arm64/gcs: Provide support for GCS at EL0

[PATCH 02/35] prctl: Add flag for shadow stack writeability and push/pop

Posted by Mark Brown 2 years, 6 months ago

On arm64 and x86 the kernel can control if there is write access to the
shadow stack via specific instructions defined for the purpose, useful
for things like userspace threading at the expense of some security.
Add a flag to allow this to be selected when changing the shadow stack
status.

On arm64 the kernel can separately control if userspace is able to pop
and push values directly onto the shadow stack via GCS push and pop
instructions, supporting many scenarios where userspace needs to write
to the stack with less security exposure than full write access.  Add a
flag to allow this to be selected when changing the shadow stack status.

Signed-off-by: Mark Brown <broonie@kernel.org>
---
 include/uapi/linux/prctl.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index 9fdc77fa2bfe..e88d2ddcdb2d 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -321,5 +321,7 @@ struct prctl_mm_map {
 #define PR_SET_SHADOW_STACK_STATUS      72
 # define PR_SHADOW_STACK_LOCK           (1UL << 0)
 # define PR_SHADOW_STACK_ENABLE         (1UL << 1)
+# define PR_SHADOW_STACK_WRITE		(1UL << 2)
+# define PR_SHADOW_STACK_PUSH		(1UL << 3)
 
 #endif /* _LINUX_PRCTL_H */

-- 
2.30.2

Re: [PATCH 02/35] prctl: Add flag for shadow stack writeability and push/pop

Posted by Edgecombe, Rick P 2 years, 6 months ago

On Sun, 2023-07-16 at 22:50 +0100, Mark Brown wrote:
> On arm64 and x86 the kernel can control if there is write access to
> the
> shadow stack via specific instructions defined for the purpose,
> useful
> for things like userspace threading at the expense of some security.
> Add a flag to allow this to be selected when changing the shadow
> stack
> status.
> 
> On arm64 the kernel can separately control if userspace is able to
> pop
> and push values directly onto the shadow stack via GCS push and pop
> instructions, supporting many scenarios where userspace needs to
> write
> to the stack with less security exposure than full write access.  Add
> a
> flag to allow this to be selected when changing the shadow stack
> status.

Is this correct? I thought Szabolcs was saying pop was always
supported, but push was optional.

Re: [PATCH 02/35] prctl: Add flag for shadow stack writeability and push/pop

Posted by Mark Brown 2 years, 6 months ago

On Tue, Jul 18, 2023 at 05:47:32PM +0000, Edgecombe, Rick P wrote:
> On Sun, 2023-07-16 at 22:50 +0100, Mark Brown wrote:

> > On arm64 the kernel can separately control if userspace is able to
> > pop
> > and push values directly onto the shadow stack via GCS push and pop
> > instructions, supporting many scenarios where userspace needs to
> > write
> > to the stack with less security exposure than full write access.  Add
> > a
> > flag to allow this to be selected when changing the shadow stack
> > status.

> Is this correct? I thought Szabolcs was saying pop was always
> supported, but push was optional.

It's not, I wrote this right after looking at hypervisor controls which
do control push and pop.