From: Catalin Marinas <catalin.marinas@arm.com>
To: Mark Brown <broonie@kernel.org>
Cc: Mark Rutland <Mark.Rutland@arm.com>,
Kees Cook <keescook@chromium.org>,
Szabolcs Nagy <Szabolcs.Nagy@arm.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
Amit Kachhap <Amit.Kachhap@arm.com>,
Will Deacon <will@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH] arm64: Always force a branch protection mode when the compiler has one
Date: Wed, 1 Apr 2020 18:54:44 +0100 [thread overview]
Message-ID: <20200401175444.GF9434@mbp> (raw)
In-Reply-To: <20200331194459.54740-1-broonie@kernel.org>
On Tue, Mar 31, 2020 at 08:44:59PM +0100, Mark Brown wrote:
> Compilers with branch protection support can be configured to enable it by
> default, it is likely that distributions will do this as part of deploying
> branch protection system wide. As well as the slight overhead from having
> some extra NOPs for unused branch protection features this can cause more
> serious problems when the kernel is providing pointer authentication to
> userspace but not built for pointer authentication itself.
With 5.7 you won't be able to configure user and kernel PAC support
independently. So, I guess that's something only for prior kernel
versions.
> In that case our
> switching of keys for userspace can affect the kernel unexpectedly, causing
> pointer authentication instructions in the kernel to corrupt addresses.
>
> To ensure that we get consistent and reliable behaviour always explicitly
> initialise the branch protection mode, ensuring that the kernel is built
> the same way regardless of the compiler defaults.
>
> Fixes: 7503197562567 (arm64: add basic pointer authentication support)
> Reported-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
> Signed-off-by: Mark Brown <broonie@kernel.org>
> Cc: stable@vger.kernel.org
> ---
> arch/arm64/Kconfig | 4 ++++
> arch/arm64/Makefile | 7 ++++++-
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index d3efdc095a17..1e46746e8392 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1537,6 +1537,10 @@ config ARM64_PTR_AUTH
> This feature works with FUNCTION_GRAPH_TRACER option only if
> DYNAMIC_FTRACE_WITH_REGS is enabled.
>
> +config CC_HAS_BRANCH_PROT_NONE
> + # GCC 9 or later, clang 8 or later
> + def_bool $(cc-option,-mbranch-protection=none)
I don't think we need to bother with a Kconfig entry here. We did it for
the other options since CONFIG_ARM64_PTR_AUTH has a dependency on them.
> +
> config CC_HAS_BRANCH_PROT_PAC_RET
> # GCC 9 or later, clang 8 or later
> def_bool $(cc-option,-mbranch-protection=pac-ret+leaf)
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index f15f92ba53e6..370fca6663c8 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -65,6 +65,10 @@ stack_protector_prepare: prepare0
> include/generated/asm-offsets.h))
> endif
>
> +# Ensure that if the compiler supports branch protection we default it
> +# off, this will be overridden if we are using branch protection.
> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_NONE) := -mbranch-protection=none
And a $(call cc-option,-mbranch-protection=none) here.
branch-prot-flags-y is only introduced in 5.7, so backporting may look
slightly weirder.
> +
> ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
> branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
> branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
> @@ -73,9 +77,10 @@ branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pa
> # we pass it only to the assembler. This option is utilized only in case of non
> # integrated assemblers.
> branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
> -KBUILD_CFLAGS += $(branch-prot-flags-y)
> endif
>
> +KBUILD_CFLAGS += $(branch-prot-flags-y)
Or just use an else clause here with:
KBUILD_CFLAGS += ($call cc-option,-mbranch-protection=none).
On backports, we just drop else/endif since they don't exist.
Not a strong preference really, just looking to have backports resemble
upstream better. I can fix it up locally, whichever variant we go for
(or even this one).
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-04-01 17:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-31 19:44 [PATCH] arm64: Always force a branch protection mode when the compiler has one Mark Brown
2020-03-31 19:46 ` Kees Cook
2020-04-01 9:55 ` Mark Rutland
2020-04-01 17:54 ` Catalin Marinas [this message]
2020-04-01 18:07 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200401175444.GF9434@mbp \
--to=catalin.marinas@arm.com \
--cc=Amit.Kachhap@arm.com \
--cc=Mark.Rutland@arm.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=broonie@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=stable@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).