.. SPDX-License-Identifier: GPL-2.0

======================================================
Control-flow Enforcement Technology (CET) Shadow Stack
======================================================

CET Background
==============

Control-flow Enforcement Technology (CET) covers several related x86 processor
features that provide protection against control flow hijacking attacks. CET
can protect both applications and the kernel.

CET introduces shadow stack and indirect branch tracking (IBT). A shadow stack
is a secondary stack allocated from memory which cannot be directly modified by
applications. When executing a CALL instruction, the processor pushes the
return address to both the normal stack and the shadow stack. Upon
function return, the processor pops the shadow stack copy and compares it
to the normal stack copy. If the two differ, the processor raises a
control-protection fault. IBT verifies that indirect CALL/JMP targets are intended,
as marked by the compiler with 'ENDBR' opcodes. Not all CPUs have both Shadow
Stack and Indirect Branch Tracking. Today in the 64-bit kernel, only userspace
shadow stack and kernel IBT are supported.

Requirements to use Shadow Stack
================================

To use userspace shadow stack you need HW that supports it, the kernel
configured with it and userspace libraries compiled with it.

The kernel Kconfig option is X86_USER_SHADOW_STACK. When compiled in, shadow
stacks can be disabled at runtime with the kernel parameter: `nousershstk`.

To build a user shadow stack enabled kernel, Binutils v2.29 or LLVM v6 or later
are required.

At run time, /proc/cpuinfo shows CET features if the processor supports
CET. "user_shstk" means that userspace shadow stack is supported on the current
kernel and HW.

Application Enabling
====================

An application's CET capability is marked in its ELF note and can be verified
from readelf/llvm-readelf output::

    readelf -n <application> | grep -a SHSTK
        properties: x86 feature: SHSTK

The kernel does not process these application markers directly. Applications
or loaders must enable CET features using the arch_prctl() interface described
in the next section. Typically this would be done in the dynamic loader or
static runtime objects, as is the case in GLIBC.

Enabling arch_prctl()'s
=======================

ELF features should be enabled by the loader using the arch_prctl()'s below. They
are only supported in 64 bit user applications. These operate on the features
on a per-thread basis. The enablement status is inherited on clone, so if the
feature is enabled on the first thread, it will propagate to all the threads
in an app.

arch_prctl(ARCH_SHSTK_ENABLE, unsigned long features)
    Enable a single feature specified in 'features'. Can only operate on
    one feature at a time.

arch_prctl(ARCH_SHSTK_DISABLE, unsigned long features)
    Disable a single feature specified in 'features'. Can only operate on
    one feature at a time.

arch_prctl(ARCH_SHSTK_LOCK, unsigned long features)
    Lock in features at their current enabled or disabled status. 'features'
    is a mask of all features to lock. All bits set are processed, unset bits
    are ignored. The mask is ORed with the existing value. So any feature bits
    set here cannot be enabled or disabled afterwards.

arch_prctl(ARCH_SHSTK_UNLOCK, unsigned long features)
    Unlock features. 'features' is a mask of all features to unlock. All
    bits set are processed, unset bits are ignored. Only works via ptrace.

arch_prctl(ARCH_SHSTK_STATUS, unsigned long addr)
    Copy the currently enabled features to the address passed in addr. The
    features are described using the bits passed into the others in
    'features'.

The return values are as follows. On success, return 0. On error, errno can
be::

        -EPERM if any of the passed features are locked.
        -ENOTSUPP if the feature is not supported by the hardware or
         kernel.
        -EINVAL arguments (non existing feature, etc)
        -EFAULT if the information could not be copied back to userspace

The feature's bits supported are::

    ARCH_SHSTK_SHSTK - Shadow stack
    ARCH_SHSTK_WRSS  - WRSS

Currently shadow stack and WRSS are supported via this interface. WRSS
can only be enabled with shadow stack, and is automatically disabled
if shadow stack is disabled.

Proc Status
===========
To check if an application is actually running with shadow stack, the
user can read /proc/$PID/status. It will report "wrss" or "shstk"
depending on what is enabled. The lines look like this::

    x86_Thread_features: shstk wrss
    x86_Thread_features_locked: shstk wrss

Implementation of the Shadow Stack
==================================

Shadow Stack Size
-----------------

A task's shadow stack is allocated from memory to a fixed size of
MIN(RLIMIT_STACK, 4 GB). In other words, the shadow stack is allocated to
the maximum size of the normal stack, but capped to 4 GB. In the case
of the clone3 syscall, there is a stack size passed in and shadow stack
uses this instead of the rlimit.

Signal
------

The main program and its signal handlers use the same shadow stack. Because
the shadow stack stores only return addresses, a large shadow stack covers
the condition that both the program stack and the signal alternate stack run
out.

When a signal happens, the old pre-signal state is pushed on the stack. When
shadow stack is enabled, the shadow stack specific state is pushed onto the
shadow stack. Today this is only the old SSP (shadow stack pointer), pushed
in a special format with bit 63 set. On sigreturn this old SSP token is
verified and restored by the kernel. The kernel will also push the normal
restorer address to the shadow stack to help userspace avoid a shadow stack
violation on the sigreturn path that goes through the restorer.

So the shadow stack signal frame format is as follows::

    |1...old SSP| - Pointer to old pre-signal ssp in sigframe token format
                    (bit 63 set to 1)
    |        ...| - Other state may be added in the future


32 bit ABI signals are not supported in shadow stack processes. Linux prevents
32 bit execution while shadow stack is enabled by allocating shadow stacks
outside of the 32 bit address space. When execution enters 32 bit mode, either
via far call or returning to userspace, a #GP is generated by the hardware,
which will be delivered to the process as a segfault. When transitioning to
userspace the register state will be as if the userspace ip being returned to
caused the segfault.

Fork
----

The shadow stack's vma has the VM_SHADOW_STACK flag set; its PTEs are required
to be read-only and dirty. When a shadow stack PTE is not RO and dirty, a
shadow access triggers a page fault with the shadow stack access bit set
in the page fault error code.

When a task forks a child, its shadow stack PTEs are copied and both the
parent's and the child's shadow stack PTEs are cleared of the dirty bit.
Upon the next shadow stack access, the resulting shadow stack page fault
is handled by page copy/re-use.

When a pthread child is created, the kernel allocates a new shadow stack
for the new thread. New shadow stack creation behaves like mmap() with respect
to ASLR behavior. Similarly, on thread exit the thread's shadow stack is
disabled.

Exec
----

On exec, shadow stack features are disabled by the kernel. At which point,
userspace can choose to re-enable, or lock them.
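As an added example that is not part of the kernel documentation, the C helpers below tie together the arch_prctl() section and the Proc Status section above: ``shstk_prctl()`` wraps the raw syscall with the 0 / -errno convention of the error table, and ``parse_thread_features()`` turns the two ``x86_Thread_features`` lines of /proc/$PID/status into ARCH_SHSTK_* masks. The ARCH_SHSTK_STATUS / ARCH_SHSTK_SHSTK / ARCH_SHSTK_WRSS values are repeated from the kernel uapi header rather than taken from this page, and the status text used to exercise the parser is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values from the kernel uapi <asm/prctl.h>, repeated so older headers work. */
#ifndef ARCH_SHSTK_STATUS
#define ARCH_SHSTK_STATUS 0x5005
#define ARCH_SHSTK_SHSTK  (1ULL << 0)
#define ARCH_SHSTK_WRSS   (1ULL << 1)
#endif

/* arch_prctl() wrapper: 0 on success, -errno on failure (as in the error table). */
long shstk_prctl(int op, unsigned long arg)
{
#ifndef SYS_arch_prctl
    return -ENOSYS;                 /* arch_prctl() exists only on x86 */
#else
    return syscall(SYS_arch_prctl, op, arg) < 0 ? -errno : 0;
#endif
}

/* Map the words after "x86_Thread_features[_locked]:" to ARCH_SHSTK_* bits. */
static unsigned long feature_words(const char *p, const char *end)
{
    unsigned long mask = 0;
    for (const char *tok = p; tok < end; tok = p) {
        while (tok < end && (*tok == ' ' || *tok == '\t')) tok++;
        for (p = tok; p < end && *p != ' ' && *p != '\t'; p++) {}
        if (p - tok == 5 && !memcmp(tok, "shstk", 5)) mask |= ARCH_SHSTK_SHSTK;
        if (p - tok == 4 && !memcmp(tok, "wrss", 4))  mask |= ARCH_SHSTK_WRSS;
    }
    return mask;
}

/* Parse /proc/$PID/status text into enabled/locked masks: 0 if both lines were
 * found, -1 if not (kernels without userspace shadow stack support print neither). */
int parse_thread_features(const char *status, unsigned long *enabled, unsigned long *locked)
{
    int found = 0;
    *enabled = *locked = 0;
    for (const char *line = status, *nl = NULL; *line; line = nl ? nl + 1 : "") {
        const char *end = (nl = strchr(line, '\n')) ? nl : line + strlen(line);
        if (!strncmp(line, "x86_Thread_features_locked:", 27)) { *locked = feature_words(line + 27, end); found |= 2; }
        else if (!strncmp(line, "x86_Thread_features:", 20)) { *enabled = feature_words(line + 20, end); found |= 1; }
    }
    return found == 3 ? 0 : -1;
}
```

A loader or test harness can call ``shstk_prctl(ARCH_SHSTK_STATUS, (unsigned long)&features)`` on the current thread and compare the result with what ``parse_thread_features()`` reads from /proc/self/status; a kernel without the interface answers -EINVAL.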