On Tue, 01 Oct 2024 23:58:39 +0100, Mark Brown wrote:
The arm64 Guarded Control Stack (GCS) feature provides support for hardware protected stacks of return addresses, intended to provide hardening against return oriented programming (ROP) attacks and to make it easier to gather call stacks for applications such as profiling.
When GCS is active a secondary stack called the Guarded Control Stack is maintained, protected with a memory attribute which means that it can only be written with specific GCS operations. The current GCS pointer can not be directly written to by userspace. When a BL is executed the value stored in LR is also pushed onto the GCS, and when a RET is executed the top of the GCS is popped and compared to LR with a fault being raised if the values do not match. GCS operations may only be performed on GCS pages, a data abort is generated if they are not.
[...]
I applied most of the series to arm64 (for-next/gcs), apart from two KVM patches - 16 and 40 (the latter is the kselftest). I usually start picking patches at -rc3 but the glibc folk are waiting for these patches to at least end up in a maintainer's branch. Of course, these patches are subject to change until the final 6.13 release.
The KVM patches can go on top once agreed (or they can go in via the KVM tree, I don't mind either way).
Thanks!
[01/40] mm: Introduce ARCH_HAS_USER_SHADOW_STACK https://git.kernel.org/arm64/c/bcc9d04e749a [02/40] mm: Define VM_HIGH_ARCH_6 https://git.kernel.org/arm64/c/9ab515b18f84 [03/40] arm64/mm: Restructure arch_validate_flags() for extensibility https://git.kernel.org/arm64/c/f645e888b1a6 [04/40] prctl: arch-agnostic prctl for shadow stack https://git.kernel.org/arm64/c/91e102e79740 [05/40] mman: Add map_shadow_stack() flags https://git.kernel.org/arm64/c/3630e82ab6bd [06/40] arm64: Document boot requirements for Guarded Control Stacks https://git.kernel.org/arm64/c/830ae8a39685 [07/40] arm64/gcs: Document the ABI for Guarded Control Stacks https://git.kernel.org/arm64/c/7058bf87cd59 [08/40] arm64/sysreg: Add definitions for architected GCS caps https://git.kernel.org/arm64/c/ce0641d48ddd [09/40] arm64/gcs: Add manual encodings of GCS instructions https://git.kernel.org/arm64/c/dad947cc22cf [10/40] arm64/gcs: Provide put_user_gcs() https://git.kernel.org/arm64/c/d0aa2b435186 [11/40] arm64/gcs: Provide basic EL2 setup to allow GCS usage at EL0 and EL1 https://git.kernel.org/arm64/c/ff5181d8a2a8 [12/40] arm64/cpufeature: Runtime detection of Guarded Control Stack (GCS) https://git.kernel.org/arm64/c/6487c963083c [13/40] arm64/mm: Allocate PIE slots for EL0 guarded control stack https://git.kernel.org/arm64/c/092055f1508c [14/40] mm: Define VM_SHADOW_STACK for arm64 when we support GCS https://git.kernel.org/arm64/c/ae80e1629aea [15/40] arm64/mm: Map pages for guarded control stack https://git.kernel.org/arm64/c/6497b66ba694 [17/40] arm64/idreg: Add overrride for GCS https://git.kernel.org/arm64/c/a94452112ce4 [18/40] arm64/hwcap: Add hwcap for GCS https://git.kernel.org/arm64/c/eefc98711f84 [19/40] arm64/traps: Handle GCS exceptions https://git.kernel.org/arm64/c/8ce71d270536 [20/40] arm64/mm: Handle GCS data aborts https://git.kernel.org/arm64/c/cfad706e8f6d [21/40] arm64/gcs: Context switch GCS state for EL0 https://git.kernel.org/arm64/c/fc84bc5378a8 [22/40] arm64/gcs: Ensure that new threads have a GCS https://git.kernel.org/arm64/c/506496bcbb42 [23/40] arm64/gcs: Implement shadow stack prctl() interface https://git.kernel.org/arm64/c/b57180c75c7e [24/40] arm64/mm: Implement map_shadow_stack() https://git.kernel.org/arm64/c/8f3e750673b2 [25/40] arm64/signal: Set up and restore the GCS context for signal handlers https://git.kernel.org/arm64/c/eaf62ce1563b [26/40] arm64/signal: Expose GCS state in signal frames https://git.kernel.org/arm64/c/16f47bb9ac8a [27/40] arm64/ptrace: Expose GCS via ptrace and core files https://git.kernel.org/arm64/c/7ec3b57cb29f [28/40] arm64: Add Kconfig for Guarded Control Stack (GCS) https://git.kernel.org/arm64/c/5d8b172e7005 [29/40] kselftest/arm64: Verify the GCS hwcap https://git.kernel.org/arm64/c/7a2f671db61f [30/40] kselftest/arm64: Add GCS as a detected feature in the signal tests https://git.kernel.org/arm64/c/b2d2f11ff5d6 [31/40] kselftest/arm64: Add framework support for GCS to signal handling tests https://git.kernel.org/arm64/c/0d426f7dd9a0 [32/40] kselftest/arm64: Allow signals tests to specify an expected si_code https://git.kernel.org/arm64/c/956573ac1890 [33/40] kselftest/arm64: Always run signals tests with GCS enabled https://git.kernel.org/arm64/c/42155a8eb0f6 [34/40] kselftest/arm64: Add very basic GCS test program https://git.kernel.org/arm64/c/3d37d4307e0f [35/40] kselftest/arm64: Add a GCS test program built with the system libc https://git.kernel.org/arm64/c/a505a52b4e29 [36/40] kselftest/arm64: Add test coverage for GCS mode locking https://git.kernel.org/arm64/c/58d69a3e3582 [37/40] kselftest/arm64: Add GCS signal tests https://git.kernel.org/arm64/c/794b64ca5665 [38/40] kselftest/arm64: Add a GCS stress test https://git.kernel.org/arm64/c/05e6cfff58c4 [39/40] kselftest/arm64: Enable GCS for the FP stress tests https://git.kernel.org/arm64/c/bb9ae1a66c85