[v2,1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option

Message ID 20201218115632.59067-2-daniel.kiss@arm.com (mailing list archive)
State New, archived

Commit Message

Daniel Kiss Dec. 18, 2020, 11:56 a.m. UTC
This new option makes it possible to build the kernel with pointer
authentication support for the user space while the kernel is not built
with the pointer authentication. There is a similar config structure for BTI.

The default configuration will be the same after this patch.

Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
---
 arch/arm64/Kconfig        | 26 +++++++++++++++++---------
 arch/arm64/Makefile       |  2 +-
 drivers/misc/lkdtm/bugs.c |  6 +++---
 3 files changed, 21 insertions(+), 13 deletions(-)

Comments

Will Deacon Jan. 26, 2021, 1:27 p.m. UTC | #1
On Fri, Dec 18, 2020 at 12:56:31PM +0100, Daniel Kiss wrote:
> This new option makes it possible to build the kernel with pointer
> authentication support for the user space while the kernel is not built
> with the pointer authentication. There is a similar config structure for BTI.
> 
> The default configuration will be the same after this patch.

Please read the "Describe your changes" section of
Documentation/process/submitting-patches.rst for some guidance on writing
commit messages.

> Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
> ---
>  arch/arm64/Kconfig        | 26 +++++++++++++++++---------
>  arch/arm64/Makefile       |  2 +-
>  drivers/misc/lkdtm/bugs.c |  6 +++---
>  3 files changed, 21 insertions(+), 13 deletions(-)
> 
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 75aefc9990ea..b8af3297425a 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1501,7 +1501,6 @@ config ARM64_PTR_AUTH
>  	# which is only understood by binutils starting with version 2.33.1.
>  	depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100)
>  	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE

Why do we need to keep all the toolchain checks here if this option doesn't
enable PAC in the kernel?

> -	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
>  	help
>  	  Pointer authentication (part of the ARMv8.3 Extensions) provides
>  	  instructions for signing and authenticating pointers against secret
> @@ -1513,13 +1512,6 @@ config ARM64_PTR_AUTH
>  	  for each process at exec() time, with these keys being
>  	  context-switched along with the process.
>  
> -	  If the compiler supports the -mbranch-protection or
> -	  -msign-return-address flag (e.g. GCC 7 or later), then this option
> -	  will also cause the kernel itself to be compiled with return address
> -	  protection. In this case, and if the target hardware is known to
> -	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
> -	  disabled with minimal loss of protection.
> -
>  	  The feature is detected at runtime. If the feature is not present in
>  	  hardware it will not be advertised to userspace/KVM guest nor will it
>  	  be enabled.
> @@ -1530,6 +1522,22 @@ config ARM64_PTR_AUTH
>  	  but with the feature disabled. On such a system, this option should
>  	  not be selected.
>  
> +config ARM64_PTR_AUTH_KERNEL
> +	bool "Enable support for pointer authentication for kernel"

Maybe "Use pointer authentication for kernel" for parity with the BTI
description.

> +	default y
> +	depends on ARM64_PTR_AUTH
> +	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
> +	help
> +	  Build the kernel with return address protection by
> +	  pointer authentication.

I don't think these two lines add anything ^^

Will

Daniel Kiss Feb. 8, 2021, 2:39 p.m. UTC | #2
> On 26 Jan 2021, at 14:27, Will Deacon <will@kernel.org> wrote:
> 
> On Fri, Dec 18, 2020 at 12:56:31PM +0100, Daniel Kiss wrote:
>> This new option makes it possible to build the kernel with pointer
>> authentication support for the user space while the kernel is not built
>> with the pointer authentication. There is a similar config structure for BTI.
>> 
>> The default configuration will be the same after this patch.
> 
> Please read the "Describe your changes" section of
> Documentation/process/submitting-patches.rst for some guidance on writing
> commit messages.
Will do, thanks.
I’ll send a new patch series according to it with the fixes.

>> Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
>> ---
>> arch/arm64/Kconfig        | 26 +++++++++++++++++---------
>> arch/arm64/Makefile       |  2 +-
>> drivers/misc/lkdtm/bugs.c |  6 +++---
>> 3 files changed, 21 insertions(+), 13 deletions(-)
>> 
>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>> index 75aefc9990ea..b8af3297425a 100644
>> --- a/arch/arm64/Kconfig
>> +++ b/arch/arm64/Kconfig
>> @@ -1501,7 +1501,6 @@ config ARM64_PTR_AUTH
>> 	# which is only understood by binutils starting with version 2.33.1.
>> 	depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100)
>> 	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE
> 
> Why do we need to keep all the toolchain checks here if this option doesn't
> enable PAC in the kernel?
No need for that, can be moved to under ARM64_PTR_AUTH_KERNEL.

> 
>> -	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
>> 	help
>> 	  Pointer authentication (part of the ARMv8.3 Extensions) provides
>> 	  instructions for signing and authenticating pointers against secret
>> @@ -1513,13 +1512,6 @@ config ARM64_PTR_AUTH
>> 	  for each process at exec() time, with these keys being
>> 	  context-switched along with the process.
>> 
>> -	  If the compiler supports the -mbranch-protection or
>> -	  -msign-return-address flag (e.g. GCC 7 or later), then this option
>> -	  will also cause the kernel itself to be compiled with return address
>> -	  protection. In this case, and if the target hardware is known to
>> -	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
>> -	  disabled with minimal loss of protection.
>> -
>> 	  The feature is detected at runtime. If the feature is not present in
>> 	  hardware it will not be advertised to userspace/KVM guest nor will it
>> 	  be enabled.
>> @@ -1530,6 +1522,22 @@ config ARM64_PTR_AUTH
>> 	  but with the feature disabled. On such a system, this option should
>> 	  not be selected.
>> 
>> +config ARM64_PTR_AUTH_KERNEL
>> +	bool "Enable support for pointer authentication for kernel"
> 
> Maybe "Use pointer authentication for kernel" for parity with the BTI
> description.
Done
> 
>> +	default y
>> +	depends on ARM64_PTR_AUTH
>> +	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
>> +	help
>> +	  Build the kernel with return address protection by
>> +	  pointer authentication.
> 
> I don't think these two lines add anything ^^
Done.
> 
> Will

Patch

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 75aefc9990ea..b8af3297425a 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1501,7 +1501,6 @@  config ARM64_PTR_AUTH
 	# which is only understood by binutils starting with version 2.33.1.
 	depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100)
 	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE
-	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
 	help
 	  Pointer authentication (part of the ARMv8.3 Extensions) provides
 	  instructions for signing and authenticating pointers against secret
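
Review bot: The two toolchain "depends on" lines left as context at the top of this hunk (the LD_IS_LLD / LD_VERSION check and "!CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE") still gate ARM64_PTR_AUTH, while only the FUNCTION_GRAPH_TRACER dependency moves out. These are linker and assembler requirements for building the kernel, so if ARM64_PTR_AUTH is now meant to cover userspace support alone, an older toolchain would still lose userspace pointer authentication for a reason that only applies when the kernel itself is compiled with PAC. Suggest moving both checks, with their comment, under ARM64_PTR_AUTH_KERNEL alongside the dependency removed here.
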
@@ -1513,13 +1512,6 @@  config ARM64_PTR_AUTH
 	  for each process at exec() time, with these keys being
 	  context-switched along with the process.
 
-	  If the compiler supports the -mbranch-protection or
-	  -msign-return-address flag (e.g. GCC 7 or later), then this option
-	  will also cause the kernel itself to be compiled with return address
-	  protection. In this case, and if the target hardware is known to
-	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
-	  disabled with minimal loss of protection.
-
 	  The feature is detected at runtime. If the feature is not present in
 	  hardware it will not be advertised to userspace/KVM guest nor will it
 	  be enabled.
@@ -1530,6 +1522,22 @@  config ARM64_PTR_AUTH
 	  but with the feature disabled. On such a system, this option should
 	  not be selected.
 
+config ARM64_PTR_AUTH_KERNEL
+	bool "Enable support for pointer authentication for kernel"
+	default y
+	depends on ARM64_PTR_AUTH
+	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
+	help
+	  Build the kernel with return address protection by
+	  pointer authentication.
+
+	  If the compiler supports the -mbranch-protection or
+	  -msign-return-address flag (e.g. GCC 7 or later), then this option
+	  will cause the kernel itself to be compiled with return address
+	  protection. In this case, and if the target hardware is known to
+	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
+	  disabled with minimal loss of protection.
+
 	  This feature works with FUNCTION_GRAPH_TRACER option only if
 	  DYNAMIC_FTRACE_WITH_REGS is enabled.
 
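Review bot: The help text of the new ARM64_PTR_AUTH_KERNEL entry never says what remains enabled when the option is turned off, which is the reason for the split according to the commit message (userspace pointer authentication stays available through ARM64_PTR_AUTH). Suggest replacing the first two help lines, which only restate the prompt and are repeated by the paragraph that follows, with a sentence stating that. The prompt could also read "Use pointer authentication for kernel" to match "Use Branch Target Identification for kernel" on ARM64_BTI_KERNEL.
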
@@ -1618,7 +1626,7 @@  config ARM64_BTI_KERNEL
 	bool "Use Branch Target Identification for kernel"
 	default y
 	depends on ARM64_BTI
-	depends on ARM64_PTR_AUTH
+	depends on ARM64_PTR_AUTH_KERNEL
 	depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
 	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697
 	depends on !CC_IS_GCC || GCC_VERSION >= 100100
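
Review bot: Changing this "depends on" to ARM64_PTR_AUTH_KERNEL means that setting ARM64_PTR_AUTH_KERNEL=n also drops ARM64_BTI_KERNEL, and the ARM64_PTR_AUTH_KERNEL help text added above does not mention it. Someone who disables kernel return address signing would lose kernel BTI as a side effect with no hint in the configuration menu. Suggest a short comment on this line explaining why kernel BTI requires kernel PAC, and one sentence in the ARM64_PTR_AUTH_KERNEL help noting that ARM64_BTI_KERNEL depends on it.
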
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 6a87d592bd00..6e5d9de8c2b3 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -70,7 +70,7 @@  endif
 # off, this will be overridden if we are using branch protection.
 branch-prot-flags-y += $(call cc-option,-mbranch-protection=none)
 
-ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
+ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y)
 branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
 # We enable additional protection for leaf functions as there is some
 # narrow potential for ROP protection benefits and no substantial
diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index a0675d4154d2..439fa33ae413 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -446,7 +446,7 @@  void lkdtm_DOUBLE_FAULT(void)
 #ifdef CONFIG_ARM64
 static noinline void change_pac_parameters(void)
 {
-	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) {
+	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
 		/* Reset the keys of current task */
 		ptrauth_thread_init_kernel(current);
 		ptrauth_thread_switch_kernel(current);
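
Review bot: Only this caller in change_pac_parameters() is switched to ARM64_PTR_AUTH_KERNEL; the diffstat lists just arch/arm64/Kconfig, arch/arm64/Makefile and this file, so the definitions of ptrauth_thread_init_kernel() and ptrauth_thread_switch_kernel() and any other kernel-side users of CONFIG_ARM64_PTR_AUTH keep their existing guards. Please confirm that with ARM64_PTR_AUTH=y and ARM64_PTR_AUTH_KERNEL=n the kernel key setup and switching is either compiled out or deliberately retained, and state which in the commit message.
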
@@ -460,8 +460,8 @@  noinline void lkdtm_CORRUPT_PAC(void)
 #define CORRUPT_PAC_ITERATE	10
 	int i;
 
-	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH))
-		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH\n");
+	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))
+		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n");
 
 	if (!system_supports_address_auth()) {
 		pr_err("FAIL: CPU lacks pointer authentication feature\n");
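
Review bot: The "!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)" check in lkdtm_CORRUPT_PAC() only prints and falls through, so on a kernel built with ARM64_PTR_AUTH=y and ARM64_PTR_AUTH_KERNEL=n, a configuration this patch introduces, the test still proceeds to the system_supports_address_auth() check. Suggest returning right after this pr_err(), since the test cannot exercise return address signing in a kernel that was built without it.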