| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <D8LRS46QQ2FE.ZF1856CR80JM@ventanamicro.com> Date: Fri, 21 Mar 2025 08:35:49 +0100 From: Radim Krčmář <rkrcmar@...tanamicro.com> To: "Deepak Gupta" <debug@...osinc.com> Cc: "Thomas Gleixner" <tglx@...utronix.de>, "Ingo Molnar" <mingo@...hat.com>, "Borislav Petkov" <bp@...en8.de>, "Dave Hansen" <dave.hansen@...ux.intel.com>, <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, "Andrew Morton" <akpm@...ux-foundation.org>, "Liam R. Howlett" <Liam.Howlett@...cle.com>, "Vlastimil Babka" <vbabka@...e.cz>, "Lorenzo Stoakes" <lorenzo.stoakes@...cle.com>, "Paul Walmsley" <paul.walmsley@...ive.com>, "Palmer Dabbelt" <palmer@...belt.com>, "Albert Ou" <aou@...s.berkeley.edu>, "Conor Dooley" <conor@...nel.org>, "Rob Herring" <robh@...nel.org>, "Krzysztof Kozlowski" <krzk+dt@...nel.org>, "Arnd Bergmann" <arnd@...db.de>, "Christian Brauner" <brauner@...nel.org>, "Peter Zijlstra" <peterz@...radead.org>, "Oleg Nesterov" <oleg@...hat.com>, "Eric Biederman" <ebiederm@...ssion.com>, "Kees Cook" <kees@...nel.org>, "Jonathan Corbet" <corbet@....net>, "Shuah Khan" <shuah@...nel.org>, "Jann Horn" <jannh@...gle.com>, "Conor Dooley" <conor+dt@...nel.org>, <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>, <linux-mm@...ck.org>, <linux-riscv@...ts.infradead.org>, <devicetree@...r.kernel.org>, <linux-arch@...r.kernel.org>, <linux-doc@...r.kernel.org>, <linux-kselftest@...r.kernel.org>, <alistair.francis@....com>, <richard.henderson@...aro.org>, <jim.shu@...ive.com>, <andybnac@...il.com>, <kito.cheng@...ive.com>, <charlie@...osinc.com>, <atishp@...osinc.com>, <evan@...osinc.com>, <cleger@...osinc.com>, <alexghiti@...osinc.com>, <samitolvanen@...gle.com>, <broonie@...nel.org>, <rick.p.edgecombe@...el.com>, "Zong Li" <zong.li@...ive.com>, "linux-riscv" <linux-riscv-bounces@...ts.infradead.org> Subject: Re: [PATCH v12 22/28] riscv: enable kernel access to shadow stack memory via FWFT sbi call 2025-03-20T15:42:44-07:00, Deepak Gupta <debug@...osinc.com>: > On Thu, Mar 20, 2025 at 3:10 PM Radim Krčmář <rkrcmar@...tanamicro.com> wrote: >> >> 2025-03-14T14:39:41-07:00, Deepak Gupta <debug@...osinc.com>: >> > Kernel will have to perform shadow stack operations on user shadow stack. >> > Like during signal delivery and sigreturn, shadow stack token must be >> > created and validated respectively. Thus shadow stack access for kernel >> > must be enabled. >> >> Why can't kernel access the user shadow stack through an aliased WR >> mapping? > > It can, although that opens up a can of worms. If this alternating > mapping is user mode > then ensuring that another threat in userspace can't write to this > address in this window > of signal handling. Right, it must not be user mode. > A kernel alternate mapping can be created, but > that can lead to all > sorts of requirements of ensuring the page is pinned down. IIRC, It > has been debated > on x86 shadow stack merge time as well on how a flaky alias mapping approach can > become and weaken the threat model it is supposed to protect against. True. > Simply using `ssamoswap` is simple and serves the purpose. Enabling shadow stack > access for the kernel doesn't have any adverse effect on the kernel. Makes sense. We just depend on an extra feature, because we should consider the case when M-mode doesn't allow S-mode shadow stack, but S-mode can enable U-mode shadow stack: >> > --- >> > diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S >> > @@ -320,6 +326,12 @@ SYM_CODE_START(_start_kernel) >> > la tp, init_task >> > la sp, init_thread_union + THREAD_SIZE >> > addi sp, sp, -PT_SIZE_ON_STACK >> > + li a7, SBI_EXT_FWFT >> > + li a6, SBI_EXT_FWFT_SET >> > + li a0, SBI_FWFT_SHADOW_STACK >> > + li a1, 1 /* enable supervisor to access shadow stack access */ >> > + li a2, SBI_FWFT_SET_FLAG_LOCK >> > + ecall >> >> I think the ecall can fail even on machines that have Zicfiss, so it >> would be good to disable user shadow stack if that happens.
Powered by blists - more mailing lists