Commit afcf5441 authored by Dan Li, committed by Kees Cook

arm64: Add gcc Shadow Call Stack support

Shadow call stacks will be available in GCC >= 12; this patch makes
the corresponding kernel configuration available when compiling
the kernel with GCC.

Note that the implementation in GCC is slightly different from Clang.
With SCS enabled, functions will only pop x30 once in the epilogue,
like:

   str     x30, [x18], #8
   stp     x29, x30, [sp, #-16]!
   ......
-  ldp     x29, x30, [sp], #16	  //clang
+  ldr     x29, [sp], #16	  //GCC
   ldr     x30, [x18, #-8]!

Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ce09ab17ddd21f73ff2caf6eec3b0ee9b0e1a11e
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220303074323.86282-1-ashimida@linux.alibaba.com
parent 575d6b77
...@@ -599,21 +599,22 @@ config STACKPROTECTOR_STRONG ...@@ -599,21 +599,22 @@ config STACKPROTECTOR_STRONG
config ARCH_SUPPORTS_SHADOW_CALL_STACK config ARCH_SUPPORTS_SHADOW_CALL_STACK
bool bool
help help
An architecture should select this if it supports Clang's Shadow An architecture should select this if it supports the compiler's
Call Stack and implements runtime support for shadow stack Shadow Call Stack and implements runtime support for shadow stack
switching. switching.
config SHADOW_CALL_STACK config SHADOW_CALL_STACK
bool "Clang Shadow Call Stack" bool "Shadow Call Stack"
depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
help help
This option enables Clang's Shadow Call Stack, which uses a This option enables the compiler's Shadow Call Stack, which
shadow stack to protect function return addresses from being uses a shadow stack to protect function return addresses from
overwritten by an attacker. More information can be found in being overwritten by an attacker. More information can be found
Clang's documentation: in the compiler's documentation:
https://clang.llvm.org/docs/ShadowCallStack.html - Clang: https://clang.llvm.org/docs/ShadowCallStack.html
- GCC: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options
Note that security guarantees in the kernel differ from the Note that security guarantees in the kernel differ from the
ones documented for user space. The kernel must store addresses ones documented for user space. The kernel must store addresses
......
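Review bot: with "depends on CC_IS_CLANG" removed from SHADOW_CALL_STACK, the symbol no longer carries any compiler check of its own and becomes selectable whenever an architecture sets ARCH_SUPPORTS_SHADOW_CALL_STACK. The ARCH_SUPPORTS_SHADOW_CALL_STACK help text should state that the arch's select has to be conditional on a compiler probe (CC_HAVE_SHADOW_CALL_STACK from the arm64 hunk is the obvious candidate), so that an architecture selecting it unconditionally cannot offer the option with a compiler that lacks -fsanitize=shadow-call-stack. As a smaller point, the GCC URL in the new help text lands on the general Instrumentation-Options page; naming the flag next to the link would save the reader a search.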
...@@ -1239,7 +1239,7 @@ config HW_PERF_EVENTS ...@@ -1239,7 +1239,7 @@ config HW_PERF_EVENTS
config ARCH_HAS_FILTER_PGPROT config ARCH_HAS_FILTER_PGPROT
def_bool y def_bool y
# Supported by clang >= 7.0 # Supported by clang >= 7.0 or GCC >= 12.0.0
config CC_HAVE_SHADOW_CALL_STACK config CC_HAVE_SHADOW_CALL_STACK
def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18) def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18)
......
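Review bot: the updated comment above CC_HAVE_SHADOW_CALL_STACK mixes version styles and capitalisation ("clang >= 7.0" beside "GCC >= 12.0.0"); "Clang >= 7.0 or GCC >= 12" would match the wording of the commit message. The comment is informational only, since the def_bool is decided by the cc-option probe, and that probe checks that -fsanitize=shadow-call-stack -ffixed-x18 is accepted, not which epilogue the compiler emits. Given that the commit message calls out a codegen difference between the two compilers, a sentence here or in the SHADOW_CALL_STACK help text saying whether the runtime cares about it would be worth adding.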
...@@ -97,6 +97,10 @@ ...@@ -97,6 +97,10 @@
#define KASAN_ABI_VERSION 4 #define KASAN_ABI_VERSION 4
#endif #endif
#ifdef CONFIG_SHADOW_CALL_STACK
#define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
#endif
#if __has_attribute(__no_sanitize_address__) #if __has_attribute(__no_sanitize_address__)
#define __no_sanitize_address __attribute__((no_sanitize_address)) #define __no_sanitize_address __attribute__((no_sanitize_address))
#else #else
......
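Review bot: the new __noscs block has no #else branch, unlike the __no_sanitize_address block directly below it, so with CONFIG_SHADOW_CALL_STACK unset this header leaves __noscs undefined. Either add an empty fallback here or add a comment naming the header that supplies one. The guard is also the Kconfig symbol rather than a compiler feature test such as the __has_attribute(...) check used below; a one-line comment explaining that choice would help the next reader.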