If shadow stack have memory protections from underlying cpu, use those
protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow
stack pages. Hw assisted shadow stack pages grow downwards like regular
stack. Clang based software shadow call stack grows low to high address.
Thus this patch addresses some of those needs due to opposite direction
of shadow stack. Furthermore, hw shadow stack can't be memset because memset
uses normal stores. Lastly to store magic word at base of shadow stack, arch
specific shadow stack store has to be performed.
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
---
include/linux/scs.h | 26 +++++++++++++++++++++++++-
kernel/scs.c | 38 +++++++++++++++++++++++++++++++++++---
2 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/include/linux/scs.h b/include/linux/scs.h
index 4ab5bdc898cf..6ceee07c2d1a 100644
--- a/include/linux/scs.h
+++ b/include/linux/scs.h
@@ -12,6 +12,7 @@
#include <linux/poison.h>
#include <linux/sched.h>
#include <linux/sizes.h>
+#include <asm/scs.h>
#ifdef CONFIG_SHADOW_CALL_STACK
@@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
* Reset the shadow stack to the base address in case the task
* is reused.
*/
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
+#else
task_scs_sp(tsk) = task_scs(tsk);
+#endif
}
static inline unsigned long *__scs_magic(void *s)
{
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ return (unsigned long *)(s);
+#else
return (unsigned long *)(s + SCS_SIZE) - 1;
+#endif
}
static inline bool task_scs_end_corrupted(struct task_struct *tsk)
{
unsigned long *magic = __scs_magic(task_scs(tsk));
- unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
+ unsigned long sz;
+
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
+#else
+ sz = task_scs_sp(tsk) - task_scs(tsk);
+#endif
return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
}
+static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
+{
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ arch_scs_store(s, magic_val);
+#else
+ *__scs_magic(s) = magic_val;
+#endif
+}
+
DECLARE_STATIC_KEY_FALSE(dynamic_scs_enabled);
static inline bool scs_is_dynamic(void)
diff --git a/kernel/scs.c b/kernel/scs.c
index d7809affe740..5910c0a8eabd 100644
--- a/kernel/scs.c
+++ b/kernel/scs.c
@@ -11,6 +11,7 @@
#include <linux/scs.h>
#include <linux/vmalloc.h>
#include <linux/vmstat.h>
+#include <asm-generic/set_memory.h>
#ifdef CONFIG_DYNAMIC_SCS
DEFINE_STATIC_KEY_FALSE(dynamic_scs_enabled);
@@ -32,19 +33,31 @@ static void *__scs_alloc(int node)
{
int i;
void *s;
+ pgprot_t prot = PAGE_KERNEL;
+
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ prot = PAGE_KERNEL_SHADOWSTACK;
+#endif
for (i = 0; i < NR_CACHED_SCS; i++) {
s = this_cpu_xchg(scs_cache[i], NULL);
if (s) {
s = kasan_unpoison_vmalloc(s, SCS_SIZE,
KASAN_VMALLOC_PROT_NORMAL);
+/*
+ * If software shadow stack, its safe to memset. Else memset is not
+ * possible on hw protected shadow stack. memset constitutes stores and
+ * stores to shadow stack memory are disallowed and will fault.
+ */
+#ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
memset(s, 0, SCS_SIZE);
+#endif
goto out;
}
}
s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
- GFP_SCS, PAGE_KERNEL, 0, node,
+ GFP_SCS, prot, 0, node,
__builtin_return_address(0));
out:
@@ -59,7 +72,7 @@ void *scs_alloc(int node)
if (!s)
return NULL;
- *__scs_magic(s) = SCS_END_MAGIC;
+ __scs_store_magic(__scs_magic(s), SCS_END_MAGIC);
/*
* Poison the allocation to catch unintentional accesses to
@@ -87,6 +100,16 @@ void scs_free(void *s)
return;
kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
+ /*
+ * Hardware protected shadow stack is not writeable by regular stores
+ * Thus adding this back to free list will raise faults by vmalloc
+ * It needs to be writeable again. It's good sanity as well because
+ * then it can't be inadvertently accesses and if done, it will fault.
+ */
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE));
+#endif
+
vfree_atomic(s);
}
@@ -96,6 +119,9 @@ static int scs_cleanup(unsigned int cpu)
void **cache = per_cpu_ptr(scs_cache, cpu);
for (i = 0; i < NR_CACHED_SCS; i++) {
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ set_memory_rw((unsigned long)cache[i], (SCS_SIZE/PAGE_SIZE));
+#endif
vfree(cache[i]);
cache[i] = NULL;
}
@@ -122,7 +148,13 @@ int scs_prepare(struct task_struct *tsk, int node)
if (!s)
return -ENOMEM;
- task_scs(tsk) = task_scs_sp(tsk) = s;
+ task_scs(tsk) = s;
+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
+ task_scs_sp(tsk) = s + SCS_SIZE;
+#else
+ task_scs_sp(tsk) = s;
+#endif
+
return 0;
}
--
2.43.0On Thu, 2025-07-24 at 16:37 -0700, Deepak Gupta wrote:
> If shadow stack have memory protections from underlying cpu, use those
> protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow
> stack pages. Hw assisted shadow stack pages grow downwards like regular
> stack. Clang based software shadow call stack grows low to high address.
> Thus this patch addresses some of those needs due to opposite direction
> of shadow stack. Furthermore, hw shadow stack can't be memset because memset
> uses normal stores. Lastly to store magic word at base of shadow stack, arch
> specific shadow stack store has to be performed.
>
> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> ---
> include/linux/scs.h | 26 +++++++++++++++++++++++++-
> kernel/scs.c | 38 +++++++++++++++++++++++++++++++++++---
> 2 files changed, 60 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/scs.h b/include/linux/scs.h
> index 4ab5bdc898cf..6ceee07c2d1a 100644
> --- a/include/linux/scs.h
> +++ b/include/linux/scs.h
> @@ -12,6 +12,7 @@
> #include <linux/poison.h>
> #include <linux/sched.h>
> #include <linux/sizes.h>
> +#include <asm/scs.h>
>
> #ifdef CONFIG_SHADOW_CALL_STACK
>
> @@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
> * Reset the shadow stack to the base address in case the task
> * is reused.
> */
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
> +#else
> task_scs_sp(tsk) = task_scs(tsk);
> +#endif
> }
>
> static inline unsigned long *__scs_magic(void *s)
> {
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + return (unsigned long *)(s);
> +#else
> return (unsigned long *)(s + SCS_SIZE) - 1;
> +#endif
> }
>
> static inline bool task_scs_end_corrupted(struct task_struct *tsk)
> {
> unsigned long *magic = __scs_magic(task_scs(tsk));
> - unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
> + unsigned long sz;
> +
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
> +#else
> + sz = task_scs_sp(tsk) - task_scs(tsk);
> +#endif
>
> return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
> }
>
> +static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
> +{
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + arch_scs_store(s, magic_val);
> +#else
> + *__scs_magic(s) = magic_val;
> +#endif
> +}
> +
> DECLARE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>
> static inline bool scs_is_dynamic(void)
> diff --git a/kernel/scs.c b/kernel/scs.c
> index d7809affe740..5910c0a8eabd 100644
> --- a/kernel/scs.c
> +++ b/kernel/scs.c
> @@ -11,6 +11,7 @@
> #include <linux/scs.h>
> #include <linux/vmalloc.h>
> #include <linux/vmstat.h>
> +#include <asm-generic/set_memory.h>
>
> #ifdef CONFIG_DYNAMIC_SCS
> DEFINE_STATIC_KEY_FALSE(dynamic_scs_enabled);
> @@ -32,19 +33,31 @@ static void *__scs_alloc(int node)
> {
> int i;
> void *s;
> + pgprot_t prot = PAGE_KERNEL;
> +
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + prot = PAGE_KERNEL_SHADOWSTACK;
> +#endif
>
> for (i = 0; i < NR_CACHED_SCS; i++) {
> s = this_cpu_xchg(scs_cache[i], NULL);
> if (s) {
> s = kasan_unpoison_vmalloc(s, SCS_SIZE,
> KASAN_VMALLOC_PROT_NORMAL);
> +/*
> + * If software shadow stack, its safe to memset. Else memset is not
> + * possible on hw protected shadow stack. memset constitutes stores and
> + * stores to shadow stack memory are disallowed and will fault.
> + */
> +#ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> memset(s, 0, SCS_SIZE);
> +#endif
> goto out;
> }
> }
>
> s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
> - GFP_SCS, PAGE_KERNEL, 0, node,
> + GFP_SCS, prot, 0, node,
> __builtin_return_address(0));
This doesn't update the direct map alias I think. Do you want to protect it?
>
> out:
> @@ -59,7 +72,7 @@ void *scs_alloc(int node)
> if (!s)
> return NULL;
>
> - *__scs_magic(s) = SCS_END_MAGIC;
> + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC);
>
> /*
> * Poison the allocation to catch unintentional accesses to
> @@ -87,6 +100,16 @@ void scs_free(void *s)
> return;
>
> kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
> + /*
> + * Hardware protected shadow stack is not writeable by regular stores
> + * Thus adding this back to free list will raise faults by vmalloc
> + * It needs to be writeable again. It's good sanity as well because
> + * then it can't be inadvertently accesses and if done, it will fault.
> + */
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE));
Above you don't update the direct map permissions. So I don't think you need
this. vmalloc should flush the permissioned mapping before re-using it with the
lazy cleanup scheme.
> +#endif
> +
I was thinking someday when we get to this for CET we would protect the direct
map, and so would need some pool of shadow stacks because flushing the TLB for
every thread alloc/free would likely be too impactful.
> vfree_atomic(s);
> }
>
> @@ -96,6 +119,9 @@ static int scs_cleanup(unsigned int cpu)
> void **cache = per_cpu_ptr(scs_cache, cpu);
>
> for (i = 0; i < NR_CACHED_SCS; i++) {
Oh! There is a cache, but the size is only 2.
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + set_memory_rw((unsigned long)cache[i], (SCS_SIZE/PAGE_SIZE));
> +#endif
> vfree(cache[i]);
> cache[i] = NULL;
> }
> @@ -122,7 +148,13 @@ int scs_prepare(struct task_struct *tsk, int node)
> if (!s)
> return -ENOMEM;
>
> - task_scs(tsk) = task_scs_sp(tsk) = s;
> + task_scs(tsk) = s;
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + task_scs_sp(tsk) = s + SCS_SIZE;
> +#else
> + task_scs_sp(tsk) = s;
> +#endif
> +
> return 0;
> }
>
>
On Fri, Jul 25, 2025 at 05:06:17PM +0000, Edgecombe, Rick P wrote:
>On Thu, 2025-07-24 at 16:37 -0700, Deepak Gupta wrote:
>> If shadow stack have memory protections from underlying cpu, use those
>> protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow
>> stack pages. Hw assisted shadow stack pages grow downwards like regular
>> stack. Clang based software shadow call stack grows low to high address.
>> Thus this patch addresses some of those needs due to opposite direction
>> of shadow stack. Furthermore, hw shadow stack can't be memset because memset
>> uses normal stores. Lastly to store magic word at base of shadow stack, arch
>> specific shadow stack store has to be performed.
>>
>> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
>> ---
>> include/linux/scs.h | 26 +++++++++++++++++++++++++-
>> kernel/scs.c | 38 +++++++++++++++++++++++++++++++++++---
>> 2 files changed, 60 insertions(+), 4 deletions(-)
>>
>> diff --git a/include/linux/scs.h b/include/linux/scs.h
>> index 4ab5bdc898cf..6ceee07c2d1a 100644
>> --- a/include/linux/scs.h
>> +++ b/include/linux/scs.h
>> @@ -12,6 +12,7 @@
>> #include <linux/poison.h>
>> #include <linux/sched.h>
>> #include <linux/sizes.h>
>> +#include <asm/scs.h>
>>
>> #ifdef CONFIG_SHADOW_CALL_STACK
>>
>> @@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
>> * Reset the shadow stack to the base address in case the task
>> * is reused.
>> */
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
>> +#else
>> task_scs_sp(tsk) = task_scs(tsk);
>> +#endif
>> }
>>
>> static inline unsigned long *__scs_magic(void *s)
>> {
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + return (unsigned long *)(s);
>> +#else
>> return (unsigned long *)(s + SCS_SIZE) - 1;
>> +#endif
>> }
>>
>> static inline bool task_scs_end_corrupted(struct task_struct *tsk)
>> {
>> unsigned long *magic = __scs_magic(task_scs(tsk));
>> - unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
>> + unsigned long sz;
>> +
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
>> +#else
>> + sz = task_scs_sp(tsk) - task_scs(tsk);
>> +#endif
>>
>> return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
>> }
>>
>> +static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
>> +{
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + arch_scs_store(s, magic_val);
>> +#else
>> + *__scs_magic(s) = magic_val;
>> +#endif
>> +}
>> +
>> DECLARE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>>
>> static inline bool scs_is_dynamic(void)
>> diff --git a/kernel/scs.c b/kernel/scs.c
>> index d7809affe740..5910c0a8eabd 100644
>> --- a/kernel/scs.c
>> +++ b/kernel/scs.c
>> @@ -11,6 +11,7 @@
>> #include <linux/scs.h>
>> #include <linux/vmalloc.h>
>> #include <linux/vmstat.h>
>> +#include <asm-generic/set_memory.h>
>>
>> #ifdef CONFIG_DYNAMIC_SCS
>> DEFINE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>> @@ -32,19 +33,31 @@ static void *__scs_alloc(int node)
>> {
>> int i;
>> void *s;
>> + pgprot_t prot = PAGE_KERNEL;
>> +
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + prot = PAGE_KERNEL_SHADOWSTACK;
>> +#endif
>>
>> for (i = 0; i < NR_CACHED_SCS; i++) {
>> s = this_cpu_xchg(scs_cache[i], NULL);
>> if (s) {
>> s = kasan_unpoison_vmalloc(s, SCS_SIZE,
>> KASAN_VMALLOC_PROT_NORMAL);
>> +/*
>> + * If software shadow stack, its safe to memset. Else memset is not
>> + * possible on hw protected shadow stack. memset constitutes stores and
>> + * stores to shadow stack memory are disallowed and will fault.
>> + */
>> +#ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> memset(s, 0, SCS_SIZE);
>> +#endif
>> goto out;
>> }
>> }
>>
>> s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
>> - GFP_SCS, PAGE_KERNEL, 0, node,
>> + GFP_SCS, prot, 0, node,
>> __builtin_return_address(0));
>
>This doesn't update the direct map alias I think. Do you want to protect it?
Yes any alternate address mapping which is writeable is a problem and dilutes
the mechanism. How do I go about updating direct map ? (I pretty new to linux
kernel and have limited understanding on which kernel api's to use here to unmap
direct map)
>
>>
>> out:
>> @@ -59,7 +72,7 @@ void *scs_alloc(int node)
>> if (!s)
>> return NULL;
>>
>> - *__scs_magic(s) = SCS_END_MAGIC;
>> + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC);
>>
>> /*
>> * Poison the allocation to catch unintentional accesses to
>> @@ -87,6 +100,16 @@ void scs_free(void *s)
>> return;
>>
>> kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
>> + /*
>> + * Hardware protected shadow stack is not writeable by regular stores
>> + * Thus adding this back to free list will raise faults by vmalloc
>> + * It needs to be writeable again. It's good sanity as well because
>> + * then it can't be inadvertently accesses and if done, it will fault.
>> + */
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE));
>
>Above you don't update the direct map permissions. So I don't think you need
>this. vmalloc should flush the permissioned mapping before re-using it with the
>lazy cleanup scheme.
If I didn't do this, I was getting a page fault on this vmalloc address. It directly
uses first 8 bytes to add it into some list and that was the location of fault.
>
>> +#endif
>> +
>
>I was thinking someday when we get to this for CET we would protect the direct
>map, and so would need some pool of shadow stacks because flushing the TLB for
>every thread alloc/free would likely be too impactful.
Yes pool would be useful per-cpu.
>
>
>> vfree_atomic(s);
>> }
>>
>> @@ -96,6 +119,9 @@ static int scs_cleanup(unsigned int cpu)
>> void **cache = per_cpu_ptr(scs_cache, cpu);
>>
>> for (i = 0; i < NR_CACHED_SCS; i++) {
>
>Oh! There is a cache, but the size is only 2.
Yes.
In next iteration, I would likely increase the size of the cache if
CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK=y.
>
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + set_memory_rw((unsigned long)cache[i], (SCS_SIZE/PAGE_SIZE));
>> +#endif
>> vfree(cache[i]);
>> cache[i] = NULL;
>> }
>> @@ -122,7 +148,13 @@ int scs_prepare(struct task_struct *tsk, int node)
>> if (!s)
>> return -ENOMEM;
>>
>> - task_scs(tsk) = task_scs_sp(tsk) = s;
>> + task_scs(tsk) = s;
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + task_scs_sp(tsk) = s + SCS_SIZE;
>> +#else
>> + task_scs_sp(tsk) = s;
>> +#endif
>> +
>> return 0;
>> }
>>
>>
>
On Fri, 2025-07-25 at 10:19 -0700, Deepak Gupta wrote: > > This doesn't update the direct map alias I think. Do you want to protect it? > > Yes any alternate address mapping which is writeable is a problem and dilutes > the mechanism. How do I go about updating direct map ? (I pretty new to linux > kernel and have limited understanding on which kernel api's to use here to > unmap > direct map) Here is some info on how it works: set_memory_foo() variants should (I didn't check riscv implementation, but on x86) update the target addresses passed in *and* the direct map alias. And flush the TLB. vmalloc_node_range() will just set the permission on the vmalloc alias and not touch the direct map alias. vfree() works by trying to batch the flushing for unmap operations to avoid flushing the TLB too much. When memory is unmapped in userspace, it will only flush on the CPU's with that MM (process address space). But for kernel memory the mappings are shared between all CPUs. So, like on a big server or something, it requires way more work and distance IPIs, etc. So vmalloc will try to be efficient and keep zapped mappings unflushed until it has enough to clean them up in bulk. In the meantime it won't reuse that vmalloc address space. But this means there can also be other vmalloc aliases still in the TLB for any page that gets allocated from the page allocator. If you want to be fully sure there are no writable aliases, you need to call vm_unmap_aliases() each time you change kernel permissions, which will do the vmalloc TLB flush immediately. Many set_memory() implementations call this automatically, but it looks like not riscv. So doing something like vmalloc(), set_memory_shadow_stack() on alloc and set_memory_rw(), vfree() on free is doing the expensive flush (depends on the device how expensive) in a previously fast path. Ignoring the direct map alias is faster. A middle ground would be to do the allocation/conversion and freeing of a bunch of stacks at once, and recycle them. You could make it tidy first and then optimize it later, or make it faster first and maximally secure later. Or try to do it all at once. But there have long been discussions on batching type kernel memory permission solutions. So it would could be a whole project itself. > > > > > > > > > out: > > > @@ -59,7 +72,7 @@ void *scs_alloc(int node) > > > if (!s) > > > return NULL; > > > > > > - *__scs_magic(s) = SCS_END_MAGIC; > > > + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC); > > > > > > /* > > > * Poison the allocation to catch unintentional accesses to > > > @@ -87,6 +100,16 @@ void scs_free(void *s) > > > return; > > > > > > kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL); > > > + /* > > > + * Hardware protected shadow stack is not writeable by regular > > > stores > > > + * Thus adding this back to free list will raise faults by > > > vmalloc > > > + * It needs to be writeable again. It's good sanity as well > > > because > > > + * then it can't be inadvertently accesses and if done, it will > > > fault. > > > + */ > > > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK > > > + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE)); > > > > Above you don't update the direct map permissions. So I don't think you need > > this. vmalloc should flush the permissioned mapping before re-using it with > > the > > lazy cleanup scheme. > > If I didn't do this, I was getting a page fault on this vmalloc address. It > directly > uses first 8 bytes to add it into some list and that was the location of > fault. Ah right! Because it is using the vfree atomic variant. You could create your own WQ in SCS and call vfree() in non-atomic context. If you want to avoid thr set_memory_rw() on free, in the ignoring the direct map case.
On Fri, Jul 25, 2025 at 06:05:22PM +0000, Edgecombe, Rick P wrote: >On Fri, 2025-07-25 at 10:19 -0700, Deepak Gupta wrote: >> > This doesn't update the direct map alias I think. Do you want to protect it? >> >> Yes any alternate address mapping which is writeable is a problem and dilutes >> the mechanism. How do I go about updating direct map ? (I pretty new to linux >> kernel and have limited understanding on which kernel api's to use here to >> unmap >> direct map) > >Here is some info on how it works: > >set_memory_foo() variants should (I didn't check riscv implementation, but on >x86) update the target addresses passed in *and* the direct map alias. And flush >the TLB. > >vmalloc_node_range() will just set the permission on the vmalloc alias and not >touch the direct map alias. > >vfree() works by trying to batch the flushing for unmap operations to avoid >flushing the TLB too much. When memory is unmapped in userspace, it will only >flush on the CPU's with that MM (process address space). But for kernel memory >the mappings are shared between all CPUs. So, like on a big server or something, >it requires way more work and distance IPIs, etc. So vmalloc will try to be >efficient and keep zapped mappings unflushed until it has enough to clean them >up in bulk. In the meantime it won't reuse that vmalloc address space. > >But this means there can also be other vmalloc aliases still in the TLB for any >page that gets allocated from the page allocator. If you want to be fully sure >there are no writable aliases, you need to call vm_unmap_aliases() each time you >change kernel permissions, which will do the vmalloc TLB flush immediately. Many >set_memory() implementations call this automatically, but it looks like not >riscv. > > >So doing something like vmalloc(), set_memory_shadow_stack() on alloc and >set_memory_rw(), vfree() on free is doing the expensive flush (depends on the >device how expensive) in a previously fast path. Ignoring the direct map alias >is faster. A middle ground would be to do the allocation/conversion and freeing >of a bunch of stacks at once, and recycle them. > > >You could make it tidy first and then optimize it later, or make it faster first >and maximally secure later. Or try to do it all at once. But there have long >been discussions on batching type kernel memory permission solutions. So it >would could be a whole project itself. Thanks Rick. Another approach I am thinking could be making vmalloc intrinsically aware of certain range to be security sensitive. Meaning during vmalloc initialization itself, it could reserve a range which is ensured to be not direct mapped. Whenever `PAGE_SHADOWSTACK` is requested, it always comes from this range (which is guaranteed to be never direct mapped). I do not expect hardware assisted shadow stack to be more than 4K in size (should support should 512 call-depth). A system with 30,000 active threads (taking a swag number here), will need 30,000 * 2 (one for guard) = 60000 pages. That's like ~245 MB address range. We can be conservative and have 1GB range in vmalloc larger range reserved for shadow stack. vmalloc ensures that this range's direct mappping always have read-only encoding in ptes. Sure this number (shadow stack range in larget vmalloc range) could be configured so that user can do their own trade off. Does this approach look okay? > >> >> > >> > > >> > > out: >> > > @@ -59,7 +72,7 @@ void *scs_alloc(int node) >> > > if (!s) >> > > return NULL; >> > > >> > > - *__scs_magic(s) = SCS_END_MAGIC; >> > > + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC); >> > > >> > > /* >> > > * Poison the allocation to catch unintentional accesses to >> > > @@ -87,6 +100,16 @@ void scs_free(void *s) >> > > return; >> > > >> > > kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL); >> > > + /* >> > > + * Hardware protected shadow stack is not writeable by regular >> > > stores >> > > + * Thus adding this back to free list will raise faults by >> > > vmalloc >> > > + * It needs to be writeable again. It's good sanity as well >> > > because >> > > + * then it can't be inadvertently accesses and if done, it will >> > > fault. >> > > + */ >> > > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK >> > > + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE)); >> > >> > Above you don't update the direct map permissions. So I don't think you need >> > this. vmalloc should flush the permissioned mapping before re-using it with >> > the >> > lazy cleanup scheme. >> >> If I didn't do this, I was getting a page fault on this vmalloc address. It >> directly >> uses first 8 bytes to add it into some list and that was the location of >> fault. > >Ah right! Because it is using the vfree atomic variant. > >You could create your own WQ in SCS and call vfree() in non-atomic context. If >you want to avoid thr set_memory_rw() on free, in the ignoring the direct map >case.
On Mon, Jul 28, 2025 at 12:23:56PM -0700, Deepak Gupta wrote: >On Fri, Jul 25, 2025 at 06:05:22PM +0000, Edgecombe, Rick P wrote: >>On Fri, 2025-07-25 at 10:19 -0700, Deepak Gupta wrote: >>>> This doesn't update the direct map alias I think. Do you want to protect it? >>> >>>Yes any alternate address mapping which is writeable is a problem and dilutes >>>the mechanism. How do I go about updating direct map ? (I pretty new to linux >>>kernel and have limited understanding on which kernel api's to use here to >>>unmap >>>direct map) >> >>Here is some info on how it works: >> >>set_memory_foo() variants should (I didn't check riscv implementation, but on >>x86) update the target addresses passed in *and* the direct map alias. And flush >>the TLB. >> >>vmalloc_node_range() will just set the permission on the vmalloc alias and not >>touch the direct map alias. >> >>vfree() works by trying to batch the flushing for unmap operations to avoid >>flushing the TLB too much. When memory is unmapped in userspace, it will only >>flush on the CPU's with that MM (process address space). But for kernel memory >>the mappings are shared between all CPUs. So, like on a big server or something, >>it requires way more work and distance IPIs, etc. So vmalloc will try to be >>efficient and keep zapped mappings unflushed until it has enough to clean them >>up in bulk. In the meantime it won't reuse that vmalloc address space. >> >>But this means there can also be other vmalloc aliases still in the TLB for any >>page that gets allocated from the page allocator. If you want to be fully sure >>there are no writable aliases, you need to call vm_unmap_aliases() each time you >>change kernel permissions, which will do the vmalloc TLB flush immediately. Many >>set_memory() implementations call this automatically, but it looks like not >>riscv. >> >> >>So doing something like vmalloc(), set_memory_shadow_stack() on alloc and >>set_memory_rw(), vfree() on free is doing the expensive flush (depends on the >>device how expensive) in a previously fast path. Ignoring the direct map alias >>is faster. A middle ground would be to do the allocation/conversion and freeing >>of a bunch of stacks at once, and recycle them. >> >> >>You could make it tidy first and then optimize it later, or make it faster first >>and maximally secure later. Or try to do it all at once. But there have long >>been discussions on batching type kernel memory permission solutions. So it >>would could be a whole project itself. > >Thanks Rick. Another approach I am thinking could be making vmalloc >intrinsically aware of certain range to be security sensitive. Meaning during >vmalloc initialization itself, it could reserve a range which is ensured to be >not direct mapped. Whenever `PAGE_SHADOWSTACK` is requested, it always comes >from this range (which is guaranteed to be never direct mapped). > >I do not expect hardware assisted shadow stack to be more than 4K in size >(should support should 512 call-depth). A system with 30,000 active threads >(taking a swag number here), will need 30,000 * 2 (one for guard) = 60000 pages. >That's like ~245 MB address range. We can be conservative and have 1GB range in >vmalloc larger range reserved for shadow stack. vmalloc ensures that this >range's direct mappping always have read-only encoding in ptes. Sure this number >(shadow stack range in larget vmalloc range) could be configured so that user >can do their own trade off. > >Does this approach look okay? Never mind, maintaining free/allocated list by vmalloc would be problematic In that case this has to be something like a consumer of vmalloc, reserve a range and do free/alloc out of that. And then it starts looking like a cache of shadow stacks without direct mapping (as you suggested) > >> >>> >>>> >>>> > >>>> > out: >>>> > @@ -59,7 +72,7 @@ void *scs_alloc(int node) >>>> > if (!s) >>>> > return NULL; >>>> > >>>> > - *__scs_magic(s) = SCS_END_MAGIC; >>>> > + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC); >>>> > >>>> > /* >>>> > * Poison the allocation to catch unintentional accesses to >>>> > @@ -87,6 +100,16 @@ void scs_free(void *s) >>>> > return; >>>> > >>>> > kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL); >>>> > + /* >>>> > + * Hardware protected shadow stack is not writeable by regular >>>> > stores >>>> > + * Thus adding this back to free list will raise faults by >>>> > vmalloc >>>> > + * It needs to be writeable again. It's good sanity as well >>>> > because >>>> > + * then it can't be inadvertently accesses and if done, it will >>>> > fault. >>>> > + */ >>>> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK >>>> > + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE)); >>>> >>>> Above you don't update the direct map permissions. So I don't think you need >>>> this. vmalloc should flush the permissioned mapping before re-using it with >>>> the >>>> lazy cleanup scheme. >>> >>>If I didn't do this, I was getting a page fault on this vmalloc address. It >>>directly >>>uses first 8 bytes to add it into some list and that was the location of >>>fault. >> >>Ah right! Because it is using the vfree atomic variant. >> >>You could create your own WQ in SCS and call vfree() in non-atomic context. If >>you want to avoid thr set_memory_rw() on free, in the ignoring the direct map >>case.
On Thu, Jul 24, 2025 at 04:37:03PM -0700, Deepak Gupta wrote:
> If shadow stack have memory protections from underlying cpu, use those
> protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow
> stack pages. Hw assisted shadow stack pages grow downwards like regular
> stack. Clang based software shadow call stack grows low to high address.
Is this the case for all the current hardware shadow stack
implementations? If not, we might want a separate config for the
shadow stack direction instead.
> Thus this patch addresses some of those needs due to opposite direction
> of shadow stack. Furthermore, hw shadow stack can't be memset because memset
> uses normal stores. Lastly to store magic word at base of shadow stack, arch
> specific shadow stack store has to be performed.
>
> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
> ---
> include/linux/scs.h | 26 +++++++++++++++++++++++++-
> kernel/scs.c | 38 +++++++++++++++++++++++++++++++++++---
> 2 files changed, 60 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/scs.h b/include/linux/scs.h
> index 4ab5bdc898cf..6ceee07c2d1a 100644
> --- a/include/linux/scs.h
> +++ b/include/linux/scs.h
> @@ -12,6 +12,7 @@
> #include <linux/poison.h>
> #include <linux/sched.h>
> #include <linux/sizes.h>
> +#include <asm/scs.h>
>
> #ifdef CONFIG_SHADOW_CALL_STACK
>
> @@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
> * Reset the shadow stack to the base address in case the task
> * is reused.
> */
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
> +#else
> task_scs_sp(tsk) = task_scs(tsk);
> +#endif
> }
>
> static inline unsigned long *__scs_magic(void *s)
> {
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + return (unsigned long *)(s);
> +#else
> return (unsigned long *)(s + SCS_SIZE) - 1;
> +#endif
> }
>
> static inline bool task_scs_end_corrupted(struct task_struct *tsk)
> {
> unsigned long *magic = __scs_magic(task_scs(tsk));
> - unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
> + unsigned long sz;
> +
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
> +#else
> + sz = task_scs_sp(tsk) - task_scs(tsk);
> +#endif
>
> return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
> }
>
> +static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
> +{
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + arch_scs_store(s, magic_val);
> +#else
> + *__scs_magic(s) = magic_val;
> +#endif
> +}
> +
I'm not a huge fan of all the ifdefs. We could clean this up by
allowing architectures to simply override some these functions, or at
least use if (IS_ENABLED(CONFIG...)) instead. Will, any thoughts about
this?
> DECLARE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>
> static inline bool scs_is_dynamic(void)
> diff --git a/kernel/scs.c b/kernel/scs.c
> index d7809affe740..5910c0a8eabd 100644
> --- a/kernel/scs.c
> +++ b/kernel/scs.c
> @@ -11,6 +11,7 @@
> #include <linux/scs.h>
> #include <linux/vmalloc.h>
> #include <linux/vmstat.h>
> +#include <asm-generic/set_memory.h>
>
> #ifdef CONFIG_DYNAMIC_SCS
> DEFINE_STATIC_KEY_FALSE(dynamic_scs_enabled);
> @@ -32,19 +33,31 @@ static void *__scs_alloc(int node)
> {
> int i;
> void *s;
> + pgprot_t prot = PAGE_KERNEL;
> +
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + prot = PAGE_KERNEL_SHADOWSTACK;
> +#endif
I would rather define the shadow stack protection flags in the header
file and allow them to be overridden in asm/scs.h.
> for (i = 0; i < NR_CACHED_SCS; i++) {
> s = this_cpu_xchg(scs_cache[i], NULL);
> if (s) {
> s = kasan_unpoison_vmalloc(s, SCS_SIZE,
> KASAN_VMALLOC_PROT_NORMAL);
> +/*
> + * If software shadow stack, its safe to memset. Else memset is not
> + * possible on hw protected shadow stack. memset constitutes stores and
> + * stores to shadow stack memory are disallowed and will fault.
> + */
> +#ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> memset(s, 0, SCS_SIZE);
> +#endif
This could also be moved to a static inline function that
architectures can override if they have hardware shadow stacks that
cannot be cleared at this point.
> goto out;
> }
> }
>
> s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
> - GFP_SCS, PAGE_KERNEL, 0, node,
> + GFP_SCS, prot, 0, node,
> __builtin_return_address(0));
>
> out:
> @@ -59,7 +72,7 @@ void *scs_alloc(int node)
> if (!s)
> return NULL;
>
> - *__scs_magic(s) = SCS_END_MAGIC;
> + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC);
>
> /*
> * Poison the allocation to catch unintentional accesses to
> @@ -87,6 +100,16 @@ void scs_free(void *s)
> return;
>
> kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
> + /*
> + * Hardware protected shadow stack is not writeable by regular stores
> + * Thus adding this back to free list will raise faults by vmalloc
> + * It needs to be writeable again. It's good sanity as well because
> + * then it can't be inadvertently accesses and if done, it will fault.
> + */
> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE));
> +#endif
Another candidate for an arch-specific function to reduce the number
of ifdefs in the generic code.
Sami
On Fri, Jul 25, 2025 at 04:13:27PM +0000, Sami Tolvanen wrote:
> On Thu, Jul 24, 2025 at 04:37:03PM -0700, Deepak Gupta wrote:
> > diff --git a/include/linux/scs.h b/include/linux/scs.h
> > index 4ab5bdc898cf..6ceee07c2d1a 100644
> > --- a/include/linux/scs.h
> > +++ b/include/linux/scs.h
> > @@ -12,6 +12,7 @@
> > #include <linux/poison.h>
> > #include <linux/sched.h>
> > #include <linux/sizes.h>
> > +#include <asm/scs.h>
> >
> > #ifdef CONFIG_SHADOW_CALL_STACK
> >
> > @@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
> > * Reset the shadow stack to the base address in case the task
> > * is reused.
> > */
> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> > + task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
> > +#else
> > task_scs_sp(tsk) = task_scs(tsk);
> > +#endif
> > }
> >
> > static inline unsigned long *__scs_magic(void *s)
> > {
> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> > + return (unsigned long *)(s);
> > +#else
> > return (unsigned long *)(s + SCS_SIZE) - 1;
> > +#endif
> > }
> >
> > static inline bool task_scs_end_corrupted(struct task_struct *tsk)
> > {
> > unsigned long *magic = __scs_magic(task_scs(tsk));
> > - unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
> > + unsigned long sz;
> > +
> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> > + sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
> > +#else
> > + sz = task_scs_sp(tsk) - task_scs(tsk);
> > +#endif
> >
> > return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
> > }
> >
> > +static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
> > +{
> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
> > + arch_scs_store(s, magic_val);
> > +#else
> > + *__scs_magic(s) = magic_val;
> > +#endif
> > +}
> > +
>
> I'm not a huge fan of all the ifdefs. We could clean this up by
> allowing architectures to simply override some these functions, or at
> least use if (IS_ENABLED(CONFIG...)) instead. Will, any thoughts about
> this?
Yeah, I agree that allowing architectures to provide overrides makes
sense, however I also suspect that some of this needs to be a runtime
decision because not all CPUs will support the hardware-accelerated
feature and will presumably want to fall back on the software
implementation.
Will
On Mon, Jul 28, 2025 at 01:47:14PM +0100, Will Deacon wrote:
>On Fri, Jul 25, 2025 at 04:13:27PM +0000, Sami Tolvanen wrote:
>> On Thu, Jul 24, 2025 at 04:37:03PM -0700, Deepak Gupta wrote:
>> > diff --git a/include/linux/scs.h b/include/linux/scs.h
>> > index 4ab5bdc898cf..6ceee07c2d1a 100644
>> > --- a/include/linux/scs.h
>> > +++ b/include/linux/scs.h
>> > @@ -12,6 +12,7 @@
>> > #include <linux/poison.h>
>> > #include <linux/sched.h>
>> > #include <linux/sizes.h>
>> > +#include <asm/scs.h>
>> >
>> > #ifdef CONFIG_SHADOW_CALL_STACK
>> >
>> > @@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
>> > * Reset the shadow stack to the base address in case the task
>> > * is reused.
>> > */
>> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> > + task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
>> > +#else
>> > task_scs_sp(tsk) = task_scs(tsk);
>> > +#endif
>> > }
>> >
>> > static inline unsigned long *__scs_magic(void *s)
>> > {
>> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> > + return (unsigned long *)(s);
>> > +#else
>> > return (unsigned long *)(s + SCS_SIZE) - 1;
>> > +#endif
>> > }
>> >
>> > static inline bool task_scs_end_corrupted(struct task_struct *tsk)
>> > {
>> > unsigned long *magic = __scs_magic(task_scs(tsk));
>> > - unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
>> > + unsigned long sz;
>> > +
>> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> > + sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
>> > +#else
>> > + sz = task_scs_sp(tsk) - task_scs(tsk);
>> > +#endif
>> >
>> > return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
>> > }
>> >
>> > +static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
>> > +{
>> > +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> > + arch_scs_store(s, magic_val);
>> > +#else
>> > + *__scs_magic(s) = magic_val;
>> > +#endif
>> > +}
>> > +
>>
>> I'm not a huge fan of all the ifdefs. We could clean this up by
>> allowing architectures to simply override some these functions, or at
>> least use if (IS_ENABLED(CONFIG...)) instead. Will, any thoughts about
>> this?
>
>Yeah, I agree that allowing architectures to provide overrides makes
>sense, however I also suspect that some of this needs to be a runtime
>decision because not all CPUs will support the hardware-accelerated
>feature and will presumably want to fall back on the software
>implementation.
Hmm runtime fallback is an important point. Thanks. I'll munch on it a
bit.
>
>Will
On Fri, Jul 25, 2025 at 04:13:27PM +0000, Sami Tolvanen wrote: > On Thu, Jul 24, 2025 at 04:37:03PM -0700, Deepak Gupta wrote: > > If shadow stack have memory protections from underlying cpu, use those > > protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow > > stack pages. Hw assisted shadow stack pages grow downwards like regular > > stack. Clang based software shadow call stack grows low to high address. > Is this the case for all the current hardware shadow stack > implementations? If not, we might want a separate config for the > shadow stack direction instead. It's true for arm64.
On Fri, Jul 25, 2025 at 04:13:27PM +0000, Sami Tolvanen wrote:
>On Thu, Jul 24, 2025 at 04:37:03PM -0700, Deepak Gupta wrote:
>> If shadow stack have memory protections from underlying cpu, use those
>> protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow
>> stack pages. Hw assisted shadow stack pages grow downwards like regular
>> stack. Clang based software shadow call stack grows low to high address.
>
>Is this the case for all the current hardware shadow stack
>implementations? If not, we might want a separate config for the
>shadow stack direction instead.
Is there something like this for regular stack as well?
I could copy same mechanism.
>
>> Thus this patch addresses some of those needs due to opposite direction
>> of shadow stack. Furthermore, hw shadow stack can't be memset because memset
>> uses normal stores. Lastly to store magic word at base of shadow stack, arch
>> specific shadow stack store has to be performed.
>>
>> Signed-off-by: Deepak Gupta <debug@rivosinc.com>
>> ---
>> include/linux/scs.h | 26 +++++++++++++++++++++++++-
>> kernel/scs.c | 38 +++++++++++++++++++++++++++++++++++---
>> 2 files changed, 60 insertions(+), 4 deletions(-)
>>
>> diff --git a/include/linux/scs.h b/include/linux/scs.h
>> index 4ab5bdc898cf..6ceee07c2d1a 100644
>> --- a/include/linux/scs.h
>> +++ b/include/linux/scs.h
>> @@ -12,6 +12,7 @@
>> #include <linux/poison.h>
>> #include <linux/sched.h>
>> #include <linux/sizes.h>
>> +#include <asm/scs.h>
>>
>> #ifdef CONFIG_SHADOW_CALL_STACK
>>
>> @@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
>> * Reset the shadow stack to the base address in case the task
>> * is reused.
>> */
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
>> +#else
>> task_scs_sp(tsk) = task_scs(tsk);
>> +#endif
>> }
>>
>> static inline unsigned long *__scs_magic(void *s)
>> {
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + return (unsigned long *)(s);
>> +#else
>> return (unsigned long *)(s + SCS_SIZE) - 1;
>> +#endif
>> }
>>
>> static inline bool task_scs_end_corrupted(struct task_struct *tsk)
>> {
>> unsigned long *magic = __scs_magic(task_scs(tsk));
>> - unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
>> + unsigned long sz;
>> +
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
>> +#else
>> + sz = task_scs_sp(tsk) - task_scs(tsk);
>> +#endif
>>
>> return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
>> }
>>
>> +static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
>> +{
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + arch_scs_store(s, magic_val);
>> +#else
>> + *__scs_magic(s) = magic_val;
>> +#endif
>> +}
>> +
>
>I'm not a huge fan of all the ifdefs. We could clean this up by
>allowing architectures to simply override some these functions, or at
>least use if (IS_ENABLED(CONFIG...)) instead. Will, any thoughts about
>this?
>
>> DECLARE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>>
>> static inline bool scs_is_dynamic(void)
>> diff --git a/kernel/scs.c b/kernel/scs.c
>> index d7809affe740..5910c0a8eabd 100644
>> --- a/kernel/scs.c
>> +++ b/kernel/scs.c
>> @@ -11,6 +11,7 @@
>> #include <linux/scs.h>
>> #include <linux/vmalloc.h>
>> #include <linux/vmstat.h>
>> +#include <asm-generic/set_memory.h>
>>
>> #ifdef CONFIG_DYNAMIC_SCS
>> DEFINE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>> @@ -32,19 +33,31 @@ static void *__scs_alloc(int node)
>> {
>> int i;
>> void *s;
>> + pgprot_t prot = PAGE_KERNEL;
>> +
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + prot = PAGE_KERNEL_SHADOWSTACK;
>> +#endif
>
>I would rather define the shadow stack protection flags in the header
>file and allow them to be overridden in asm/scs.h.
>
>> for (i = 0; i < NR_CACHED_SCS; i++) {
>> s = this_cpu_xchg(scs_cache[i], NULL);
>> if (s) {
>> s = kasan_unpoison_vmalloc(s, SCS_SIZE,
>> KASAN_VMALLOC_PROT_NORMAL);
>> +/*
>> + * If software shadow stack, its safe to memset. Else memset is not
>> + * possible on hw protected shadow stack. memset constitutes stores and
>> + * stores to shadow stack memory are disallowed and will fault.
>> + */
>> +#ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> memset(s, 0, SCS_SIZE);
>> +#endif
>
>This could also be moved to a static inline function that
>architectures can override if they have hardware shadow stacks that
>cannot be cleared at this point.
>
>> goto out;
>> }
>> }
>>
>> s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
>> - GFP_SCS, PAGE_KERNEL, 0, node,
>> + GFP_SCS, prot, 0, node,
>> __builtin_return_address(0));
>>
>> out:
>> @@ -59,7 +72,7 @@ void *scs_alloc(int node)
>> if (!s)
>> return NULL;
>>
>> - *__scs_magic(s) = SCS_END_MAGIC;
>> + __scs_store_magic(__scs_magic(s), SCS_END_MAGIC);
>>
>> /*
>> * Poison the allocation to catch unintentional accesses to
>> @@ -87,6 +100,16 @@ void scs_free(void *s)
>> return;
>>
>> kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
>> + /*
>> + * Hardware protected shadow stack is not writeable by regular stores
>> + * Thus adding this back to free list will raise faults by vmalloc
>> + * It needs to be writeable again. It's good sanity as well because
>> + * then it can't be inadvertently accesses and if done, it will fault.
>> + */
>> +#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>> + set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE));
>> +#endif
>
>Another candidate for an arch-specific function to reduce the number
>of ifdefs in the generic code.
>
>Sami
Sorry forgot to respond to rest of the comments.
On Fri, Jul 25, 2025 at 09:42:39AM -0700, Deepak Gupta wrote:
>On Fri, Jul 25, 2025 at 04:13:27PM +0000, Sami Tolvanen wrote:
>>On Thu, Jul 24, 2025 at 04:37:03PM -0700, Deepak Gupta wrote:
>>>If shadow stack have memory protections from underlying cpu, use those
>>>protections. arches can define PAGE_KERNEL_SHADOWSTACK to vmalloc such shadow
>>>stack pages. Hw assisted shadow stack pages grow downwards like regular
>>>stack. Clang based software shadow call stack grows low to high address.
>>
>>Is this the case for all the current hardware shadow stack
>>implementations? If not, we might want a separate config for the
>>shadow stack direction instead.
>
>Is there something like this for regular stack as well?
>I could copy same mechanism.
>
>>
>>>Thus this patch addresses some of those needs due to opposite direction
>>>of shadow stack. Furthermore, hw shadow stack can't be memset because memset
>>>uses normal stores. Lastly to store magic word at base of shadow stack, arch
>>>specific shadow stack store has to be performed.
>>>
>>>Signed-off-by: Deepak Gupta <debug@rivosinc.com>
>>>---
>>> include/linux/scs.h | 26 +++++++++++++++++++++++++-
>>> kernel/scs.c | 38 +++++++++++++++++++++++++++++++++++---
>>> 2 files changed, 60 insertions(+), 4 deletions(-)
>>>
>>>diff --git a/include/linux/scs.h b/include/linux/scs.h
>>>index 4ab5bdc898cf..6ceee07c2d1a 100644
>>>--- a/include/linux/scs.h
>>>+++ b/include/linux/scs.h
>>>@@ -12,6 +12,7 @@
>>> #include <linux/poison.h>
>>> #include <linux/sched.h>
>>> #include <linux/sizes.h>
>>>+#include <asm/scs.h>
>>>
>>> #ifdef CONFIG_SHADOW_CALL_STACK
>>>
>>>@@ -37,22 +38,45 @@ static inline void scs_task_reset(struct task_struct *tsk)
>>> * Reset the shadow stack to the base address in case the task
>>> * is reused.
>>> */
>>>+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>>+ task_scs_sp(tsk) = task_scs(tsk) + SCS_SIZE;
>>>+#else
>>> task_scs_sp(tsk) = task_scs(tsk);
>>>+#endif
>>> }
>>>
>>> static inline unsigned long *__scs_magic(void *s)
>>> {
>>>+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>>+ return (unsigned long *)(s);
>>>+#else
>>> return (unsigned long *)(s + SCS_SIZE) - 1;
>>>+#endif
>>> }
>>>
>>> static inline bool task_scs_end_corrupted(struct task_struct *tsk)
>>> {
>>> unsigned long *magic = __scs_magic(task_scs(tsk));
>>>- unsigned long sz = task_scs_sp(tsk) - task_scs(tsk);
>>>+ unsigned long sz;
>>>+
>>>+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>>+ sz = (task_scs(tsk) + SCS_SIZE) - task_scs_sp(tsk);
>>>+#else
>>>+ sz = task_scs_sp(tsk) - task_scs(tsk);
>>>+#endif
>>>
>>> return sz >= SCS_SIZE - 1 || READ_ONCE_NOCHECK(*magic) != SCS_END_MAGIC;
>>> }
>>>
>>>+static inline void __scs_store_magic(unsigned long *s, unsigned long magic_val)
>>>+{
>>>+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>>+ arch_scs_store(s, magic_val);
>>>+#else
>>>+ *__scs_magic(s) = magic_val;
>>>+#endif
>>>+}
>>>+
>>
>>I'm not a huge fan of all the ifdefs. We could clean this up by
>>allowing architectures to simply override some these functions, or at
>>least use if (IS_ENABLED(CONFIG...)) instead. Will, any thoughts about
>>this?
Yes I don't like it either.
I'll do something about it in next iteration.
>>
>>> DECLARE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>>>
>>> static inline bool scs_is_dynamic(void)
>>>diff --git a/kernel/scs.c b/kernel/scs.c
>>>index d7809affe740..5910c0a8eabd 100644
>>>--- a/kernel/scs.c
>>>+++ b/kernel/scs.c
>>>@@ -11,6 +11,7 @@
>>> #include <linux/scs.h>
>>> #include <linux/vmalloc.h>
>>> #include <linux/vmstat.h>
>>>+#include <asm-generic/set_memory.h>
>>>
>>> #ifdef CONFIG_DYNAMIC_SCS
>>> DEFINE_STATIC_KEY_FALSE(dynamic_scs_enabled);
>>>@@ -32,19 +33,31 @@ static void *__scs_alloc(int node)
>>> {
>>> int i;
>>> void *s;
>>>+ pgprot_t prot = PAGE_KERNEL;
>>>+
>>>+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>>+ prot = PAGE_KERNEL_SHADOWSTACK;
>>>+#endif
>>
>>I would rather define the shadow stack protection flags in the header
>>file and allow them to be overridden in asm/scs.h.
Yes that's good idea. I'll do that.
>>
>>> for (i = 0; i < NR_CACHED_SCS; i++) {
>>> s = this_cpu_xchg(scs_cache[i], NULL);
>>> if (s) {
>>> s = kasan_unpoison_vmalloc(s, SCS_SIZE,
>>> KASAN_VMALLOC_PROT_NORMAL);
>>>+/*
>>>+ * If software shadow stack, its safe to memset. Else memset is not
>>>+ * possible on hw protected shadow stack. memset constitutes stores and
>>>+ * stores to shadow stack memory are disallowed and will fault.
>>>+ */
>>>+#ifndef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>> memset(s, 0, SCS_SIZE);
>>>+#endif
>>
>>This could also be moved to a static inline function that
>>architectures can override if they have hardware shadow stacks that
>>cannot be cleared at this point.
Make sense.
>>
>>> goto out;
>>> }
>>> }
>>>
>>> s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
>>>- GFP_SCS, PAGE_KERNEL, 0, node,
>>>+ GFP_SCS, prot, 0, node,
>>> __builtin_return_address(0));
>>>
>>> out:
>>>@@ -59,7 +72,7 @@ void *scs_alloc(int node)
>>> if (!s)
>>> return NULL;
>>>
>>>- *__scs_magic(s) = SCS_END_MAGIC;
>>>+ __scs_store_magic(__scs_magic(s), SCS_END_MAGIC);
>>>
>>> /*
>>> * Poison the allocation to catch unintentional accesses to
>>>@@ -87,6 +100,16 @@ void scs_free(void *s)
>>> return;
>>>
>>> kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
>>>+ /*
>>>+ * Hardware protected shadow stack is not writeable by regular stores
>>>+ * Thus adding this back to free list will raise faults by vmalloc
>>>+ * It needs to be writeable again. It's good sanity as well because
>>>+ * then it can't be inadvertently accesses and if done, it will fault.
>>>+ */
>>>+#ifdef CONFIG_ARCH_HAS_KERNEL_SHADOW_STACK
>>>+ set_memory_rw((unsigned long)s, (SCS_SIZE/PAGE_SIZE));
>>>+#endif
>>
>>Another candidate for an arch-specific function to reduce the number
>>of ifdefs in the generic code.
Yes I'll do these changes in next iteration.
>>
>>Sami
© 2016 - 2025 Red Hat, Inc.