Re: [PATCH] ARM64: Provide the ARM64_TBI option

From: twd2 <twd2.me@gmail.com>
To: Peter Collingbourne <pcc@google.com>,
	Robin Murphy <robin.murphy@arm.com>
Cc: Will Deacon <will@kernel.org>, Yuan Li <lydorazoe@gmail.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH] ARM64: Provide the ARM64_TBI option
Date: Sat, 17 Jul 2021 02:37:05 +0800	[thread overview]
Message-ID: <7bfced24-3319-9008-bee4-d2d4f47dd261@gmail.com> (raw)
In-Reply-To: <CAMn1gO51hMW3TH5D6tXf7yJzvkz597mOsSaUx_JN2Ns5fUsUWQ@mail.gmail.com>

MTE is indeed strong mitigation, but I'm curious that when will commercial chips featuring MTE be carried out :)

Or we would have to depend on other mitigations like PAC for a while.

Thanks.
Wende

On 2021/7/17 0:14, Peter Collingbourne wrote:
> On Fri, Jul 16, 2021 at 1:09 AM Robin Murphy <robin.murphy@arm.com> wrote:
>> On 2021-07-15 17:11, Will Deacon wrote:
>>> On Wed, Jul 14, 2021 at 07:43:03PM +0100, Robin Murphy wrote:
>>>> On 2021-07-14 19:06, Yuan Li wrote:
>>>>> The ARM64 provides the Top Byte Ignore (TBI) early on, so the kernel turns TBI
>>>>> on by default, but, it does not provide any option to turn the feature off.
>>>>>
>>>>> In ARMv8.3, the Pointer Authentication (PA) was introduced, and if TBI is
>>>>> turned off, the PA will be able to use the top byte, resulting longer pointer
>>>>> authentication codes, which is more secure.
>>>>>
>>>>> This patch changes the default support for the TBI to an option that can be
>>>>> turned off.
>>>> This would have to be something that processes explicitly opt in to. See
>>>> Documentation/arm64/tagged-pointers.rst - silently disabling TBI0 *will*
>>>> break existing userspace software.
>>> Maybe the patch from Peter:
>>>
>>> https://lore.kernel.org/r/20210622051204.3682580-1-pcc@google.com
>>>
>>> is a better starting point?
>> Yeah, a command-line opt-in is certainly a more reasonable approach.
>> However it still seems to me that it would make most sense as a
>> per-process thing like the tagged address syscall ABI, since it's of no
>> automatic benefit to existing software built without pointer auth, and
>> AFAICS it's really up to individual programs whether they care more
>> about stronger signing than tagged pointers. It was bad enough when we
>> changed the VA_BITS default to 48 and discovered just how many things
>> were using the Mozilla JIT, so I'm not sure I relish the thought of
>> going through the same process with TBI0 ;)
>>
>>
>> Come to think of it I guess any option should probably disable the
>> tagged address syscall ABI, as that doesn't make much sense without
>> TBI0. Are we likely to want a signed pointer syscall ABI as well?
>>
>> Robin.
> Bear in mind that disabling TBI0 disables the ability to use MTE. At
> least from our perspective, MTE is considered a more valuable
> mitigation than PAC. That's why we're only intending to disable TBI
> for code pointers, not for data pointers (via TBID0).
>
> As Catalin wrote in [1], having this be a per-process option would be
> more expensive, and may even be infeasible with the current
> architecture. That's why we decided to go with a command line option.
>
> Peter
>
> [1] https://lore.kernel.org/linux-arm-kernel/20201124184742.GC42276@C02TF0J2HF1T.local/

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel