[PATCH v3 3/3] arm64: implement dynamic shadow call stack for Clang

Ard Biesheuvel ardb at kernel.org
Thu Jun 16 03:51:10 PDT 2022


On Wed, 15 Jun 2022 at 23:33, Sami Tolvanen <samitolvanen at google.com> wrote:
>
> On Mon, Jun 13, 2022 at 03:40:08PM +0200, Ard Biesheuvel wrote:
> > Implement dynamic shadow call stack support on Clang, by parsing the
> > unwind tables at init time to locate all occurrences of PACIASP/AUTIASP
> > instructions, and replacing them with the shadow call stack push and pop
> > instructions, respectively.
> >
> > This is useful because the overhead of the shadow call stack is
> > difficult to justify on hardware that implements pointer authentication
> > (PAC), and given that the PAC instructions are executed as NOPs on
> > hardware that doesn't, we can just replace them without breaking
> > anything. As PACIASP/AUTIASP are guaranteed to be paired with respect to
> > manipulations of the return address, replacing them 1:1 with shadow call
> > stack pushes and pops is guaranteed to result in the desired behavior.
> >
> > Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
> > ---
> >  arch/arm64/Kconfig            |   9 +
> >  arch/arm64/Makefile           |  10 +-
> >  arch/arm64/include/asm/scs.h  |  45 ++++
> >  arch/arm64/kernel/Makefile    |   2 +
> >  arch/arm64/kernel/head.S      |   3 +
> >  arch/arm64/kernel/irq.c       |   2 +-
> >  arch/arm64/kernel/module.c    |   8 +
> >  arch/arm64/kernel/patch-scs.c | 257 ++++++++++++++++++++
> >  arch/arm64/kernel/sdei.c      |   2 +-
> >  arch/arm64/kernel/setup.c     |   4 +
> >  10 files changed, 338 insertions(+), 4 deletions(-)
> >
...
> > --- a/arch/arm64/include/asm/scs.h
> > +++ b/arch/arm64/include/asm/scs.h
...
> > +
> > +static inline void dynamic_scs_init(void)
> > +{
> > +     if (should_patch_pac_into_scs())
> > +             static_branch_enable(&dynamic_scs_enabled);
> > +}
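Review bot: dynamic_scs_init() only ever enables dynamic_scs_enabled and never disables it, so should_patch_pac_into_scs() has an effect only if the key is defined false by default (DEFINE_STATIC_KEY_FALSE); with a true default the feature is on unconditionally, which is consistent with the scs_alloc calls seen later in this thread on -cpu max. Consider also a pr_info() in the enable branch, e.g. "pr_info("dynamic shadow call stack enabled\n");", so that the patched state shows up in dmesg rather than only being inferred from /proc/meminfo.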
>
> Should we print out a message to indicate we are actually enabling SCS
> at runtime? Otherwise I think the only way to know would be to look at
> /proc/meminfo, for example.
>

Yes, good point. I will add something here.

...
>
> I applied the series on top of -rc1 and tested it in qemu. With -cpu
> cortex-a57 everything seems to work and PAC instructions are correctly
> patched into SCS push/pop:
>
...
>
> However, with -cpu max I'm still seeing calls to scs_alloc despite the
> following:
>
> # dmesg | grep "Address authentication"
> [    0.000000] CPU features: detected: Address authentication (architected QARMA5 algorithm)
...

> I'm guessing this is also why I'm getting the following panic after
> attempting to load a module:
>
> [   25.549517] Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000003 -- BTI
...
>
> This is with defconfig + SHADOW_CALL_STACK + UNWIND_PATCH_PAC_INTO_SCS.
> Any thoughts if I'm doing something wrong here?
>

No, I made a mistake with the initial value of the dynamic_scs_enabled
static key, so it's currently always true.

I'll fix this in the next revision.
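The 1:1 substitution the commit message describes, written out here as an added illustration for this page rather than taken from the series' patch-scs.c: the kernel finds the PACIASP/AUTIASP sites by walking the unwind tables, whereas this walks a flat array of instruction words, which is enough to show the rewrite. The macro names and the constructed sample function body are assumptions; the encodings are the standard AArch64 ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* AArch64 instruction encodings (32-bit little-endian words). */
#define PACIASP   0xd503233fu  /* hint #25: sign LR using SP as modifier  */
#define AUTIASP   0xd50323bfu  /* hint #29: authenticate LR using SP      */
#define SCS_PUSH  0xf800865eu  /* str x30, [x18], #8   (x18 = SCS pointer) */
#define SCS_POP   0xf85f8e5eu  /* ldr x30, [x18, #-8]!                    */

struct scs_patch_stats {
	size_t pushes;
	size_t pops;
};

/*
 * Rewrite every PACIASP into an SCS push and every AUTIASP into an SCS
 * pop, in place. Because the compiler emits them as a matched pair around
 * each save/restore of the return address, the pushes and pops stay
 * balanced after the rewrite. On hardware without PAC the originals were
 * NOPs, so nothing else about the function changes.
 */
static struct scs_patch_stats patch_pac_into_scs(uint32_t *insn, size_t n)
{
	struct scs_patch_stats st = { 0, 0 };

	for (size_t i = 0; i < n; i++) {
		if (insn[i] == PACIASP) {
			insn[i] = SCS_PUSH;
			st.pushes++;
		} else if (insn[i] == AUTIASP) {
			insn[i] = SCS_POP;
			st.pops++;
		}
	}
	return st;
}

/* Constructed sample: a minimal function body wrapped in one PAC pair. */
static uint32_t sample_text[] = {
	PACIASP,
	0xa9bf7bfdu, /* stp x29, x30, [sp, #-16]! */
	0x910003fdu, /* mov x29, sp               */
	0xa8c17bfdu, /* ldp x29, x30, [sp], #16   */
	AUTIASP,
	0xd65f03c0u, /* ret                       */
};

int main(void)
{
	struct scs_patch_stats st = patch_pac_into_scs(sample_text, 6);

	printf("patched %zu push(es), %zu pop(s)\n", st.pushes, st.pops);
	return st.pushes == st.pops ? 0 : 1;
}
```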



More information about the linux-arm-kernel mailing list