From: Kees Cook <keescook@chromium.org>
To: Luke Cheeseman <Luke.Cheeseman2@arm.com>
Cc: Mark Rutland <Mark.Rutland@arm.com>,
Diogo Sampaio <Diogo.Sampaio@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Catalin Marinas <Catalin.Marinas@arm.com>,
Luke Cheeseman <luke.cheeseman@arm.com>,
Will Deacon <Will.Deacon@arm.com>,
Kristina Martsenko <Kristina.Martsenko@arm.com>,
Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
Amit Kachhap <Amit.Kachhap@arm.com>,
Suzuki Poulose <Suzuki.Poulose@arm.com>,
Dave P Martin <Dave.Martin@arm.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: [RFC v2 0/7] arm64: return address signing
Date: Thu, 30 May 2019 08:57:57 -0700 [thread overview]
Message-ID: <201905300851.4A68705B0@keescook> (raw)
In-Reply-To: <DB7PR08MB3865C4AA36C9C465B2A687DABF180@DB7PR08MB3865.eurprd08.prod.outlook.com>
On Thu, May 30, 2019 at 10:33:33AM +0000, Luke Cheeseman wrote:
> > Luke, is this expected to work Clang currently?
>
>
> Do you mean something like the following to control signing of each function?
>
>
> int __attribute__ ((target ("sign-return-address=all"))) foo(void) {
> return 42;
> }
Well, yes, though, in this usage, the goal is to disable it for specific
functions:
int __attribute__((target("branch-protection=none"))) early_func(void)
{
/* set up branch protection registers */
}
> Clang doesn't currently support any function attribute to control
> function signing to this level of granularity. We haven't added it and
> don't have a plan to do so at the moment.
What's needed to accomplish this? It looks to be a blocker for getting
PAC working on Android kernels.
-Kees
>
>
> Thanks,
>
> Luke
>
>
> ________________________________
> From: Kees Cook <keescook@chromium.org>
> Sent: 30 May 2019 04:09:23
> To: Kristina Martsenko
> Cc: Luke Cheeseman; Diogo Sampaio; linux-arm-kernel@lists.infradead.org; Amit Kachhap; Ard Biesheuvel; Catalin Marinas; Dave P Martin; Mark Rutland; Ramana Radhakrishnan; Suzuki Poulose; Will Deacon
> Subject: Re: [RFC v2 0/7] arm64: return address signing
>
> On Wed, May 29, 2019 at 08:03:25PM +0100, Kristina Martsenko wrote:
> > This series improves function return address protection for the arm64 kernel, by
> > compiling the kernel with ARMv8.3 Pointer Authentication instructions. This
> > should help protect the kernel against attacks using return-oriented
> > programming.
>
> Can you speak to whether this feature should be enalbed in addition to
> or instead of the standard stack canary option?
>
> > - The patches make use of the sign-return-address/branch-protection compiler
> > options and function attributes. GCC supports both, but Clang/LLVM appears
> > to only support the compiler option, not the function attribute, so with
> > these patches (and CONFIG_ARM64_PTR_AUTH=y) an LLVM-built kernel will fail
> > to boot on ARMv8.3 CPUs. I don't yet know why LLVM does not support it, or
> > whether support can be added. This series may need to be rewritten to not
> > use the attribute, and instead move the functionality to assembly, or to
> > disable return address signing when building with LLVM.
>
> I've added Luke Cheeseman and Diogo N. Sampaio to CC. In looking quickly
> at the LLVM support for branch-protection, I think it's just missing the
> attribute target glue needed to "notice" the attribute markings. Luke,
> is this expected to work Clang currently? I'm not familiar yet with
> how attributes get wired up, but I think it should be quite possible.
>
> > - more testing
>
> Is PAC emulated in QEmu yet? (I assume I can't get real hardware to help
> test this yet...)
>
> --
> Kees Cook
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-05-30 15:58 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-29 19:03 [RFC v2 0/7] arm64: return address signing Kristina Martsenko
2019-05-29 19:03 ` [RFC v2 1/7] arm64: cpufeature: add pointer auth meta-capabilities Kristina Martsenko
2019-05-30 1:58 ` Kees Cook
2019-05-30 10:50 ` Suzuki K Poulose
2019-06-13 16:13 ` Suzuki K Poulose
2019-05-29 19:03 ` [RFC v2 2/7] arm64: install user ptrauth keys at kernel exit time Kristina Martsenko
2019-05-30 2:04 ` Kees Cook
2019-06-06 16:26 ` Catalin Marinas
2019-05-29 19:03 ` [RFC v2 3/7] arm64: cpufeature: handle conflicts based on capability Kristina Martsenko
2019-05-30 2:49 ` Kees Cook
2019-05-30 14:16 ` Suzuki K Poulose
2019-05-31 14:00 ` Kristina Martsenko
2019-05-31 15:08 ` Suzuki K Poulose
2019-05-29 19:03 ` [RFC v2 4/7] arm64: enable ptrauth earlier Kristina Martsenko
2019-05-30 3:11 ` Kees Cook
2019-06-13 15:41 ` Suzuki K Poulose
2019-05-29 19:03 ` [RFC v2 5/7] arm64: initialize and switch ptrauth kernel keys Kristina Martsenko
2019-05-30 3:34 ` Kees Cook
2019-05-30 16:26 ` Kristina Martsenko
2019-06-04 10:03 ` Dave Martin
2019-06-06 16:44 ` Catalin Marinas
2019-06-12 16:21 ` Kristina Martsenko
2019-06-13 10:44 ` Catalin Marinas
2019-05-29 19:03 ` [RFC v2 6/7] arm64: unwind: strip PAC from kernel addresses Kristina Martsenko
2019-05-30 3:36 ` Kees Cook
2019-05-29 19:03 ` [RFC v2 7/7] arm64: compile the kernel with ptrauth return address signing Kristina Martsenko
2019-05-30 3:45 ` Kees Cook
2019-05-30 3:09 ` [RFC v2 0/7] arm64: " Kees Cook
2019-05-30 7:25 ` Will Deacon
2019-05-30 8:39 ` Ard Biesheuvel
2019-05-30 9:11 ` Ramana Radhakrishnan
2019-05-30 9:12 ` Ramana Radhakrishnan
2019-06-06 17:44 ` Kristina Martsenko
2019-06-08 4:09 ` Kees Cook
[not found] ` <DB7PR08MB3865C4AA36C9C465B2A687DABF180@DB7PR08MB3865.eurprd08.prod.outlook.com>
2019-05-30 15:57 ` Kees Cook [this message]
[not found] ` <DB7PR08MB3865A83066179CE419D171EDBF180@DB7PR08MB3865.eurprd08.prod.outlook.com>
2019-05-30 18:05 ` Kees Cook
2019-05-31 9:22 ` Will Deacon
2019-06-02 15:43 ` Kees Cook
2019-06-03 10:40 ` Will Deacon
2019-06-04 13:52 ` Luke Cheeseman
2019-06-06 17:43 ` Kristina Martsenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201905300851.4A68705B0@keescook \
--to=keescook@chromium.org \
--cc=Amit.Kachhap@arm.com \
--cc=Catalin.Marinas@arm.com \
--cc=Dave.Martin@arm.com \
--cc=Diogo.Sampaio@arm.com \
--cc=Kristina.Martsenko@arm.com \
--cc=Luke.Cheeseman2@arm.com \
--cc=Mark.Rutland@arm.com \
--cc=Ramana.Radhakrishnan@arm.com \
--cc=Suzuki.Poulose@arm.com \
--cc=Will.Deacon@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=luke.cheeseman@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).