[PATCH] [PATCH V4]ARM64: SCS: Add gcc plugin to support Shadow Call Stack
Nick Desaulniers
ndesaulniers at google.com
Thu Oct 14 11:44:45 PDT 2021
On Wed, Oct 13, 2021 at 4:28 PM Dan Li <ashimida at linux.alibaba.com> wrote:
>
> - This function can be used to test whether the shadow stack is effective:
> //noinline void __noscs scs_test(void)
> noinline void scs_test(void)
> {
> register unsigned long *sp asm("sp");
> unsigned long * lr = sp + 1;
>
> asm volatile("":::"x30");
> *lr = 0;
> }
>
> when compiled with:
> CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> CONFIG_ARM64_PTR_AUTH_KERNEL=y
> CONFIG_ARM64_BTI_KERNEL=y
>
> ffff800010013b60 <scs_test>:
> ffff800010013b60: d503245f bti c
> ffff800010013b64: d503201f nop
> ffff800010013b68: d503201f nop
> ffff800010013b6c: d503233f paciasp
> ffff800010013b70: f800865e str x30, [x18], #8
> ffff800010013b74: a9bf7bfd stp x29, x30, [sp, #-16]!
> ffff800010013b78: 910003fd mov x29, sp
> ffff800010013b7c: 910003e0 mov x0, sp
> ffff800010013b80: f900041f str xzr, [x0, #8]
> ffff800010013b84: a8c17bfd ldp x29, x30, [sp], #16
> ffff800010013b88: f85f8e5e ldr x30, [x18, #-8]!
> ffff800010013b8c: d50323bf autiasp
> ffff800010013b90: d65f03c0 ret
>
> If SCS protection is enabled, this function will return normally.
> If the function has __noscs attribute (scs disabled), it will crash due to 0
> address access.
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index cb9217f..426c8e5 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -50,6 +50,10 @@
> #define __latent_entropy __attribute__((latent_entropy))
> #endif
>
> +#if defined(SHADOW_CALL_STACK_PLUGIN) && !defined(__CHECKER__)
> +#define __noscs __attribute__((no_shadow_call_stack))
> +#endif
Cool this is a nice addition, and something I don't think that clang
has. For any new feature, having a function attribute to disable it
at the function granularity is nice, and plays better with LTO than -f
group flags. Though that begs the question: what happens if a __noscs
callee is inlined into a non-__noscs caller, or vice versa?
I noticed that __noscs isn't actually applied anywhere in the kernel,
yet, at least in this series. Were there any places necessary that
you've found thus far?
Overall, I'm happy with the patch and am ready to ack it, but I would
like to see a link to to the upstream GCC feature request for SCS (and
one created if it doesn't exist) cited explicitly in the commit
message. I think that would be a good demonstration that this can or
will be upstreamed into the compiler proper for the compiler vendors
to maintain, rather than the kernel folks. The compiler vendors may
have further feedback on the approach, such as my question above
pertaining to inlining.
--
Thanks,
~Nick Desaulniers
More information about the linux-arm-kernel
mailing list