From: Kees Cook <keescook@chromium.org>
To: Kristina Martsenko <kristina.martsenko@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>,
Amit Kachhap <Amit.Kachhap@arm.com>,
Dave Martin <Dave.Martin@arm.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC v2 4/7] arm64: enable ptrauth earlier
Date: Wed, 29 May 2019 20:11:57 -0700 [thread overview]
Message-ID: <201905292010.8C66149@keescook> (raw)
In-Reply-To: <20190529190332.29753-5-kristina.martsenko@arm.com>
On Wed, May 29, 2019 at 08:03:29PM +0100, Kristina Martsenko wrote:
> When the kernel is compiled with pointer auth instructions, the boot CPU
> needs to start using address auth very early, so change the cpucap to
> account for this.
>
> A function that enables pointer auth cannot return, so compile such
> functions without pointer auth (using a compiler function attribute).
> The __no_ptrauth macro will be defined to the required function
> attribute in a later patch.
>
> Do not use the cpu_enable callback, to avoid compiling the whole
> callchain down to cpu_enable without pointer auth.
>
> Note the change in behavior: if the boot CPU has address auth and a late
> CPU does not, then we offline the late CPU. Until now we would have just
> disabled address auth in this case.
>
> Leave generic authentication as a "system scope" cpucap for now, since
> initially the kernel will only use address authentication.
>
> Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
This feels a little out of order to define the empty __no_ptrauth here.
The only better option I can think of is to split the compiler flag
patch in half to introduce the __no_ptrauth flag in full, on its own.
Either way:
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
> ---
>
> Changes since RFC v1:
> - Enable instructions for all 5 keys
> - Replaced __always_inline with __no_ptrauth as it turns out __always_inline
> is only a hint (and could therefore result in crashes)
> - Left the __no_ptrauth definition blank for now as it needs to be determined
> with more complex logic in a later patch
> - Updated the Kconfig symbol description
> - Minor cleanups
> - Updated the commit message
>
> arch/arm64/Kconfig | 4 ++++
> arch/arm64/include/asm/cpufeature.h | 9 +++++++++
> arch/arm64/include/asm/pointer_auth.h | 19 +++++++++++++++++++
> arch/arm64/kernel/cpufeature.c | 13 +++----------
> arch/arm64/kernel/smp.c | 7 ++++++-
> 5 files changed, 41 insertions(+), 11 deletions(-)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 7e34b9eba5de..f4c1e9b30129 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1304,6 +1304,10 @@ config ARM64_PTR_AUTH
> hardware it will not be advertised to userspace nor will it be
> enabled.
>
> + If the feature is present on the primary CPU but not a secondary CPU,
> + then the secondary CPU will be offlined. On such a system, this
> + option should not be selected.
> +
> endmenu
>
> config ARM64_SVE
> diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
> index ad952f2e0a2b..e36a7948b763 100644
> --- a/arch/arm64/include/asm/cpufeature.h
> +++ b/arch/arm64/include/asm/cpufeature.h
> @@ -299,6 +299,15 @@ extern struct arm64_ftr_reg arm64_ftr_reg_ctrel0;
> #define ARM64_CPUCAP_STRICT_BOOT_CPU_FEATURE \
> (ARM64_CPUCAP_SCOPE_BOOT_CPU | ARM64_CPUCAP_PANIC_ON_CONFLICT)
>
> +/*
> + * CPU feature used early in the boot based on the boot CPU. It is safe for a
> + * late CPU to have this feature even though the boot CPU hasn't enabled it,
> + * although the feature will not be used by Linux in this case. If the boot CPU
> + * has enabled this feature already, then every late CPU must have it.
> + */
> +#define ARM64_CPUCAP_BOOT_CPU_FEATURE \
> + (ARM64_CPUCAP_SCOPE_BOOT_CPU | ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU)
> +
> struct arm64_cpu_capabilities {
> const char *desc;
> u16 capability;
> diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h
> index fc8dc70cc19f..a97b7dc10bdb 100644
> --- a/arch/arm64/include/asm/pointer_auth.h
> +++ b/arch/arm64/include/asm/pointer_auth.h
> @@ -11,6 +11,13 @@
>
> #ifdef CONFIG_ARM64_PTR_AUTH
> /*
> + * Compile the function without pointer authentication instructions. This
> + * allows pointer authentication to be enabled/disabled within the function
> + * (but leaves the function unprotected by pointer authentication).
> + */
> +#define __no_ptrauth
> +
> +/*
> * Each key is a 128-bit quantity which is split across a pair of 64-bit
> * registers (Lo and Hi).
> */
> @@ -50,6 +57,16 @@ do { \
> write_sysreg_s(__pki_v.hi, SYS_ ## k ## KEYHI_EL1); \
> } while (0)
>
> +static inline void __no_ptrauth ptrauth_cpu_enable(void)
> +{
> + if (!system_supports_address_auth())
> + return;
> +
> + sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ENIA | SCTLR_ELx_ENIB |
> + SCTLR_ELx_ENDA | SCTLR_ELx_ENDB);
> + isb();
> +}
> +
> extern int ptrauth_prctl_reset_keys(struct task_struct *tsk, unsigned long arg);
>
> /*
> @@ -68,6 +85,8 @@ static inline unsigned long ptrauth_strip_insn_pac(unsigned long ptr)
> ptrauth_keys_init(&(tsk)->thread.keys_user)
>
> #else /* CONFIG_ARM64_PTR_AUTH */
> +#define __no_ptrauth
> +#define ptrauth_cpu_enable(tsk)
> #define ptrauth_prctl_reset_keys(tsk, arg) (-EINVAL)
> #define ptrauth_strip_insn_pac(lr) (lr)
> #define ptrauth_thread_init_user(tsk)
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 8a595b4cb0aa..2cf042ebb237 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -1200,12 +1200,6 @@ static void cpu_clear_disr(const struct arm64_cpu_capabilities *__unused)
> #endif /* CONFIG_ARM64_RAS_EXTN */
>
> #ifdef CONFIG_ARM64_PTR_AUTH
> -static void cpu_enable_address_auth(struct arm64_cpu_capabilities const *cap)
> -{
> - sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ENIA | SCTLR_ELx_ENIB |
> - SCTLR_ELx_ENDA | SCTLR_ELx_ENDB);
> -}
> -
> static bool has_address_auth(const struct arm64_cpu_capabilities *entry,
> int __unused)
> {
> @@ -1474,7 +1468,7 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
> {
> .desc = "Address authentication (architected algorithm)",
> .capability = ARM64_HAS_ADDRESS_AUTH_ARCH,
> - .type = ARM64_CPUCAP_SYSTEM_FEATURE,
> + .type = ARM64_CPUCAP_BOOT_CPU_FEATURE,
> .sys_reg = SYS_ID_AA64ISAR1_EL1,
> .sign = FTR_UNSIGNED,
> .field_pos = ID_AA64ISAR1_APA_SHIFT,
> @@ -1484,7 +1478,7 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
> {
> .desc = "Address authentication (IMP DEF algorithm)",
> .capability = ARM64_HAS_ADDRESS_AUTH_IMP_DEF,
> - .type = ARM64_CPUCAP_SYSTEM_FEATURE,
> + .type = ARM64_CPUCAP_BOOT_CPU_FEATURE,
> .sys_reg = SYS_ID_AA64ISAR1_EL1,
> .sign = FTR_UNSIGNED,
> .field_pos = ID_AA64ISAR1_API_SHIFT,
> @@ -1493,9 +1487,8 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
> },
> {
> .capability = ARM64_HAS_ADDRESS_AUTH,
> - .type = ARM64_CPUCAP_SYSTEM_FEATURE,
> + .type = ARM64_CPUCAP_BOOT_CPU_FEATURE,
> .matches = has_address_auth,
> - .cpu_enable = cpu_enable_address_auth,
> },
> {
> .desc = "Generic authentication (architected algorithm)",
> diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
> index 824de7038967..eca6aa05ac66 100644
> --- a/arch/arm64/kernel/smp.c
> +++ b/arch/arm64/kernel/smp.c
> @@ -54,6 +54,7 @@
> #include <asm/numa.h>
> #include <asm/pgtable.h>
> #include <asm/pgalloc.h>
> +#include <asm/pointer_auth.h>
> #include <asm/processor.h>
> #include <asm/smp_plat.h>
> #include <asm/sections.h>
> @@ -238,6 +239,8 @@ asmlinkage notrace void secondary_start_kernel(void)
> */
> check_local_cpu_capabilities();
>
> + ptrauth_cpu_enable();
> +
> if (cpu_ops[cpu]->cpu_postboot)
> cpu_ops[cpu]->cpu_postboot();
>
> @@ -432,7 +435,7 @@ void __init smp_cpus_done(unsigned int max_cpus)
> mark_linear_text_alias_ro();
> }
>
> -void __init smp_prepare_boot_cpu(void)
> +void __init __no_ptrauth smp_prepare_boot_cpu(void)
> {
> set_my_cpu_offset(per_cpu_offset(smp_processor_id()));
> /*
> @@ -452,6 +455,8 @@ void __init smp_prepare_boot_cpu(void)
> /* Conditionally switch to GIC PMR for interrupt masking */
> if (system_uses_irq_prio_masking())
> init_gic_priority_masking();
> +
> + ptrauth_cpu_enable();
> }
>
> static u64 __init of_get_cpu_mpidr(struct device_node *dn)
> --
> 2.11.0
>
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-05-30 3:12 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-29 19:03 [RFC v2 0/7] arm64: return address signing Kristina Martsenko
2019-05-29 19:03 ` [RFC v2 1/7] arm64: cpufeature: add pointer auth meta-capabilities Kristina Martsenko
2019-05-30 1:58 ` Kees Cook
2019-05-30 10:50 ` Suzuki K Poulose
2019-06-13 16:13 ` Suzuki K Poulose
2019-05-29 19:03 ` [RFC v2 2/7] arm64: install user ptrauth keys at kernel exit time Kristina Martsenko
2019-05-30 2:04 ` Kees Cook
2019-06-06 16:26 ` Catalin Marinas
2019-05-29 19:03 ` [RFC v2 3/7] arm64: cpufeature: handle conflicts based on capability Kristina Martsenko
2019-05-30 2:49 ` Kees Cook
2019-05-30 14:16 ` Suzuki K Poulose
2019-05-31 14:00 ` Kristina Martsenko
2019-05-31 15:08 ` Suzuki K Poulose
2019-05-29 19:03 ` [RFC v2 4/7] arm64: enable ptrauth earlier Kristina Martsenko
2019-05-30 3:11 ` Kees Cook [this message]
2019-06-13 15:41 ` Suzuki K Poulose
2019-05-29 19:03 ` [RFC v2 5/7] arm64: initialize and switch ptrauth kernel keys Kristina Martsenko
2019-05-30 3:34 ` Kees Cook
2019-05-30 16:26 ` Kristina Martsenko
2019-06-04 10:03 ` Dave Martin
2019-06-06 16:44 ` Catalin Marinas
2019-06-12 16:21 ` Kristina Martsenko
2019-06-13 10:44 ` Catalin Marinas
2019-05-29 19:03 ` [RFC v2 6/7] arm64: unwind: strip PAC from kernel addresses Kristina Martsenko
2019-05-30 3:36 ` Kees Cook
2019-05-29 19:03 ` [RFC v2 7/7] arm64: compile the kernel with ptrauth return address signing Kristina Martsenko
2019-05-30 3:45 ` Kees Cook
2019-05-30 3:09 ` [RFC v2 0/7] arm64: " Kees Cook
2019-05-30 7:25 ` Will Deacon
2019-05-30 8:39 ` Ard Biesheuvel
2019-05-30 9:11 ` Ramana Radhakrishnan
2019-05-30 9:12 ` Ramana Radhakrishnan
2019-06-06 17:44 ` Kristina Martsenko
2019-06-08 4:09 ` Kees Cook
[not found] ` <DB7PR08MB3865C4AA36C9C465B2A687DABF180@DB7PR08MB3865.eurprd08.prod.outlook.com>
2019-05-30 15:57 ` Kees Cook
[not found] ` <DB7PR08MB3865A83066179CE419D171EDBF180@DB7PR08MB3865.eurprd08.prod.outlook.com>
2019-05-30 18:05 ` Kees Cook
2019-05-31 9:22 ` Will Deacon
2019-06-02 15:43 ` Kees Cook
2019-06-03 10:40 ` Will Deacon
2019-06-04 13:52 ` Luke Cheeseman
2019-06-06 17:43 ` Kristina Martsenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201905292010.8C66149@keescook \
--to=keescook@chromium.org \
--cc=Amit.Kachhap@arm.com \
--cc=Dave.Martin@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=kristina.martsenko@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=ramana.radhakrishnan@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.