~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/arch/x86/shstk.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/arch/x86/shstk.rst (Version linux-6.12-rc7) and /Documentation/arch/m68k/shstk.rst (Version linux-5.9.16)


  1 .. SPDX-License-Identifier: GPL-2.0               
  2                                                   
  3 ==============================================    
  4 Control-flow Enforcement Technology (CET) Shad    
  5 ==============================================    
  6                                                   
  7 CET Background                                    
  8 ==============                                    
  9                                                   
 10 Control-flow Enforcement Technology (CET) cove    
 11 features that provide protection against contr    
 12 can protect both applications and the kernel.     
 13                                                   
 14 CET introduces shadow stack and indirect branc    
 15 is a secondary stack allocated from memory whi    
 16 applications. When executing a CALL instructio    
 17 return address to both the normal stack and th    
 18 function return, the processor pops the shadow    
 19 to the normal stack copy. If the two differ, t    
 20 control-protection fault. IBT verifies indirec    
 21 as marked by the compiler with 'ENDBR' opcodes    
 22 Stack and Indirect Branch Tracking. Today in t    
 23 shadow stack and kernel IBT are supported.        
 24                                                   
 25 Requirements to use Shadow Stack                  
 26 ================================                  
 27                                                   
 28 To use userspace shadow stack you need HW that    
 29 configured with it and userspace libraries com    
 30                                                   
 31 The kernel Kconfig option is X86_USER_SHADOW_S    
 32 stacks can be disabled at runtime with the ker    
 33                                                   
 34 To build a user shadow stack enabled kernel, B    
 35 are required.                                     
 36                                                   
 37 At run time, /proc/cpuinfo shows CET features     
 38 CET. "user_shstk" means that userspace shadow     
 39 kernel and HW.                                    
 40                                                   
 41 Application Enabling                              
 42 ====================                              
 43                                                   
 44 An application's CET capability is marked in i    
 45 from readelf/llvm-readelf output::                
 46                                                   
 47     readelf -n <application> | grep -a SHSTK      
 48         properties: x86 feature: SHSTK            
 49                                                   
 50 The kernel does not process these applications    
 51 or loaders must enable CET features using the     
 52 Typically this would be done in dynamic loader    
 53 the case in GLIBC.                                
 54                                                   
 55 Enabling arch_prctl()'s                           
 56 =======================                           
 57                                                   
 58 Elf features should be enabled by the loader u    
 59 are only supported in 64 bit user applications    
 60 on a per-thread basis. The enablement status i    
 61 feature is enabled on the first thread, it wil    
 62 in an app.                                        
 63                                                   
 64 arch_prctl(ARCH_SHSTK_ENABLE, unsigned long fe    
 65     Enable a single feature specified in 'feat    
 66     one feature at a time.                        
 67                                                   
 68 arch_prctl(ARCH_SHSTK_DISABLE, unsigned long f    
 69     Disable a single feature specified in 'fea    
 70     one feature at a time.                        
 71                                                   
 72 arch_prctl(ARCH_SHSTK_LOCK, unsigned long feat    
 73     Lock in features at their current enabled     
 74     is a mask of all features to lock. All bit    
 75     are ignored. The mask is ORed with the exi    
 76     set here cannot be enabled or disabled aft    
 77                                                   
 78 arch_prctl(ARCH_SHSTK_UNLOCK, unsigned long fe    
 79     Unlock features. 'features' is a mask of a    
 80     bits set are processed, unset bits are ign    
 81                                                   
 82 arch_prctl(ARCH_SHSTK_STATUS, unsigned long ad    
 83     Copy the currently enabled features to the    
 84     features are described using the bits pass    
 85     'features'.                                   
 86                                                   
 87 The return values are as follows. On success,     
 88 be::                                              
 89                                                   
 90         -EPERM if any of the passed feature ar    
 91         -ENOTSUPP if the feature is not suppor    
 92          kernel.                                  
 93         -EINVAL arguments (non existing featur    
 94         -EFAULT if could not copy information     
 95                                                   
 96 The feature's bits supported are::                
 97                                                   
 98     ARCH_SHSTK_SHSTK - Shadow stack               
 99     ARCH_SHSTK_WRSS  - WRSS                       
100                                                   
101 Currently shadow stack and WRSS are supported     
102 can only be enabled with shadow stack, and is     
103 if shadow stack is disabled.                      
104                                                   
105 Proc Status                                       
106 ===========                                       
107 To check if an application is actually running    
108 user can read the /proc/$PID/status. It will r    
109 depending on what is enabled. The lines look l    
110                                                   
111     x86_Thread_features: shstk wrss               
112     x86_Thread_features_locked: shstk wrss        
113                                                   
114 Implementation of the Shadow Stack                
115 ==================================                
116                                                   
117 Shadow Stack Size                                 
118 -----------------                                 
119                                                   
120 A task's shadow stack is allocated from memory    
121 MIN(RLIMIT_STACK, 4 GB). In other words, the s    
122 the maximum size of the normal stack, but capp    
123 of the clone3 syscall, there is a stack size p    
124 uses this instead of the rlimit.                  
125                                                   
126 Signal                                            
127 ------                                            
128                                                   
129 The main program and its signal handlers use t    
130 the shadow stack stores only return addresses,    
131 the condition that both the program stack and     
132 out.                                              
133                                                   
134 When a signal happens, the old pre-signal stat    
135 shadow stack is enabled, the shadow stack spec    
136 shadow stack. Today this is only the old SSP (    
137 in a special format with bit 63 set. On sigret    
138 verified and restored by the kernel. The kerne    
139 restorer address to the shadow stack to help u    
140 violation on the sigreturn path that goes thro    
141                                                   
142 So the shadow stack signal frame format is as     
143                                                   
144     |1...old SSP| - Pointer to old pre-signal     
145                     (bit 63 set to 1)             
146     |        ...| - Other state may be added i    
147                                                   
148                                                   
149 32 bit ABI signals are not supported in shadow    
150 32 bit execution while shadow stack is enabled    
151 outside of the 32 bit address space. When exec    
152 via far call or returning to userspace, a #GP     
153 which, will be delivered to the process as a s    
154 userspace the register's state will be as if t    
155 caused the segfault.                              
156                                                   
157 Fork                                              
158 ----                                              
159                                                   
160 The shadow stack's vma has VM_SHADOW_STACK fla    
161 to be read-only and dirty. When a shadow stack    
162 shadow access triggers a page fault with the s    
163 in the page fault error code.                     
164                                                   
165 When a task forks a child, its shadow stack PT    
166 parent's and the child's shadow stack PTEs are    
167 Upon the next shadow stack access, the resulti    
168 is handled by page copy/re-use.                   
169                                                   
170 When a pthread child is created, the kernel al    
171 for the new thread. New shadow stack creation     
172 to ASLR behavior. Similarly, on thread exit th    
173 disabled.                                         
174                                                   
175 Exec                                              
176 ----                                              
177                                                   
178 On exec, shadow stack features are disabled by    
179 userspace can choose to re-enable, or lock the    
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php