Linux 6.2 Implementing Dynamic Shadow Call Stack Support For AArch64
The Shadow Call Stack support is useful for protecting against return address overwrites / stack buffer overflows. But on AArch64 processors with pointer authentication, it's harder to justify the usefulness of the Shadow Call Stack. So for Linux 6.2 the plan is to enable dynamic SCS support to allow it to be enabled/disabled at boot time.This Dynamic Shadow Call Stack support is done at boot/run-time via code patching.
Thereby no alternative kernel build with SCS disabled is needed for those not wanting this security feature for their AArch64 SoC due to other hardware protections already in place.
"Implement dynamic shadow call stack support on Clang, by parsing the unwind tables at init time to locate all occurrences of PACIASP/AUTIASP instructions, and replacing them with the shadow call stack push and pop instructions, respectively.
This is useful because the overhead of the shadow call stack is difficult to justify on hardware that implements pointer authentication (PAC), and given that the PAC instructions are executed as NOPs on hardware that doesn't, we can just replace them without breaking anything. As PACIASP/AUTIASP are guaranteed to be paired with respect to manipulations of the return address, replacing them 1:1 with shadow call stack pushes and pops is guaranteed to result in the desired behavior."
Queued via ARM64's "for-next" core material is dynamic SCS and implementing it for ARM64 with Clang. Barring any issues from coming up, this code in turn will then be submitted for the Linux 6.2 merge window next month.
Those wanting to learn more about Clang's Shadow Call Stack instrumentation pass can do so via the Clang docs.