From nobody Mon Nov 10 01:22:23 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1552481001988678.7155787088217; Wed, 13 Mar 2019 05:43:21 -0700 (PDT) Received: from localhost ([127.0.0.1]:43932 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h43E2-0002d7-SE for importer@patchew.org; Wed, 13 Mar 2019 08:43:14 -0400 Received: from eggs.gnu.org ([209.51.188.92]:33329) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h43Bz-0001N0-PM for qemu-devel@nongnu.org; Wed, 13 Mar 2019 08:41:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1h43By-0005N8-KH for qemu-devel@nongnu.org; Wed, 13 Mar 2019 08:41:07 -0400 Received: from mx1.redhat.com ([209.132.183.28]:56570) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1h43Bx-0005Lx-Cv for qemu-devel@nongnu.org; Wed, 13 Mar 2019 08:41:06 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6C3807C0A8; Wed, 13 Mar 2019 12:41:04 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-112-43.ams2.redhat.com [10.36.112.43]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9D51E1001DE9; Wed, 13 Mar 2019 12:41:02 +0000 (UTC) 
From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Wed, 13 Mar 2019 13:40:42 +0100 Message-Id: <20190313124042.12855-8-pbonzini@redhat.com> In-Reply-To: <20190313124042.12855-1-pbonzini@redhat.com> References: <20190313124042.12855-1-pbonzini@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Wed, 13 Mar 2019 12:41:04 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 7/7] coroutine-x86: add CET shadow stack support X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: fweimer@redhat.com, kwolf@redhat.com, richard.henderson@linaro.org, stefanha@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" Note that the ABI is not yet part of Linux, so this patch is kinda experimental. Signed-off-by: Paolo Bonzini --- configure | 14 ++++++++ util/Makefile.objs | 1 - util/coroutine-x86.c | 80 ++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 92 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 4e553e521b..43e2321d3d 100755 --- a/configure +++ b/configure 
@@ -5090,6 +5090,20 @@ if test "$cet" !=3D no; then feature_not_found "cet" 'CET is not supported by your toolchain' fi cet=3Dno + else + if test $cpu =3D x86_64; then + # only needed by coroutine-x86.c, however it should be rare to have + # CET support in the compiler but not in binutils + cat > $TMPC << EOF +int main(void) { asm("rdsspq %%rax" : : : "rax"); } +EOF + if ! compile_prog "" "" ; then + if test "$cet" =3D yes; then + feature_not_found "cet" 'CET is not supported by your toolchain' + fi + cet=3Dno + fi + fi fi fi if test "$cet" =3D ""; then diff --git a/util/Makefile.objs b/util/Makefile.objs index 93a8397aae..ce1ea310af 100644 --- a/util/Makefile.objs +++ b/util/Makefile.objs @@ -42,7 +42,6 @@ coroutine-x86.o-cflags :=3D -mno-red-zone ifeq ($(CONFIG_CET),y) coroutine-sigaltstack.o-cflags :=3D -fcf-protection=3Dbranch coroutine-ucontext.o-cflags :=3D -fcf-protection=3Dbranch -coroutine-x86.o-cflags +=3D -fcf-protection=3Dbranch endif util-obj-y +=3D buffer.o util-obj-y +=3D timed-average.o diff --git a/util/coroutine-x86.c b/util/coroutine-x86.c index bcb9666700..d55f07dc92 100644 --- a/util/coroutine-x86.c +++ b/util/coroutine-x86.c @@ -22,6 +22,16 @@ #include "qemu/osdep.h" #include "qemu-common.h" #include "qemu/coroutine_int.h" +#include "qemu/error-report.h" + +#ifdef CONFIG_CET +#include +#include +int arch_prctl(int code, unsigned long addr); +#ifndef ARCH_X86_CET_ALLOC_SHSTK +#define ARCH_X86_CET_ALLOC_SHSTK 0x3004 +#endif +#endif =20 #ifdef CONFIG_VALGRIND_H #include @@ -39,10 +49,14 @@ typedef struct { Coroutine base; void *sp; + void *ssp; =20 void *stack; size_t stack_size; =20 + /* CET shadow stack */ + void *sstack; + size_t sstack_size; #ifdef CONFIG_VALGRIND_H unsigned int valgrind_stack_id; #endif 
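Review bot: The fallback `#define ARCH_X86_CET_ALLOC_SHSTK 0x3004` hardcodes a request number from an arch_prctl ABI that, per the commit message, is not merged yet, so a kernel that ends up assigning that value differently would make cet_alloc_sstack() either do something unrelated or fail and abort. A comment naming where the number comes from, with a TODO to drop the fallback once the uapi header carries it, would stop it being read as settled: `/* From the proposed (unmerged) Linux CET arch_prctl ABI; drop once the uapi header defines it */`. The hand-written `int arch_prctl(int code, unsigned long addr);` prototype presumably exists because no libc header declares it; if the target libc does not export the symbol either, the link fails, and `syscall(SYS_arch_prctl, ...)` would be the portable spelling. The two `#include` targets in this hunk are lost in this rendering, so I cannot tell which headers are actually pulled in.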
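Review bot: `void *ssp;` and the `sstack`/`sstack_size` pair are added without saying what they hold, and the contract is subtle: ssp has to point at the top entry of the coroutine's shadow stack, eight bytes above the restore token that `rstorssp -8(...)` later expects (the CO_SWITCH comment in this patch explains why). I would replace `/* CET shadow stack */` with `/* CET shadow stack; ssp is the top entry (the restore token sits at ssp - 8); all three stay zero when CET is off */`. The zero-when-off part is only implied by the `if (co->sstack)` test in qemu_coroutine_delete and depends on the coroutine allocator zeroing the struct, which is outside these hunks.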
@@ -77,6 +91,30 @@ static void start_switch_fiber(void **fake_stack_save, #endif } =20 +static bool have_cet(void) +{ +#if defined CONFIG_CET + uint64_t ssp; + asm ("xor %0, %0; rdsspq %0\n" : "=3Drm" (ssp)); + return !!ssp; +#else + return 0; +#endif +} + +static void *cet_alloc_sstack(size_t sz) +{ +#if defined CONFIG_CET + uint64_t arg =3D sz; + if (arch_prctl(ARCH_X86_CET_ALLOC_SHSTK, (unsigned long) &arg) < 0) { + abort(); + } + + return (void *)arg; +#else + abort(); +#endif +} /* * We hardcode all operands to specific registers so that we can write dow= n all the * others in the clobber list. Note that action also needs to be hardcode= d so that @@ -87,6 +125,26 @@ static void start_switch_fiber(void **fake_stack_save, * Note that push and call would clobber the red zone. Makefile.objs comp= iles this * file with -mno-red-zone. The alternative is to subtract/add 128 bytes = from rsp * around the switch, with slightly lower cache performance. + * + * The RSTORSSP and SAVEPREVSSP instructions are intricate. In a nutshell= they are: + * + * RSTORSSP(mem): oldSSP =3D SSP + * SSP =3D *mem + * *SSP =3D oldSSP + * + * SAVEPREVSSP: oldSSP =3D shadow_stack_pop() + * *(oldSSP - 8) =3D oldSSP # "push" to old s= hadow stack + * + * Therefore, RSTORSSP(mem) followed by SAVEPREVSSP is the same as + * + * shadow_stack_push(SSP) + * SSP =3D *mem + * shadow_stack_pop() + * + * From the simplified description you can see that co->ssp, being stored = before + * the RSTORSSP+SAVEPREVSSP sequence, points to the top actual entry of th= e shadow + * stack, not to the restore token. Hence we use an offset of -8 in the o= perand + * of rstorssp. */ #define CO_SWITCH(from, to, action, jump) ({ = \ int action_ =3D action; = \ 
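Review bot: The constraint `"=rm" (ssp)` in have_cet() lets the compiler place the operand in memory, but neither `xor %0, %0` (two memory operands) nor `rdsspq %0` (register operand only) can take one, so the asm fails to assemble whenever a register is not chosen; it should be `asm ("xor %0, %0; rdsspq %0\n" : "=r" (ssp));`. A comment on why the xor comes first would help the next reader, e.g. `/* rdsspq is a NOP when shadow stacks are not enabled, so zero first and test */`. In cet_alloc_sstack() the arch_prctl failure path calls abort() without reporting anything, even though this patch adds qemu/error-report.h; an `error_report("arch_prctl(ARCH_X86_CET_ALLOC_SHSTK): %s", strerror(errno));` before the abort would make a kernel that lacks the ABI diagnosable. The `return 0;` in the non-CET branch of a bool function reads better as `return false;`.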
@@ -101,7 +159,15 @@ static void start_switch_fiber(void **fake_stack_save, "jmp 2f\n" /* switch back continues at la= bel 2 */ \ = \ "1: .cfi_adjust_cfa_offset 8\n" = \ - "movq %%rsp, %c[SP](%[FROM])\n" /* save source SP */ = \ + "xor %%rbp, %%rbp\n" /* use old frame pointer as sc= ratch reg */ \ + "rdsspq %%rbp\n" = \ + "test %%rbp, %%rbp\n" /* if CET is on... */ = \ + "jz 9f\n" = \ + "movq %%rbp, %c[SSP](%[FROM])\n" /* ... save source shadow SP, = */ \ + "movq %c[SSP](%[TO]), %%rbp\n" /* restore destination shadow = stack, */ \ + "rstorssp -8(%%rbp)\n" = \ + "saveprevssp\n" /* and save source shadow SP t= oken */ \ + "9: movq %%rsp, %c[SP](%[FROM])\n" /* save source SP */ = \ "movq %c[SP](%[TO]), %%rsp\n" /* load destination SP */ = \ jump "\n" /* coroutine switch */ = \ = \ @@ -110,7 +176,8 @@ static void start_switch_fiber(void **fake_stack_save, ".cfi_adjust_cfa_offset -8\n" = \ ".cfi_restore_state\n" = \ : "+a" (action_), [FROM] "+b" (from_), [TO] "+D" (to_) = \ - : [SP] "i" (offsetof(CoroutineX86, sp)) = \ + : [SP] "i" (offsetof(CoroutineX86, sp)), = \ + [SSP] "i" (offsetof(CoroutineX86, ssp)) = \ : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "r12", "r13", "r1= 4", "r15", \ "memory"); = \ action_; = \ @@ -139,6 +206,12 @@ Coroutine *qemu_coroutine_new(void) co->stack =3D qemu_alloc_stack(&co->stack_size); co->sp =3D co->stack + co->stack_size; =20 + if (have_cet()) { + co->sstack_size =3D COROUTINE_SHADOW_STACK_SIZE; + co->sstack =3D cet_alloc_sstack(co->sstack_size); + co->ssp =3D co->sstack + co->sstack_size; + } + #ifdef CONFIG_VALGRIND_H co->valgrind_stack_id =3D VALGRIND_STACK_REGISTER(co->stack, co->stack + co->stack_size); @@ -178,6 +251,9 @@ void qemu_coroutine_delete(Coroutine *co_) #endif =20 qemu_free_stack(co->stack, co->stack_size); + if (co->sstack) { + munmap(co->sstack, co->sstack_size); + } g_free(co); } =20 --=20 2.20.1
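Review bot: The added instructions write `%%rbp` (the `xor`, `rdsspq` and the `movq` from `%c[SSP](%[TO])`), but rbp is not in the clobber list at the end of the macro, and it cannot be listed when it serves as the frame pointer; the "use old frame pointer as scratch reg" comment implies the macro pushes and pops rbp around the switch, but that save/restore is outside this hunk, so I cannot confirm it from here. If it is not saved, the destination coroutine resumes with a garbage frame pointer. I would make the assumption explicit next to the xor: `/* rbp is pushed/popped around the switch by this macro, so it is free scratch here */`. Also worth a comment on why `xor` precedes `rdsspq`: `rdsspq` executes as a NOP when shadow stacks are not enabled, so without the xor the `jz 9f` test would look at a stale value. CO_SWITCH starts before and ends after this hunk.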
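Review bot: `co->ssp = co->sstack + co->sstack_size;` assumes the kernel leaves a valid restore token at the top of the freshly allocated shadow stack, since the first switch into this coroutine executes `rstorssp` on `ssp - 8`; that is a property of the unmerged ABI rather than of this code and deserves a comment: `/* the kernel places a restore token at the top of the new shadow stack; see CO_SWITCH */`. `COROUTINE_SHADOW_STACK_SIZE` is not defined anywhere in this patch, so it presumably comes from an earlier patch in the series or from qemu/coroutine_int.h; if it is not page-aligned the kernel may round the mapping, and the stored `sstack_size` would then not match the mapping that qemu_coroutine_delete passes to munmap. qemu_coroutine_new continues outside the hunk.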
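Review bot: The shadow stack is released with a plain `munmap()` whose result is ignored, although it was obtained from `arch_prctl(ARCH_X86_CET_ALLOC_SHSTK)` rather than from mmap, so "munmap is the sanctioned way to free it" is an assumption about the unmerged ABI worth recording: `/* ALLOC_SHSTK returns an ordinary mapping; munmap releases it */`. Checking the return value, `if (munmap(co->sstack, co->sstack_size) < 0) { error_report("munmap shadow stack: %s", strerror(errno)); }`, would make a size mismatch with what the kernel actually mapped visible instead of a silent leak. qemu_coroutine_delete starts before this hunk.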