€•sœ      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ&/translations/zh_CN/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/zh_TW/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/it_IT/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/ja_JP/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/ko_KR/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/pt_BR/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/sp_SP/arch/riscv/zicfiss”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1hµhhh²hh³Œ@/var/lib/git/docbuild/linux/Documentation/arch/riscv/zicfiss.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ8Shadow stack to protect function returns on RISC-V Linux”h]”hŒ8Shadow stack to protect function returns on RISC-V Linux”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhŒ	paragraph”“”)”}”(hŒŠThis document briefly describes the interface provided to userspace by Linux
to enable shadow stacks for user mode applications on RISC-V.”h]”hŒŠThis document briefly describes the interface provided to userspace by Linux
to enable shadow stacks for user mode applications on RISC-V.”…””}”(hhßh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K
hhÊh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒ1. Feature Overview”h]”hŒ1. Feature Overview”…””}”(hhðh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhíh²hh³hÇh´KubhÞ)”}”(hŒžMemory corruption issues usually result in crashes.  However, in the
hands of a creative adversary, these issues can result in a variety of
security problems.”h]”hŒžMemory corruption issues usually result in crashes.  However, in the
hands of a creative adversary, these issues can result in a variety of
security problems.”…””}”(hhþh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khhíh²hubhÞ)”}”(hX  Some of those security issues can be code re-use attacks on programs
where an adversary can use corrupt return addresses present on the
stack. chaining them together to perform return oriented programming
(ROP) and thus compromising the control flow integrity (CFI) of the
program.”h]”hX  Some of those security issues can be code re-use attacks on programs
where an adversary can use corrupt return addresses present on the
stack. chaining them together to perform return oriented programming
(ROP) and thus compromising the control flow integrity (CFI) of the
program.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khhíh²hubhÞ)”}”(hX  Return addresses live on the stack in read-write memory.  Therefore
they are susceptible to corruption, which allows an adversary to
control the program counter. On RISC-V, the ``zicfiss`` extension
provides an alternate stack (the "shadow stack") on which return
addresses can be safely placed in the prologue of the function and
retrieved in the epilogue.  The ``zicfiss`` extension makes the
following changes:”h]”(hŒ±Return addresses live on the stack in read-write memory.  Therefore
they are susceptible to corruption, which allows an adversary to
control the program counter. On RISC-V, the ”…””}”(hj  h²hh³Nh´NubhŒliteral”“”)”}”(hŒ``zicfiss``”h]”hŒzicfiss”…””}”(hj$  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒ³ extension
provides an alternate stack (the â€œshadow stackâ€) on which return
addresses can be safely placed in the prologue of the function and
retrieved in the epilogue.  The ”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``zicfiss``”h]”hŒzicfiss”…””}”(hj6  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒ' extension makes the
following changes:”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khhíh²hubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ·PTE encodings for shadow stack virtual memory
An earlier reserved encoding in first stage translation i.e.
PTE.R=0, PTE.W=1, PTE.X=0  becomes the PTE encoding for shadow stack pages.
”h]”hÞ)”}”(hŒ¶PTE encodings for shadow stack virtual memory
An earlier reserved encoding in first stage translation i.e.
PTE.R=0, PTE.W=1, PTE.X=0  becomes the PTE encoding for shadow stack pages.”h]”hŒ¶PTE encodings for shadow stack virtual memory
An earlier reserved encoding in first stage translation i.e.
PTE.R=0, PTE.W=1, PTE.X=0  becomes the PTE encoding for shadow stack pages.”…””}”(hjY  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K"hjU  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjP  h²hh³hÇh´NubjT  )”}”(hŒLThe ``sspush x1/x5`` instruction pushes (stores) ``x1/x5`` to shadow stack.
”h]”hÞ)”}”(hŒKThe ``sspush x1/x5`` instruction pushes (stores) ``x1/x5`` to shadow stack.”h]”(hŒThe ”…””}”(hjq  h²hh³Nh´Nubj#  )”}”(hŒ``sspush x1/x5``”h]”hŒsspush x1/x5”…””}”(hjy  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjq  ubhŒ instruction pushes (stores) ”…””}”(hjq  h²hh³Nh´Nubj#  )”}”(hŒ	``x1/x5``”h]”hŒx1/x5”…””}”(hj‹  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjq  ubhŒ to shadow stack.”…””}”(hjq  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K&hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjP  h²hh³hÇh´NubjT  )”}”(hŒ±The ``sspopchk x1/x5`` instruction pops (loads) from shadow stack and compares
with ``x1/x5`` and if not equal, the CPU raises a ``software check exception``
with ``*tval = 3``
”h]”hÞ)”}”(hŒ°The ``sspopchk x1/x5`` instruction pops (loads) from shadow stack and compares
with ``x1/x5`` and if not equal, the CPU raises a ``software check exception``
with ``*tval = 3``”h]”(hŒThe ”…””}”(hj­  h²hh³Nh´Nubj#  )”}”(hŒ``sspopchk x1/x5``”h]”hŒsspopchk x1/x5”…””}”(hjµ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj­  ubhŒ> instruction pops (loads) from shadow stack and compares
with ”…””}”(hj­  h²hh³Nh´Nubj#  )”}”(hŒ	``x1/x5``”h]”hŒx1/x5”…””}”(hjÇ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj­  ubhŒ$ and if not equal, the CPU raises a ”…””}”(hj­  h²hh³Nh´Nubj#  )”}”(hŒ``software check exception``”h]”hŒsoftware check exception”…””}”(hjÙ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj­  ubhŒ
with ”…””}”(hj­  h²hh³Nh´Nubj#  )”}”(hŒ``*tval = 3``”h]”hŒ	*tval = 3”…””}”(hjë  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj­  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K(hj©  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjP  h²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1jN  h³hÇh´K"hhíh²hubhÞ)”}”(hXY  The compiler toolchain ensures that function prologues have ``sspush
x1/x5`` to save the return address on shadow stack in addition to the
regular stack.  Similarly, function epilogues have ``ld x5,
offset(x2)`` followed by ``sspopchk x5`` to ensure that a popped value
from the regular stack matches with the popped value from the shadow
stack.”h]”(hŒ<The compiler toolchain ensures that function prologues have ”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``sspush
x1/x5``”h]”hŒsspush
x1/x5”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒr to save the return address on shadow stack in addition to the
regular stack.  Similarly, function epilogues have ”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``ld x5,
offset(x2)``”h]”hŒld x5,
offset(x2)”…””}”(hj'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒ followed by ”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``sspopchk x5``”h]”hŒsspopchk x5”…””}”(hj9  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒj to ensure that a popped value
from the regular stack matches with the popped value from the shadow
stack.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K,hhíh²hubeh}”(h]”Œfeature-overview”ah ]”h"]”Œ1. feature overview”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒ42. Shadow stack protections and linux memory manager”h]”hŒ42. Shadow stack protections and linux memory manager”…””}”(hj\  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjY  h²hh³hÇh´K4ubhÞ)”}”(hŒ¯As mentioned earlier, shadow stacks get new page table encodings that
have some special properties assigned to them, along with instructions
that operate on the shadow stacks:”h]”hŒ¯As mentioned earlier, shadow stacks get new page table encodings that
have some special properties assigned to them, along with instructions
that operate on the shadow stacks:”…””}”(hjj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K6hjY  h²hubjO  )”}”(hhh]”(jT  )”}”(hŒvRegular stores to shadow stack memory raise store access faults. This
protects shadow stack memory from stray writes.
”h]”hÞ)”}”(hŒuRegular stores to shadow stack memory raise store access faults. This
protects shadow stack memory from stray writes.”h]”hŒuRegular stores to shadow stack memory raise store access faults. This
protects shadow stack memory from stray writes.”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K:hj{  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjx  h²hh³hÇh´NubjT  )”}”(hŒ¸Regular loads from shadow stack memory are allowed. This allows
stack trace utilities or backtrace functions to read the true call
stack and ensure that it has not been tampered with.
”h]”hÞ)”}”(hŒ·Regular loads from shadow stack memory are allowed. This allows
stack trace utilities or backtrace functions to read the true call
stack and ensure that it has not been tampered with.”h]”hŒ·Regular loads from shadow stack memory are allowed. This allows
stack trace utilities or backtrace functions to read the true call
stack and ensure that it has not been tampered with.”…””}”(hj—  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K=hj“  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjx  h²hh³hÇh´NubjT  )”}”(hŒWOnly shadow stack instructions can generate shadow stack loads or
shadow stack stores.
”h]”hÞ)”}”(hŒVOnly shadow stack instructions can generate shadow stack loads or
shadow stack stores.”h]”hŒVOnly shadow stack instructions can generate shadow stack loads or
shadow stack stores.”…””}”(hj¯  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KAhj«  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjx  h²hh³hÇh´NubjT  )”}”(hX»  Shadow stack loads and stores on read-only memory raise AMO/store
page faults. Thus both ``sspush x1/x5`` and ``sspopchk x1/x5`` will
raise AMO/store page fault. This simplies COW handling in kernel
during fork(). The kernel can convert shadow stack pages into
read-only memory (as it does for regular read-write memory).  As
soon as subsequent ``sspush`` or ``sspopchk`` instructions in
userspace are encountered, the kernel can perform COW.
”h]”hÞ)”}”(hXº  Shadow stack loads and stores on read-only memory raise AMO/store
page faults. Thus both ``sspush x1/x5`` and ``sspopchk x1/x5`` will
raise AMO/store page fault. This simplies COW handling in kernel
during fork(). The kernel can convert shadow stack pages into
read-only memory (as it does for regular read-write memory).  As
soon as subsequent ``sspush`` or ``sspopchk`` instructions in
userspace are encountered, the kernel can perform COW.”h]”(hŒYShadow stack loads and stores on read-only memory raise AMO/store
page faults. Thus both ”…””}”(hjÇ  h²hh³Nh´Nubj#  )”}”(hŒ``sspush x1/x5``”h]”hŒsspush x1/x5”…””}”(hjÏ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjÇ  ubhŒ and ”…””}”(hjÇ  h²hh³Nh´Nubj#  )”}”(hŒ``sspopchk x1/x5``”h]”hŒsspopchk x1/x5”…””}”(hjá  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjÇ  ubhŒÙ will
raise AMO/store page fault. This simplies COW handling in kernel
during fork(). The kernel can convert shadow stack pages into
read-only memory (as it does for regular read-write memory).  As
soon as subsequent ”…””}”(hjÇ  h²hh³Nh´Nubj#  )”}”(hŒ
``sspush``”h]”hŒsspush”…””}”(hjó  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjÇ  ubhŒ or ”…””}”(hjÇ  h²hh³Nh´Nubj#  )”}”(hŒ``sspopchk``”h]”hŒsspopchk”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjÇ  ubhŒG instructions in
userspace are encountered, the kernel can perform COW.”…””}”(hjÇ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KDhjÃ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjx  h²hh³hÇh´NubjT  )”}”(hŒæShadow stack loads and stores on read-write or read-write-execute
memory raise an access fault. This is a fatal condition because
shadow stack loads and stores should never be operating on
read-write or read-write-execute memory.
”h]”hÞ)”}”(hŒåShadow stack loads and stores on read-write or read-write-execute
memory raise an access fault. This is a fatal condition because
shadow stack loads and stores should never be operating on
read-write or read-write-execute memory.”h]”hŒåShadow stack loads and stores on read-write or read-write-execute
memory raise an access fault. This is a fatal condition because
shadow stack loads and stores should never be operating on
read-write or read-write-execute memory.”…””}”(hj'  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KLhj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjx  h²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”j  j  uh1jN  h³hÇh´K:hjY  h²hubeh}”(h]”Œ1shadow-stack-protections-and-linux-memory-manager”ah ]”h"]”Œ42. shadow stack protections and linux memory manager”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K4ubhÉ)”}”(hhh]”(hÎ)”}”(hŒ3. ELF and psABI”h]”hŒ3. ELF and psABI”…””}”(hjL  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjI  h²hh³hÇh´KRubhÞ)”}”(hŒ¤The toolchain sets up :c:macro:`GNU_PROPERTY_RISCV_FEATURE_1_BCFI` for
property :c:macro:`GNU_PROPERTY_RISCV_FEATURE_1_AND` in the notes
section of the object file.”h]”(hŒThe toolchain sets up ”…””}”(hjZ  h²hh³Nh´Nubh)”}”(hŒ,:c:macro:`GNU_PROPERTY_RISCV_FEATURE_1_BCFI`”h]”j#  )”}”(hjd  h]”hŒ!GNU_PROPERTY_RISCV_FEATURE_1_BCFI”…””}”(hjf  h²hh³Nh´Nubah}”(h]”h ]”(Œxref”Œc”Œc-macro”eh"]”h$]”h&]”uh1j"  hjb  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”Œarch/riscv/zicfiss”Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰Œ	reftarget”Œ!GNU_PROPERTY_RISCV_FEATURE_1_BCFI”uh1hh³hÇh´KThjZ  ubhŒ for
property ”…””}”(hjZ  h²hh³Nh´Nubh)”}”(hŒ+:c:macro:`GNU_PROPERTY_RISCV_FEATURE_1_AND`”h]”j#  )”}”(hj‹  h]”hŒ GNU_PROPERTY_RISCV_FEATURE_1_AND”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj‰  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ GNU_PROPERTY_RISCV_FEATURE_1_AND”uh1hh³hÇh´KThjZ  ubhŒ) in the notes
section of the object file.”…””}”(hjZ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KThjI  h²hubeh}”(h]”Œelf-and-psabi”ah ]”h"]”Œ3. elf and psabi”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KRubhÉ)”}”(hhh]”(hÎ)”}”(hŒ4. Linux enabling”h]”hŒ4. Linux enabling”…””}”(hj½  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjº  h²hh³hÇh´KYubhÞ)”}”(hX	  User space programs can have multiple shared objects loaded in their
address space.  It's a difficult task to make sure all the
dependencies have been compiled with shadow stack support.  Thus
it's left to the dynamic loader to enable shadow stacks for the
program.”h]”hX  User space programs can have multiple shared objects loaded in their
address space.  Itâ€™s a difficult task to make sure all the
dependencies have been compiled with shadow stack support.  Thus
itâ€™s left to the dynamic loader to enable shadow stacks for the
program.”…””}”(hjË  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K[hjº  h²hubeh}”(h]”Œlinux-enabling”ah ]”h"]”Œ4. linux enabling”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KYubhÉ)”}”(hhh]”(hÎ)”}”(hŒ5. prctl() enabling”h]”hŒ5. prctl() enabling”…””}”(hjä  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjá  h²hh³hÇh´KbubhÞ)”}”(hX  :c:macro:`PR_SET_SHADOW_STACK_STATUS` / :c:macro:`PR_GET_SHADOW_STACK_STATUS` /
:c:macro:`PR_LOCK_SHADOW_STACK_STATUS` are three prctls added to manage shadow
stack enabling for tasks.  These prctls are architecture-agnostic and return
-EINVAL if not implemented.”h]”(h)”}”(hŒ%:c:macro:`PR_SET_SHADOW_STACK_STATUS`”h]”j#  )”}”(hjø  h]”hŒPR_SET_SHADOW_STACK_STATUS”…””}”(hjú  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjö  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒPR_SET_SHADOW_STACK_STATUS”uh1hh³hÇh´Kdhjò  ubhŒ / ”…””}”(hjò  h²hh³Nh´Nubh)”}”(hŒ%:c:macro:`PR_GET_SHADOW_STACK_STATUS`”h]”j#  )”}”(hj  h]”hŒPR_GET_SHADOW_STACK_STATUS”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒPR_GET_SHADOW_STACK_STATUS”uh1hh³hÇh´Kdhjò  ubhŒ /
”…””}”(hjò  h²hh³Nh´Nubh)”}”(hŒ&:c:macro:`PR_LOCK_SHADOW_STACK_STATUS`”h]”j#  )”}”(hj>  h]”hŒPR_LOCK_SHADOW_STACK_STATUS”…””}”(hj@  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj<  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒPR_LOCK_SHADOW_STACK_STATUS”uh1hh³hÇh´Kdhjò  ubhŒ‘ are three prctls added to manage shadow
stack enabling for tasks.  These prctls are architecture-agnostic and return
-EINVAL if not implemented.”…””}”(hjò  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kdhjá  h²hubjO  )”}”(hhh]”jT  )”}”(hŒ5prctl(PR_SET_SHADOW_STACK_STATUS, unsigned long arg)
”h]”hÞ)”}”(hŒ4prctl(PR_SET_SHADOW_STACK_STATUS, unsigned long arg)”h]”hŒ4prctl(PR_SET_SHADOW_STACK_STATUS, unsigned long arg)”…””}”(hjl  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kihjh  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hje  h²hh³hÇh´Nubah}”(h]”h ]”h"]”h$]”h&]”j  Œ*”uh1jN  h³hÇh´Kihjá  h²hubhÞ)”}”(hXì  If arg = :c:macro:`PR_SHADOW_STACK_ENABLE` and if CPU supports
``zicfiss`` then the kernel will enable shadow stacks for the task.
The dynamic loader can issue this :c:macro:`prctl` once it has
determined that all the objects loaded in address space have support
for shadow stacks.  Additionally, if there is a :c:macro:`dlopen` to
an object which wasn't compiled with ``zicfiss``, the dynamic loader
can issue this prctl with arg set to 0 (i.e.
:c:macro:`PR_SHADOW_STACK_ENABLE` being clear)”h]”(hŒ	If arg = ”…””}”(hj‡  h²hh³Nh´Nubh)”}”(hŒ!:c:macro:`PR_SHADOW_STACK_ENABLE`”h]”j#  )”}”(hj‘  h]”hŒPR_SHADOW_STACK_ENABLE”…””}”(hj“  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒPR_SHADOW_STACK_ENABLE”uh1hh³hÇh´Kkhj‡  ubhŒ and if CPU supports
”…””}”(hj‡  h²hh³Nh´Nubj#  )”}”(hŒ``zicfiss``”h]”hŒzicfiss”…””}”(hj²  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj‡  ubhŒ[ then the kernel will enable shadow stacks for the task.
The dynamic loader can issue this ”…””}”(hj‡  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`prctl`”h]”j#  )”}”(hjÆ  h]”hŒprctl”…””}”(hjÈ  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjÄ  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œprctl”uh1hh³hÇh´Kkhj‡  ubhŒ‚ once it has
determined that all the objects loaded in address space have support
for shadow stacks.  Additionally, if there is a ”…””}”(hj‡  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`dlopen`”h]”j#  )”}”(hjé  h]”hŒdlopen”…””}”(hjë  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjç  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œdlopen”uh1hh³hÇh´Kkhj‡  ubhŒ+ to
an object which wasnâ€™t compiled with ”…””}”(hj‡  h²hh³Nh´Nubj#  )”}”(hŒ``zicfiss``”h]”hŒzicfiss”…””}”(hj
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj‡  ubhŒB, the dynamic loader
can issue this prctl with arg set to 0 (i.e.
”…””}”(hj‡  h²hh³Nh´Nubh)”}”(hŒ!:c:macro:`PR_SHADOW_STACK_ENABLE`”h]”j#  )”}”(hj  h]”hŒPR_SHADOW_STACK_ENABLE”…””}”(hj   h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒPR_SHADOW_STACK_ENABLE”uh1hh³hÇh´Kkhj‡  ubhŒ being clear)”…””}”(hj‡  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kkhjá  h²hubjO  )”}”(hhh]”jT  )”}”(hŒ7prctl(PR_GET_SHADOW_STACK_STATUS, unsigned long * arg)
”h]”hÞ)”}”(hŒ6prctl(PR_GET_SHADOW_STACK_STATUS, unsigned long * arg)”h]”hŒ6prctl(PR_GET_SHADOW_STACK_STATUS, unsigned long * arg)”…””}”(hjL  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KthjH  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjE  h²hh³hÇh´Nubah}”(h]”h ]”h"]”h$]”h&]”j  j†  uh1jN  h³hÇh´Kthjá  h²hubhÞ)”}”(hŒrReturns the current status of indirect branch tracking. If enabled
it'll return :c:macro:`PR_SHADOW_STACK_ENABLE`.”h]”(hŒRReturns the current status of indirect branch tracking. If enabled
itâ€™ll return ”…””}”(hjf  h²hh³Nh´Nubh)”}”(hŒ!:c:macro:`PR_SHADOW_STACK_ENABLE`”h]”j#  )”}”(hjp  h]”hŒPR_SHADOW_STACK_ENABLE”…””}”(hjr  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjn  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒPR_SHADOW_STACK_ENABLE”uh1hh³hÇh´Kvhjf  ubhŒ.”…””}”(hjf  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kvhjá  h²hubjO  )”}”(hhh]”jT  )”}”(hŒ6prctl(PR_LOCK_SHADOW_STACK_STATUS, unsigned long arg)
”h]”hÞ)”}”(hŒ5prctl(PR_LOCK_SHADOW_STACK_STATUS, unsigned long arg)”h]”hŒ5prctl(PR_LOCK_SHADOW_STACK_STATUS, unsigned long arg)”…””}”(hjž  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kyhjš  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hj—  h²hh³hÇh´Nubah}”(h]”h ]”h"]”h$]”h&]”j  j†  uh1jN  h³hÇh´Kyhjá  h²hubhÞ)”}”(hX   Locks the current status of shadow stack enabling on the
task. Userspace may want to run with a strict security posture and
wouldn't want loading of objects without ``zicfiss`` support.  In this
case userspace can use this prctl to disallow disabling of shadow
stacks on the current task.”h]”(hŒ§Locks the current status of shadow stack enabling on the
task. Userspace may want to run with a strict security posture and
wouldnâ€™t want loading of objects without ”…””}”(hj¸  h²hh³Nh´Nubj#  )”}”(hŒ``zicfiss``”h]”hŒzicfiss”…””}”(hjÀ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj¸  ubhŒp support.  In this
case userspace can use this prctl to disallow disabling of shadow
stacks on the current task.”…””}”(hj¸  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K{hjá  h²hubeh}”(h]”Œprctl-enabling”ah ]”h"]”Œ5. prctl() enabling”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KbubhÉ)”}”(hhh]”(hÎ)”}”(hŒ:5. violations related to returns with shadow stack enabled”h]”hŒ:5. violations related to returns with shadow stack enabled”…””}”(hjã  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjà  h²hh³hÇh´K‚ubhÞ)”}”(hŒòPertaining to shadow stacks, the CPU raises a ``software check
exception`` upon executing ``sspopchk x1/x5`` if ``x1/x5`` doesn't
match the top of shadow stack.  If a mismatch happens, then the CPU
sets ``*tval = 3`` and raises the exception.”h]”(hŒ.Pertaining to shadow stacks, the CPU raises a ”…””}”(hjñ  h²hh³Nh´Nubj#  )”}”(hŒ``software check
exception``”h]”hŒsoftware check
exception”…””}”(hjù  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjñ  ubhŒ upon executing ”…””}”(hjñ  h²hh³Nh´Nubj#  )”}”(hŒ``sspopchk x1/x5``”h]”hŒsspopchk x1/x5”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjñ  ubhŒ if ”…””}”(hjñ  h²hh³Nh´Nubj#  )”}”(hŒ	``x1/x5``”h]”hŒx1/x5”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjñ  ubhŒT doesnâ€™t
match the top of shadow stack.  If a mismatch happens, then the CPU
sets ”…””}”(hjñ  h²hh³Nh´Nubj#  )”}”(hŒ``*tval = 3``”h]”hŒ	*tval = 3”…””}”(hj/  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjñ  ubhŒ and raises the exception.”…””}”(hjñ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K„hjà  h²hubhÞ)”}”(hŒ‹The Linux kernel will treat this as a :c:macro:`SIGSEGV` with code =
:c:macro:`SEGV_CPERR` and follow the normal course of signal delivery.”h]”(hŒ&The Linux kernel will treat this as a ”…””}”(hjG  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`SIGSEGV`”h]”j#  )”}”(hjQ  h]”hŒSIGSEGV”…””}”(hjS  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjO  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  ŒSIGSEGV”uh1hh³hÇh´K‰hjG  ubhŒ with code =
”…””}”(hjG  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`SEGV_CPERR`”h]”j#  )”}”(hjt  h]”hŒ
SEGV_CPERR”…””}”(hjv  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjr  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ
SEGV_CPERR”uh1hh³hÇh´K‰hjG  ubhŒ1 and follow the normal course of signal delivery.”…””}”(hjG  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K‰hjà  h²hubeh}”(h]”Œ7violations-related-to-returns-with-shadow-stack-enabled”ah ]”h"]”Œ:5. violations related to returns with shadow stack enabled”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K‚ubhÉ)”}”(hhh]”(hÎ)”}”(hŒ6. Shadow stack tokens”h]”hŒ6. Shadow stack tokens”…””}”(hj¦  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj£  h²hh³hÇh´KubhÞ)”}”(hX¿  Regular stores on shadow stacks are not allowed and thus can't be
tampered with via arbitrary stray writes.  However, one method of
pivoting / switching to a shadow stack is simply writing to the CSR
``CSR_SSP``.  This will change the active shadow stack for the
program.  Writes to ``CSR_SSP`` in the program should be mostly
limited to context switches, stack unwinds, or longjmp or similar
mechanisms (like context switching of Green Threads) in languages like
Go and Rust. CSR_SSP writes can be problematic because an attacker can
use memory corruption bugs and leverage context switching routines to
pivot to any shadow stack. Shadow stack tokens can help mitigate this
problem by making sure that:”h]”(hŒÊRegular stores on shadow stacks are not allowed and thus canâ€™t be
tampered with via arbitrary stray writes.  However, one method of
pivoting / switching to a shadow stack is simply writing to the CSR
”…””}”(hj´  h²hh³Nh´Nubj#  )”}”(hŒ``CSR_SSP``”h]”hŒCSR_SSP”…””}”(hj¼  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj´  ubhŒH.  This will change the active shadow stack for the
program.  Writes to ”…””}”(hj´  h²hh³Nh´Nubj#  )”}”(hŒ``CSR_SSP``”h]”hŒCSR_SSP”…””}”(hjÎ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj´  ubhX™   in the program should be mostly
limited to context switches, stack unwinds, or longjmp or similar
mechanisms (like context switching of Green Threads) in languages like
Go and Rust. CSR_SSP writes can be problematic because an attacker can
use memory corruption bugs and leverage context switching routines to
pivot to any shadow stack. Shadow stack tokens can help mitigate this
problem by making sure that:”…””}”(hj´  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khj£  h²hubjO  )”}”(hhh]”(jT  )”}”(hŒ¦When software is switching away from a shadow stack, the shadow
stack pointer should be saved on the shadow stack itself (this is
called the ``shadow stack token``).
”h]”hÞ)”}”(hŒ¥When software is switching away from a shadow stack, the shadow
stack pointer should be saved on the shadow stack itself (this is
called the ``shadow stack token``).”h]”(hŒWhen software is switching away from a shadow stack, the shadow
stack pointer should be saved on the shadow stack itself (this is
called the ”…””}”(hjí  h²hh³Nh´Nubj#  )”}”(hŒ``shadow stack token``”h]”hŒshadow stack token”…””}”(hjõ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjí  ubhŒ).”…””}”(hjí  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K›hjé  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjæ  h²hh³hÇh´NubjT  )”}”(hŒÑWhen software is switching to a shadow stack, it should read the
``shadow stack token`` from the shadow stack pointer and verify that
the ``shadow stack token`` itself is a pointer to the shadow stack
itself.
”h]”hÞ)”}”(hŒÐWhen software is switching to a shadow stack, it should read the
``shadow stack token`` from the shadow stack pointer and verify that
the ``shadow stack token`` itself is a pointer to the shadow stack
itself.”h]”(hŒAWhen software is switching to a shadow stack, it should read the
”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``shadow stack token``”h]”hŒshadow stack token”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒ3 from the shadow stack pointer and verify that
the ”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``shadow stack token``”h]”hŒshadow stack token”…””}”(hj1  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒ0 itself is a pointer to the shadow stack
itself.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KŸhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjæ  h²hh³hÇh´NubjT  )”}”(hŒlOnce the token verification is done, software can perform the write
to ``CSR_SSP`` to switch shadow stacks.
”h]”hÞ)”}”(hŒkOnce the token verification is done, software can perform the write
to ``CSR_SSP`` to switch shadow stacks.”h]”(hŒGOnce the token verification is done, software can perform the write
to ”…””}”(hjS  h²hh³Nh´Nubj#  )”}”(hŒ``CSR_SSP``”h]”hŒCSR_SSP”…””}”(hj[  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjS  ubhŒ to switch shadow stacks.”…””}”(hjS  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¤hjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jS  hjæ  h²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”j  j  uh1jN  h³hÇh´K›hj£  h²hubhÞ)”}”(hX  Here "software" could refer to the user mode task runtime itself,
managing various contexts as part of a single thread.  Or "software"
could refer to the kernel, when the kernel has to deliver a signal to
a user task and must save the shadow stack pointer.  The kernel can
perform similar procedure itself by saving a token on the user mode
task's shadow stack.  This way, whenever :c:macro:`sigreturn` happens,
the kernel can read and verify the token and then switch to the shadow
stack. Using this mechanism, the kernel helps the user task so that
any corruption issue in the user task is not exploited by adversaries
arbitrarily using :c:macro:`sigreturn`. Adversaries will have to make
sure that there is a valid ``shadow stack token`` in addition to
invoking :c:macro:`sigreturn`.”h]”(hXˆ  Here â€œsoftwareâ€ could refer to the user mode task runtime itself,
managing various contexts as part of a single thread.  Or â€œsoftwareâ€
could refer to the kernel, when the kernel has to deliver a signal to
a user task and must save the shadow stack pointer.  The kernel can
perform similar procedure itself by saving a token on the user mode
taskâ€™s shadow stack.  This way, whenever ”…””}”(hj  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`sigreturn`”h]”j#  )”}”(hj‰  h]”hŒ	sigreturn”…””}”(hj‹  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj‡  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ	sigreturn”uh1hh³hÇh´K§hj  ubhŒí happens,
the kernel can read and verify the token and then switch to the shadow
stack. Using this mechanism, the kernel helps the user task so that
any corruption issue in the user task is not exploited by adversaries
arbitrarily using ”…””}”(hj  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`sigreturn`”h]”j#  )”}”(hj¬  h]”hŒ	sigreturn”…””}”(hj®  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjª  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ	sigreturn”uh1hh³hÇh´K§hj  ubhŒ;. Adversaries will have to make
sure that there is a valid ”…””}”(hj  h²hh³Nh´Nubj#  )”}”(hŒ``shadow stack token``”h]”hŒshadow stack token”…””}”(hjÍ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  ubhŒ in addition to
invoking ”…””}”(hj  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`sigreturn`”h]”j#  )”}”(hjá  h]”hŒ	sigreturn”…””}”(hjã  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjß  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ	sigreturn”uh1hh³hÇh´K§hj  ubhŒ.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K§hj£  h²hubeh}”(h]”Œshadow-stack-tokens”ah ]”h"]”Œ6. shadow stack tokens”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒ7. Signal shadow stack”h]”hŒ7. Signal shadow stack”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj  h²hh³hÇh´KµubhÞ)”}”(hŒAThe following structure has been added to sigcontext for RISC-V::”h]”hŒ@The following structure has been added to sigcontext for RISC-V:”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¶hj  h²hubhŒliteral_block”“”)”}”(hŒ:struct __sc_riscv_cfi_state {
    unsigned long ss_ptr;
};”h]”hŒ:struct __sc_riscv_cfi_state {
    unsigned long ss_ptr;
};”…””}”hj1  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j/  h³hÇh´K¸hj  h²hubhÞ)”}”(hXË  As part of signal delivery, the shadow stack token is saved on the
current shadow stack itself.  The updated pointer is saved away in the
:c:macro:`ss_ptr` field in :c:macro:`__sc_riscv_cfi_state` under
:c:macro:`sigcontext`. The existing shadow stack allocation is used
for signal delivery.  During :c:macro:`sigreturn`, kernel will obtain
:c:macro:`ss_ptr` from :c:macro:`sigcontext`, verify the saved
token on the shadow stack, and switch the shadow stack.”h]”(hŒŠAs part of signal delivery, the shadow stack token is saved on the
current shadow stack itself.  The updated pointer is saved away in the
”…””}”(hj?  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`ss_ptr`”h]”j#  )”}”(hjI  h]”hŒss_ptr”…””}”(hjK  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjG  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œss_ptr”uh1hh³hÇh´K¼hj?  ubhŒ
 field in ”…””}”(hj?  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`__sc_riscv_cfi_state`”h]”j#  )”}”(hjl  h]”hŒ__sc_riscv_cfi_state”…””}”(hjn  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ__sc_riscv_cfi_state”uh1hh³hÇh´K¼hj?  ubhŒ under
”…””}”(hj?  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`sigcontext`”h]”j#  )”}”(hj  h]”hŒ
sigcontext”…””}”(hj‘  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ
sigcontext”uh1hh³hÇh´K¼hj?  ubhŒL. The existing shadow stack allocation is used
for signal delivery.  During ”…””}”(hj?  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`sigreturn`”h]”j#  )”}”(hj²  h]”hŒ	sigreturn”…””}”(hj´  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hj°  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ	sigreturn”uh1hh³hÇh´K¼hj?  ubhŒ, kernel will obtain
”…””}”(hj?  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`ss_ptr`”h]”j#  )”}”(hjÕ  h]”hŒss_ptr”…””}”(hj×  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjÓ  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œss_ptr”uh1hh³hÇh´K¼hj?  ubhŒ from ”…””}”(hj?  h²hh³Nh´Nubh)”}”(hŒ:c:macro:`sigcontext`”h]”j#  )”}”(hjø  h]”hŒ
sigcontext”…””}”(hjú  h²hh³Nh´Nubah}”(h]”h ]”(jp  jq  Œc-macro”eh"]”h$]”h&]”uh1j"  hjö  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”j}  Œ	refdomain”jq  Œreftype”Œmacro”Œrefexplicit”‰Œrefwarn”‰jƒ  Œ
sigcontext”uh1hh³hÇh´K¼hj?  ubhŒJ, verify the saved
token on the shadow stack, and switch the shadow stack.”…””}”(hj?  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¼hj  h²hubeh}”(h]”Œsignal-shadow-stack”ah ]”h"]”Œ7. signal shadow stack”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´Kµubeh}”(h]”Œ8shadow-stack-to-protect-function-returns-on-risc-v-linux”ah ]”h"]”Œ8shadow stack to protect function returns on risc-v linux”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jR	  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j,	  j)	  jV  jS  jF  jC  j·  j´  jÞ  jÛ  jÝ  jÚ  j   j  j  j
  j$	  j!	  uŒ	nametypes”}”(j,	  ‰jV  ‰jF  ‰j·  ‰jÞ  ‰jÝ  ‰j   ‰j  ‰j$	  ‰uh}”(j)	  hÊjS  híjC  jY  j´  jI  jÛ  jº  jÚ  já  j  jà  j
  j£  j!	  j  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nh²hub.