Arm Guarded Control Stack "GCS" Patches Debut For The Linux Kernel

Written by Michael Larabel in Arm on 18 July 2023 at 05:53 AM EDT. Add A Comment
ARM
A set of 35 patches were posted on Sunday for introducing ARM64 Guarded Control Stack (GCS) support to the Linux kernel. This is akin to x86 Shadow Stack support for hardware-protected stacks of return addresses to help fend off ROP attacks.

Arm's Guarded Control Stack functionality is designed to help prevent return-oriented programming (ROP) attacks similar to the Intel Shadow Stack work, and in fact this Linux kernel enablement depends upon that x86 Shadow Stack code in some areas. GCS can additionally help in gathering call stacks of an application such as for profiling purposes.

Mark Brown explains in the patch cover letter:
"When GCS is active a secondary stack called the Guarded Control Stack is maintained, protected with a memory attribute which means that it can only be written with specific GCS operations. When a BL is executed the value stored in LR is also pushed onto the GCS, and when a RET is executed the top of the GCS is popped and compared to LR with a fault being raised if the values do not match. GCS operations may only be performed on GCS pages, a data abort is generated if they are not.

This series implements support for use of GCS by EL0, along with support for use of GCS within KVM guests. It does not enable use of GCS by either EL1 or EL2. Executables are started without GCS and must use a prctl() to enable it, it is expected that this will be done very early in application execution by the dynamic linker or other startup code."

As for that prctl-based opt-in support by applications, the patch series adds an architecture-agnostic prctl for toggling shadow stack support with PR_GET_SHADOW_STACK_STATUS and PR_SET_SHADOW_STACK_STATUS. Besides Arm GCS and x86 Shadow Stack support, RISC-V is also working on similar functionality too.

More details on Arm Guarded Control Stack support via this documentation patch. Those interested in ARM64 GCS support can see this patch series now under review.
Add A Comment
Related News
LLVM Clang 19 Adds Arm Neoverse-N3 / Neoverse-V3 / Neoverse-V3AE Support
Acer Aspire One ARM Laptop To Have "Almost Full" Support With Linux 6.10
Linux 6.10 To Add Script For Building ARM64 Flat Image Trees
Arm China Looking At Upstreaming Their "Zhouyi" NPU Driver Into The Linux Kernel
Panthor DRM Driver Queued For Linux 6.10 To Support Newer Arm Mali GPUs
ARM SCMI CPUFreq Driver Enabling Boost Support By Default With Linux 6.9
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
systemd Rolling Out "run0" As sudo Alternative
Microsoft Open-Sources MS-DOS 4.0 Under MIT License
Systemd 256-rc1 Brings A Huge Number Of New Features
NVIDIA Developer Opens Feature Pull Request For Open-Source NVK Driver
Rust-Based Coreutils 0.0.26 Increases Compatibility With GNU Coreutils
Linux Mint Looks To Fork More GNOME Software, Make XApp More Independent
Ubuntu 24.04 LTS Downloads Now Available
Proton 9.0 RC2 Makes More Windows Games Playable On Linux, Other Fixes