Re: [PATCH v5 05/27] Documentation/x86: Add CET description
From: Borislav Petkov <bp@alien8.de>
Date: 2018-11-13 18:43:52
Also in:
linux-api, linux-arch, linux-doc, lkml
On Thu, Oct 11, 2018 at 08:15:01AM -0700, Yu-cheng Yu wrote:
Explain how CET works and the no_cet_shstk/no_cet_ibt kernel parameters. Signed-off-by: Yu-cheng Yu <redacted> --- .../admin-guide/kernel-parameters.txt | 6 + Documentation/index.rst | 1 + Documentation/x86/index.rst | 11 + Documentation/x86/intel_cet.rst | 266 ++++++++++++++++++ 4 files changed, 284 insertions(+) create mode 100644 Documentation/x86/index.rst create mode 100644 Documentation/x86/intel_cet.rst
So this patch should probably come first in the series so that a reader can know what to expect...
quoted hunk ↗ jump to hunk
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 92eb1f42240d..3854423f7c86 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt@@ -2764,6 +2764,12 @@ noexec=on: enable non-executable mappings (default) noexec=off: disable non-executable mappings + no_cet_ibt [X86-64] Disable indirect branch tracking for user-mode + applications + + no_cet_shstk [X86-64] Disable shadow stack support for user-mode + applications + nosmap [X86] Disable SMAP (Supervisor Mode Access Prevention) even if it is supported by processor.diff --git a/Documentation/index.rst b/Documentation/index.rst index 5db7e87c7cb1..1cdc139adb40 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst
Please integrate scripts/checkpatch.pl into your patch creation workflow. Some of the warnings/errors *actually* make sense: WARNING: Missing or malformed SPDX-License-Identifier tag in line 1 #76: FILE: Documentation/x86/index.rst:1: +======================= WARNING: Missing or malformed SPDX-License-Identifier tag in line 1 #93: FILE: Documentation/x86/intel_cet.rst:1: +=========================================
quoted hunk ↗ jump to hunk
@@ -104,6 +104,7 @@ implementation. :maxdepth: 2 sh/index + x86/index Filesystem Documentation ------------------------diff --git a/Documentation/x86/index.rst b/Documentation/x86/index.rst new file mode 100644 index 000000000000..9c34d8cbc8f0 --- /dev/null +++ b/Documentation/x86/index.rst@@ -0,0 +1,11 @@ +======================= +X86 Documentation +======================= + +Control Flow Enforcement +======================== + +.. toctree:: + :maxdepth: 1 + + intel_cetdiff --git a/Documentation/x86/intel_cet.rst b/Documentation/x86/intel_cet.rst new file mode 100644 index 000000000000..946f4802a51f --- /dev/null +++ b/Documentation/x86/intel_cet.rst@@ -0,0 +1,266 @@ +========================================= +Control Flow Enforcement Technology (CET) +========================================= + +[1] Overview +============ + +Control Flow Enforcement Technology (CET) provides protection against +return/jump-oriented programming (ROP) attacks. It can be implemented +to protect both the kernel and applications. In the first phase, +only the user-mode protection is implemented on the 64-bit kernel.
s/the// is implemented in 64-bit mode.
+However, 32-bit applications are supported under the compatibility +mode.
Drop "However": "32-bit applications are, of course, supported in compatibility mode."
+ +CET includes shadow stack (SHSTK) and indirect branch tracking (IBT).
"CET introduces two a shadow stack and an indirect branch tracking mechanism."
+The SHSTK is a secondary stack allocated from memory. The processor
s/The//
+automatically pushes/pops a secure copy to the SHSTK every return +address and,
that reads funny - pls reorganize. Also, what is a "secure copy"? You mean a copy of every return address which software cannot access?
by comparing the secure copy to the program stack copy, +verifies function returns are as intended.
... have not been corrupted/modified."
The IBT verifies all +indirect CALL/JMP targets are intended and marked by the compiler with +'ENDBR' op codes.
"opcode" - one word. And before you use "ENDBR" you need to explain it above what it is. /me reads further... encounters ENDBR's definition... ah, ok, so you should say something like "... and marked by the compiler with the ENDBR opcode (see below)."
+ +There are two kernel configuration options: + + INTEL_X86_SHADOW_STACK_USER, and + INTEL_X86_BRANCH_TRACKING_USER. + +To build a CET-enabled kernel, Binutils v2.31 and GCC v8.1 or later +are required. To build a CET-enabled application, GLIBC v2.28 or +later is also required. + +There are two command-line options for disabling CET features: + + no_cet_shstk - disables SHSTK, and + no_cet_ibt - disables IBT. + +At run time, /proc/cpuinfo shows the availability of SHSTK and IBT.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.