[v5,1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option

Message ID 20210604100437.1658599-2-daniel.kiss@arm.com (mailing list archive)
State New, archived
Series arm64: split ARM64_PTR_AUTH option to userspace and kernel

Commit Message

Daniel Kiss June 4, 2021, 10:04 a.m. UTC
This patch adds the ARM64_PTR_AUTH_KERNEL config and deals with the
build aspect of it.

Userspace support has no dependency on the toolchain therefore all
toolchain checks and build flags are controlled by the new config
option.
The default config behavior will not be changed.

Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
Acked-by: Will Deacon <will@kernel.org>
---
 arch/arm64/Kconfig              | 33 +++++++++++++++++++--------------
 arch/arm64/Makefile             |  2 +-
 arch/arm64/kernel/asm-offsets.c |  2 ++
 drivers/misc/lkdtm/bugs.c       |  6 +++---
 4 files changed, 25 insertions(+), 18 deletions(-)

Comments

Catalin Marinas June 4, 2021, 10:37 a.m. UTC | #1
On Fri, Jun 04, 2021 at 12:04:36PM +0200, Daniel Kiss wrote:
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 9f1d8566bbf9..c0c0073a70c3 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features"
>  config ARM64_PTR_AUTH
>  	bool "Enable support for pointer authentication"
>  	default y
[...]
> +config ARM64_PTR_AUTH_KERNEL
> +	bool "Use pointer authentication for kernel"
> +	default y
> +	depends on ARM64_PTR_AUTH

Nitpick: if you only apply this patch and disable ARM64_PTR_AUTH_KERNEL,
I suspect it will go wrong. Maybe make it unselectable in this patch:

config ARM64_PTR_AUTH_KERNEL
	bool
	default y
	depends on ARM64_PTR_AUTH

and add the description in the next one, once all the other bits are in
place (for bisectability reasons):

With that:

Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>

Will Deacon June 8, 2021, 11:58 a.m. UTC | #2
On Fri, Jun 04, 2021 at 12:04:36PM +0200, Daniel Kiss wrote:
> This patch adds the ARM64_PTR_AUTH_KERNEL config and deals with the
> build aspect of it.
> 
> Userspace support has no dependency on the toolchain therefore all
> toolchain checks and build flags are controlled by the new config
> option.
> The default config behavior will not be changed.
> 
> Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
> Acked-by: Will Deacon <will@kernel.org>
> ---
>  arch/arm64/Kconfig              | 33 +++++++++++++++++++--------------
>  arch/arm64/Makefile             |  2 +-
>  arch/arm64/kernel/asm-offsets.c |  2 ++
>  drivers/misc/lkdtm/bugs.c       |  6 +++---
>  4 files changed, 25 insertions(+), 18 deletions(-)
> 
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 9f1d8566bbf9..c0c0073a70c3 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features"
>  config ARM64_PTR_AUTH
>  	bool "Enable support for pointer authentication"
>  	default y
> -	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
> -	# Modern compilers insert a .note.gnu.property section note for PAC
> -	# which is only understood by binutils starting with version 2.33.1.
> -	depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100)
> -	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE
> -	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
>  	help
>  	  Pointer authentication (part of the ARMv8.3 Extensions) provides
>  	  instructions for signing and authenticating pointers against secret
> @@ -1498,13 +1492,6 @@ config ARM64_PTR_AUTH
>  	  for each process at exec() time, with these keys being
>  	  context-switched along with the process.
>  
> -	  If the compiler supports the -mbranch-protection or
> -	  -msign-return-address flag (e.g. GCC 7 or later), then this option
> -	  will also cause the kernel itself to be compiled with return address
> -	  protection. In this case, and if the target hardware is known to
> -	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
> -	  disabled with minimal loss of protection.
> -
>  	  The feature is detected at runtime. If the feature is not present in
>  	  hardware it will not be advertised to userspace/KVM guest nor will it
>  	  be enabled.
> @@ -1515,6 +1502,24 @@ config ARM64_PTR_AUTH
>  	  but with the feature disabled. On such a system, this option should
>  	  not be selected.
>  
> +config ARM64_PTR_AUTH_KERNEL
> +	bool "Use pointer authentication for kernel"
> +	default y
> +	depends on ARM64_PTR_AUTH
> +	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
> +	# Modern compilers insert a .note.gnu.property section note for PAC
> +	# which is only understood by binutils starting with version 2.33.1.
> +	depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100)

Why is this checking 'LD_VERSION >= 233010000' whereas the code you removed
from ARM64_PTR_AUTH was checking 'LD_VERSION >= 23301' ?

Will

Daniel Kiss June 13, 2021, 9:25 a.m. UTC | #3
> On 8 Jun 2021, at 13:58, Will Deacon <will@kernel.org> wrote:
> 
> On Fri, Jun 04, 2021 at 12:04:36PM +0200, Daniel Kiss wrote:
>> This patch adds the ARM64_PTR_AUTH_KERNEL config and deals with the
>> build aspect of it.
>> 
>> Userspace support has no dependency on the toolchain therefore all
>> toolchain checks and build flags are controlled by the new config
>> option.
>> The default config behavior will not be changed.
>> 
>> Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
>> Acked-by: Will Deacon <will@kernel.org>
>> ---
>> arch/arm64/Kconfig              | 33 +++++++++++++++++++--------------
>> arch/arm64/Makefile             |  2 +-
>> arch/arm64/kernel/asm-offsets.c |  2 ++
>> drivers/misc/lkdtm/bugs.c       |  6 +++---
>> 4 files changed, 25 insertions(+), 18 deletions(-)
>> 
>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>> index 9f1d8566bbf9..c0c0073a70c3 100644
>> --- a/arch/arm64/Kconfig
>> +++ b/arch/arm64/Kconfig
>> @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features"
>> config ARM64_PTR_AUTH
>> 	bool "Enable support for pointer authentication"
>> 	default y
>> -	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
>> -	# Modern compilers insert a .note.gnu.property section note for PAC
>> -	# which is only understood by binutils starting with version 2.33.1.
>> -	depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100)
>> -	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE
>> -	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
>> 	help
>> 	  Pointer authentication (part of the ARMv8.3 Extensions) provides
>> 	  instructions for signing and authenticating pointers against secret
>> @@ -1498,13 +1492,6 @@ config ARM64_PTR_AUTH
>> 	  for each process at exec() time, with these keys being
>> 	  context-switched along with the process.
>> 
>> -	  If the compiler supports the -mbranch-protection or
>> -	  -msign-return-address flag (e.g. GCC 7 or later), then this option
>> -	  will also cause the kernel itself to be compiled with return address
>> -	  protection. In this case, and if the target hardware is known to
>> -	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
>> -	  disabled with minimal loss of protection.
>> -
>> 	  The feature is detected at runtime. If the feature is not present in
>> 	  hardware it will not be advertised to userspace/KVM guest nor will it
>> 	  be enabled.
>> @@ -1515,6 +1502,24 @@ config ARM64_PTR_AUTH
>> 	  but with the feature disabled. On such a system, this option should
>> 	  not be selected.
>> 
>> +config ARM64_PTR_AUTH_KERNEL
>> +	bool "Use pointer authentication for kernel"
>> +	default y
>> +	depends on ARM64_PTR_AUTH
>> +	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
>> +	# Modern compilers insert a .note.gnu.property section note for PAC
>> +	# which is only understood by binutils starting with version 2.33.1.
>> +	depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100)
> 
> Why is this checking 'LD_VERSION >= 233010000' whereas the code you removed
> from ARM64_PTR_AUTH was checking 'LD_VERSION >= 23301' ?

This is unintentional: since the first patch, "kbuild: LD_VERSION redenomination" has landed and I missed it during the rebase.

Patch

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 9f1d8566bbf9..c0c0073a70c3 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1481,12 +1481,6 @@  menu "ARMv8.3 architectural features"
 config ARM64_PTR_AUTH
 	bool "Enable support for pointer authentication"
 	default y
-	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
-	# Modern compilers insert a .note.gnu.property section note for PAC
-	# which is only understood by binutils starting with version 2.33.1.
-	depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100)
-	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE
-	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
 	help
 	  Pointer authentication (part of the ARMv8.3 Extensions) provides
 	  instructions for signing and authenticating pointers against secret
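
Review bot: with AS_HAS_PAC and the compiler capability checks dropped from ARM64_PTR_AUTH in this hunk, anything still built under plain CONFIG_ARM64_PTR_AUTH can no longer assume a PAC-aware compiler or assembler. The diffstat touches only four files, so please state in the commit message which remaining CONFIG_ARM64_PTR_AUTH users were audited and confirm that each one either needs no toolchain support or moves under CONFIG_ARM64_PTR_AUTH_KERNEL in this series.
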
@@ -1498,13 +1492,6 @@  config ARM64_PTR_AUTH
 	  for each process at exec() time, with these keys being
 	  context-switched along with the process.
 
-	  If the compiler supports the -mbranch-protection or
-	  -msign-return-address flag (e.g. GCC 7 or later), then this option
-	  will also cause the kernel itself to be compiled with return address
-	  protection. In this case, and if the target hardware is known to
-	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
-	  disabled with minimal loss of protection.
-
 	  The feature is detected at runtime. If the feature is not present in
 	  hardware it will not be advertised to userspace/KVM guest nor will it
 	  be enabled.
@@ -1515,6 +1502,24 @@  config ARM64_PTR_AUTH
 	  but with the feature disabled. On such a system, this option should
 	  not be selected.
 
+config ARM64_PTR_AUTH_KERNEL
+	bool "Use pointer authentication for kernel"
+	default y
+	depends on ARM64_PTR_AUTH
+	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
+	# Modern compilers insert a .note.gnu.property section note for PAC
+	# which is only understood by binutils starting with version 2.33.1.
+	depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100)
+	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE
+	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
+	help
+	  If the compiler supports the -mbranch-protection or
+	  -msign-return-address flag (e.g. GCC 7 or later), then this option
+	  will cause the kernel itself to be compiled with return address
+	  protection. In this case, and if the target hardware is known to
+	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
+	  disabled with minimal loss of protection.
+
 	  This feature works with FUNCTION_GRAPH_TRACER option only if
 	  DYNAMIC_FTRACE_WITH_REGS is enabled.
 
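
Review bot: the LD_VERSION bound in the new ARM64_PTR_AUTH_KERNEL entry is 233010000, while the line removed from ARM64_PTR_AUTH in the first hunk uses 23301 for the same binutils 2.33.1 named in the comment. On the scale of the removed line no linker reaches 233010000, so with a non-LLD linker and GCC 9.1 or later this default-y option would silently become unavailable and the kernel would be built without return address signing. Use 23301 here, matching the removed line. Separately, because the prompt makes the option user-selectable from this patch on, consider a promptless bool here and adding the prompt text in the following patch, so that a bisect landing on this commit cannot switch it off.
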
@@ -1606,7 +1611,7 @@  config ARM64_BTI_KERNEL
 	bool "Use Branch Target Identification for kernel"
 	default y
 	depends on ARM64_BTI
-	depends on ARM64_PTR_AUTH
+	depends on ARM64_PTR_AUTH_KERNEL
 	depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
 	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697
 	depends on !CC_IS_GCC || GCC_VERSION >= 100100
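
Review bot: ARM64_BTI_KERNEL now depends on ARM64_PTR_AUTH_KERNEL, so switching off kernel pointer authentication also switches off kernel BTI, and the help text added for ARM64_PTR_AUTH_KERNEL does not say so. Add a sentence to that help text noting that ARM64_BTI_KERNEL depends on it, so the second hardening feature is not dropped by accident when someone disables the first.
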
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index b52481f0605d..3b5b1c480449 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -70,7 +70,7 @@  endif
 # off, this will be overridden if we are using branch protection.
 branch-prot-flags-y += $(call cc-option,-mbranch-protection=none)
 
-ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
+ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y)
 branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
 # We enable additional protection for leaf functions as there is some
 # narrow potential for ROP protection benefits and no substantial
diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c
index 0cb34ccb6e73..03420b89c602 100644
--- a/arch/arm64/kernel/asm-offsets.c
+++ b/arch/arm64/kernel/asm-offsets.c
@@ -46,6 +46,8 @@  int main(void)
   DEFINE(THREAD_SCTLR_USER,	offsetof(struct task_struct, thread.sctlr_user));
 #ifdef CONFIG_ARM64_PTR_AUTH
   DEFINE(THREAD_KEYS_USER,	offsetof(struct task_struct, thread.keys_user));
+#endif
+#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
   DEFINE(THREAD_KEYS_KERNEL,	offsetof(struct task_struct, thread.keys_kernel));
 #endif
 #ifdef CONFIG_ARM64_MTE
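
Review bot: THREAD_KEYS_KERNEL is now defined only under CONFIG_ARM64_PTR_AUTH_KERNEL, but this patch changes no consumer of that offset (the diffstat covers Kconfig, Makefile, asm-offsets.c and lkdtm/bugs.c only). If any user of THREAD_KEYS_KERNEL is still guarded by CONFIG_ARM64_PTR_AUTH, a build with ARM64_PTR_AUTH=y and ARM64_PTR_AUTH_KERNEL=n breaks on the missing symbol at this commit. Either convert those guards in the same patch or keep the option unselectable until they are converted.
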
diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index 0e8254d0cf0b..a164896dc6d4 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -463,7 +463,7 @@  void lkdtm_DOUBLE_FAULT(void)
 #ifdef CONFIG_ARM64
 static noinline void change_pac_parameters(void)
 {
-	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) {
+	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
 		/* Reset the keys of current task */
 		ptrauth_thread_init_kernel(current);
 		ptrauth_thread_switch_kernel(current);
@@ -477,8 +477,8 @@  noinline void lkdtm_CORRUPT_PAC(void)
 #define CORRUPT_PAC_ITERATE	10
 	int i;
 
-	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH))
-		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH\n");
+	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))
+		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n");
 
 	if (!system_supports_address_auth()) {
 		pr_err("FAIL: CPU lacks pointer authentication feature\n");
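
Review bot: in lkdtm_CORRUPT_PAC the CONFIG_ARM64_PTR_AUTH_KERNEL check has no braces and no return, so it only logs the FAIL line and then falls through to the system_supports_address_auth() test. Now that the option can be switched off independently of ARM64_PTR_AUTH, a kernel built without it is a valid configuration; consider reporting that case as a skipped test and returning early, so the result is not read as a pointer authentication failure.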