[v7,00/23] aarch64: Add support for Guarded Control Stack extension

Message ID 20250103154141.47731-1-yury.khrustalev@arm.com (mailing list archive)
Series aarch64: Add support for Guarded Control Stack extension


Yury Khrustalev Jan. 3, 2025, 3:41 p.m. UTC
This patch series adds support for the Guarded Control Stack extension [1] that
allows the use of shadow stacks on AArch64 systems with GCS enabled.

This patch series includes:
 - Definition of jmp_buf offset for GCS
 - GCS support in longjmp, vfork, setcontext, makecontext
 - GCS support in static startup code and dynamic linker
 - Handling of GCS marking in dynamic binaries and DSOs
 - Handling of GCS marking in static binaries
 - Mark swapcontext with indirect_return
 - Reserved tunable names glibc.cpu.aarch64_gcs and glibc.cpu.aarch64_gcs_policy
 - Add generic hook for processing notes and properties in static executables

GCS marking for binaries is specified in [2].
Regression tested on AArch64 and x86 and no regressions have been found.
Also build-tested using build-many-glibcs.py and no regressions found.

Applies to e9eea05986 in master. Any feedback is welcome and appreciated.

Sources and branches:
 - binutils-gdb: sourceware.org/git/binutils-gdb.git master
 - gcc: gcc.gnu.org/git/gcc.git master
 - glibc: this patch series
 - kernel: git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Cross-building the toolchain for target aarch64-none-linux-gnu:
 - build and install binutils-gdb
 - build and install GCC stage 1
 - install kernel headers
 - install glibc headers
 - build and install GCC stage 2 configuring with --enable-standard-branch-protection
 - build and install glibc
 - build and install GCC stage 3 along with target libraries configuring with --enable-standard-branch-protection

The FVP model provided by the Shrinkwrap tool [3] can be used for testing.

To enable GCS, run tests with the environment variable:

  GLIBC_TUNABLES=glibc.cpu.aarch64_gcs=1:glibc.cpu.aarch64_gcs_policy=2

[1] https://developer.arm.com/documentation/ddi0487/ka/ (chapter D11)
[2] https://github.com/ARM-software/abi-aa/blob/main/sysvabi64/sysvabi64.rst
[3] https://git.gitlab.arm.com/tooling/shrinkwrap.git

---

Changes in v7:
 - Rebased on recent master (required fix-up for one of the commits: is_rtld_link_map).
 - Added check for incorrect tunable value for glibc.cpu.aarch64_gcs_policy.
 - Updated copyright years.

Link to v6:
https://inbox.sourceware.org/libc-alpha/20241212143749.767747-1-yury.khrustalev@arm.com/

Changes in v6:
 - Changed how notes and properties are processed for static executables.
 - Fixed vfork() comment.
 - Fixed error message formatting for GCS errors for static executables.
 - Fixed ARCH_THREAD_FREERES macro to avoid #ifdef-s.
 - Rebased on recent master.

Link to v5:
https://inbox.sourceware.org/libc-alpha/20241206132952.2410680-1-yury.khrustalev@arm.com/

Changes in v5:
 - Reworked patch series to exclude exporting new public header constants.
 - Fixed minor style issues.
 - Added reserved names for new Glibc tunables to the manual.
 - GCS tunables are now using internally defined HWCAP_GCS unless it is
   already defined.
 - vfork() does not clear x30 before "returning" to child any more as this
   would be unnecessary in most cases but might create some undocumented
   "de facto" ABI.

Link to v4:
https://inbox.sourceware.org/libc-alpha/20241129163721.2385847-1-yury.khrustalev@arm.com/

Changes in v4:
 - Merged patches 17 and 18 from v3 series.
 - Amended tests that would fail if executed on a system with GCS.

Link to v3:
https://inbox.sourceware.org/libc-alpha/20241023083920.466015-1-yury.khrustalev@arm.com/

---

Szabolcs Nagy (20):
  aarch64: Add asm helpers for GCS
  elf.h: Define GNU_PROPERTY_AARCH64_FEATURE_1_GCS
  aarch64: Define jmp_buf offset for GCS
  aarch64: Add GCS support to longjmp
  aarch64: Add GCS support to vfork
  aarch64: Add GCS support for setcontext
  aarch64: Mark swapcontext with indirect_return
  aarch64: Add GCS support for makecontext
  aarch64: Try to free the GCS of makecontext
  aarch64: Add glibc.cpu.aarch64_gcs tunable
  aarch64: Enable GCS in static linked exe
  aarch64: Enable GCS in dynamic linked exe
  aarch64: Mark objects with GCS property note
  aarch64: Add glibc.cpu.aarch64_gcs_policy tunable
  aarch64: Use l_searchlist.r_list for bti
  aarch64: Handle GCS marking
  aarch64: Ignore GCS property of ld.so
  aarch64: Process gnu properties in static exe
  aarch64: Add GCS user-space allocation logic
  aarch64: Use __alloc_gcs in makecontext

Yury Khrustalev (3):
  manual: Add glibc.cpu.aarch64_gcs tunable
  manual: Add glibc.cpu.aarch64_gcs_policy tunable
  aarch64: Fix tests not compatible with targets supporting GCS

 csu/libc-start.c                              | 12 +++
 elf/elf.h                                     |  1 +
 elf/tst-asm-helper.h                          | 49 ++++++++++
 elf/tst-big-note-lib.S                        |  2 +
 elf/tst-ro-dynamic-mod.map                    |  7 +-
 include/set-freeres.h                         |  2 +
 malloc/thread-freeres.c                       |  9 ++
 manual/tunables.texi                          | 12 +++
 sysdeps/aarch64/Makefile                      | 11 ++-
 sysdeps/aarch64/__alloc_gcs.c                 | 66 +++++++++++++
 sysdeps/aarch64/__longjmp.S                   | 30 ++++++
 sysdeps/aarch64/aarch64-gcs.h                 | 28 ++++++
 sysdeps/aarch64/bits/indirect-return.h        | 36 +++++++
 sysdeps/aarch64/dl-bti.c                      |  5 +-
 sysdeps/aarch64/dl-gcs.c                      | 76 +++++++++++++++
 sysdeps/aarch64/dl-prop.h                     | 15 ++-
 sysdeps/aarch64/dl-start.S                    | 25 ++++-
 sysdeps/aarch64/dl-tunables.list              | 10 ++
 sysdeps/aarch64/jmpbuf-offsets.h              | 62 ++++++++++++
 sysdeps/aarch64/linkmap.h                     |  1 +
 sysdeps/aarch64/rtld-global-offsets.sym       |  5 +
 sysdeps/aarch64/setjmp.S                      | 10 ++
 sysdeps/aarch64/sysdep.h                      | 12 ++-
 sysdeps/aarch64/tst-vpcs-mod.S                |  4 +-
 sysdeps/generic/libc-start.h                  |  1 +
 .../unix/sysv/linux/aarch64/cpu-features.c    | 13 +++
 sysdeps/unix/sysv/linux/aarch64/dl-procinfo.c | 13 +++
 .../unix/sysv/linux/aarch64/dl-procruntime.c  | 37 +++++++
 sysdeps/unix/sysv/linux/aarch64/getcontext.S  | 17 +++-
 sysdeps/unix/sysv/linux/aarch64/libc-start.h  | 65 +++++++++++++
 sysdeps/unix/sysv/linux/aarch64/makecontext.c | 97 ++++++++++++++++++-
 sysdeps/unix/sysv/linux/aarch64/setcontext.S  | 57 ++++++++++-
 sysdeps/unix/sysv/linux/aarch64/swapcontext.S | 32 ++++--
 sysdeps/unix/sysv/linux/aarch64/sysdep.h      |  6 +-
 .../sysv/linux/aarch64/ucontext-internal.h    |  5 +
 sysdeps/unix/sysv/linux/aarch64/vfork.S       |  7 +-
 36 files changed, 806 insertions(+), 34 deletions(-)
 create mode 100644 elf/tst-asm-helper.h
 create mode 100644 sysdeps/aarch64/__alloc_gcs.c
 create mode 100644 sysdeps/aarch64/aarch64-gcs.h
 create mode 100644 sysdeps/aarch64/bits/indirect-return.h
 create mode 100644 sysdeps/aarch64/dl-gcs.c
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/dl-procruntime.c
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/libc-start.h
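
The series keys GCS enablement on the GNU_PROPERTY_AARCH64_FEATURE_1_GCS marking of each binary and DSO. The following is an added example, not code from this patch series or from glibc: a stand-alone check of a raw ELF64 .note.gnu.property note for that bit. The function name note_has_gcs and the sample byte arrays are constructed for illustration; the constants are the standard ELF values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0 5
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_GCS (1u << 2)

/* Read a little-endian 32-bit word (assumes a little-endian ELF file). */
static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1: GCS bit set, 0: not marked, -1: malformed or not a GNU property note. */
int note_has_gcs(const uint8_t *note, size_t len) {
  if (len < 16) return -1;
  uint32_t namesz = rd32(note), descsz = rd32(note + 4), type = rd32(note + 8);
  if (namesz != 4 || type != NT_GNU_PROPERTY_TYPE_0 || memcmp(note + 12, "GNU", 4) != 0)
    return -1;
  if (descsz > len - 16) return -1;
  const uint8_t *p = note + 16, *end = p + descsz;
  uint32_t features = 0;
  while (p < end) {
    if ((size_t)(end - p) < 8) return -1;
    uint32_t pr_type = rd32(p), pr_datasz = rd32(p + 4);
    p += 8;
    size_t padded = ((size_t)pr_datasz + 7) & ~(size_t)7; /* 8-byte aligned on ELF64 */
    if (padded > (size_t)(end - p)) return -1;
    if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND) {
      if (pr_datasz != 4) return -1;
      features |= rd32(p);
    }
    p += padded;
  }
  return (features & GNU_PROPERTY_AARCH64_FEATURE_1_GCS) ? 1 : 0;
}

/* Constructed sample notes: header, "GNU\0", one FEATURE_1_AND property. */
#define NOTE(bits) { 4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0, \
                     0,0,0,0xc0, 4,0,0,0, (bits),0,0,0, 0,0,0,0 }
static const uint8_t sample_gcs[] = NOTE(0x07);   /* BTI | PAC | GCS */
static const uint8_t sample_nogcs[] = NOTE(0x03); /* BTI | PAC only */

int main(void) {
  printf("gcs=%d nogcs=%d truncated=%d\n",
         note_has_gcs(sample_gcs, sizeof sample_gcs),
         note_has_gcs(sample_nogcs, sizeof sample_nogcs),
         note_has_gcs(sample_gcs, 20));
  return 0;
}
```

The marking only states that an object is compatible with GCS; whether the shadow stack is actually enabled at run time depends on the hardware, the kernel and the tunables described above.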
  

Comments

Yury Khrustalev Jan. 14, 2025, 4:21 p.m. UTC | #1
Hi Adhemerval,

On Fri, Jan 03, 2025 at 03:41:18PM +0000, Yury Khrustalev wrote:
> This patch series adds support for the Guarded Control Stack extension [1] that
> allows the use of shadow stacks on AArch64 systems with GCS enabled.

Thank you for taking the time to review the v7 series. I've addressed your comments in the
v8 series [1].

I would appreciate it if you could review v8 patches 8-11, 13 and 15. I hope in its
current state the series looks good for merging.

[1] https://inbox.sourceware.org/libc-alpha/20250114160328.2031684-1-yury.khrustalev@arm.com/

Kind regards,
Yury