
-  enum dl_x86_cet_control enable_ibt_type
-    = GL(dl_x86_feature_control).ibt;
-  /* Check how SHSTK should be enabled.  */
-  enum dl_x86_cet_control enable_shstk_type
-    = GL(dl_x86_feature_control).shstk;
-
-  /* No legacy object check if both IBT and SHSTK are always on.  */
-  if (enable_ibt_type == cet_always_on
-      && enable_shstk_type == cet_always_on)
+  unsigned int i;
+  struct link_map *l = NULL;
+
+  i = m->l_searchlist.r_nlist;
+  while (i-- > 0)
     {
-      THREAD_SETMEM (THREAD_SELF, header.feature_1, GL(dl_x86_feature_1));
-      return;
-    }
+      /* Check each shared object to see if IBT and SHSTK are enabled.  */
+      l = m->l_initfini[i];
 
-  /* Check if IBT is enabled by kernel.  */
-  bool ibt_enabled
-    = (GL(dl_x86_feature_1) & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0;
-  /* Check if SHSTK is enabled by kernel.  */
-  bool shstk_enabled
-    = (GL(dl_x86_feature_1) & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0;
+      if (l->l_init_called)
+        continue;
 
-  if (ibt_enabled || shstk_enabled)
-    {
-      struct link_map *l = NULL;
-      unsigned int ibt_legacy = 0, shstk_legacy = 0;
-      bool found_ibt_legacy = false, found_shstk_legacy = false;
-
-      /* Check if IBT and SHSTK are enabled in object.  */
-      bool enable_ibt = (ibt_enabled
-			 && enable_ibt_type != cet_always_off);
-      bool enable_shstk = (shstk_enabled
-			   && enable_shstk_type != cet_always_off);
-      if (program)
+#ifdef SHARED
+      /* Skip check for ld.so since it has the features enabled.  The
+         features will be disabled later if they are not enabled in
+	 executable.  */
+      if (l == &GL(dl_rtld_map)
+          || l->l_real == &GL(dl_rtld_map)
+          || (info->program != NULL && l == m))
+         continue;
+#endif
+
+      /* IBT and SHSTK set only if enabled in executable and all DSOs.
+	 NB: cet_always_on is handled outside of the loop.  */
+      info->enable_feature_1 &= ((l->l_x86_feature_1_and
+				  & (GNU_PROPERTY_X86_FEATURE_1_IBT
+				     | GNU_PROPERTY_X86_FEATURE_1_SHSTK))
+				 | ~(GNU_PROPERTY_X86_FEATURE_1_IBT
+				     | GNU_PROPERTY_X86_FEATURE_1_SHSTK));
+      if ((info->feature_1_legacy
+	   & GNU_PROPERTY_X86_FEATURE_1_IBT) == 0
+	  && ((info->enable_feature_1
+	       & GNU_PROPERTY_X86_FEATURE_1_IBT)
+	      != (info->feature_1_enabled
+		  & GNU_PROPERTY_X86_FEATURE_1_IBT)))
 	{
-	  /* Enable IBT and SHSTK only if they are enabled in executable.
-	     NB: IBT and SHSTK may be disabled by environment variable:
-
-	     GLIBC_TUNABLES=glibc.cpu.hwcaps=-IBT,-SHSTK
-	   */
-	  enable_ibt &= (CPU_FEATURE_USABLE (IBT)
-			 && (enable_ibt_type == cet_always_on
-			     || (m->l_x86_feature_1_and
-				 & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0));
-	  enable_shstk &= (CPU_FEATURE_USABLE (SHSTK)
-			   && (enable_shstk_type == cet_always_on
-			       || (m->l_x86_feature_1_and
-				   & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0));
+	  info->feature_1_legacy_ibt = i;
+	  info->feature_1_legacy |= GNU_PROPERTY_X86_FEATURE_1_IBT;
 	}
 
-      /* ld.so is CET-enabled by kernel.  But shared objects may not
-	 support IBT nor SHSTK.  */
-      if (enable_ibt || enable_shstk)
-	{
-	  unsigned int i;
+      if ((info->feature_1_legacy
+	   & GNU_PROPERTY_X86_FEATURE_1_SHSTK) == 0
+	  && ((info->enable_feature_1
+	       & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
+	      != (info->feature_1_enabled
+		  & GNU_PROPERTY_X86_FEATURE_1_SHSTK)))
+        {
+	  info->feature_1_legacy_shstk = i;
+	  info->feature_1_legacy |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+        }
+    }
 
-	  i = m->l_searchlist.r_nlist;
-	  while (i-- > 0)
-	    {
-	      /* Check each shared object to see if IBT and SHSTK are
-		 enabled.  */
-	      l = m->l_initfini[i];
+  /* Handle cet_always_on.  */
+  if ((info->feature_1_enabled
+       & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0
+      && info->enable_ibt_type == cet_always_on)
+    {
+      info->feature_1_legacy &= ~GNU_PROPERTY_X86_FEATURE_1_IBT;
+      info->enable_feature_1 |= GNU_PROPERTY_X86_FEATURE_1_IBT;
+    }
 
-	      if (l->l_init_called)
-		continue;
+  if ((info->feature_1_enabled
+       & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0
+      && info->enable_shstk_type == cet_always_on)
+    {
+      info->feature_1_legacy &= ~GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+      info->enable_feature_1 |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+    }
+}
 
 #ifdef SHARED
-	      /* Skip CET check for ld.so since ld.so is CET-enabled.
-		 CET will be disabled later if CET isn't enabled in
-		 executable.  */
-	      if (l == &GL(dl_rtld_map)
-		  ||  l->l_real == &GL(dl_rtld_map)
-		  || (program && l == m))
-		continue;
+/* Enable IBT and SHSTK only if they are enabled in executable.  Set
+   feature bits properly at the start of the program.  */
+
+static void
+dl_cet_check_startup (struct link_map *m, struct dl_cet_info *info)
+{
+  /* NB: IBT and SHSTK may be disabled by environment variable:
+
+     GLIBC_TUNABLES=glibc.cpu.hwcaps=-IBT,-SHSTK.
+   */
+  if (CPU_FEATURE_USABLE (IBT))
+    {
+      if (info->enable_ibt_type == cet_always_on)
+	info->enable_feature_1 |= GNU_PROPERTY_X86_FEATURE_1_IBT;
+      else
+	info->enable_feature_1 &= ((m->l_x86_feature_1_and
+				    & GNU_PROPERTY_X86_FEATURE_1_IBT)
+				   | ~GNU_PROPERTY_X86_FEATURE_1_IBT);
+    }
+  else
+    info->enable_feature_1 &= ~GNU_PROPERTY_X86_FEATURE_1_IBT;
+
+  if (CPU_FEATURE_USABLE (SHSTK))
+    {
+      if (info->enable_shstk_type == cet_always_on)
+	info->enable_feature_1 |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+      else
+	info->enable_feature_1 &= ((m->l_x86_feature_1_and
+				    & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
+				   | ~GNU_PROPERTY_X86_FEATURE_1_SHSTK);
+    }
+  else
+    info->enable_feature_1 &= ~GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+
+  if (info->enable_feature_1 != 0)
+    dl_check_legacy_object (m, info);
+
+  unsigned int disable_feature_1
+    = info->enable_feature_1 ^ info->feature_1_enabled;
+  if (disable_feature_1 != 0)
+    {
+      /* Disable features in the kernel because of legacy objects or
+	 cet_always_off.  */
+      if (dl_cet_disable_cet (disable_feature_1) != 0)
+	_dl_fatal_printf ("%s: can't disable x86 Features\n",
+			  info->program);
+
+      /* Clear the disabled bits.  Sync dl_x86_feature_1 and
+         info->feature_1_enabled with info->enable_feature_1.  */
+      info->feature_1_enabled = info->enable_feature_1;
+      GL(dl_x86_feature_1) = info->enable_feature_1;
+    }
+
+  if (HAS_CPU_FEATURE (IBT) || HAS_CPU_FEATURE (SHSTK))
+    {
+      /* Lock CET features only if IBT or SHSTK are enabled and are not
+         enabled permissively.  */
+      unsigned int feature_1_lock = 0;
+
+      if (((info->feature_1_enabled & GNU_PROPERTY_X86_FEATURE_1_IBT)
+	   != 0)
+	  && info->enable_ibt_type != cet_permissive)
+	feature_1_lock |= GNU_PROPERTY_X86_FEATURE_1_IBT;
+
+      if (((info->feature_1_enabled & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
+	   != 0)
+	  && info->enable_shstk_type != cet_permissive)
+	feature_1_lock |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+
+      if (feature_1_lock != 0
+	  && dl_cet_lock_cet () != 0)
+	_dl_fatal_printf ("%s: can't lock CET\n", info->program);
+    }
+
+  THREAD_SETMEM (THREAD_SELF, header.feature_1, GL(dl_x86_feature_1));
+}
 #endif
 
-	      /* IBT is enabled only if it is enabled in executable as
-		 well as all shared objects.  */
-	      enable_ibt &= (enable_ibt_type == cet_always_on
-			     || (l->l_x86_feature_1_and
-				 & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0);
-	      if (!found_ibt_legacy && enable_ibt != ibt_enabled)
-		{
-		  found_ibt_legacy = true;
-		  ibt_legacy = i;
-		}
-
-	      /* SHSTK is enabled only if it is enabled in executable as
-		 well as all shared objects.  */
-	      enable_shstk &= (enable_shstk_type == cet_always_on
-			       || (l->l_x86_feature_1_and
-				   & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0);
-	      if (enable_shstk != shstk_enabled)
-		{
-		  found_shstk_legacy = true;
-		  shstk_legacy = i;
-		}
-	    }
-	}
+/* Check feature bits when dlopening the shared object M.  */
+
+static void
+dl_cet_check_dlopen (struct link_map *m, struct dl_cet_info *info)
+{
+  /* Check if there are any legacy objects loaded.  */
+  if (info->enable_feature_1 != 0)
+    {
+      dl_check_legacy_object (m, info);
 
-      bool cet_feature_changed = false;
+      /* Skip if there are no legacy shared objects loaded.  */
+      if (info->feature_1_legacy == 0)
+	return;
+    }
 
-      if (enable_ibt != ibt_enabled || enable_shstk != shstk_enabled)
-	{
-	  if (!program)
-	    {
-	      if (enable_ibt_type != cet_permissive)
-		{
-		  /* When IBT is enabled, we cannot dlopen a shared
-		     object without IBT.  */
-		  if (found_ibt_legacy)
-		    _dl_signal_error (0,
-				      m->l_initfini[ibt_legacy]->l_name,
-				      "dlopen",
-				      N_("rebuild shared object with IBT support enabled"));
-		}
-
-	      if (enable_shstk_type != cet_permissive)
-		{
-		  /* When SHSTK is enabled, we cannot dlopen a shared
-		     object without SHSTK.  */
-		  if (found_shstk_legacy)
-		    _dl_signal_error (0,
-				      m->l_initfini[shstk_legacy]->l_name,
-				      "dlopen",
-				      N_("rebuild shared object with SHSTK support enabled"));
-		}
-
-	      if (enable_ibt_type != cet_permissive
-		  && enable_shstk_type != cet_permissive)
-		return;
-	    }
-
-	  /* Disable IBT and/or SHSTK if they are enabled by kernel, but
-	     disabled in executable or shared objects.  */
-	  unsigned int cet_feature = 0;
-
-	  if (!enable_ibt)
-	    cet_feature |= GNU_PROPERTY_X86_FEATURE_1_IBT;
-	  if (!enable_shstk)
-	    cet_feature |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
-
-	  int res = dl_cet_disable_cet (cet_feature);
-	  if (res != 0)
-	    {
-	      if (program)
-		_dl_fatal_printf ("%s: can't disable CET\n", program);
-	      else
-		{
-		  if (found_ibt_legacy)
-		    l = m->l_initfini[ibt_legacy];
-		  else
-		    l = m->l_initfini[shstk_legacy];
-		  _dl_signal_error (-res, l->l_name, "dlopen",
-				    N_("can't disable CET"));
-		}
-	    }
-
-	  /* Clear the disabled bits in dl_x86_feature_1.  */
-	  GL(dl_x86_feature_1) &= ~cet_feature;
-
-	  cet_feature_changed = true;
-	}
+  unsigned int disable_feature_1 = 0;
+  unsigned int legacy_obj = 0;
+  const char *msg = NULL;
 
-#ifdef SHARED
-      if (program && (ibt_enabled || shstk_enabled))
+  if ((info->feature_1_enabled
+       & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0
+      && (info->feature_1_legacy
+	  & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0)
+    {
+      if (info->enable_ibt_type != cet_permissive)
 	{
-	  if ((!ibt_enabled
-	       || enable_ibt_type != cet_permissive)
-	      && (!shstk_enabled
-		  || enable_shstk_type != cet_permissive))
-	    {
-	      /* Lock CET if IBT or SHSTK is enabled in executable unless
-	         IBT or SHSTK is enabled permissively.  */
-	      int res = dl_cet_lock_cet ();
-	      if (res != 0)
-		_dl_fatal_printf ("%s: can't lock CET\n", program);
-	    }
-
-	  /* Set feature_1 if IBT or SHSTK is enabled in executable.  */
-	  cet_feature_changed = true;
+	  legacy_obj = info->feature_1_legacy_ibt;
+	  msg = N_("rebuild shared object with IBT support enabled");
 	}
-#endif
+      else
+        disable_feature_1 |= GNU_PROPERTY_X86_FEATURE_1_IBT;
+    }
 
-      if (cet_feature_changed)
+  /* Check the next feature only if there is no error.  */
+  if (msg == NULL
+      && (info->feature_1_enabled
+	  & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0
+      && (info->feature_1_legacy
+	  & GNU_PROPERTY_X86_FEATURE_1_SHSTK) != 0)
+    {
+      if (info->enable_shstk_type != cet_permissive)
 	{
-	  unsigned int feature_1 = 0;
-	  if (enable_ibt)
-	    feature_1 |= GNU_PROPERTY_X86_FEATURE_1_IBT;
-	  if (enable_shstk)
-	    feature_1 |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
-	  struct pthread *self = THREAD_SELF;
-	  THREAD_SETMEM (self, header.feature_1, feature_1);
+	  legacy_obj = info->feature_1_legacy_shstk;
+	  msg = N_("rebuild shared object with SHSTK support enabled");
 	}
+      else
+        disable_feature_1 |= GNU_PROPERTY_X86_FEATURE_1_SHSTK;
+    }
+
+  /* If there is an error, long jump back to the caller.  */
+  if (msg != NULL)
+    _dl_signal_error (0, m->l_initfini[legacy_obj]->l_name, "dlopen",
+		      msg);
+
+  if (disable_feature_1 != 0)
+    {
+      int res = dl_cet_disable_cet (disable_feature_1);
+      if (res)
+        {
+	  if ((disable_feature_1
+	       & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0)
+	    msg = N_("can't disable IBT");
+	  else
+	    msg = N_("can't disable SHSTK");
+	  /* Long jump back to the caller on error.  */
+	  _dl_signal_error (-res, m->l_initfini[legacy_obj]->l_name,
+			    "dlopen", msg);
+       }
+
+      /* Clear the disabled bits in dl_x86_feature_1.  */
+      GL(dl_x86_feature_1) &= ~disable_feature_1;
+
+      THREAD_SETMEM (THREAD_SELF, header.feature_1,
+		     GL(dl_x86_feature_1));
+    }
+}
+
+static void
+dl_cet_check (struct link_map *m, const char *program)
+{
+  struct dl_cet_info info;
+
+  /* Check how IBT and SHSTK should be enabled. */
+  info.enable_ibt_type = GL(dl_x86_feature_control).ibt;
+  info.enable_shstk_type = GL(dl_x86_feature_control).shstk;
+
+  info.feature_1_enabled = GL(dl_x86_feature_1);
+
+  /* No legacy object check if IBT and SHSTK are always on.  */
+  if (info.enable_ibt_type == cet_always_on
+      && info.enable_shstk_type == cet_always_on)
+    {
+#ifdef SHARED
+      /* Set it only during startup.  */
+      if (program != NULL)
+	THREAD_SETMEM (THREAD_SELF, header.feature_1,
+		       info.feature_1_enabled);
+#endif
+      return;
     }
+
+  /* Check if IBT and SHSTK were enabled by kernel.  */
+  if (info.feature_1_enabled == 0)
+    return;
+
+  info.program = program;
+
+  /* Check which features should be enabled.  */
+  info.enable_feature_1 = 0;
+  if (info.enable_ibt_type != cet_always_off)
+    info.enable_feature_1 |= (info.feature_1_enabled
+			      & GNU_PROPERTY_X86_FEATURE_1_IBT);
+  if (info.enable_shstk_type != cet_always_off)
+    info.enable_feature_1 |= (info.feature_1_enabled
+			      & GNU_PROPERTY_X86_FEATURE_1_SHSTK);
+
+  /* Start with no legacy objects.  */
+  info.feature_1_legacy = 0;
+  info.feature_1_legacy_ibt = 0;
+  info.feature_1_legacy_shstk = 0;
+
+#ifdef SHARED
+  if (program)
+    dl_cet_check_startup (m, &info);
+  else
+#endif
+    dl_cet_check_dlopen (m, &info);
 }
 
 void