From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BA67C433E7 for ; Wed, 2 Sep 2020 16:50:29 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D9B5020767 for ; Wed, 2 Sep 2020 16:50:28 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="FIWS08Lt" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D9B5020767 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=1NFdMRvjyxlwJMSlXOtkfw405XgPxOvmREh2JNluGSY=; b=FIWS08LtnFMVu/CfLdB+6E9h1 OTwrX53g2FscUfc9hUknD64DSIGtrpKo1dQ503ikVNIl+SpjcsN2bkzof32QyNlbh4rxDbLdAjgLm EG1d2WbWAzLAkF15eRIU10WEo5+/FXBs4bf1uOw4ZBy5jIBCSOPg84Y45mOhEYR20hUKVf1C1XYDa 8ubE3EaZ4Mwr2o1fagpArI9r1Hep6Ik51hrwSS7IqKOzHdFxD7KEhR/1iPnIgQSbBujFEK6/vHwd4 ftHK7npgyZMxGO7QZjeDLeVv9lfs2VtC6ADhyElvVpvfImi6HavM9cYPEln/e3TuoI/RuxAlqvnzq q2b7ARkJw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kDVwd-0000n7-Au; Wed, 02 Sep 2020 16:49:11 +0000 Received: from foss.arm.com ([217.140.110.172]) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kDVwY-0000m3-SS for linux-arm-kernel@lists.infradead.org; Wed, 02 Sep 2020 16:49:08 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 742AB1045; Wed, 2 Sep 2020 09:49:04 -0700 (PDT) Received: from arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 240463F66F; Wed, 2 Sep 2020 09:49:03 -0700 (PDT) Date: Wed, 2 Sep 2020 17:49:01 +0100 From: Dave Martin To: Boyan Karatotev Subject: Re: [PATCH 1/4] kselftests/arm64: add a basic Pointer Authentication test Message-ID: <20200902164858.GI6642@arm.com> References: <20200828131606.7946-1-boyan.karatotev@arm.com> <20200828131606.7946-2-boyan.karatotev@arm.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200828131606.7946-2-boyan.karatotev@arm.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200902_124907_083604_EAEFE680 X-CRM114-Status: GOOD ( 33.80 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Shuah Khan , boian4o1@gmail.com, Catalin Marinas , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, amit.kachhap@arm.com, vincenzo.frascino@arm.com, Will Deacon , linux-arm-kernel@lists.infradead.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Aug 28, 2020 at 02:16:03PM +0100, Boyan Karatotev wrote: > PAuth signs and verifies return addresses on the stack. It does so by > inserting a Pointer Authentication code (PAC) into some of the unused top > bits of an address. This is achieved by adding paciasp/autiasp instructions > at the beginning and end of a function. > > This feature is partially backwards compatible with earlier versions of the > ARM architecture. To coerce the compiler into emitting fully backwards > compatible code the main file is compiled to target an earlier ARM version. > This allows the tests to check for the feature and print meaningful error > messages instead of crashing. > > Add a test to verify that corrupting the return address results in a > SIGSEGV on return. > > Cc: Shuah Khan > Cc: Catalin Marinas > Cc: Will Deacon > Signed-off-by: Boyan Karatotev > --- > tools/testing/selftests/arm64/Makefile | 2 +- > .../testing/selftests/arm64/pauth/.gitignore | 1 + > tools/testing/selftests/arm64/pauth/Makefile | 22 ++++++++++++ > tools/testing/selftests/arm64/pauth/helper.h | 10 ++++++ > tools/testing/selftests/arm64/pauth/pac.c | 32 +++++++++++++++++ > .../selftests/arm64/pauth/pac_corruptor.S | 36 +++++++++++++++++++ > 6 files changed, 102 insertions(+), 1 deletion(-) > create mode 100644 tools/testing/selftests/arm64/pauth/.gitignore > create mode 100644 tools/testing/selftests/arm64/pauth/Makefile > create mode 100644 tools/testing/selftests/arm64/pauth/helper.h > create mode 100644 tools/testing/selftests/arm64/pauth/pac.c > create mode 100644 tools/testing/selftests/arm64/pauth/pac_corruptor.S > > diff --git a/tools/testing/selftests/arm64/Makefile b/tools/testing/selftests/arm64/Makefile > index 93b567d23c8b..525506fd97b9 100644 > --- a/tools/testing/selftests/arm64/Makefile > +++ b/tools/testing/selftests/arm64/Makefile > @@ -4,7 +4,7 @@ > ARCH ?= $(shell uname -m 2>/dev/null || echo not) > > ifneq (,$(filter $(ARCH),aarch64 arm64)) > -ARM64_SUBTARGETS ?= tags signal > +ARM64_SUBTARGETS ?= tags signal pauth > else > ARM64_SUBTARGETS := > endif > diff --git a/tools/testing/selftests/arm64/pauth/.gitignore b/tools/testing/selftests/arm64/pauth/.gitignore > new file mode 100644 > index 000000000000..b557c916720a > --- /dev/null > +++ b/tools/testing/selftests/arm64/pauth/.gitignore > @@ -0,0 +1 @@ > +pac > diff --git a/tools/testing/selftests/arm64/pauth/Makefile b/tools/testing/selftests/arm64/pauth/Makefile > new file mode 100644 > index 000000000000..785c775e5e41 > --- /dev/null > +++ b/tools/testing/selftests/arm64/pauth/Makefile > @@ -0,0 +1,22 @@ > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (C) 2020 ARM Limited > + > +CFLAGS += -mbranch-protection=pac-ret > + > +TEST_GEN_PROGS := pac > +TEST_GEN_FILES := pac_corruptor.o > + > +include ../../lib.mk > + > +# pac* and aut* instructions are not available on architectures berfore > +# ARMv8.3. Therefore target ARMv8.3 wherever they are used directly > +$(OUTPUT)/pac_corruptor.o: pac_corruptor.S > + $(CC) -c $^ -o $@ $(CFLAGS) -march=armv8.3-a > + > +# when -mbranch-protection is enabled and the target architecture is ARMv8.3 or > +# greater, gcc emits pac* instructions which are not in HINT NOP space, > +# preventing the tests from occurring at all. Compile for ARMv8.2 so tests can > +# run on earlier targets and print a meaningful error messages > +$(OUTPUT)/pac: pac.c $(OUTPUT)/pac_corruptor.o > + $(CC) $^ -o $@ $(CFLAGS) -march=armv8.2-a > + > diff --git a/tools/testing/selftests/arm64/pauth/helper.h b/tools/testing/selftests/arm64/pauth/helper.h > new file mode 100644 > index 000000000000..f777f88acf0a > --- /dev/null > +++ b/tools/testing/selftests/arm64/pauth/helper.h > @@ -0,0 +1,10 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* Copyright (C) 2020 ARM Limited */ > + > +#ifndef _HELPER_H_ > +#define _HELPER_H_ > + > +void pac_corruptor(void); > + > +#endif > + > diff --git a/tools/testing/selftests/arm64/pauth/pac.c b/tools/testing/selftests/arm64/pauth/pac.c > new file mode 100644 > index 000000000000..ed445050f621 > --- /dev/null > +++ b/tools/testing/selftests/arm64/pauth/pac.c > @@ -0,0 +1,32 @@ > +// SPDX-License-Identifier: GPL-2.0 > +// Copyright (C) 2020 ARM Limited > + > +#include > +#include > + > +#include "../../kselftest_harness.h" > +#include "helper.h" > + > +/* > + * Tests are ARMv8.3 compliant. They make no provisions for features present in > + * future version of the arm architecture > + */ > + > +#define ASSERT_PAUTH_ENABLED() \ > +do { \ > + unsigned long hwcaps = getauxval(AT_HWCAP); \ > + /* data key instructions are not in NOP space. This prevents a SIGILL */ \ > + ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled"); \ > +} while (0) > + > + > +/* check that a corrupted PAC results in SIGSEGV */ > +TEST_SIGNAL(corrupt_pac, SIGSEGV) > +{ > + ASSERT_PAUTH_ENABLED(); > + > + pac_corruptor(); > +} > + > +TEST_HARNESS_MAIN > + > diff --git a/tools/testing/selftests/arm64/pauth/pac_corruptor.S b/tools/testing/selftests/arm64/pauth/pac_corruptor.S > new file mode 100644 > index 000000000000..6a34ec23a034 > --- /dev/null > +++ b/tools/testing/selftests/arm64/pauth/pac_corruptor.S > @@ -0,0 +1,36 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* Copyright (C) 2020 ARM Limited */ > + > +.global pac_corruptor > + > +.text > +/* > + * Corrupting a single bit of the PAC ensures the authentication will fail. It > + * also guarantees no possible collision. TCR_EL1.TBI0 is set by default so no > + * top byte PAC is tested > + */ > + pac_corruptor: > + paciasp > + > + /* make stack frame */ > + sub sp, sp, #16 > + stp x29, lr, [sp] Nit: if respinning, you can optimise a few sequences of this sort, e.g. stp x29, lr, [sp, #-16]! > + mov x29, sp > + > + /* prepare mask for bit to be corrupted (bit 54) */ > + mov x1, xzr > + add x1, x1, #1 > + lsl x1, x1, #54 Nit: mov x1, #1 << 54 but anyway, the logic operations can encode most simple bitmasks directly as immediate operands, so you can skip this and just do > + > + /* get saved lr, corrupt selected bit, put it back */ > + ldr x0, [sp, #8] > + eor x0, x0, x1 eor x0, x0, #1 << 54 > + str x0, [sp, #8] > + > + /* remove stack frame */ > + ldp x29, lr, [sp] > + add sp, sp, #16 ldp x29, lr, [sp], #16 [...] Actually, since there are no leaf nested function calls and no trap is expected until the function returns (so backtracing in the middle of this function is unlikely to be needed), could we optimise this whole thing down to the following? pac_corruptor: paciasp eor lr, lr, #1 << 53 autiasp ret Cheers ---Dave _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel