Commit 680ed2f1 authored by Mike Rapoport's avatar Mike Rapoport Committed by Dave Hansen
Browse files

x86/shstk: Add ARCH_SHSTK_UNLOCK 



Userspace loaders may lock features before a CRIU restore operation has
the chance to set them to whatever state is required by the process
being restored. Allow a way for CRIU to unlock features. Add it as an
arch_prctl() like the other shadow stack operations, but restrict it being
called by the ptrace arch_pctl() interface.

[Merged into recent API changes, added commit log and docs]

Signed-off-by: default avatarMike Rapoport <rppt@linux.ibm.com>
Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
Tested-by: default avatarPengfei Xu <pengfei.xu@intel.com>
Tested-by: default avatarJohn Allen <john.allen@amd.com>
Tested-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/all/20230613001108.3040476-42-rick.p.edgecombe%40intel.com
parent 2fab02b2

Documentation/arch/x86/shstk.rst

+4 −0
Original line number Diff line number Diff line
@@ -75,6 +75,10 @@ arch_prctl(ARCH_SHSTK_LOCK, unsigned long features) 
    are ignored. The mask is ORed with the existing value. So any feature bits

    set here cannot be enabled or disabled afterwards.



arch_prctl(ARCH_SHSTK_UNLOCK, unsigned long features)

    Unlock features. 'features' is a mask of all features to unlock. All

    bits set are processed, unset bits are ignored. Only works via ptrace.



The return values are as follows. On success, return 0. On error, errno can

be::

arch/x86/include/uapi/asm/prctl.h

+1 −0
Original line number Diff line number Diff line
@@ -33,6 +33,7 @@ 
#define ARCH_SHSTK_ENABLE		0x5001

#define ARCH_SHSTK_DISABLE		0x5002

#define ARCH_SHSTK_LOCK			0x5003

#define ARCH_SHSTK_UNLOCK		0x5004



/* ARCH_SHSTK_ features bits */

#define ARCH_SHSTK_SHSTK		(1ULL <<  0)

arch/x86/kernel/process_64.c

+1 −0
Original line number Diff line number Diff line
@@ -899,6 +899,7 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) 
	case ARCH_SHSTK_ENABLE:

	case ARCH_SHSTK_DISABLE:

	case ARCH_SHSTK_LOCK:

	case ARCH_SHSTK_UNLOCK:

		return shstk_prctl(task, option, arg2);

	default:

		ret = -EINVAL;

arch/x86/kernel/shstk.c

+7 −2
Original line number Diff line number Diff line
@@ -489,9 +489,14 @@ long shstk_prctl(struct task_struct *task, int option, unsigned long features) 
		return 0;

	}



	/* Don't allow via ptrace */

	if (task != current)

	/* Only allow via ptrace */

	if (task != current) {

		if (option == ARCH_SHSTK_UNLOCK && IS_ENABLED(CONFIG_CHECKPOINT_RESTORE)) {

			task->thread.features_locked &= ~features;

			return 0;

		}

		return -EINVAL;

	}



	/* Do not allow to change locked features */

	if (features & task->thread.features_locked)