Re: [RFC 0/9] ARMv8.3 pointer authentication userspace support

[Adam Wallis <awallis@codeaurora.org>]

On 4/3/2017 11:19 AM, Mark Rutland wrote:
> This series adds support for the ARMv8.3 pointer authentication extension.
> 
> I've included a quick intro to the extension below, with the usual series
> description below that. The final patch of the series adds additional
> documentation regarding the extension.
> 
> I've based the series on the arm64 for-next/core branch [1]. I'm aware that
> this series may conflict with other patches currently in flight (e.g.
> allocation of ELF notes), and I intend to rebase this series as things settle.
> 
> I've pushed the series to the arm64/pointer-auth branch [2] of my linux tree.
> I've also pushed out a necessary bootwrapper patch to the pointer-auth branch
> [3] of my bootwrapper repo.
> 
> 
> Extension Overview 
> ==================
> 
> The ARMv8.3 pointer authentication extension adds functionality to detect
> modification of pointer values, mitigating certain classes of attack such as
> stack smashing, and making return oriented programming attacks harder
> 
> The extension introduces the concept of a pointer authentication code (PAC),
> which is stored in some upper bits of pointers. Each PAC is derived from the
> original pointer, another 64-bit value (e.g. the stack pointer), and a secret
> 128-bit key.
> 
> New instructions are added which can be used to:
> 
> * Insert a PAC into a pointer
> * Strip a PAC from a pointer
> * Authenticate strip a PAC from a pointer
> 
> If authentication succeeds, the code is removed, yielding the original pointer.
> If authentication fails, bits are set in the pointer such that it is guaranteed
> to cause a fault if used.
> 
> These instructions can make use of four keys:
> 
> * APIAKey (A.K.A. Instruction A key)
> * APIBKey (A.K.A. Instruction B key)
> * APDAKey (A.K.A. Data A key)
> * APDBKey (A.K.A. Data B Key)
> 
> A subset of these instruction encodings have been allocated from the HINT
> space, and will operate as NOPs on any ARMv8 parts which do not feature the
> extension (or if purposefully disabled by the kernel). Software using only this
> subset of the instructions should function correctly on all ARMv8-A parts.
> 
> Additionally, instructions are added to authenticate small blocks of memory in
> similar fashion, using APGAKey (A.K.A. Generic key).
> 
> 
> This Series
> ===========
> 
> This series enables the use of instructions using APIAKey, which is initialised
> and maintained per-process (shared by all threads). This series does not add
> support for APIBKey, APDAKey, APDBKey, nor APGAKey. The series only supports
> the use of an architected algorithm.
> 
> I've given this some basic testing with a homebrew test suite. More ideally,
> we'd add some tests to the kernel source tree.
> 
> I've added some basic KVM support, but this doesn't cater for systems with
> mismatched support. Looking forward, we'll need ID register emulation in KVM so
> that we can hide features from guests to cater for cases like this.
> 
> There are also a few questions to consider, e.g:
> 
> * Should we expose a per-process data key now, to go with the insn key?
> * Should keys be per-thread rather than per-process?
> * Should we expose generic authentication (i.e. APGAKey)?
> * Should the kernel remove PACs when unwinding user stacks?
> 
> Thanks,
> Mark.
> 
> [1] git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core
> [2] git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git arm64/pointer-auth
> [3] git://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git pointer-auth
> 
> Mark Rutland (9):
>   asm-generic: mm_hooks: allow hooks to be overridden individually
>   arm64: add pointer authentication register bits
>   arm64/cpufeature: add ARMv8.3 id_aa64isar1 bits
>   arm64/cpufeature: detect pointer authentication
>   arm64: Don't trap host pointer auth use to EL2
>   arm64: add basic pointer authentication support
>   arm64: expose PAC bit positions via ptrace
>   arm64/kvm: context-switch PAC registers
>   arm64: docs: document pointer authentication
> 
>  Documentation/arm64/booting.txt                |  8 +++
>  Documentation/arm64/pointer-authentication.txt | 78 +++++++++++++++++++++
>  arch/arm64/Kconfig                             | 23 ++++++
>  arch/arm64/include/asm/cpucaps.h               |  4 +-
>  arch/arm64/include/asm/esr.h                   |  3 +-
>  arch/arm64/include/asm/kvm_arm.h               |  2 +
>  arch/arm64/include/asm/kvm_emulate.h           | 15 ++++
>  arch/arm64/include/asm/kvm_host.h              | 12 ++++
>  arch/arm64/include/asm/mmu.h                   |  5 ++
>  arch/arm64/include/asm/mmu_context.h           | 25 ++++++-
>  arch/arm64/include/asm/pointer_auth.h          | 96 ++++++++++++++++++++++++++
>  arch/arm64/include/asm/sysreg.h                | 30 ++++++++
>  arch/arm64/include/uapi/asm/hwcap.h            |  1 +
>  arch/arm64/include/uapi/asm/ptrace.h           |  5 ++
>  arch/arm64/kernel/cpufeature.c                 | 39 ++++++++++-
>  arch/arm64/kernel/cpuinfo.c                    |  1 +
>  arch/arm64/kernel/head.S                       | 19 ++++-
>  arch/arm64/kernel/ptrace.c                     | 39 +++++++++++
>  arch/arm64/kvm/hyp/sysreg-sr.c                 | 43 ++++++++++++
>  include/asm-generic/mm_hooks.h                 | 12 ++++
>  include/uapi/linux/elf.h                       |  1 +
>  21 files changed, 454 insertions(+), 7 deletions(-)
>  create mode 100644 Documentation/arm64/pointer-authentication.txt
>  create mode 100644 arch/arm64/include/asm/pointer_auth.h
> 

Tested on Qualcomm platform with ARMV8 architecture (without 8.3 extensions) for
backwards compatibility (meaning I did not pass -march=armv8.3-a to GCC; only
-msign-return-address=all). The HINT PACIASP/AUTIASP caused no issues and no
other issues were encountered. Will test again once a platform is available with
8.3-a extensions.

Thanks

-- 
Adam Wallis
Qualcomm Datacenter Technologies as an affiliate of Qualcomm Technologies, Inc.
Qualcomm Technologies, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.