gcs.rst 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227
  1. ===============================================
  2. Guarded Control Stack support for AArch64 Linux
  3. ===============================================
  4. This document outlines briefly the interface provided to userspace by Linux in
  5. order to support use of the ARM Guarded Control Stack (GCS) feature.
  6. This is an outline of the most important features and issues only and not
  7. intended to be exhaustive.
  8. 1. General
  9. -----------
  10. * GCS is an architecture feature intended to provide greater protection
  11. against return oriented programming (ROP) attacks and to simplify the
  12. implementation of features that need to collect stack traces such as
  13. profiling.
  14. * When GCS is enabled a separate guarded control stack is maintained by the
  15. PE which is writeable only through specific GCS operations. This
  16. stores the call stack only, when a procedure call instruction is
  17. performed the current PC is pushed onto the GCS and on RET the
  18. address in the LR is verified against that on the top of the GCS.
  19. * When active the current GCS pointer is stored in the system register
  20. GCSPR_EL0. This is readable by userspace but can only be updated
  21. via specific GCS instructions.
  22. * The architecture provides instructions for switching between guarded
  23. control stacks with checks to ensure that the new stack is a valid
  24. target for switching.
  25. * The functionality of GCS is similar to that provided by the x86 Shadow
  26. Stack feature, due to sharing of userspace interfaces the ABI refers to
  27. shadow stacks rather than GCS.
  28. * Support for GCS is reported to userspace via HWCAP_GCS in the aux vector
  29. AT_HWCAP entry.
  30. * GCS is enabled per thread. While there is support for disabling GCS
  31. at runtime this should be done with great care.
  32. * GCS memory access faults are reported as normal memory access faults.
  33. * GCS specific errors (those reported with EC 0x2d) will be reported as
  34. SIGSEGV with a si_code of SEGV_CPERR (control protection error).
  35. * GCS is supported only for AArch64.
  36. * On systems where GCS is supported GCSPR_EL0 is always readable by EL0
  37. regardless of the GCS configuration for the thread.
  38. * The architecture supports enabling GCS without verifying that return values
  39. in LR match those in the GCS, the LR will be ignored. This is not supported
  40. by Linux.
  41. 2. Enabling and disabling Guarded Control Stacks
  42. -------------------------------------------------
  43. * GCS is enabled and disabled for a thread via the PR_SET_SHADOW_STACK_STATUS
  44. prctl(), this takes a single flags argument specifying which GCS features
  45. should be used.
  46. * When set PR_SHADOW_STACK_ENABLE flag allocates a Guarded Control Stack
  47. and enables GCS for the thread, enabling the functionality controlled by
  48. GCSCRE0_EL1.{nTR, RVCHKEN, PCRSEL}.
  49. * When set the PR_SHADOW_STACK_PUSH flag enables the functionality controlled
  50. by GCSCRE0_EL1.PUSHMEn, allowing explicit GCS pushes.
  51. * When set the PR_SHADOW_STACK_WRITE flag enables the functionality controlled
  52. by GCSCRE0_EL1.STREn, allowing explicit stores to the Guarded Control Stack.
  53. * Any unknown flags will cause PR_SET_SHADOW_STACK_STATUS to return -EINVAL.
  54. * PR_LOCK_SHADOW_STACK_STATUS is passed a bitmask of features with the same
  55. values as used for PR_SET_SHADOW_STACK_STATUS. Any future changes to the
  56. status of the specified GCS mode bits will be rejected.
  57. * PR_LOCK_SHADOW_STACK_STATUS allows any bit to be locked, this allows
  58. userspace to prevent changes to any future features.
  59. * There is no support for a process to remove a lock that has been set for
  60. it.
  61. * PR_SET_SHADOW_STACK_STATUS and PR_LOCK_SHADOW_STACK_STATUS affect only the
  62. thread that called them, any other running threads will be unaffected.
  63. * New threads inherit the GCS configuration of the thread that created them.
  64. * GCS is disabled on exec().
  65. * The current GCS configuration for a thread may be read with the
  66. PR_GET_SHADOW_STACK_STATUS prctl(), this returns the same flags that
  67. are passed to PR_SET_SHADOW_STACK_STATUS.
  68. * If GCS is disabled for a thread after having previously been enabled then
  69. the stack will remain allocated for the lifetime of the thread. At present
  70. any attempt to reenable GCS for the thread will be rejected, this may be
  71. revisited in future.
  72. * It should be noted that since enabling GCS will result in GCS becoming
  73. active immediately it is not normally possible to return from the function
  74. that invoked the prctl() that enabled GCS. It is expected that the normal
  75. usage will be that GCS is enabled very early in execution of a program.
  76. 3. Allocation of Guarded Control Stacks
  77. ----------------------------------------
  78. * When GCS is enabled for a thread a new Guarded Control Stack will be
  79. allocated for it of half the standard stack size or 2 gigabytes,
  80. whichever is smaller.
  81. * When a new thread is created by a thread which has GCS enabled then a
  82. new Guarded Control Stack will be allocated for the new thread with
  83. half the size of the standard stack.
  84. * When a stack is allocated by enabling GCS or during thread creation then
  85. the top 8 bytes of the stack will be initialised to 0 and GCSPR_EL0 will
  86. be set to point to the address of this 0 value, this can be used to
  87. detect the top of the stack.
  88. * Additional Guarded Control Stacks can be allocated using the
  89. map_shadow_stack() system call.
  90. * Stacks allocated using map_shadow_stack() can optionally have an end of
  91. stack marker and cap placed at the top of the stack. If the flag
  92. SHADOW_STACK_SET_TOKEN is specified a cap will be placed on the stack,
  93. if SHADOW_STACK_SET_MARKER is not specified the cap will be the top 8
  94. bytes of the stack and if it is specified then the cap will be the next
  95. 8 bytes. While specifying just SHADOW_STACK_SET_MARKER by itself is
  96. valid since the marker is all bits 0 it has no observable effect.
  97. * Stacks allocated using map_shadow_stack() must have a size which is a
  98. multiple of 8 bytes larger than 8 bytes and must be 8 bytes aligned.
  99. * An address can be specified to map_shadow_stack(), if one is provided then
  100. it must be aligned to a page boundary.
  101. * When a thread is freed the Guarded Control Stack initially allocated for
  102. that thread will be freed. Note carefully that if the stack has been
  103. switched this may not be the stack currently in use by the thread.
  104. 4. Signal handling
  105. --------------------
  106. * A new signal frame record gcs_context encodes the current GCS mode and
  107. pointer for the interrupted context on signal delivery. This will always
  108. be present on systems that support GCS.
  109. * The record contains a flag field which reports the current GCS configuration
  110. for the interrupted context as PR_GET_SHADOW_STACK_STATUS would.
  111. * The signal handler is run with the same GCS configuration as the interrupted
  112. context.
  113. * When GCS is enabled for the interrupted thread a signal handling specific
  114. GCS cap token will be written to the GCS, this is an architectural GCS cap
  115. with the token type (bits 0..11) all clear. The GCSPR_EL0 reported in the
  116. signal frame will point to this cap token.
  117. * The signal handler will use the same GCS as the interrupted context.
  118. * When GCS is enabled on signal entry a frame with the address of the signal
  119. return handler will be pushed onto the GCS, allowing return from the signal
  120. handler via RET as normal. This will not be reported in the gcs_context in
  121. the signal frame.
  122. 5. Signal return
  123. -----------------
  124. When returning from a signal handler:
  125. * If there is a gcs_context record in the signal frame then the GCS flags
  126. and GCSPR_EL0 will be restored from that context prior to further
  127. validation.
  128. * If there is no gcs_context record in the signal frame then the GCS
  129. configuration will be unchanged.
  130. * If GCS is enabled on return from a signal handler then GCSPR_EL0 must
  131. point to a valid GCS signal cap record, this will be popped from the
  132. GCS prior to signal return.
  133. * If the GCS configuration is locked when returning from a signal then any
  134. attempt to change the GCS configuration will be treated as an error. This
  135. is true even if GCS was not enabled prior to signal entry.
  136. * GCS may be disabled via signal return but any attempt to enable GCS via
  137. signal return will be rejected.
  138. 6. ptrace extensions
  139. ---------------------
  140. * A new regset NT_ARM_GCS is defined for use with PTRACE_GETREGSET and
  141. PTRACE_SETREGSET.
  142. * The GCS mode, including enable and disable, may be configured via ptrace.
  143. If GCS is enabled via ptrace no new GCS will be allocated for the thread.
  144. * Configuration via ptrace ignores locking of GCS mode bits.
  145. 7. ELF coredump extensions
  146. ---------------------------
  147. * NT_ARM_GCS notes will be added to each coredump for each thread of the
  148. dumped process. The contents will be equivalent to the data that would
  149. have been read if a PTRACE_GETREGSET of the corresponding type were
  150. executed for each thread when the coredump was generated.
  151. 8. /proc extensions
  152. --------------------
  153. * Guarded Control Stack pages will include "ss" in their VmFlags in
  154. /proc/<pid>/smaps.