162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0
262306a36Sopenharmony_ci/*
362306a36Sopenharmony_ci * Clang Control Flow Integrity (CFI) support.
462306a36Sopenharmony_ci *
562306a36Sopenharmony_ci * Copyright (C) 2023 Google LLC
662306a36Sopenharmony_ci */
762306a36Sopenharmony_ci#include <asm/cfi.h>
862306a36Sopenharmony_ci#include <asm/insn.h>
962306a36Sopenharmony_ci
/*
 * Return the rs1 register number of a jalr instruction, handling both the
 * 32-bit and the compressed (c.jalr) encoding, or -1 when @insn is not a
 * jalr at all.
 */
static int cfi_jalr_rs1(u32 insn)
{
	if (riscv_insn_is_jalr(insn))
		return RV_EXTRACT_RS1_REG(insn);
	if (riscv_insn_is_c_jalr(insn))
		return RVC_EXTRACT_C2_RS1_REG(insn);
	return -1;
}

/*
 * Decode the compiler-generated CFI check surrounding a trap.
 *
 * When regs->epc points at the ebreak of a CFI check, recover the indirect
 * call target (the register operand of the jalr that follows the trap) and
 * the expected type (the register compared by the beq that precedes it)
 * from the register file saved in @regs.  Both outputs are zeroed first, so
 * they read as 0 whenever the function reports failure.
 *
 * Returns true when the surrounding instructions match the expected
 * sequence, false when a kernel text read faults or the instructions do
 * not match.  The caller is responsible for having established that
 * regs->epc really is a CFI trap site before calling this.
 */
static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
			    u32 *type)
{
	/*
	 * A register number is used directly as an index into the saved
	 * register file; this relies on struct pt_regs laying out the GPRs
	 * so that xN is found at index N.
	 */
	unsigned long *gprs = (unsigned long *)regs;
	void *epc = (void *)regs->epc;
	u32 insn = 0;
	int call_reg;

	*target = 0;
	*type = 0;

	/*
	 * Expected compiler output for an indirect call check:
	 *
	 *   lw      t1, -4(<reg>)
	 *   lui     t2, <hi20>
	 *   addiw   t2, t2, <lo12>
	 *   beq     t1, t2, .Ltmp1
	 *   ebreak  ; <- regs->epc
	 *   .Ltmp1:
	 *   jalr    <reg>
	 *
	 * The beq immediately before the trap names the register holding the
	 * type loaded from the callee; the jalr immediately after the trap
	 * names the register holding the call target.  Kernel text is read
	 * with get_kernel_nofault() so an unexpected epc cannot fault here.
	 */
	if (get_kernel_nofault(insn, epc - 4) || !riscv_insn_is_beq(insn))
		return false;

	*type = (u32)gprs[RV_EXTRACT_RS1_REG(insn)];

	/*
	 * The ebreak itself is read only to learn its length, which may be
	 * 2 or 4 bytes; the instruction after it should be the jalr.
	 */
	if (get_kernel_nofault(insn, epc))
		return false;
	if (get_kernel_nofault(insn, epc + GET_INSN_LENGTH(insn)))
		return false;

	call_reg = cfi_jalr_rs1(insn);
	if (call_reg < 0)
		return false;

	*target = gprs[call_reg];
	return true;
}
6062306a36Sopenharmony_ci
/*
 * Entry point from the ebreak trap handler for CFI failures.
 *
 * Only traps whose epc is a recorded CFI site (is_cfi_trap()) are treated
 * as CFI failures; any other ebreak yields BUG_TRAP_TYPE_NONE so the caller
 * can fall through to its usual handling.  When the surrounding instruction
 * sequence can be decoded, the call target and the expected type are handed
 * to report_cfi_failure(); otherwise the failure is still reported, but
 * without address information.
 *
 * Returns a bug_trap_type value, mirroring report_bug().
 */
enum bug_trap_type handle_cfi_failure(struct pt_regs *regs)
{
	unsigned long addr = regs->epc;
	unsigned long target = 0;
	u32 type = 0;

	if (!is_cfi_trap(addr))
		return BUG_TRAP_TYPE_NONE;

	if (decode_cfi_insn(regs, &target, &type))
		return report_cfi_failure(regs, addr, &target, type);

	return report_cfi_failure_noaddr(regs, addr);
}