x86/shstk: Add Kconfig option for shadow stack

Shadow stack provides protection for applications against function return
address corruption. It is active when the processor supports it, the
kernel has CONFIG_X86_SHADOW_STACK enabled, and the application is built
for the feature. This is only implemented for the 64-bit kernel. When it
is enabled, legacy non-shadow stack applications continue to work, but
without protection.

Since there is another feature that utilizes CET (Kernel IBT) that will
share implementation with shadow stacks, create CONFIG_CET to signify
that at least one CET feature is configured.

Co-developed-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Tested-by: John Allen <john.allen@amd.com>
Tested-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/all/20230613001108.3040476-7-rick.p.edgecombe%40intel.com

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 7422db4097701c96710ce67054a9f0c7edc6ec1b..e860f805199fdfdaa09608375921895152acf48b 100644 (file)
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1849,6 +1849,11 @@ config CC_HAS_IBT
                  (CC_IS_CLANG && CLANG_VERSION >= 140000)) && \
                  $(as-instr,endbr64)
 
+config X86_CET
+       def_bool n
+       help
+         CET features configured (Shadow stack or IBT)
+
 config X86_KERNEL_IBT
        prompt "Indirect Branch Tracking"
        def_bool y
@@ -1856,6 +1861,7 @@ config X86_KERNEL_IBT
        # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
        depends on !LD_IS_LLD || LLD_VERSION >= 140000
        select OBJTOOL
+       select X86_CET
        help
          Build the kernel with support for Indirect Branch Tracking, a
          hardware support course-grain forward-edge Control Flow Integrity
@@ -1949,6 +1955,24 @@ config X86_SGX
 
          If unsure, say N.
 
+config X86_USER_SHADOW_STACK
+       bool "X86 userspace shadow stack"
+       depends on AS_WRUSS
+       depends on X86_64
+       select ARCH_USES_HIGH_VMA_FLAGS
+       select X86_CET
+       help
+         Shadow stack protection is a hardware feature that detects function
+         return address corruption.  This helps mitigate ROP attacks.
+         Applications must be enabled to use it, and old userspace does not
+         get protection "for free".
+
+         CPUs supporting shadow stacks were first released in 2020.
+
+         See Documentation/x86/shstk.rst for more information.
+
+         If unsure, say N.
+
 config EFI
        bool "EFI runtime service support"
        depends on ACPI

diff --git a/arch/x86/Kconfig.assembler b/arch/x86/Kconfig.assembler
index b88f784cb02ef0b41890973ded251c6a1caa554a..8ad41da301e53caf650460c2aceccac37f97400c 100644 (file)
--- a/arch/x86/Kconfig.assembler
+++ b/arch/x86/Kconfig.assembler
@@ -24,3 +24,8 @@ config AS_GFNI
        def_bool $(as-instr,vgf2p8mulb %xmm0$(comma)%xmm1$(comma)%xmm2)
        help
          Supported by binutils >= 2.30 and LLVM integrated assembler
+
+config AS_WRUSS
+       def_bool $(as-instr,wrussq %rax$(comma)(%rbx))
+       help
+         Supported by binutils >= 2.31 and LLVM integrated assembler