diff mbox series

[02/35] prctl: Add flag for shadow stack writeability and push/pop

Message ID 20230716-arm64-gcs-v1-2-bf567f93bba6@kernel.org
State New
Headers show
Series arm64/gcs: Provide support for GCS at EL0 | expand

Commit Message

Mark Brown July 16, 2023, 9:50 p.m. UTC
On arm64 and x86 the kernel can control if there is write access to the
shadow stack via specific instructions defined for the purpose, useful
for things like userspace threading at the expense of some security.
Add a flag to allow this to be selected when changing the shadow stack
status.

On arm64 the kernel can separately control if userspace is able to pop
and push values directly onto the shadow stack via GCS push and pop
instructions, supporting many scenarios where userspace needs to write
to the stack with less security exposure than full write access.  Add a
flag to allow this to be selected when changing the shadow stack status.

Signed-off-by: Mark Brown <broonie@kernel.org>
---
 include/uapi/linux/prctl.h | 2 ++
 1 file changed, 2 insertions(+)

Comments

Edgecombe, Rick P July 18, 2023, 5:47 p.m. UTC | #1
On Sun, 2023-07-16 at 22:50 +0100, Mark Brown wrote:
> On arm64 and x86 the kernel can control if there is write access to
> the
> shadow stack via specific instructions defined for the purpose,
> useful
> for things like userspace threading at the expense of some security.
> Add a flag to allow this to be selected when changing the shadow
> stack
> status.
> 
> On arm64 the kernel can separately control if userspace is able to
> pop
> and push values directly onto the shadow stack via GCS push and pop
> instructions, supporting many scenarios where userspace needs to
> write
> to the stack with less security exposure than full write access.  Add
> a
> flag to allow this to be selected when changing the shadow stack
> status.

Is this correct? I thought Szabolcs was saying pop was always
supported, but push was optional.
Mark Brown July 18, 2023, 7:10 p.m. UTC | #2
On Tue, Jul 18, 2023 at 05:47:32PM +0000, Edgecombe, Rick P wrote:
> On Sun, 2023-07-16 at 22:50 +0100, Mark Brown wrote:

> > On arm64 the kernel can separately control if userspace is able to
> > pop
> > and push values directly onto the shadow stack via GCS push and pop
> > instructions, supporting many scenarios where userspace needs to
> > write
> > to the stack with less security exposure than full write access.  Add
> > a
> > flag to allow this to be selected when changing the shadow stack
> > status.

> Is this correct? I thought Szabolcs was saying pop was always
> supported, but push was optional.

It's not, I wrote this right after looking at hypervisor controls which
do control push and pop.
diff mbox series

Patch

diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index 9fdc77fa2bfe..e88d2ddcdb2d 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -321,5 +321,7 @@  struct prctl_mm_map {
 #define PR_SET_SHADOW_STACK_STATUS      72
 # define PR_SHADOW_STACK_LOCK           (1UL << 0)
 # define PR_SHADOW_STACK_ENABLE         (1UL << 1)
+# define PR_SHADOW_STACK_WRITE		(1UL << 2)
+# define PR_SHADOW_STACK_PUSH		(1UL << 3)
 
 #endif /* _LINUX_PRCTL_H */