| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Aug 2023 15:23:12 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Mark Brown <broonie@...nel.org>
Cc: Will Deacon <will@...nel.org>, Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>,
Marc Zyngier <maz@...nel.org>,
Oliver Upton <oliver.upton@...ux.dev>,
James Morse <james.morse@....com>,
Suzuki K Poulose <suzuki.poulose@....com>,
Arnd Bergmann <arnd@...db.de>, Oleg Nesterov <oleg@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Kees Cook <keescook@...omium.org>,
Shuah Khan <shuah@...nel.org>,
"Rick P. Edgecombe" <rick.p.edgecombe@...el.com>,
Deepak Gupta <debug@...osinc.com>,
Ard Biesheuvel <ardb@...nel.org>,
Szabolcs Nagy <Szabolcs.Nagy@....com>,
"H.J. Lu" <hjl.tools@...il.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org,
kvmarm@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-mm@...ck.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-riscv@...ts.infradead.org
Subject: Re: [PATCH v4 09/36] arm64/mm: Allocate PIE slots for EL0 guarded
control stack
On Mon, Aug 07, 2023 at 11:00:14PM +0100, Mark Brown wrote:
> diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h
> index eed814b00a38..b157ae0420ed 100644
> --- a/arch/arm64/include/asm/pgtable-prot.h
> +++ b/arch/arm64/include/asm/pgtable-prot.h
> @@ -131,15 +131,23 @@ extern bool arm64_use_ng_mappings;
> /* 6: PTE_PXN | PTE_WRITE */
> /* 7: PAGE_SHARED_EXEC PTE_PXN | PTE_WRITE | PTE_USER */
> /* 8: PAGE_KERNEL_ROX PTE_UXN */
> -/* 9: PTE_UXN | PTE_USER */
> +/* 9: PAGE_GCS_RO PTE_UXN | PTE_USER */
> /* a: PAGE_KERNEL_EXEC PTE_UXN | PTE_WRITE */
> -/* b: PTE_UXN | PTE_WRITE | PTE_USER */
> +/* b: PAGE_GCS PTE_UXN | PTE_WRITE | PTE_USER */
> /* c: PAGE_KERNEL_RO PTE_UXN | PTE_PXN */
> /* d: PAGE_READONLY PTE_UXN | PTE_PXN | PTE_USER */
> /* e: PAGE_KERNEL PTE_UXN | PTE_PXN | PTE_WRITE */
> /* f: PAGE_SHARED PTE_UXN | PTE_PXN | PTE_WRITE | PTE_USER */
>
> +#define _PAGE_GCS (_PAGE_DEFAULT | PTE_UXN | PTE_WRITE | PTE_USER)
> +#define _PAGE_GCS_RO (_PAGE_DEFAULT | PTE_UXN | PTE_USER)
> +
> +#define PAGE_GCS __pgprot(_PAGE_GCS)
> +#define PAGE_GCS_RO __pgprot(_PAGE_GCS_RO)
> +
> #define PIE_E0 ( \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS), PIE_GCS) | \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS_RO), PIE_R) | \
> PIRx_ELx_PERM(pte_pi_index(_PAGE_EXECONLY), PIE_X_O) | \
> PIRx_ELx_PERM(pte_pi_index(_PAGE_READONLY_EXEC), PIE_RX) | \
> PIRx_ELx_PERM(pte_pi_index(_PAGE_SHARED_EXEC), PIE_RWX) | \
> @@ -147,6 +155,8 @@ extern bool arm64_use_ng_mappings;
> PIRx_ELx_PERM(pte_pi_index(_PAGE_SHARED), PIE_RW))
>
> #define PIE_E1 ( \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS), PIE_RW) | \
> + PIRx_ELx_PERM(pte_pi_index(_PAGE_GCS_RO), PIE_R) | \
Had some thoughts on this. Why do we need the EL1 GCS attributes to map
to RW? The instructions we'd use to write the shadow stack are the GCS
'T' variants that run as user already.
The only instructions we have in the kernel that would run as EL1 on a
user address are the exclusives (futex code or the old deprecated
emulation but we don't care about them in this context). So I wonder
whether the kernel PIE entry could simply be PIE_NONE_O. Would this be
too restrictive for future uses? Given the coherency between a GCS
access and a standard data access, we may want to restrict it now until
we have a use-case.
--
Catalin
Powered by blists - more mailing lists