From nobody Tue Nov 30 13:30:40 2021
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BBFAF18A811E
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Tue, 30 Nov 2021 13:30:51 +0000 (UTC)
	(envelope-from jrtc27@jrtc27.com)
Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4J3NQM1VsMz3psS
	for <dev-commits-src-all@freebsd.org>; Tue, 30 Nov 2021 13:30:51 +0000 (UTC)
	(envelope-from jrtc27@jrtc27.com)
Received: by mail-wm1-f41.google.com with SMTP id p3-20020a05600c1d8300b003334fab53afso19527862wms.3
        for <dev-commits-src-all@freebsd.org>; Tue, 30 Nov 2021 05:30:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=Vrs3UU+puIu7RYtm2wNo5vR+q0jtPuQBdozZ+R4FvRc=;
        b=Fxu9FXhaFBatnligcNEGO9fNfE0wqkmPvEGL9/u+olymicXy0RvpNC1bN6058DbcsU
         QLeJN5OH7ijtCF0mRsefqGvRHVyHHo4YSkL8juJmGZ9+gssbfsHzlL3vtOGdWQbXx1xt
         xgjlUZ4KV1NgRrQwD36JgTQfCEVw5BLTySDkaZazs2+gjNjhKaKiiKPKaPXVYDUeozMj
         zZ/Gnl1bITFWSy+jvyzH4ezD146JFziyUDbhiADkLpZI44Qj5RUVYxt0PWbCHX6v9YOO
         Ps8pF6guXWuZA2arAE8i5vWOU+20YEemVJxQqpRBNiJ6+Wl0ZawnQVVPc4UhJsjDiU9M
         gNkQ==
X-Gm-Message-State: AOAM533aSwlFEoDo3UAvz+vtqceCAU2sDKhwqMOO1/NWRCkX3zC3ALwb
	KSRrbZIrOiFSIqUXW+hXZPFb9A==
X-Google-Smtp-Source: ABdhPJx/79ZFhfKMd0q5XwGi8909WNUHMDxcYMypno/Xbb03PE0OOvUoVJNtL6TzEAZJIuyKmSRHCw==
X-Received: by 2002:a05:600c:19cc:: with SMTP id u12mr5116937wmq.24.1638279043360;
        Tue, 30 Nov 2021 05:30:43 -0800 (PST)
Received: from smtpclient.apple (global-5-141.nat-2.net.cam.ac.uk. [131.111.5.141])
        by smtp.gmail.com with ESMTPSA id q8sm16277783wrx.71.2021.11.30.05.30.42
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 30 Nov 2021 05:30:43 -0800 (PST)
Content-Type: text/plain;
	charset=utf-8
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Subject: Re: git: ae92ace05fd4 - main - Per-thread stack canary on arm64
From: Jessica Clarke <jrtc27@freebsd.org>
In-Reply-To: <202111261451.1AQEpJ7Y040922@gitrepo.freebsd.org>
Date: Tue, 30 Nov 2021 13:30:40 +0000
Cc: "src-committers@freebsd.org" <src-committers@FreeBSD.org>,
 "dev-commits-src-all@freebsd.org" <dev-commits-src-all@FreeBSD.org>,
 "dev-commits-src-main@freebsd.org" <dev-commits-src-main@FreeBSD.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F680BF76-857F-4676-857E-DB0186828DA0@freebsd.org>
References: <202111261451.1AQEpJ7Y040922@gitrepo.freebsd.org>
To: Andrew Turner <andrew@FreeBSD.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-Rspamd-Queue-Id: 4J3NQM1VsMz3psS
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of jrtc27@jrtc27.com designates 209.85.128.41 as permitted sender) smtp.mailfrom=jrtc27@jrtc27.com
X-Spamd-Result: default: False [-0.50 / 15.00];
	 TO_DN_EQ_ADDR_SOME(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 TO_DN_SOME(0.00)[];
	 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c];
	 MV_CASE(0.50)[];
	 RCVD_COUNT_THREE(0.00)[3];
	 NEURAL_HAM_SHORT(-1.00)[-1.000];
	 FORGED_SENDER(0.30)[jrtc27@freebsd.org,jrtc27@jrtc27.com];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	 MID_RHS_MATCH_FROM(0.00)[];
	 FROM_NEQ_ENVFROM(0.00)[jrtc27@freebsd.org,jrtc27@jrtc27.com];
	 ARC_NA(0.00)[];
	 FREEFALL_USER(0.00)[jrtc27];
	 FROM_HAS_DN(0.00)[];
	 RCPT_COUNT_THREE(0.00)[4];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 MIME_GOOD(-0.10)[text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[dev-commits-src-all@freebsd.org];
	 DMARC_NA(0.00)[freebsd.org];
	 NEURAL_SPAM_MEDIUM(1.00)[0.999];
	 TO_MATCH_ENVRCPT_SOME(0.00)[];
	 RCVD_IN_DNSWL_NONE(0.00)[209.85.128.41:from];
	 RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.128.41:from];
	 RCVD_TLS_ALL(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N

On 26 Nov 2021, at 14:51, Andrew Turner <andrew@FreeBSD.org> wrote:
>=20
> The branch main has been updated by andrew:
>=20
> URL: =
https://cgit.FreeBSD.org/src/commit/?id=3Dae92ace05fd4fcf64e3bb787951578f6=
55b1fa5f
>=20
> commit ae92ace05fd4fcf64e3bb787951578f655b1fa5f
> Author:     Andrew Turner <andrew@FreeBSD.org>
> AuthorDate: 2021-11-22 15:20:51 +0000
> Commit:     Andrew Turner <andrew@FreeBSD.org>
> CommitDate: 2021-11-26 14:44:00 +0000
>=20
>    Per-thread stack canary on arm64
>=20
>    With the update to llvm 13 we are able to tell the compiler it can =
find
>    the SSP canary relative to the register that holds the userspace =
stack
>    pointer. As this is unused in most of the kernel it can be used =
here
>    to point to a per-thread SSP canary.
>=20
>    As the kernel could be built with an old toolchain, e.g. when =
upgrading
>    from 13, add a warning that the options was enabled but the =
compiler
>    doesn't support it to both the build and kernel boot.
>=20
>    Discussed with: emaste
>    Sponsored by:   The FreeBSD Foundation
>    Differential Revision: https://reviews.freebsd.org/D33079
> ---
> sys/arm64/arm64/exception.S  |  7 +++++++
> sys/arm64/arm64/genassym.c   |  1 +
> sys/arm64/arm64/locore.S     | 14 ++++++++++++++
> sys/arm64/arm64/machdep.c    | 22 ++++++++++++++++++++++
> sys/arm64/arm64/pmap.c       |  4 ++++
> sys/arm64/arm64/vm_machdep.c | 10 ++++++++++
> sys/arm64/conf/std.arm64     |  1 +
> sys/arm64/include/proc.h     |  1 +
> sys/conf/Makefile.arm64      | 14 ++++++++++++++
> sys/conf/options.arm64       |  4 ++++
> 10 files changed, 78 insertions(+)
>=20
> diff --git a/sys/arm64/arm64/exception.S b/sys/arm64/arm64/exception.S
> index 22f6b7ce6145..d81bbce0efc7 100644
> --- a/sys/arm64/arm64/exception.S
> +++ b/sys/arm64/arm64/exception.S
> @@ -66,6 +66,13 @@ __FBSDID("$FreeBSD$");
> 	mrs	x18, tpidr_el1
> 	add	x29, sp, #(TF_SIZE)
> .if \el =3D=3D 0
> +#if defined(PERTHREAD_SSP)
> +	/* Load the SSP canary to sp_el0 */
> +	ldr	x1, [x18, #(PC_CURTHREAD)]
> +	add	x1, x1, #(TD_MD_CANARY)
> +	msr	sp_el0, x1
> +#endif
> +
> 	/* Apply the SSBD (CVE-2018-3639) workaround if needed */
> 	ldr	x1, [x18, #PC_SSBD]
> 	cbz	x1, 1f
> diff --git a/sys/arm64/arm64/genassym.c b/sys/arm64/arm64/genassym.c
> index 1575a0158dec..8e3ddc48317b 100644
> --- a/sys/arm64/arm64/genassym.c
> +++ b/sys/arm64/arm64/genassym.c
> @@ -73,6 +73,7 @@ ASSYM(TD_PCB, offsetof(struct thread, td_pcb));
> ASSYM(TD_FLAGS, offsetof(struct thread, td_flags));
> ASSYM(TD_FRAME, offsetof(struct thread, td_frame));
> ASSYM(TD_LOCK, offsetof(struct thread, td_lock));
> +ASSYM(TD_MD_CANARY, offsetof(struct thread, td_md.md_canary));
>=20
> ASSYM(TF_SIZE, sizeof(struct trapframe));
> ASSYM(TF_SP, offsetof(struct trapframe, tf_sp));
> diff --git a/sys/arm64/arm64/locore.S b/sys/arm64/arm64/locore.S
> index 92415aab1555..bc9a7271e93a 100644
> --- a/sys/arm64/arm64/locore.S
> +++ b/sys/arm64/arm64/locore.S
> @@ -116,6 +116,13 @@ virtdone:
> 	cmp	x15, x14
> 	b.lo	1b
>=20
> +#if defined(PERTHREAD_SSP)
> +	/* Set sp_el0 to the boot canary for early per-thread SSP to =
work */
> +	adrp	x15, boot_canary
> +	add	x15, x15, :lo12:boot_canary
> +	msr	sp_el0, x15
> +#endif
> +
> 	/* Backup the module pointer */
> 	mov	x1, x0
>=20
> @@ -200,6 +207,13 @@ mp_virtdone:
> 	ldr	x4, [x4]
> 	mov	sp, x4
>=20
> +#if defined(PERTHREAD_SSP)
> +	/* Set sp_el0 to the boot canary for early per-thread SSP to =
work */
> +	adrp	x15, boot_canary
> +	add	x15, x15, :lo12:boot_canary
> +	msr	sp_el0, x15
> +#endif
> +
> 	/* Load the kernel ttbr0 pagetable */
> 	msr	ttbr0_el1, x27
> 	isb
> diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c
> index 59a634f4d30c..821d9ba19022 100644
> --- a/sys/arm64/arm64/machdep.c
> +++ b/sys/arm64/arm64/machdep.c
> @@ -109,6 +109,14 @@ enum arm64_bus arm64_bus_method =3D =
ARM64_BUS_NONE;
>  */
> struct pcpu pcpu0;
>=20
> +#if defined(PERTHREAD_SSP)
> +/*
> + * The boot SSP canary. Will be replaced with a per-thread canary =
when
> + * scheduling has started.
> + */
> +uintptr_t boot_canary =3D 0x49a2d892bc05a0b1ul;

Is it *really* a pointer? That sure looks like it=E2=80=99s really a =
size_t or
unsigned long. I doubt you=E2=80=99d want a capability on CHERI (well, =
you=E2=80=99d
turn the feature off because it=E2=80=99s a waste of time there, but =
still).

Jess