arch/x86: Support for automatic shadow stacks

   - No more need for special IRQ shadow stacks - just reuse the one
   created for z_interrupt_stacks;
   - Add the linker sections for the pairs of stack/shadow stack;
   - Support shadow stack arrays.

Last item was a bit challenging: shadow stacks need to be initialised
before use, and this is done statically for normal shadow stacks. To
initialise the shadow stacks in the array, one needs how many entries it
has. While a simple approach would use `LISTIFY` to them do the
initialization on all entries, that is not possible as many stack arrays
are created using expressions instead of literals, such as
`CONFIG_MP_MAX_NUM_CPUS - 1`, which won't work with `LISTIFY`.

Instead, this patch uses a script, `gen_static_shstk_array.py` that
gathers all needed information and patches the ELF to initialize the
stack arrays. Note that this needs to be done before any other operation
on the ELF file that creates new representations, such as the .bin
output.

Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>

Author: edersondisouza

arch/x86/CMakeLists.txt

@@ -75,4 +75,32 @@ endif()
 
 if(CONFIG_X86_CET)
   zephyr_compile_options(-fcf-protection=full)
+
+  if(CONFIG_HW_SHADOW_STACK)
+      set(GEN_SHSTK_ARRAY ${ZEPHYR_BASE}/arch/x86/gen_static_shstk_array.py)
+
+      if(CONFIG_X86_64)
+          set(gen_shstk_array_arch_param --arch x86_64)
+
+          execute_process(
+              COMMAND
+              ${PYTHON_EXECUTABLE}
+              ${GEN_SHSTK_ARRAY}
+              --header-output ${PROJECT_BINARY_DIR}/include/generated/zephyr/x86_shstk.h
+              --config ${DOTCONFIG}
+              ${gen_shstk_array_arch_param}
+              WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+          )
+      else()
+          set(gen_shstk_array_arch_param --arch x86)
+      endif()
+
+      set_property(GLOBAL APPEND PROPERTY post_build_patch_elf_commands
+          COMMAND
+          ${PYTHON_EXECUTABLE}
+          ${GEN_SHSTK_ARRAY}
+          --kernel $<TARGET_FILE:${ZEPHYR_FINAL_EXECUTABLE}>
+          ${gen_shstk_array_arch_param}
+      )
+  endif()
 endif()

arch/x86/Kconfig

@@ -515,14 +515,6 @@ config X86_CET_SHADOW_STACK_ALIGNMENT
 	help
 	  This option sets the alignment of the Shadow Stack.
 
-config X86_CET_IRQ_SHADOW_STACK_SIZE
-	int "IRQ Shadow Stack size"
-	default 4096
-	depends on HW_SHADOW_STACK
-	help
-	  This option sets the size of the shadow stack used for interrupt
-	  and exception handling.
-
 config X86_CET_VERIFY_KERNEL_SHADOW_STACK
 	bool "Verify kernel shadow stack"
 	depends on HW_SHADOW_STACK

arch/x86/core/cet.c

@@ -16,6 +16,7 @@
 #include <zephyr/logging/log_ctrl.h>
 #include <zephyr/logging/log.h>
 
+#include <kernel_arch_data.h>
 LOG_MODULE_DECLARE(os, CONFIG_KERNEL_LOG_LEVEL);
 
 #ifdef CONFIG_X86_64

arch/x86/core/ia32/irq_manage.c

@@ -24,11 +24,6 @@
 #include <zephyr/arch/x86/ia32/segmentation.h>
 #include <kernel_arch_data.h>
 
-#ifdef CONFIG_HW_SHADOW_STACK
-X86_IRQ_SHADOW_STACK_DEFINE(z_x86_irq_shadow_stack,
-			    CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE);
-#endif
-
 #define TOKEN_OFFSET 4
 
 extern void z_SpuriousIntHandler(void *handler);
@@ -54,8 +49,10 @@ void arch_isr_direct_footer_swap(unsigned int key)
 #ifdef CONFIG_HW_SHADOW_STACK
 void z_x86_set_irq_shadow_stack(void)
 {
-	size_t stack_size = CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE;
-	arch_thread_hw_shadow_stack_t *stack = z_x86_irq_shadow_stack;
+	size_t stack_size = sizeof(__z_interrupt_stacks_shstk_arr);
+	arch_thread_hw_shadow_stack_t *stack;
+
+	stack = (arch_thread_hw_shadow_stack_t *)__z_interrupt_stacks_shstk_arr;
 
 	_kernel.cpus[0].arch.shstk_addr = stack +
 		(stack_size - TOKEN_OFFSET * sizeof(*stack)) / sizeof(*stack);

arch/x86/core/intel64/locore.S

@@ -14,6 +14,9 @@
 #include <zephyr/drivers/interrupt_controller/loapic.h>
 #include <zephyr/arch/cpu.h>
 #include <zephyr/kernel/mm.h>
+#ifdef CONFIG_HW_SHADOW_STACK
+#include <x86_shstk.h>
+#endif
 
 /*
  * Definitions/macros for enabling paging
@@ -823,7 +826,7 @@ irq:
 #ifdef CONFIG_HW_SHADOW_STACK
 	pushq %rsi
 	movq %gs:(__x86_tss64_t_shstk_addr_OFFSET), %rsi
-	subq $CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE, (%rsi)
+	subq $X86_CET_IRQ_SHADOW_SUBSTACK_SIZE, (%rsi)
 	popq %rsi
 #endif
 	cmpl $CONFIG_ISR_DEPTH, ___cpu_t_nested_OFFSET(%rsi)
@@ -981,7 +984,7 @@ irq_dispatch:
 	addq $CONFIG_ISR_SUBSTACK_SIZE, %gs:__x86_tss64_t_ist1_OFFSET
 #ifdef CONFIG_HW_SHADOW_STACK
 	movq %gs:(__x86_tss64_t_shstk_addr_OFFSET), %rax
-	addq $CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE, (%rax)
+	addq $X86_CET_IRQ_SHADOW_SUBSTACK_SIZE, (%rax)
 #endif
 	decl ___cpu_t_nested_OFFSET(%rsi)
 	jnz irq_exit_nested

arch/x86/gen_static_shstk_array.py

@@ -0,0 +1,233 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+import argparse
+import struct
+
+from elftools.elf.elffile import ELFFile
+from elftools.elf.sections import SymbolTableSection
+
+
+def parse_args():
+    global args
+    parser = argparse.ArgumentParser(
+        description=__doc__,
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        allow_abbrev=False,
+    )
+
+    parser.add_argument("-k", "--kernel", required=False, help="Zephyr kernel image")
+    parser.add_argument("-o", "--header-output", required=False, help="Header output file")
+    parser.add_argument("-c", "--config", required=False, help="Configuration file (.config)")
+    parser.add_argument(
+        "-a",
+        "--arch",
+        required=False,
+        help="Architecture to generate shadow stack for",
+        choices=["x86", "x86_64"],
+        default="x86",
+    )
+    args = parser.parse_args()
+
+
+def get_symbols(obj):
+    for section in obj.iter_sections():
+        if isinstance(section, SymbolTableSection):
+            return {sym.name: sym for sym in section.iter_symbols()}
+
+    raise LookupError("Could not find symbol table")
+
+
+shstk_irq_top_fmt = "<Q"
+
+
+def generate_initialized_irq_array64(sym, section_data, section_addr, isr_depth):
+    offset = sym["st_value"] - section_addr
+    # First four bytes have the number of members of the array
+    nmemb = int.from_bytes(section_data[offset : offset + 4], "little") * isr_depth
+    stack_size = (int)(sym["st_size"] / nmemb)
+
+    # Top of shadow stack is on the form:
+    # [-1] = shadow stack supervisor token
+
+    output = bytearray(sym["st_size"])
+    for i in range(nmemb):
+        token = sym["st_value"] + stack_size * (i + 1) - 8
+
+        struct.pack_into(shstk_irq_top_fmt, output, stack_size * (i + 1) - 8, token)
+
+    return output
+
+
+shstk_top_fmt = "<QQQQ"
+
+
+def generate_initialized_array64(sym, section_data, section_addr, thread_entry):
+    offset = sym["st_value"] - section_addr
+    # First four bytes have the number of members of the array
+    nmemb = int.from_bytes(section_data[offset : offset + 4], "little")
+    if nmemb == 0:
+        # CONFIG_DYNAMIC_THREAD_POOL_SIZE can be zero - in which case isn't
+        # used. To allow the static initialization, we make the corresponding shadow stack
+        # have one item. Here, we recognize it by having 0 members. But we already
+        # wasted the space for this. Sigh...
+        return bytearray(sym["st_size"])
+    stack_size = (int)(sym["st_size"] / nmemb)
+
+    # Top of shadow stack is on the form:
+    # [-5] = shadow stack token, pointing to [-4]
+    # [-4] = previous SSP, pointing to [-1]
+    # [-3] = z_thread_entry
+    # [-2] = X86_KERNEL_CS
+
+    output = bytearray(sym["st_size"])
+    for i in range(nmemb):
+        end = sym["st_value"] + stack_size * (i + 1)
+        token = end - 8 * 4 + 1
+        prev_ssp = end - 8
+        cs = 0x18  # X86_KERNEL_CS
+
+        struct.pack_into(
+            shstk_top_fmt,
+            output,
+            stack_size * (i + 1) - 8 * 5,
+            token,
+            prev_ssp,
+            thread_entry["st_value"],
+            cs,
+        )
+
+    return output
+
+
+shstk_top_fmt32 = "<QI"
+
+
+def generate_initialized_array32(sym, section_data, section_addr, thread_entry):
+    offset = sym["st_value"] - section_addr
+    # First four bytes have the number of members of the array
+    nmemb = int.from_bytes(section_data[offset : offset + 4], "little")
+    if nmemb == 0:
+        # See comment on generate_initialized_array64
+        return bytearray(sym["st_size"])
+    stack_size = (int)(sym["st_size"] / nmemb)
+
+    # Top of shadow stack is on the form:
+    # [-4] = shadow stack token, pointing to [-2]
+    # [-3] = 0 - high order bits of token
+    # [-2] = z_thread_entry/z_x86_thread_entry_wrapper
+
+    output = bytearray(sym["st_size"])
+    for i in range(nmemb):
+        end = sym["st_value"] + stack_size * (i + 1)
+        token = end - 8
+
+        struct.pack_into(
+            shstk_top_fmt32,
+            output,
+            stack_size * (i + 1) - 4 * 4,
+            token,
+            thread_entry["st_value"],
+        )
+
+    return output
+
+
+def generate_initialized_array(sym, section_data, section_addr, thread_entry):
+    if args.arch == "x86":
+        return generate_initialized_array32(sym, section_data, section_addr, thread_entry)
+
+    return generate_initialized_array64(sym, section_data, section_addr, thread_entry)
+
+
+def patch_elf():
+    with open(args.kernel, "r+b") as elf_fp:
+        kernel = ELFFile(elf_fp)
+        section = kernel.get_section_by_name(".x86shadowstack.arr")
+        syms = get_symbols(kernel)
+        thread_entry = syms["z_thread_entry"]
+        if args.arch == "x86" and syms["CONFIG_X86_DEBUG_INFO"].entry.st_value:
+            thread_entry = syms["z_x86_thread_entry_wrapper"]
+
+        updated_section = bytearray()
+        shstk_arr_syms = [
+            sym[1]
+            for sym in syms.items()
+            if sym[0].startswith("__") and sym[0].endswith("_shstk_arr")
+        ]
+        shstk_arr_syms.sort(key=lambda x: x["st_value"])
+        section_data = section.data()
+
+        for sym in shstk_arr_syms:
+            if sym.name == "__z_interrupt_stacks_shstk_arr" and args.arch == "x86_64":
+                isr_depth = syms["CONFIG_ISR_DEPTH"].entry.st_value
+                out = generate_initialized_irq_array64(
+                    sym, section_data, section["sh_addr"], isr_depth
+                )
+            else:
+                out = generate_initialized_array(
+                    sym, section_data, section["sh_addr"], thread_entry
+                )
+
+            updated_section += out
+
+        elf_fp.seek(section["sh_offset"])
+        elf_fp.write(updated_section)
+
+
+def generate_header():
+    if args.config is None:
+        raise ValueError("Configuration file is required to generate header")
+
+    isr_depth = stack_size = alignment = hw_stack_percentage = hw_stack_min_size = None
+
+    with open(args.config) as config_fp:
+        config_lines = config_fp.readlines()
+
+    for line in config_lines:
+        if line.startswith("CONFIG_ISR_DEPTH="):
+            isr_depth = int(line.split("=")[1].strip())
+        if line.startswith("CONFIG_ISR_STACK_SIZE="):
+            stack_size = int(line.split("=")[1].strip())
+        if line.startswith("CONFIG_X86_CET_SHADOW_STACK_ALIGNMENT="):
+            alignment = int(line.split("=")[1].strip())
+        if line.startswith("CONFIG_HW_SHADOW_STACK_PERCENTAGE_SIZE="):
+            hw_stack_percentage = int(line.split("=")[1].strip())
+        if line.startswith("CONFIG_HW_SHADOW_STACK_MIN_SIZE="):
+            hw_stack_min_size = int(line.split("=")[1].strip())
+
+    if isr_depth is None:
+        raise ValueError("Missing CONFIG_ISR_DEPTH in configuration file")
+    if stack_size is None:
+        raise ValueError("Missing CONFIG_ISR_STACK_SIZE in configuration file")
+    if alignment is None:
+        raise ValueError("Missing CONFIG_X86_CET_SHADOW_STACK_ALIGNMENT in configuration file")
+    if hw_stack_percentage is None:
+        raise ValueError("Missing CONFIG_HW_SHADOW_STACK_PERCENTAGE_SIZE in configuration file")
+    if hw_stack_min_size is None:
+        raise ValueError("Missing CONFIG_HW_SHADOW_STACK_MIN_SIZE in configuration file")
+
+    stack_size = int(stack_size * (hw_stack_percentage / 100))
+    stack_size = int((stack_size + alignment - 1) / alignment) * alignment
+    stack_size = max(stack_size, hw_stack_min_size)
+    stack_size = int(stack_size / isr_depth)
+
+    with open(args.header_output, "w") as header_fp:
+        header_fp.write(f"#define X86_CET_IRQ_SHADOW_SUBSTACK_SIZE {stack_size}\n")
+
+
+def main():
+    parse_args()
+
+    if args.kernel is not None:
+        patch_elf()
+
+    if args.header_output is not None:
+        generate_header()
+
+
+if __name__ == "__main__":
+    main()

arch/x86/include/intel64/kernel_arch_data.h

@@ -44,7 +44,6 @@ struct x86_interrupt_ssp_table {
 };
 
 extern uint8_t x86_cpu_loapics[];	/* CPU logical ID -> local APIC ID */
-
 #endif /* _ASMLANGUAGE */
 
 #ifdef CONFIG_X86_KPTI
@@ -91,6 +90,9 @@ extern uint8_t x86_cpu_loapics[];	/* CPU logical ID -> local APIC ID */
 			(uintptr_t)name + size * (i + 1) - 1 *					\
 			sizeof(arch_thread_hw_shadow_stack_t)
 
+#define X86_EXCEPTION_SHADOW_STACK_SIZE \
+	K_THREAD_HW_SHADOW_STACK_SIZE(CONFIG_X86_EXCEPTION_STACK_SIZE)
+
 #define X86_IRQ_SHADOW_STACK_DEFINE(name, size)							\
 	arch_thread_hw_shadow_stack_t Z_GENERIC_SECTION(.x86shadowstack)			\
 	__aligned(CONFIG_X86_CET_SHADOW_STACK_ALIGNMENT)					\
@@ -100,24 +102,24 @@ extern uint8_t x86_cpu_loapics[];	/* CPU logical ID -> local APIC ID */
 		}
 
 #define X86_INTERRUPT_SHADOW_STACK_DEFINE(n)							\
-	X86_IRQ_SHADOW_STACK_DEFINE(z_x86_irq_shadow_stack##n,					\
-				     CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE);			\
 	X86_IRQ_SHADOW_STACK_DEFINE(z_x86_nmi_shadow_stack##n,					\
-				     CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE);			\
+				     X86_EXCEPTION_SHADOW_STACK_SIZE);				\
 	X86_IRQ_SHADOW_STACK_DEFINE(z_x86_exception_shadow_stack##n,				\
-				     CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE)
+				     X86_EXCEPTION_SHADOW_STACK_SIZE)
 
-#define SHSTK_LAST_ENTRY (CONFIG_X86_CET_IRQ_SHADOW_STACK_SIZE *				\
+#define SHSTK_LAST_ENTRY (X86_EXCEPTION_SHADOW_STACK_SIZE *					\
 			  CONFIG_ISR_DEPTH / sizeof(arch_thread_hw_shadow_stack_t) - 1)
 
+#define IRQ_SHSTK_LAST_ENTRY sizeof(__z_interrupt_stacks_shstk_arr[0]) /			\
+	sizeof(arch_thread_hw_shadow_stack_t) - 1
+
 #define X86_INTERRUPT_SSP_TABLE_INIT(n, _)							\
 	{											\
-		.ist1 = (uintptr_t)&z_x86_irq_shadow_stack##n[SHSTK_LAST_ENTRY],		\
+		.ist1 = (uintptr_t)&__z_interrupt_stacks_shstk_arr[n][IRQ_SHSTK_LAST_ENTRY],	\
 		.ist6 = (uintptr_t)&z_x86_nmi_shadow_stack##n[SHSTK_LAST_ENTRY],		\
 		.ist7 = (uintptr_t)&z_x86_exception_shadow_stack##n[SHSTK_LAST_ENTRY],	\
 	}
 
-
 #define STACK_ARRAY_IDX(n, _) n
 
 #define DEFINE_STACK_ARRAY_IDX\