Message ID | 20241129163721.2385847-1-yury.khrustalev@arm.com (mailing list archive) |
---|---|
Headers | From: Yury Khrustalev <yury.khrustalev@arm.com> To: libc-alpha@sourceware.org Cc: fweimer@redhat.com, adhemerval.zanella@linaro.org, codonell@redhat.com, nsz@gcc.gnu.org, schwab@suse.de Subject: [PATCH v4 00/22] aarch64: Add support for Guarded Control Stack extension Date: Fri, 29 Nov 2024 16:36:59 +0000 Message-Id: <20241129163721.2385847-1-yury.khrustalev@arm.com> |
Series | aarch64: Add support for Guarded Control Stack extension |
Message
Yury Khrustalev
Nov. 29, 2024, 4:36 p.m. UTC
This patch series adds support for the Guarded Control Stack extension [1] that
allows to use shadow stacks on AArch64 systems with enabled GCS.

This patch series includes:
- New tunables glibc.cpu.aarch64_gcs and glibc.cpu.aarch64_gcs_policy
- Definition of jmp_buf offset for GCS
- GCS support in longjmp, vfork, setcontext, makecontext
- GCS support in static startup code and dynamic linker
- Handling of GCS marking in dynamic binaries and DSOs
- Handling of GCS marking in static binaries
- Mark swapcontext with indirect_return
- HWCAP_GCS

Corresponding Linux kernel patches [2] are very close to stable ABI.
GCS marking for binaries is specified in [3].
Regression tested on AArch64 and no regressions have been found.

Any feedback is welcome and appreciated.

Sources and branches:
- binutils-gdb: sourceware.org/git/binutils-gdb.git users/ARM/gcs
- gcc: gcc.gnu.org/git/gcc.git master
- glibc: this patch series
- kernel: git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/gcs

Cross-building the toolchain for target aarch64-none-linux-gnu:
- build and install binutils-gdb
- build and install GCC stage 1
- install kernel headers
- install glibc headers
- build and install GCC stage 2
  configuring with --enable-standard-branch-protection
- build and install glibc
- build and install GCC stage 3 and target libraries
  configuring with --enable-standard-branch-protection

FVP model provided by the Shrinkwrap tool [4] can be used for testing.

To enable GCS, run tests with environment variable:

  GLIBC_TUNABLES=glibc.cpu.aarch64_gcs=1:glibc.cpu.aarch64_gcs_policy=2

By default both tunables are 0, the meaning is:
- glibc.cpu.aarch64_gcs_policy=0: GCS is enabled if glibc.cpu.aarch64_gcs is set
- glibc.cpu.aarch64_gcs_policy=1: GCS is enabled if glibc.cpu.aarch64_gcs is set
  and binary is marked
  if GCS is enabled, an incompatible dlopen is an error
- glibc.cpu.aarch64_gcs_policy=2: GCS is enabled if glibc.cpu.aarch64_gcs is set
  if GCS is enabled, any incompatible binary is an error

[1] https://developer.arm.com/documentation/ddi0487/ka/ (chapter D11)
[2] https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/gcs
[3] https://github.com/ARM-software/abi-aa/blob/main/sysvabi64/sysvabi64.rst
[4] https://git.gitlab.arm.com/tooling/shrinkwrap.git

---
Changes in v4:
- Merged patches 17 and 18 from v3 series.
- Amended tests that would fail if executed on a system with GCS.

Link to v3: https://inbox.sourceware.org/libc-alpha/20241023083920.466015-1-yury.khrustalev@arm.com/

---
Szabolcs Nagy (21):
  aarch64: Add HWCAP_GCS
  aarch64: Add asm helpers for GCS
  elf.h: Define GNU_PROPERTY_AARCH64_FEATURE_1_GCS
  aarch64: Define jmp_buf offset for GCS
  aarch64: Add GCS support to longjmp
  aarch64: Add GCS support to vfork
  aarch64: Add GCS support for setcontext
  aarch64: Mark swapcontext with indirect_return
  aarch64: Add GCS support for makecontext
  aarch64: Try to free the GCS of makecontext
  aarch64: Add glibc.cpu.aarch64_gcs tunable
  aarch64: Enable GCS in static linked exe
  aarch64: Enable GCS in dynamic linked exe
  aarch64: Mark objects with GCS property note
  aarch64: Add glibc.cpu.aarch64_gcs_policy
  aarch64: Use l_searchlist.r_list for bti
  aarch64: Handle GCS marking
  aarch64: Ignore GCS property of ld.so
  aarch64: Process gnu properties in static exe
  aarch64: Add GCS user-space allocation logic
  aarch64: Use __alloc_gcs in makecontext

Yury Khrustalev (1):
  aarch64: Fix tests not compatible with targets supporting GCS

 elf/elf.h | 1 +
 elf/tst-asm-helper.h | 49 ++++++++++
 elf/tst-big-note-lib.S | 2 +
 elf/tst-ro-dynamic-mod.map | 7 +-
 include/set-freeres.h | 4 +
 malloc/thread-freeres.c | 3 +
 sysdeps/aarch64/Makefile | 11 ++-
 sysdeps/aarch64/__alloc_gcs.c | 66 +++++++++++++
 sysdeps/aarch64/__longjmp.S | 30 ++++++
 sysdeps/aarch64/aarch64-gcs.h | 36 +++++++
 sysdeps/aarch64/bits/indirect-return.h | 36 +++++++
 sysdeps/aarch64/dl-bti.c | 5 +-
 sysdeps/aarch64/dl-gcs.c | 64 ++++++++++++
 sysdeps/aarch64/dl-prop.h | 15 ++-
 sysdeps/aarch64/dl-start.S | 23 ++++-
 sysdeps/aarch64/dl-tunables.list | 10 ++
 sysdeps/aarch64/jmpbuf-offsets.h | 63 ++++++++++++
 sysdeps/aarch64/linkmap.h | 1 +
 sysdeps/aarch64/rtld-global-offsets.sym | 5 +
 sysdeps/aarch64/setjmp.S | 10 ++
 sysdeps/aarch64/sysdep.h | 12 ++-
 sysdeps/aarch64/tst-vpcs-mod.S | 4 +-
 sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h | 1 +
 .../unix/sysv/linux/aarch64/cpu-features.c | 9 ++
 sysdeps/unix/sysv/linux/aarch64/dl-procinfo.c | 13 +++
 .../unix/sysv/linux/aarch64/dl-procruntime.c | 37 +++++++
 sysdeps/unix/sysv/linux/aarch64/getcontext.S | 17 +++-
 sysdeps/unix/sysv/linux/aarch64/libc-start.h | 61 ++++++++++++
 sysdeps/unix/sysv/linux/aarch64/makecontext.c | 97 ++++++++++++++++++-
 sysdeps/unix/sysv/linux/aarch64/setcontext.S | 57 ++++++++++-
 sysdeps/unix/sysv/linux/aarch64/swapcontext.S | 32 ++++--
 sysdeps/unix/sysv/linux/aarch64/sysdep.h | 6 +-
 .../sysv/linux/aarch64/ucontext-internal.h | 5 +
 sysdeps/unix/sysv/linux/aarch64/vfork.S | 8 +-
 34 files changed, 766 insertions(+), 34 deletions(-)
 create mode 100644 elf/tst-asm-helper.h
 create mode 100644 sysdeps/aarch64/__alloc_gcs.c
 create mode 100644 sysdeps/aarch64/aarch64-gcs.h
 create mode 100644 sysdeps/aarch64/bits/indirect-return.h
 create mode 100644 sysdeps/aarch64/dl-gcs.c
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/dl-procruntime.c
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/libc-start.h
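
The "GCS marking" that the policy tunable checks is a bit in the object's GNU property note, which makes it something an auditor can verify per binary. The following is an added example, not code from this patch series: it walks the raw bytes of a `.note.gnu.property` section and reports whether GNU_PROPERTY_AARCH64_FEATURE_1_GCS is set. It assumes a little-endian ELF64 object whose note section has already been extracted into a buffer; `note_has_gcs`, `rd32` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0             5u
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_GCS (1u << 2)

static uint32_t rd32(const uint8_t *p) /* little-endian word (assumed LE object) */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: 1 = GCS-marked, 0 = not marked, -1 = malformed note. */
int note_has_gcs(const uint8_t *note, size_t len)
{
    /* Note header: namesz, descsz, type, then the 4-byte name "GNU\0". */
    if (len < 16 || rd32(note) != 4 || rd32(note + 8) != NT_GNU_PROPERTY_TYPE_0
        || memcmp(note + 12, "GNU", 4) != 0)
        return -1;
    size_t descsz = rd32(note + 4), off = 0;
    if (descsz > len - 16) return -1;          /* descriptor runs past the buffer */
    const uint8_t *desc = note + 16;
    while (descsz - off >= 8) {                /* each property: type, datasz, data */
        uint32_t pr_type = rd32(desc + off), pr_datasz = rd32(desc + off + 4);
        off += 8;
        if (pr_datasz > descsz - off)
            return -1;
        if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND && pr_datasz == 4)
            return (rd32(desc + off) & GNU_PROPERTY_AARCH64_FEATURE_1_GCS) != 0;
        size_t step = ((size_t)pr_datasz + 7) & ~(size_t)7; /* ELF64: 8-byte aligned */
        if (step > descsz - off) break;
        off += step;
    }
    return 0;
}

/* Constructed sample notes: feature word 0x7 (BTI|PAC|GCS) and 0x3 (BTI|PAC). */
static const uint8_t marked[] = { 4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
                                  0,0,0,0xc0, 4,0,0,0, 7,0,0,0, 0,0,0,0 };
static const uint8_t unmarked[] = { 4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
                                    0,0,0,0xc0, 4,0,0,0, 3,0,0,0, 0,0,0,0 };

int main(void)
{
    printf("marked=%d unmarked=%d\n", note_has_gcs(marked, sizeof marked),
           note_has_gcs(unmarked, sizeof unmarked));
    return 0;
}
```
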
Comments
On Fri, Nov 29, 2024 at 04:36:59PM +0000, Yury Khrustalev wrote:
> This patch series adds support for the Guarded Control Stack extension [1] that
> allows to use shadow stacks on AArch64 systems with enabled GCS.

> Sources and branches:
> - binutils-gdb: sourceware.org/git/binutils-gdb.git users/ARM/gcs
> - gcc: gcc.gnu.org/git/gcc.git master
> - glibc: this patch series
> - kernel: git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/gcs

Update on relevant sources:
- binutils can now be taken from master
- in case there are Glibc test failures, it could partly be due to the 7828dc07051 commit in GCC that can be rolled back to allow building and running Glibc tests, see [1] for details

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=32366

Kind regards,
Yury

On 11/29/24 11:36 AM, Yury Khrustalev wrote:
> This patch series adds support for the Guarded Control Stack extension [1] that
> allows to use shadow stacks on AArch64 systems with enabled GCS.
>
> This patch series includes:
> - New tunables glibc.cpu.aarch64_gcs and glibc.cpu.aarch64_gcs_policy
> - Definition of jmp_buf offset for GCS
> - GCS support in longjmp, vfork, setcontext, makecontext
> - GCS support in static startup code and dynamic linker
> - Handling of GCS marking in dynamic binaries and DSOs
> - Handling of GCS marking in static binaries
> - Mark swapcontext with indirect_return
> - HWCAP_GCS
>
> Corresponding Linux kernel patches [2] are very close to stable ABI.
> GCS marking for binaries is specified in [3].
> Regression tested on AArch64 and no regressions have been found.
>
> Any feedback is welcome and appreciated.

I think we could commit a lot of the changes in this series with the exception of exporting the public header constants?

The tunable could be added, but have it do nothing, and mark it in the manual as "reserved for future use."

Then once the kernel comes out we can backport a commit that adds the header constants (allowed and doesn't impact ABI) and then the tunable gets documented as working and functional (no impact on ld.so<->libc.so.6 private ABI).

Cheers,
Carlos.

Hi Carlos,

On Mon, Dec 02, 2024 at 04:18:01PM -0500, Carlos O'Donell wrote:
> On 11/29/24 11:36 AM, Yury Khrustalev wrote:
> > This patch series adds support for the Guarded Control Stack extension [1] that
> > allows to use shadow stacks on AArch64 systems with enabled GCS.
> >
> > ...
> >
> > Corresponding Linux kernel patches [2] are very close to stable ABI.
> > GCS marking for binaries is specified in [3].
> > Regression tested on AArch64 and no regressions have been found.
> >
> > Any feedback is welcome and appreciated.
>
> I think we could commit a lot of the changes in this series with the exception of
> exporting the public header constants?
>
> The tunable could be added, but have it do nothing, and mark it in the manual as
> "reserved for future use."
>
> Then once the kernel comes out we can backport a commit that adds the header
> constants (allowed and doesn't impact ABI) and then the tunable gets documented
> as working and functional (no impact on ld.so<->libc.so.6 private ABI).
>
> Cheers,
> Carlos.

Thank you for your suggestions and comments. I've updated patch series to exclude any public headers constants: hopefully v5 [1] is much better suited to be merged ahead of the upcoming Linux release.

[1] https://inbox.sourceware.org/libc-alpha/20241206132952.2410680-1-yury.khrustalev@arm.com/

Kind regards,
Yury