Add and enable several x86_64 security features

aero.py

@@ -470,11 +470,11 @@ def run_in_emulator(args, iso_path):
         print("Running with KVM acceleration enabled")
 
         if platform.system() == 'Darwin':
-            qemu_args += ['-accel', 'hvf', '-cpu', 'qemu64,+la57' if args.la57 else 'qemu64']
+            qemu_args += ['-accel', 'hvf', '-cpu', 'qemu64,+la57,+smap,+smep,+umip' if args.la57 else 'qemu64,+smap,+smep,+umip']
         else:
-            qemu_args += ['-enable-kvm', '-cpu', 'host,+la57' if args.la57 else 'host']
+            qemu_args += ['-enable-kvm', '-cpu', 'host,+la57,+smap,+smep,+umip' if args.la57 else 'host,+smap,+smep,+umip']
     else:
-        qemu_args += ["-cpu", "qemu64,+la57" if args.la57 else "qemu64"]
+        qemu_args += ["-cpu", "qemu64,+la57,+smap,+smep,+umip" if args.la57 else "qemu64,+smap,+smep,+umip"]
 
     run_command(['qemu-system-x86_64', *qemu_args])
 

bootstrap.yml

@@ -236,9 +236,9 @@ tools:
         # -g blows up the binary size.
         - 'CFLAGS=-pipe'
     compile:
-      - args: ['make', '-j@PARALLELISM@']
+      - args: ['make', '-j@PARALLELISM@', 'all-binutils', 'all-gas', 'all-ld']
     install:
-      - args: ['make', 'install']
+      - args: ['make', 'install-binutils', 'install-gas', 'install-ld']
 
   - name: host-gcc
     from_source: gcc

src/aero_kernel/src/arch/x86_64/controlregs.rs

@@ -17,6 +17,8 @@
  * along with Aero. If not, see <https://www.gnu.org/licenses/>.
  */
 
+use core::sync::atomic::{AtomicUsize, Ordering};
+
 use crate::mem::paging::{PhysAddr, PhysFrame, VirtAddr};
 
 bitflags::bitflags! {
@@ -273,3 +275,34 @@ pub fn read_cr2() -> VirtAddr {
         VirtAddr::new(value)
     }
 }
+
+/// Returns true if Supervisor Mode Access Prevention (SMAP) is supported by the CPU and is enabled in Cr4.
+#[inline]
+pub fn smap_enabled() -> bool {
+    read_cr4().contains(Cr4Flags::SUPERVISOR_MODE_ACCESS_PREVENTION)
+}
+
+#[inline]
+pub fn with_userspace_access<F, R>(f: F) -> R
+where
+  F: FnOnce() -> R,
+{
+    static REF_COUNT: AtomicUsize = AtomicUsize::new(0);
+    if smap_enabled() {
+        unsafe {
+            asm!("stac");
+        }
+        REF_COUNT.fetch_add(1, Ordering::Acquire);
+    };
+    let r = f();
+    if smap_enabled() {
+        REF_COUNT.fetch_sub(1, Ordering::Release);
+
+        if REF_COUNT.load(Ordering::Relaxed) == 0 {
+            unsafe {
+                asm!("clac");
+            }
+        }
+    };
+    r
+}

src/aero_kernel/src/arch/x86_64/interrupts/exceptions.rs

@@ -97,6 +97,23 @@ pub(super) fn page_fault(stack: &mut InterruptErrorStack) {
         log::error!("stack: {:#x?}", stack);
     };
 
+    if reason.contains(PageFaultErrorCode::PROTECTION_VIOLATION) && !reason.contains(PageFaultErrorCode::USER_MODE) {
+        if controlregs::smap_enabled() {
+            unwind::prepare_panic();
+
+            log::error!("SMAP violation page fault");
+            print_info();
+
+            controlregs::with_userspace_access(||unwind::unwind_stack_trace());
+
+            unsafe {
+                loop {
+                    super::halt();
+                }
+            }
+        }
+    }
+
     if accessed_address < userland_last_address && scheduler::is_initialized()
         || stack.stack.iret.is_user()
     {
@@ -130,7 +147,7 @@ pub(super) fn page_fault(stack: &mut InterruptErrorStack) {
                 scheduler::get_scheduler().log_ptable();
             }
 
-            unwind::unwind_stack_trace();
+            controlregs::with_userspace_access(||unwind::unwind_stack_trace());
 
             let task = scheduler::get_scheduler().current_task();
             task.signal(aero_syscall::signal::SIGSEGV);
@@ -147,7 +164,7 @@ pub(super) fn page_fault(stack: &mut InterruptErrorStack) {
     log::error!("Page fault");
     print_info();
 
-    unwind::unwind_stack_trace();
+    controlregs::with_userspace_access(||unwind::unwind_stack_trace());
 
     unsafe {
         loop {

src/aero_kernel/src/arch/x86_64/mod.rs

@@ -146,16 +146,16 @@ extern "C" fn x86_64_aero_main(boot_info: &'static StivaleStruct) -> ! {
             .unwrap()
     });
 
-    // Initialize the CPU specific features.
-    init_cpu();
-
     // We initialize the COM ports before doing anything else.
     //
     // This will help printing panics and logs before or when the debug renderer
     // is initialized and if serial output is avaliable.
     drivers::uart_16550::init();
     logger::init();
 
+    // Initialize the CPU specific features.
+    init_cpu();
+
     // Parse the kernel command line.
     let command_line: &'static _ = boot_info.command_line().map_or("", |cmd| unsafe {
         let cmdline = PhysAddr::new(cmd.command_line).as_hhdm_virt();
@@ -251,13 +251,50 @@ pub fn init_cpu() {
 
             cr0.remove(controlregs::Cr0Flags::EMULATE_COPROCESSOR);
             cr0.insert(controlregs::Cr0Flags::MONITOR_COPROCESSOR);
+            cr0.insert(controlregs::Cr0Flags::WRITE_PROTECT);
 
             controlregs::write_cr0(cr0);
         }
 
         {
+            // Check if SMAP is supported.
+            let has_smap = CpuId::new()
+                .get_extended_feature_info()
+                .map_or(false, |i| i.has_smap());
+
+            // Check if SMEP is supported.
+            let has_smep = CpuId::new()
+                .get_extended_feature_info()
+                .map_or(false, |i| i.has_smep());
+
+            // Check if UMIP is supported.
+            let has_umip = CpuId::new()
+                .get_extended_feature_info()
+                .map_or(false, |i| i.has_umip());
+
             let mut cr4 = controlregs::read_cr4();
 
+            if has_smap {
+                log::info!("SMAP is supported, enabling SMAP.");
+                cr4.insert(controlregs::Cr4Flags::SUPERVISOR_MODE_ACCESS_PREVENTION);
+            } else {
+                log::info!("SMAP is not supported.");
+            }
+
+            if has_smep {
+                log::info!("SMEP is supported, enabling SMEP.");
+                cr4.insert(controlregs::Cr4Flags::SUPERVISOR_MODE_EXECUTION_PROTECTION);
+            } else {
+                log::info!("SMEP is not supported.");
+            }
+
+            if has_umip {
+                log::info!("UMIP is supported, enabling UMIP.");
+                cr4.insert(controlregs::Cr4Flags::USER_MODE_INSTRUCTION_PREVENTION);
+            } else {
+                log::info!("UMIP is not supported.");
+            }
+
             cr4.insert(controlregs::Cr4Flags::OSFXSR);
             cr4.insert(controlregs::Cr4Flags::OSXMMEXCPT_ENABLE);
 

src/aero_kernel/src/arch/x86_64/signals.rs

@@ -20,6 +20,7 @@
 use crate::userland;
 use crate::userland::scheduler;
 use crate::utils::StackHelper;
+use crate::arch::controlregs;
 
 use super::interrupts::InterruptStack;
 
@@ -107,11 +108,11 @@ pub fn sigreturn(stack: &mut InterruptStack) -> usize {
 
     let current_task = scheduler::get_scheduler().current_task();
 
-    current_task.signals().set_mask(
+    controlregs::with_userspace_access(||current_task.signals().set_mask(
         aero_syscall::signal::SigProcMask::Set,
         signal_frame.sigmask,
         None,
-    );
+    ));
 
     writer.get_by(REDZONE_SIZE);
 

src/aero_kernel/src/drivers/tty.rs

@@ -28,6 +28,7 @@ use crate::fs::inode;
 use crate::fs::inode::INodeInterface;
 use crate::mem::paging::VirtAddr;
 use crate::utils::sync::{BlockQueue, Mutex};
+use crate::arch::controlregs;
 
 use super::keyboard::KeyCode;
 use super::keyboard::KeyboardListener;
@@ -234,11 +235,11 @@ impl INodeInterface for Tty {
 
         if buffer.len() > stdin.front_buffer.len() {
             for (i, c) in stdin.front_buffer.drain(..).enumerate() {
-                buffer[i] = c;
+                controlregs::with_userspace_access(||buffer[i] = c);
             }
         } else {
             for (i, c) in stdin.front_buffer.drain(..buffer.len()).enumerate() {
-                buffer[i] = c;
+                controlregs::with_userspace_access(||buffer[i] = c);
             }
         }
 
@@ -264,13 +265,13 @@ impl INodeInterface for Tty {
 
                 let (rows, cols) = crate::rendy::get_rows_cols();
 
-                winsize.ws_row = rows as u16;
-                winsize.ws_col = cols as u16;
+                controlregs::with_userspace_access(||winsize.ws_row = rows as u16);
+                controlregs::with_userspace_access(||winsize.ws_col = cols as u16);
 
                 let (xpixel, ypixel) = crate::rendy::get_resolution();
 
-                winsize.ws_xpixel = xpixel as u16;
-                winsize.ws_ypixel = ypixel as u16;
+                controlregs::with_userspace_access(||winsize.ws_xpixel = xpixel as u16);
+                controlregs::with_userspace_access(||winsize.ws_ypixel = ypixel as u16);
 
                 Ok(0x00)
             }
@@ -282,7 +283,7 @@ impl INodeInterface for Tty {
                 let lock = TERMIOS.lock_irq();
                 let this = &*lock;
 
-                *termios = this.clone();
+                controlregs::with_userspace_access(||*termios = this.clone());
                 Ok(0x00)
             }
 
@@ -299,7 +300,7 @@ impl INodeInterface for Tty {
                 let mut lock = TERMIOS.lock_irq();
                 let this = &mut *lock;
 
-                *this = termios.clone();
+                controlregs::with_userspace_access(||*this = termios.clone());
                 Ok(0x00)
             }
 

src/aero_kernel/src/syscall/fs.rs

@@ -20,6 +20,8 @@
 use aero_syscall::prelude::FdFlags;
 use aero_syscall::{AeroSyscallError, OpenFlags};
 
+use crate::arch::controlregs;
+
 use crate::fs::inode::DirEntry;
 use crate::fs::pipe::Pipe;
 use crate::fs::{self, lookup_path, LookupMode};
@@ -39,8 +41,8 @@ pub fn write(fd: usize, buffer: usize, size: usize) -> Result<usize, AeroSyscall
         .flags
         .intersects(OpenFlags::O_WRONLY | OpenFlags::O_RDWR)
     {
-        let buffer = validate_slice(buffer as *const u8, size).ok_or(AeroSyscallError::EINVAL)?;
-        Ok(handle.write(buffer)?)
+        let buffer = controlregs::with_userspace_access(||validate_slice(buffer as *const u8, size).ok_or(AeroSyscallError::EINVAL))?;
+        Ok(controlregs::with_userspace_access(||handle.write(buffer))?)
     } else {
         Err(AeroSyscallError::EACCES)
     }
@@ -57,8 +59,8 @@ pub fn read(fd: usize, buffer: usize, size: usize) -> Result<usize, AeroSyscallE
         .flags
         .intersects(OpenFlags::O_RDONLY | OpenFlags::O_RDWR)
     {
-        let buffer = validate_slice_mut(buffer as *mut u8, size).ok_or(AeroSyscallError::EINVAL)?;
-        Ok(handle.read(buffer)?)
+        let buffer = controlregs::with_userspace_access(||validate_slice_mut(buffer as *mut u8, size).ok_or(AeroSyscallError::EINVAL))?;
+        Ok(controlregs::with_userspace_access(||handle.read(buffer))?)
     } else {
         Err(AeroSyscallError::EACCES)
     }
@@ -71,7 +73,7 @@ pub fn open(_fd: usize, path: usize, len: usize, mode: usize) -> Result<usize, A
         flags.insert(OpenFlags::O_RDONLY);
     }
 
-    let path = validate_str(path as *const u8, len).ok_or(AeroSyscallError::EINVAL)?;
+    let path = controlregs::with_userspace_access(||validate_str(path as *const u8, len).ok_or(AeroSyscallError::EINVAL))?;
     let path = Path::new(path);
 
     let mut lookup_mode = LookupMode::None;
@@ -80,7 +82,7 @@ pub fn open(_fd: usize, path: usize, len: usize, mode: usize) -> Result<usize, A
         lookup_mode = LookupMode::Create;
     }
 
-    let inode = fs::lookup_path_with_mode(path, lookup_mode)?;
+    let inode = controlregs::with_userspace_access(||fs::lookup_path_with_mode(path, lookup_mode))?;
 
     if flags.contains(OpenFlags::O_DIRECTORY) && !inode.inode().metadata()?.is_directory() {
         return Err(AeroSyscallError::ENOTDIR);
@@ -118,7 +120,7 @@ pub fn getdents(fd: usize, buffer: usize, size: usize) -> Result<usize, AeroSysc
         .ok_or(AeroSyscallError::EBADFD)?;
 
     let buffer = validate_slice_mut(buffer as *mut u8, size).ok_or(AeroSyscallError::EINVAL)?;
-    Ok(handle.get_dents(buffer)?)
+    Ok(controlregs::with_userspace_access(||handle.get_dents(buffer))?)
 }
 
 pub fn close(fd: usize) -> Result<usize, AeroSyscallError> {
@@ -136,7 +138,7 @@ pub fn close(fd: usize) -> Result<usize, AeroSyscallError> {
 }
 
 pub fn chdir(path: usize, size: usize) -> Result<usize, AeroSyscallError> {
-    let buffer = validate_str(path as *mut u8, size).ok_or(AeroSyscallError::EINVAL)?;
+    let buffer = controlregs::with_userspace_access(||validate_str(path as *mut u8, size).ok_or(AeroSyscallError::EINVAL))?;
     let inode = fs::lookup_path(Path::new(buffer))?;
 
     if !inode.inode().metadata()?.is_directory() {
@@ -149,7 +151,7 @@ pub fn chdir(path: usize, size: usize) -> Result<usize, AeroSyscallError> {
 }
 
 pub fn mkdirat(dfd: usize, path: usize, size: usize) -> Result<usize, AeroSyscallError> {
-    let path_str = validate_str(path as *mut u8, size).ok_or(AeroSyscallError::EINVAL)?;
+    let path_str = controlregs::with_userspace_access(||validate_str(path as *mut u8, size).ok_or(AeroSyscallError::EINVAL))?;
     let path = Path::new(path_str);
 
     // NOTE: If the pathname given in pathname is relative, then it is interpreted
@@ -197,7 +199,7 @@ pub fn mkdir(path: usize, size: usize) -> Result<usize, AeroSyscallError> {
 }
 
 pub fn rmdir(path: usize, size: usize) -> Result<usize, AeroSyscallError> {
-    let path_str = validate_str(path as *mut u8, size).ok_or(AeroSyscallError::EINVAL)?;
+    let path_str = controlregs::with_userspace_access(||validate_str(path as *mut u8, size).ok_or(AeroSyscallError::EINVAL))?;
     let path = Path::new(path_str);
 
     let (_, child) = path.parent_and_basename();
@@ -224,7 +226,7 @@ pub fn getcwd(buffer: usize, size: usize) -> Result<usize, AeroSyscallError> {
     let buffer = validate_slice_mut(buffer as *mut u8, size).ok_or(AeroSyscallError::EINVAL)?;
     let cwd = scheduler::get_scheduler().current_task().get_cwd();
 
-    buffer[..cwd.len()].copy_from_slice(cwd.as_bytes());
+    controlregs::with_userspace_access(||buffer[..cwd.len()].copy_from_slice(cwd.as_bytes()));
     Ok(cwd.len())
 }
 
@@ -275,8 +277,8 @@ pub fn pipe(fds: usize, flags: usize) -> Result<usize, AeroSyscallError> {
         Ok(fd2) => fd2,
     };
 
-    fds[0] = fd1;
-    fds[1] = fd2;
+    controlregs::with_userspace_access(||fds[0] = fd1);
+    controlregs::with_userspace_access(||fds[1] = fd2);
 
     Ok(0x00)
 }
@@ -287,7 +289,7 @@ pub fn unlink(
     path_size: usize,
     flags: usize,
 ) -> Result<usize, AeroSyscallError> {
-    let path_str = validate_str(path as *mut u8, path_size).ok_or(AeroSyscallError::EINVAL)?;
+    let path_str = controlregs::with_userspace_access(||validate_str(path as *mut u8, path_size).ok_or(AeroSyscallError::EINVAL))?;
     let path = Path::new(path_str);
 
     // TODO: Make use of the open flags.
@@ -319,7 +321,7 @@ pub fn access(
     _mode: usize,
     _flags: usize,
 ) -> Result<usize, AeroSyscallError> {
-    let path_str = validate_str(path as *mut u8, path_size).ok_or(AeroSyscallError::EINVAL)?;
+    let path_str = controlregs::with_userspace_access(||validate_str(path as *mut u8, path_size).ok_or(AeroSyscallError::EINVAL))?;
     let path = Path::new(path_str);
 
     if fd as isize == aero_syscall::AT_FDCWD {