diff --git a/Documentation/features/seccomp/seccomp-filter/arch-support.txt b/Documentation/features/seccomp/seccomp-filter/arch-support.txt index f54ddfc06a12..c688aba22a8d 100644 --- a/Documentation/features/seccomp/seccomp-filter/arch-support.txt +++ b/Documentation/features/seccomp/seccomp-filter/arch-support.txt @@ -29,5 +29,5 @@ | sparc: | TODO | | um: | ok | | x86: | ok | - | xtensa: | TODO | + | xtensa: | ok | ----------------------- diff --git a/arch/xtensa/Kconfig b/arch/xtensa/Kconfig index b71ba910d92f..e997e0119c02 100644 --- a/arch/xtensa/Kconfig +++ b/arch/xtensa/Kconfig @@ -21,8 +21,10 @@ config XTENSA select GENERIC_PCI_IOMAP select GENERIC_SCHED_CLOCK select GENERIC_STRNCPY_FROM_USER if KASAN + select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL select HAVE_ARCH_KASAN if MMU && !XIP_KERNEL + select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK select HAVE_DEBUG_KMEMLEAK select HAVE_DMA_CONTIGUOUS @@ -215,6 +217,20 @@ config HOTPLUG_CPU Say N if you want to disable CPU hotplug. +config SECCOMP + bool + prompt "Enable seccomp to safely compute untrusted bytecode" + help + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + config FAST_SYSCALL_XTENSA bool "Enable fast atomic syscalls" default n diff --git a/arch/xtensa/boot/Makefile b/arch/xtensa/boot/Makefile index 1a14d38d9b33..f6bb352f94b4 100644 --- a/arch/xtensa/boot/Makefile +++ b/arch/xtensa/boot/Makefile @@ -17,6 +17,8 @@ BIG_ENDIAN := $(shell echo __XTENSA_EB__ | $(CC) -E - | grep -v "\#") export BIG_ENDIAN subdir-y := lib +targets += vmlinux.bin vmlinux.bin.gz +targets += uImage xipImage # Subdirs for the boot loader(s) @@ -35,19 +37,19 @@ boot-elf boot-redboot: $(addprefix $(obj)/,$(subdir-y)) OBJCOPYFLAGS = --strip-all -R .comment -R .notes -O binary -vmlinux.bin: vmlinux FORCE +$(obj)/vmlinux.bin: vmlinux FORCE $(call if_changed,objcopy) -vmlinux.bin.gz: vmlinux.bin FORCE +$(obj)/vmlinux.bin.gz: $(obj)/vmlinux.bin FORCE $(call if_changed,gzip) -boot-elf: vmlinux.bin -boot-redboot: vmlinux.bin.gz +boot-elf: $(obj)/vmlinux.bin +boot-redboot: $(obj)/vmlinux.bin.gz UIMAGE_LOADADDR = $(CONFIG_KERNEL_LOAD_ADDRESS) UIMAGE_COMPRESSION = gzip -$(obj)/uImage: vmlinux.bin.gz FORCE +$(obj)/uImage: $(obj)/vmlinux.bin.gz FORCE $(call if_changed,uimage) $(Q)$(kecho) ' Kernel: $@ is ready' diff --git a/arch/xtensa/boot/boot-elf/Makefile b/arch/xtensa/boot/boot-elf/Makefile index 12ae1e91cb75..0ebc9827f7e5 100644 --- a/arch/xtensa/boot/boot-elf/Makefile +++ b/arch/xtensa/boot/boot-elf/Makefile @@ -15,12 +15,13 @@ export CPPFLAGS_boot.lds += -P -C export KBUILD_AFLAGS += -mtext-section-literals boot-y := bootstrap.o +targets += $(boot-y) boot.lds OBJS := $(addprefix $(obj)/,$(boot-y)) -$(obj)/Image.o: vmlinux.bin $(OBJS) +$(obj)/Image.o: $(obj)/../vmlinux.bin $(OBJS) $(Q)$(OBJCOPY) $(OBJCOPY_ARGS) -R .comment \ - --add-section image=vmlinux.bin \ + --add-section image=$< \ --set-section-flags image=contents,alloc,load,load,data \ $(OBJS) $@ diff --git a/arch/xtensa/boot/boot-redboot/Makefile b/arch/xtensa/boot/boot-redboot/Makefile index 8632473ad319..07cb24afedc2 100644 --- a/arch/xtensa/boot/boot-redboot/Makefile +++ b/arch/xtensa/boot/boot-redboot/Makefile @@ -13,15 +13,16 @@ endif LD_ARGS = -T $(srctree)/$(obj)/boot.ld boot-y := bootstrap.o +targets += $(boot-y) OBJS := $(addprefix $(obj)/,$(boot-y)) LIBS := arch/xtensa/boot/lib/lib.a arch/xtensa/lib/lib.a LIBGCC := $(shell $(CC) $(KBUILD_CFLAGS) -print-libgcc-file-name) -$(obj)/zImage.o: vmlinux.bin.gz $(OBJS) +$(obj)/zImage.o: $(obj)/../vmlinux.bin.gz $(OBJS) $(Q)$(OBJCOPY) $(OBJCOPY_ARGS) -R .comment \ - --add-section image=vmlinux.bin.gz \ + --add-section image=$< \ --set-section-flags image=contents,alloc,load,load,data \ $(OBJS) $@ diff --git a/arch/xtensa/include/asm/Kbuild b/arch/xtensa/include/asm/Kbuild index 9718e9593564..c59c42a1221a 100644 --- a/arch/xtensa/include/asm/Kbuild +++ b/arch/xtensa/include/asm/Kbuild @@ -7,4 +7,5 @@ generic-y += mcs_spinlock.h generic-y += param.h generic-y += qrwlock.h generic-y += qspinlock.h +generic-y += seccomp.h generic-y += user.h diff --git a/arch/xtensa/include/asm/initialize_mmu.h b/arch/xtensa/include/asm/initialize_mmu.h index 9ee0c1d004f9..05cb13dfe6f4 100644 --- a/arch/xtensa/include/asm/initialize_mmu.h +++ b/arch/xtensa/include/asm/initialize_mmu.h @@ -6,7 +6,7 @@ * For the new V3 MMU we remap the TLB from virtual == physical * to the standard Linux mapping used in earlier MMU's. * - * The the MMU we also support a new configuration register that + * For the MMU we also support a new configuration register that * specifies how the S32C1I instruction operates with the cache * controller. * diff --git a/arch/xtensa/include/asm/thread_info.h b/arch/xtensa/include/asm/thread_info.h index f092cc3f4e66..6acbbe0d87d3 100644 --- a/arch/xtensa/include/asm/thread_info.h +++ b/arch/xtensa/include/asm/thread_info.h @@ -55,6 +55,10 @@ struct thread_info { mm_segment_t addr_limit; /* thread address space */ unsigned long cpenable; +#if XCHAL_HAVE_EXCLUSIVE + /* result of the most recent exclusive store */ + unsigned long atomctl8; +#endif /* Allocate storage for extra user states and coprocessor states. */ #if XTENSA_HAVE_COPROCESSORS @@ -111,15 +115,20 @@ static inline struct thread_info *current_thread_info(void) #define TIF_RESTORE_SIGMASK 6 /* restore signal mask in do_signal() */ #define TIF_NOTIFY_RESUME 7 /* callback before returning to user */ #define TIF_DB_DISABLED 8 /* debug trap disabled for syscall */ +#define TIF_SYSCALL_AUDIT 9 /* syscall auditing active */ +#define TIF_SECCOMP 10 /* secure computing */ #define _TIF_SYSCALL_TRACE (1< */ +#include #include #include #include @@ -21,6 +22,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +53,7 @@ static int gpr_get(struct task_struct *target, .threadptr = regs->threadptr, .windowbase = regs->windowbase, .windowstart = regs->windowstart, + .syscall = regs->syscall, }; memcpy(newregs.a, @@ -90,6 +93,9 @@ static int gpr_set(struct task_struct *target, regs->sar = newregs.sar; regs->threadptr = newregs.threadptr; + if (newregs.syscall) + regs->syscall = newregs.syscall; + if (newregs.windowbase != regs->windowbase || newregs.windowstart != regs->windowstart) { u32 rotws, wmask; @@ -554,7 +560,8 @@ int do_syscall_trace_enter(struct pt_regs *regs) return 0; } - if (regs->syscall == NO_SYSCALL) { + if (regs->syscall == NO_SYSCALL || + secure_computing() == -1) { do_syscall_trace_leave(regs); return 0; } @@ -562,6 +569,9 @@ int do_syscall_trace_enter(struct pt_regs *regs) if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, syscall_get_nr(current, regs)); + audit_syscall_entry(regs->syscall, regs->areg[6], + regs->areg[3], regs->areg[4], + regs->areg[5]); return 1; } @@ -569,6 +579,8 @@ void do_syscall_trace_leave(struct pt_regs *regs) { int step; + audit_syscall_exit(regs); + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_exit(regs, regs_return_value(regs)); diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 5267b9fb7c0f..06bd5901be74 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -129,6 +129,8 @@ struct seccomp_data { # define __NR_seccomp 358 # elif defined(__s390__) # define __NR_seccomp 348 +# elif defined(__xtensa__) +# define __NR_seccomp 337 # else # warning "seccomp syscall number unknown for this architecture" # define __NR_seccomp 0xffff @@ -1699,6 +1701,14 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define SYSCALL_SYSCALL_NUM regs[4] # define SYSCALL_RET regs[2] # define SYSCALL_NUM_RET_SHARE_REG +#elif defined(__xtensa__) +# define ARCH_REGS struct user_pt_regs +# define SYSCALL_NUM syscall +/* + * On xtensa syscall return value is in the register + * a2 of the current window which is not fixed. + */ +#define SYSCALL_RET(reg) a[(reg).windowbase * 4 + 2] #else # error "Do not know how to find your architecture's registers and syscalls" #endif @@ -1770,7 +1780,8 @@ void change_syscall(struct __test_metadata *_metadata, EXPECT_EQ(0, ret) {} #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ - defined(__s390__) || defined(__hppa__) || defined(__riscv) + defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ + defined(__xtensa__) { regs.SYSCALL_NUM = syscall; } @@ -1813,6 +1824,9 @@ void change_syscall(struct __test_metadata *_metadata, if (syscall == -1) #ifdef SYSCALL_NUM_RET_SHARE_REG TH_LOG("Can't modify syscall return on this architecture"); + +#elif defined(__xtensa__) + regs.SYSCALL_RET(regs) = result; #else regs.SYSCALL_RET = result; #endif