From: Dave Martin <Dave.Martin@arm.com>
To: Boyan Karatotev <boyan.karatotev@arm.com>
Cc: Shuah Khan <shuah@kernel.org>,
boian4o1@gmail.com, Catalin Marinas <catalin.marinas@arm.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
amit.kachhap@arm.com, vincenzo.frascino@arm.com,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2 3/4] kselftests/arm64: add PAuth test for whether exec() changes keys
Date: Mon, 7 Sep 2020 11:35:16 +0100 [thread overview]
Message-ID: <20200907103516.GO6642@arm.com> (raw)
In-Reply-To: <926691e4-1990-207e-bcb9-40ab6d3b0fa0@arm.com>
On Thu, Sep 03, 2020 at 11:48:37AM +0100, Boyan Karatotev wrote:
> On 02/09/2020 18:08, Dave Martin wrote:
> > On Mon, Aug 31, 2020 at 12:04:49PM +0100, Boyan Karatotev wrote:
> >> +/*
> >> + * fork() does not change keys. Only exec() does so call a worker program.
> >> + * Its only job is to sign a value and report back the resutls
> >> + */
> >> +TEST(exec_unique_keys)
> >> +{
> >
> > The kernel doesn't guarantee that keys are unique.
> >
> > Can we present all the "unique keys" wording differently, say
> >
> > exec_key_collision_likely()
>
> I agree that this test's name is a bit out of place. I would rather have
> it named "exec_changed_keys" though.
>
> > Otherwise people might infer from this test code that the keys are
> > supposed to be truly unique and start reporting bugs on the kernel.
> >
> > I can't see an obvious security argument for unique keys (rather, the
> > keys just need to be "unique enough". That's the job of
> > get_random_bytes().)
>
> The "exec_unique_keys" test only checks that the keys changed after an
> exec() which I think the name change would reflect.
>
> The thing with the "single_thread_unique_keys" test is that the kernel
> says the the keys will be random. Yes, there is no uniqueness guarantee
> but I'm not sure how to phrase it differently. There is some minuscule
> chance that the keys end up the same, but for this test I pretend this
> will not happen. Would changing up the comments and the failure message
> communicate this? Maybe substitute "unique" for "different" and say how
> many keys clashed?
Yes, something like that seems reasonable.
Cheers
---Dave
WARNING: multiple messages have this Message-ID (diff)
From: Dave Martin <Dave.Martin@arm.com>
To: Boyan Karatotev <boyan.karatotev@arm.com>
Cc: Will Deacon <will@kernel.org>,
boian4o1@gmail.com, Catalin Marinas <catalin.marinas@arm.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
amit.kachhap@arm.com, vincenzo.frascino@arm.com,
Shuah Khan <shuah@kernel.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2 3/4] kselftests/arm64: add PAuth test for whether exec() changes keys
Date: Mon, 7 Sep 2020 11:35:16 +0100 [thread overview]
Message-ID: <20200907103516.GO6642@arm.com> (raw)
In-Reply-To: <926691e4-1990-207e-bcb9-40ab6d3b0fa0@arm.com>
On Thu, Sep 03, 2020 at 11:48:37AM +0100, Boyan Karatotev wrote:
> On 02/09/2020 18:08, Dave Martin wrote:
> > On Mon, Aug 31, 2020 at 12:04:49PM +0100, Boyan Karatotev wrote:
> >> +/*
> >> + * fork() does not change keys. Only exec() does so call a worker program.
> >> + * Its only job is to sign a value and report back the resutls
> >> + */
> >> +TEST(exec_unique_keys)
> >> +{
> >
> > The kernel doesn't guarantee that keys are unique.
> >
> > Can we present all the "unique keys" wording differently, say
> >
> > exec_key_collision_likely()
>
> I agree that this test's name is a bit out of place. I would rather have
> it named "exec_changed_keys" though.
>
> > Otherwise people might infer from this test code that the keys are
> > supposed to be truly unique and start reporting bugs on the kernel.
> >
> > I can't see an obvious security argument for unique keys (rather, the
> > keys just need to be "unique enough". That's the job of
> > get_random_bytes().)
>
> The "exec_unique_keys" test only checks that the keys changed after an
> exec() which I think the name change would reflect.
>
> The thing with the "single_thread_unique_keys" test is that the kernel
> says the the keys will be random. Yes, there is no uniqueness guarantee
> but I'm not sure how to phrase it differently. There is some minuscule
> chance that the keys end up the same, but for this test I pretend this
> will not happen. Would changing up the comments and the failure message
> communicate this? Maybe substitute "unique" for "different" and say how
> many keys clashed?
Yes, something like that seems reasonable.
Cheers
---Dave
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-09-07 10:35 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-31 11:04 [PATCH v2 0/4] kselftests/arm64: add PAuth tests Boyan Karatotev
2020-08-31 11:04 ` Boyan Karatotev
2020-08-31 11:04 ` [PATCH v2 1/4] kselftests/arm64: add a basic Pointer Authentication test Boyan Karatotev
2020-08-31 11:04 ` Boyan Karatotev
2020-09-16 12:11 ` Amit Kachhap
2020-09-16 12:11 ` Amit Kachhap
2020-09-17 13:38 ` Boyan Karatotev
2020-09-17 13:38 ` Boyan Karatotev
2020-08-31 11:04 ` [PATCH v2 2/4] kselftests/arm64: add nop checks for PAuth tests Boyan Karatotev
2020-08-31 11:04 ` Boyan Karatotev
2020-08-31 11:04 ` [PATCH v2 3/4] kselftests/arm64: add PAuth test for whether exec() changes keys Boyan Karatotev
2020-08-31 11:04 ` Boyan Karatotev
2020-09-02 17:08 ` Dave Martin
2020-09-02 17:08 ` Dave Martin
2020-09-03 10:48 ` Boyan Karatotev
2020-09-03 10:48 ` Boyan Karatotev
2020-09-07 10:35 ` Dave Martin [this message]
2020-09-07 10:35 ` Dave Martin
2020-08-31 11:04 ` [PATCH v2 4/4] kselftests/arm64: add PAuth tests for single threaded consistency and key uniqueness Boyan Karatotev
2020-08-31 11:04 ` Boyan Karatotev
2020-08-31 21:04 ` [PATCH v2 0/4] kselftests/arm64: add PAuth tests Shuah Khan
2020-08-31 21:04 ` Shuah Khan
2020-09-11 18:15 ` Will Deacon
2020-09-11 18:15 ` Will Deacon
2020-09-14 12:24 ` Vincenzo Frascino
2020-09-14 12:24 ` Vincenzo Frascino
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200907103516.GO6642@arm.com \
--to=dave.martin@arm.com \
--cc=amit.kachhap@arm.com \
--cc=boian4o1@gmail.com \
--cc=boyan.karatotev@arm.com \
--cc=catalin.marinas@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.