From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dave Martin Subject: [PATCH v2 5/6] prctl.2: Add PR_PAC_RESET_KEYS (arm64) Date: Wed, 27 May 2020 22:17:37 +0100 Message-ID: <1590614258-24728-6-git-send-email-Dave.Martin@arm.com> References: <1590614258-24728-1-git-send-email-Dave.Martin@arm.com> Return-path: Received: from foss.arm.com ([217.140.110.172]:44800 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726114AbgE0VSb (ORCPT ); Wed, 27 May 2020 17:18:31 -0400 In-Reply-To: <1590614258-24728-1-git-send-email-Dave.Martin@arm.com> Sender: linux-arch-owner@vger.kernel.org List-ID: To: Michael Kerrisk Cc: linux-man@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Will Deacon , Catalin Marinas , Amit Daniel Kachhap , Mark Rutland Add documentation for the PR_PAC_RESET_KEYS ioctl added in Linux 5.0 for arm64. Signed-off-by: Dave Martin Cc: Will Deacon Cc: Catalin Marinas Cc: Amit Daniel Kachhap Cc: Mark Rutland --- Since v1: * Clarify explicitly that PR_PAC_RESET_KEYS is redundant when combined with execve(). * Move error condition details into the prctl description, to avoid excessive duplication while keeping keeping related pieces of text closer together. * In lieu of having a separate man page to cross reference for detailed guidance, cross-reference the kernel documentation. * Add safety warning. This is deliberately vague, pending ongoing discussions with libc folks. --- man2/prctl.2 | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/man2/prctl.2 b/man2/prctl.2 index 91df7c8..3ee2702 100644 --- a/man2/prctl.2 +++ b/man2/prctl.2 @@ -950,6 +950,77 @@ behavior. A value of 1 indicates .BR execve (2) will operate in the privilege-restricting mode described above. +.\" prctl PR_PAC_RESET_KEYS +.\" commit ba830885656414101b2f8ca88786524d4bb5e8c1 +.TP +.BR PR_PAC_RESET_KEYS " (since Linux 5.0, only on arm64)" +Securely reset the thread's pointer authentication keys +to fresh random values generated by the kernel. +.IP +The set of keys to be reset is specified by +.IR arg2 , +which must be a logical OR of zero or more of the following: +.RS +.TP +.B PR_PAC_APIAKEY +instruction authentication key A +.TP +.B PR_PAC_APIBKEY +instruction authentication key B +.TP +.B PR_PAC_APDAKEY +data authentication key A +.TP +.B PR_PAC_APDBKEY +data authentication key B +.TP +.B PR_PAC_APGAKEY +generic authentication \(lqA\(rq key. +.IP +(Yes folks, there really is no generic B key.) +.RE +.IP +As a special case, if +.I arg2 +is zero then all the keys are reset. +Since new keys could be added in future, +this is the recommended way to completely wipe the existing keys +when establishing a clean execution context. +Note that there is no need to use +.BR PR_PAC_RESET_KEYS +in preparation for calling +.BR execve (2), +since +.BR execve (2) +resets all the pointer authentication keys. +.IP +The remaining arguments +.IR arg3 ", " arg4 " and " arg5 +must all be zero. +.IP +If the arguments are invalid, +and in particular if +.I arg2 +contains set bits that are unrecognized +or that correspond to a key not available on this platform, +the call fails with error +.BR EINVAL . +.IP +.B Warning: +Because the compiler or run-time environment +may be using some or all of the keys, +a successful +.IP +For more information, see the kernel source file +.I Documentation/arm64/pointer\-authentication.rst +.\"commit b693d0b372afb39432e1c49ad7b3454855bc6bed +(or +.I Documentation/arm64/pointer\-authentication.txt +before Linux 5.3). +.B PR_PAC_RESET_KEYS +may crash the calling process. +The conditions for using it safely are complex and system-dependent. +Don't use it unless you know what you are doing. .\" prctl PR_SET_PDEATHSIG .TP .BR PR_SET_PDEATHSIG " (since Linux 2.1.57)" @@ -1964,6 +2035,15 @@ are not 0. .B EINVAL .I option is +.B PR_PAC_RESET_KEYS +and the arguments are invalid or unsupported. +See the description of +.B PR_PAC_RESET_KEYS +above for details. +.TP +.B EINVAL +.I option +is .B PR_SVE_SET_VL and the arguments are invalid or unsupported, or SVE is not available on this platform. -- 2.1.4