[PATCH 0/7] Usermode Indirect Branch Tracking
From: Richard Patel
Date: Sun May 17 2026 - 14:36:01 EST
I was quite surprised that the Linux kernel still does not allow
userspace to enable x86 IBT (indirect jmp/call integrity).
Compilers and linkers have been emitting 'endbr64' IBT markers and ELF
support notes for a while now.

The hard work was done years ago by Intel:
https://lore.kernel.org/all/20210830182221.3535-1-yu-cheng.yu@xxxxxxxxx/

In summary, usermode IBT requires 3 things:
1. Set the CET_ENDBR_EN bit in MSR_IA32_U_CET for each IBT-enabled thread
   (PATCH 2,5)
2. Back up the WAIT_FOR_ENDBR bit across signal handling (PATCH 3,4)
3. Provide a way for usermode to enable it (PATCH 5)

This builds on top of Yu Cheng's work, with some adaptations:
- FRED support
- Implemented the existing prctl(PR_CFI_*) API
- Removed ELF parsing (can be added later)

Unresolved questions:
- Is there a cleaner way to do the WAIT_FOR_ENDBR XSAVE fallback?
- What to do about 'notrack jmp *rax'?
  I leave CET_NO_TRACK_EN enabled, which weakens IBT, by enabling a jump
  prefix that skips the ENDBR check. GCC emits it for jump tables
  (-mcet-switch). We could introduce a PR_CFI_IBT_STRICT bit.
- There's some obvious overlap with arch_prctl(ARCH_SHSTK_*).
  Happy to use that API instead.

Richard Patel (7):
  x86: add userspace IBT config option
  x86: shstk: don't clobber IBT bits in U_CET MSR
  x86: signal handler support for IBT
  x86: ban 32-bit sigreturn when user IBT enabled
  x86: expose user IBT via PR_CFI_BRANCH_LANDING_PADS
  x86/entry/vdso: build with IBT support
  selftests/x86: test usermode IBT

arch/x86/Kconfig | 17 ++
arch/x86/entry/vdso/common/Makefile.include | 3 +-
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/ibt.h | 16 ++
arch/x86/include/asm/processor.h | 5 +
arch/x86/include/uapi/asm/ucontext.h | 5 +
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/cet.c | 3 +-
arch/x86/kernel/cpu/common.c | 14 +-
arch/x86/kernel/ibt.c | 175 ++++++++++++++++++++
arch/x86/kernel/process_64.c | 2 +
arch/x86/kernel/shstk.c | 12 +-
arch/x86/kernel/signal_32.c | 5 +
arch/x86/kernel/signal_64.c | 6 +
tools/arch/x86/include/asm/cpufeatures.h | 1 +
tools/testing/selftests/x86/Makefile | 5 +-
tools/testing/selftests/x86/user_ibt.c | 157 ++++++++++++++++++
17 files changed, 420 insertions(+), 8 deletions(-)
create mode 100644 arch/x86/kernel/ibt.c
create mode 100644 tools/testing/selftests/x86/user_ibt.c
--
2.47.3
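
The cover letter mentions the ELF support notes that toolchains emit and says ELF parsing was left out of the series. As an added example (not part of this post or of the patch series), the following shows how a loader could read that marker from a `.note.gnu.property` note. The helper names and the sample bytes are constructed for illustration, and a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0           5
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1)

/* Constructed sample: one 64-bit note whose FEATURE_1_AND word is IBT|SHSTK. */
static const uint8_t sample_note[32] = {
    4, 0, 0, 0,  16, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0, /* Nhdr + name */
    0x02, 0, 0, 0xc0,  4, 0, 0, 0,  0x03, 0, 0, 0,  0, 0, 0, 0 /* property + pad */
};

/* Little-endian host assumed (x86). */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Hypothetical helper: returns the FEATURE_1_AND bits of one ELF64 note,
 * 0 if the property is absent, -1 if the note is malformed or truncated. */
int64_t x86_feature_1(const uint8_t *note, size_t len)
{
    if (len < 16 || rd32(note) != 4 || memcmp(note + 12, "GNU", 4) != 0)
        return -1;
    uint32_t descsz = rd32(note + 4);
    if (rd32(note + 8) != NT_GNU_PROPERTY_TYPE_0 || descsz > len - 16)
        return -1;
    size_t off = 16, end = 16 + (size_t)descsz;
    while (end - off >= 8) {
        uint32_t type = rd32(note + off), datasz = rd32(note + off + 4);
        off += 8;
        if (datasz > end - off)
            return -1;                      /* data runs past the descriptor */
        if (type == GNU_PROPERTY_X86_FEATURE_1_AND)
            return datasz == 4 ? (int64_t)rd32(note + off) : -1;
        size_t step = ((size_t)datasz + 7) & ~(size_t)7; /* 8-byte padding */
        if (step > end - off)
            return -1;
        off += step;
    }
    return 0;
}

/* Hypothetical helper: 1 only if the note parses and the IBT bit is set. */
int note_marks_ibt(const uint8_t *note, size_t len)
{
    int64_t bits = x86_feature_1(note, len);
    return bits > 0 && (bits & GNU_PROPERTY_X86_FEATURE_1_IBT) != 0;
}
```

A truncated or malformed note returns -1 rather than 0, so a caller can tell "binary not marked for IBT" apart from "note could not be trusted".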