Shadow stack instructions shadow stack mmu index for load/stores.
`MMU_IDX_SS_ACCESS` at bit positon 3 is used as shadow stack index.
Shadow stack mmu index depend on privilege and SUM bit. If shadow stack
accesses happening in user mode, shadow stack mmu index = 0b1000. If
shaodw stack access happening in supervisor mode mmu index = 0b1001. If
shadow stack access happening in supervisor mode with SUM=1 then mmu
index = 0b1010
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
target/riscv/cpu.h | 13 ++++++++++
target/riscv/cpu_helper.c | 3 +++
target/riscv/insn_trans/trans_rva.c.inc | 8 ++++++
target/riscv/insn_trans/trans_rvzicfiss.c.inc | 6 +++++
target/riscv/internals.h | 1 +
target/riscv/translate.c | 25 +++++++++++++++++++
6 files changed, 56 insertions(+)
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 0e0a9d2be1..82475490ab 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -614,6 +614,19 @@ FIELD(TB_FLAGS, AXL, 26, 2)
FIELD(TB_FLAGS, FCFI_LP_EXPECTED, 28, 1)
/* zicfiss needs a TB flag so that correct TB is located based on tb flags */
FIELD(TB_FLAGS, BCFI_ENABLED, 29, 1)
+/*
+ * zicfiss shadow stack is special memory on which regular stores aren't
+ * allowed but shadow stack stores are allowed. Shadow stack stores can
+ * happen as `sspush` or `ssamoswap` instructions. `sspush` implicitly
+ * takes shadow stack address from CSR_SSP. But `ssamoswap` takes address
+ * from encoded input register and it will be used by supervisor software
+ * to access (read/write) user shadow stack for setting up rt_frame during
+ * signal delivery. Supervisor software will do so by setting SUM=1. Thus
+ * a TB flag is needed if SUM was 1 during TB generation to correctly
+ * reflect memory permissions to access shadow stack user memory from
+ * supervisor mode.
+ */
+FIELD(TB_FLAGS, SUM, 30, 1)
#ifdef TARGET_RISCV32
#define riscv_cpu_mxl(env) ((void)(env), MXL_RV32)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 7942587a56..b2bb1e4293 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -180,6 +180,9 @@ void cpu_get_tb_cpu_state(CPURISCVState *env, vaddr *pc,
fs = EXT_STATUS_DIRTY;
vs = EXT_STATUS_DIRTY;
#else
+ flags = FIELD_DP32(flags, TB_FLAGS, SUM,
+ ((env->mstatus & MSTATUS_SUM) == MSTATUS_SUM));
+
flags = FIELD_DP32(flags, TB_FLAGS, PRIV, env->priv);
flags |= riscv_env_mmu_index(env, 0);
diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
index db6c03f6a8..68b71339a3 100644
--- a/target/riscv/insn_trans/trans_rva.c.inc
+++ b/target/riscv/insn_trans/trans_rva.c.inc
@@ -132,6 +132,10 @@ static bool trans_ssamoswap_w(DisasContext *ctx, arg_amoswap_w *a)
decode_save_opc(ctx);
src1 = get_address(ctx, a->rs1, 0);
+#ifndef CONFIG_USER_ONLY
+ /* Shadow stack access and thus index is SS TLB index */
+ ss_mmu_idx = get_ss_index(ctx);
+#endif
tcg_gen_atomic_xchg_tl(dest, src1, src2, ss_mmu_idx, (MO_ALIGN | MO_TESL));
gen_set_gpr(ctx, a->rd, dest);
@@ -224,6 +228,10 @@ static bool trans_ssamoswap_d(DisasContext *ctx, arg_amoswap_w *a)
decode_save_opc(ctx);
src1 = get_address(ctx, a->rs1, 0);
+#ifndef CONFIG_USER_ONLY
+ /* Shadow stack access and thus index is SS TLB index */
+ ss_mmu_idx = get_ss_index(ctx);
+#endif
tcg_gen_atomic_xchg_tl(dest, src1, src2, ss_mmu_idx, (MO_ALIGN | MO_TESQ));
gen_set_gpr(ctx, a->rd, dest);
diff --git a/target/riscv/insn_trans/trans_rvzicfiss.c.inc b/target/riscv/insn_trans/trans_rvzicfiss.c.inc
index bac65d4166..9c3c872f59 100644
--- a/target/riscv/insn_trans/trans_rvzicfiss.c.inc
+++ b/target/riscv/insn_trans/trans_rvzicfiss.c.inc
@@ -69,6 +69,9 @@ static bool trans_sspopchk(DisasContext *ctx, arg_sspopchk *a)
TCGv_i32 ssp_csr = tcg_constant_i32(CSR_SSP);
TCGv data = tcg_temp_new();
gen_helper_csrr(addr, tcg_env, ssp_csr);
+#ifndef CONFIG_USER_ONLY
+ ss_mmu_idx = get_ss_index(ctx);
+#endif
tcg_gen_qemu_ld_tl(data, addr, ss_mmu_idx,
mxl_memop(ctx) | MO_ALIGN);
@@ -118,6 +121,9 @@ static bool trans_sspush(DisasContext *ctx, arg_sspush *a)
TCGv_i32 ssp_csr = tcg_constant_i32(CSR_SSP);
TCGv data = get_gpr(ctx, a->rs2, EXT_NONE);
gen_helper_csrr(addr, tcg_env, ssp_csr);
+#ifndef CONFIG_USER_ONLY
+ ss_mmu_idx = get_ss_index(ctx);
+#endif
tcg_gen_addi_tl(addr, addr, tmp);
diff --git a/target/riscv/internals.h b/target/riscv/internals.h
index dad0657c80..5147d6bf90 100644
--- a/target/riscv/internals.h
+++ b/target/riscv/internals.h
@@ -32,6 +32,7 @@
* - S+SUM+2STAGE 0b110
* - Shadow stack+U 0b1000
* - Shadow stack+S 0b1001
+ * - Shadow stack+SUM 0b1010
*/
#define MMUIdx_U 0
#define MMUIdx_S 1
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 9152a963ee..ad0f841807 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -123,6 +123,8 @@ typedef struct DisasContext {
bool fcfi_lp_expected;
/* zicfiss extension, if shadow stack was enabled during TB gen */
bool bcfi_enabled;
+ /* SUM was on during tb translation? */
+ bool sum;
} DisasContext;
static inline bool has_ext(DisasContext *ctx, uint32_t ext)
@@ -1128,6 +1130,29 @@ static uint32_t opcode_at(DisasContextBase *dcbase, target_ulong pc)
return translator_ldl(env, &ctx->base, pc);
}
+#ifndef CONFIG_USER_ONLY
+static unsigned int get_ss_index(DisasContext *ctx)
+{
+ int ss_mmu_idx = MMU_IDX_SS_ACCESS;
+
+ /*
+ * If priv mode is S then a separate index for supervisor
+ * shadow stack accesses
+ */
+ if (ctx->priv == PRV_S) {
+ ss_mmu_idx |= MMUIdx_S;
+ }
+
+ /* If SUM was set, SS index should have S cleared */
+ if (ctx->sum) {
+ ss_mmu_idx &= ~(MMUIdx_S);
+ ss_mmu_idx |= MMUIdx_S_SUM;
+ }
+
+ return ss_mmu_idx;
+}
+#endif
+
/* Include insn module translation function */
#include "insn_trans/trans_rvi.c.inc"
#include "insn_trans/trans_rvm.c.inc"
--
2.44.0