Commit afcf5441 authored by Dan Li's avatar Dan Li Committed by Kees Cook

arm64: Add gcc Shadow Call Stack support

Shadow call stacks will be available in GCC >= 12; this patch makes
the corresponding kernel configuration available when compiling
the kernel with GCC.

Note that the implementation in GCC is slightly different from Clang.
With SCS enabled, functions will only pop x30 once in the epilogue,
like:

   str     x30, [x18], #8
   stp     x29, x30, [sp, #-16]!
   ......
-  ldp     x29, x30, [sp], #16	  //clang
+  ldr     x29, [sp], #16	  //GCC
   ldr     x30, [x18, #-8]!

Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e



Reviewed-by: default avatarNathan Chancellor <nathan@kernel.org>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
Signed-off-by: default avatarDan Li <ashimida@linux.alibaba.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220303074323.86282-1-ashimida@linux.alibaba.com
parent 575d6b77
+10 −9
@@ -599,21 +599,22 @@ config STACKPROTECTOR_STRONG
config ARCH_SUPPORTS_SHADOW_CALL_STACK
	bool
	help
	  An architecture should select this if it supports Clang's Shadow
	  Call Stack and implements runtime support for shadow stack
	  An architecture should select this if it supports the compiler's
	  Shadow Call Stack and implements runtime support for shadow stack
	  switching.

config SHADOW_CALL_STACK
	bool "Clang Shadow Call Stack"
	depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK
	bool "Shadow Call Stack"
	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
	depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
	help
	  This option enables Clang's Shadow Call Stack, which uses a
	  shadow stack to protect function return addresses from being
	  overwritten by an attacker. More information can be found in
	  Clang's documentation:
	  This option enables the compiler's Shadow Call Stack, which
	  uses a shadow stack to protect function return addresses from
	  being overwritten by an attacker. More information can be found
	  in the compiler's documentation:

	    https://clang.llvm.org/docs/ShadowCallStack.html
	  - Clang: https://clang.llvm.org/docs/ShadowCallStack.html
	  - GCC: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options

	  Note that security guarantees in the kernel differ from the
	  ones documented for user space. The kernel must store addresses
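Review bot: With `CC_IS_CLANG` dropped from the `depends on` line of `config SHADOW_CALL_STACK`, nothing in this entry checks that the compiler can emit the instrumentation; the option now relies entirely on whatever gates `ARCH_SUPPORTS_SHADOW_CALL_STACK`, and that select is outside this section. If an architecture selects it without a compiler probe, a GCC older than 12 could presumably be offered the option and then fail at build time, or the hardening could be assumed present when it is not. It is worth confirming that every selecting architecture conditions the select on a probe such as the `CC_HAVE_SHADOW_CALL_STACK` one touched in this commit. A comment above the entry would record that contract, e.g. `# Compiler support must be probed by the architecture before it selects ARCH_SUPPORTS_SHADOW_CALL_STACK.`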
+1 −1
@@ -1239,7 +1239,7 @@ config HW_PERF_EVENTS
config ARCH_HAS_FILTER_PGPROT
	def_bool y

# Supported by clang >= 7.0
# Supported by clang >= 7.0 or GCC >= 12.0.0
config CC_HAVE_SHADOW_CALL_STACK
	def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)

+4 −0
@@ -97,6 +97,10 @@
#define KASAN_ABI_VERSION 4
#endif

#ifdef CONFIG_SHADOW_CALL_STACK
#define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
#endif

#if __has_attribute(__no_sanitize_address__)
#define __no_sanitize_address __attribute__((no_sanitize_address))
#else
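Review bot: `__noscs` is defined only inside `#ifdef CONFIG_SHADOW_CALL_STACK` with no `#else` branch, unlike the `__no_sanitize_address` block right after it, which supplies a fallback. If no shared header provides an empty default (not visible in this section), any function marked `__noscs` stops compiling when the option is off. Since the marker presumably keeps instrumentation out of code that runs before the shadow stack is usable, the dependency deserves a comment here, e.g. `/* Empty fallback for !CONFIG_SHADOW_CALL_STACK is expected from the generic compiler header. */`. The attribute is also used without a `__has_attribute` guard, which is safe only as long as the config option cannot be enabled on a compiler lacking the sanitizer.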