cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

randomize_kstack.h (3839B)


      1/* SPDX-License-Identifier: GPL-2.0-only */
      2#ifndef _LINUX_RANDOMIZE_KSTACK_H
      3#define _LINUX_RANDOMIZE_KSTACK_H
      4
      5#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET
      6#include <linux/kernel.h>
      7#include <linux/jump_label.h>
      8#include <linux/percpu-defs.h>
      9
     10DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
     11			 randomize_kstack_offset);
     12DECLARE_PER_CPU(u32, kstack_offset);
     13
     14/*
     15 * Do not use this anywhere else in the kernel. This is used here because
     16 * it provides an arch-agnostic way to grow the stack with correct
     17 * alignment. Also, since this use is being explicitly masked to a max of
     18 * 10 bits, stack-clash style attacks are unlikely. For more details see
     19 * "VLAs" in Documentation/process/deprecated.rst
     20 *
     21 * The normal __builtin_alloca() is initialized with INIT_STACK_ALL (currently
     22 * only with Clang and not GCC). Initializing the unused area on each syscall
     23 * entry is expensive, and generating an implicit call to memset() may also be
     24 * problematic (such as in noinstr functions). Therefore, if the compiler
     25 * supports it (which it should if it initializes allocas), always use the
     26 * "uninitialized" variant of the builtin.
     27 */
     28#if __has_builtin(__builtin_alloca_uninitialized)
     29#define __kstack_alloca __builtin_alloca_uninitialized
     30#else
     31#define __kstack_alloca __builtin_alloca
     32#endif
     33
     34/*
     35 * Use, at most, 10 bits of entropy. We explicitly cap this to keep the
     36 * "VLA" from being unbounded (see above). 10 bits leaves enough room for
     37 * per-arch offset masks to reduce entropy (by removing higher bits, since
     38 * high entropy may overly constrain usable stack space), and for
     39 * compiler/arch-specific stack alignment to remove the lower bits.
     40 */
     41#define KSTACK_OFFSET_MAX(x)	((x) & 0x3FF)
     42
     43/**
     44 * add_random_kstack_offset - Increase stack utilization by previously
     45 *			      chosen random offset
     46 *
     47 * This should be used in the syscall entry path when interrupts and
     48 * preempt are disabled, and after user registers have been stored to
     49 * the stack. For testing the resulting entropy, please see:
     50 * tools/testing/selftests/lkdtm/stack-entropy.sh
     51 */
     52#define add_random_kstack_offset() do {					\
     53	if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,	\
     54				&randomize_kstack_offset)) {		\
     55		u32 offset = raw_cpu_read(kstack_offset);		\
     56		u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset));	\
     57		/* Keep allocation even after "ptr" loses scope. */	\
     58		asm volatile("" :: "r"(ptr) : "memory");		\
     59	}								\
     60} while (0)
     61
     62/**
     63 * choose_random_kstack_offset - Choose the random offset for the next
     64 *				 add_random_kstack_offset()
     65 *
     66 * This should only be used during syscall exit when interrupts and
     67 * preempt are disabled. This position in the syscall flow is done to
     68 * frustrate attacks from userspace attempting to learn the next offset:
     69 * - Maximize the timing uncertainty visible from userspace: if the
     70 *   offset is chosen at syscall entry, userspace has much more control
     71 *   over the timing between choosing offsets. "How long will we be in
     72 *   kernel mode?" tends to be more difficult to predict than "how long
     73 *   will we be in user mode?"
     74 * - Reduce the lifetime of the new offset sitting in memory during
     75 *   kernel mode execution. Exposure of "thread-local" memory content
     76 *   (e.g. current, percpu, etc) tends to be easier than arbitrary
     77 *   location memory exposure.
     78 */
     79#define choose_random_kstack_offset(rand) do {				\
     80	if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,	\
     81				&randomize_kstack_offset)) {		\
     82		u32 offset = raw_cpu_read(kstack_offset);		\
     83		offset ^= (rand);					\
     84		raw_cpu_write(kstack_offset, offset);			\
     85	}								\
     86} while (0)
     87#else /* CONFIG_RANDOMIZE_KSTACK_OFFSET */
     88#define add_random_kstack_offset()		do { } while (0)
     89#define choose_random_kstack_offset(rand)	do { } while (0)
     90#endif /* CONFIG_RANDOMIZE_KSTACK_OFFSET */
     91
     92#endif