From patchwork Thu Nov 5 00:02:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrey Konovalov X-Patchwork-Id: 11883113 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.7 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E64AEC00A89 for ; Thu, 5 Nov 2020 04:23:26 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4F89820795 for ; Thu, 5 Nov 2020 04:23:26 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="1DUTBbze"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="NHLXtL9P"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="tlosH7TY" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4F89820795 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:To:From:Subject:Mime-Version:Message-Id:Date: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=jdx7SDghmtqcqp7Xa9OV37sFvX62saiPCFtxpCu4Ve0=; b=1DUTBbzetJQg38WdMEvB908z8C VUFww0788pej3lTd6kO6a6z/yNkUNbgv5+7QygyHfAq1clgablkjn5SghGS2QYW/U5HWFrHzakIND /BfiyQKOz7ulCJ2q8UaXyfxWdYeAiVjVdNZWVZjQQ3hNWSUFOV2ZSKRi2abGySoMDFIaV6lbFd+WV KU8H5GD5BlobSQ1j6J+1U5AZx/H/a6FtgMV9KI1+JSXOgwT9uId6+zkYAA0PkhOLafi0+4/9FQfkp g36iDr2ZI8dmugr7HTvrXWHFW5Ge960SNjhrln+Zu252FCliB3PspEmoogPJEpVkLUhlisp9EMRvg g9872+Qg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kaWnW-0006KP-FR; Thu, 05 Nov 2020 04:22:54 +0000 Received: from casper.infradead.org ([2001:8b0:10b:1236::1]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kaW3v-00016k-NQ for linux-arm-kernel@merlin.infradead.org; Thu, 05 Nov 2020 03:35:48 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Type:Cc:To:From:Subject: Mime-Version:Message-Id:Date:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:In-Reply-To:References; bh=WSUBpnn+b8BH+LyGrDbHds9kTTIXmq8ZO4c/IH1ztE8=; b=NHLXtL9P5Wk0LWf5To2OOSPTad HsebVkjP72IjteMqPnnPNTlZtN1le5OyuOkCl3Vms1iipcDkZUby5h3XBhzxEViimRJrMIVkNXR5g CvZEdPha+iair6g0xIqNIsmtqbHXrZCq70SD3kunCyLtb48+16C77CgO7nama0eYRHy/LXbtqMlvZ Leon27ZxVgED6PEShtd0tpZgw7U58cTyDX0gXAGMgQSt0B1sqv68RuIiiOlYJ51T7lbmH5Zuja3SI z7/DdUR7y7+KfT95PM5JNBVDrGTsXbfPdp3ilHanTofH9eNz4y9La41iFM+p1Ue12skaKBpnQRqMW N76B/uIw==; Received: from mail-qk1-x749.google.com ([2607:f8b0:4864:20::749]) by casper.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kaSkd-0000mP-P7 for linux-arm-kernel@lists.infradead.org; Thu, 05 Nov 2020 00:03:43 +0000 Received: by mail-qk1-x749.google.com with SMTP id k12so26410qkj.18 for ; Wed, 04 Nov 2020 16:03:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:message-id:mime-version:subject:from:to:cc; bh=WSUBpnn+b8BH+LyGrDbHds9kTTIXmq8ZO4c/IH1ztE8=; b=tlosH7TYK549pHThXItN057SkhxAVtEmov60aTPXGGcxAQr+jBG2/9HWQQnVDHj7Lq I4rcwA92bbYaRi3LrrRj+r6cVPe1BLbMsnuLNxAqDQxgzofveZawQvgUZw1DV2v7qcGI C90TZE7jzRgAsnaJjj27SFbDu4SZSgMRbUoVxGlWD56qLEkTuH/ygfTexaNk2vv908bz UXJWwyqLCXV88Hc4JwZaIupPoEZRKKimXcqhaqA3vIwXzrNRUhH2glnY5hUGmB5bxRxZ gRVrHL3CRgV7XMXuYEsAhbcOYyAqqishtjGPg2q1+iGswsioyPqkoH85wGyc916RPirO F38g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:message-id:mime-version:subject:from :to:cc; bh=WSUBpnn+b8BH+LyGrDbHds9kTTIXmq8ZO4c/IH1ztE8=; b=LNwj07hNiTSdPLAuMUybx/3DVDDzmL69xUpU/pTSx5z5Airoea1FKSHz0YvOoWgBTl ZE0qFZAAVMSLUuFaguB3PeluzXF0N2qIwATpurN3DRg9LrtbDXnwwxIuaZ/Ty79xlxAo HkioP3rG8g8HIfWzTrVLAIQlXyzqhic2yCwmfPdNbzT2M0OuBDsGXjuT8is77aeXaXDK YntsccmWSjFt8NTnQi9L57v+OP3qJMkAgFU+hN5QdKdxtceFZNWdpD20jQqXwvFRB4La AZF1Cz+pU0XmVmfEzLEixhTWuPC8OCeF43LYevTfD4evMjSyJzdYheeY5OeL8DJhx8yK jpMQ== X-Gm-Message-State: AOAM531lVg8/bWUV3MEIAmLOoweWxakIZg0CkaNPGsvKjnSoAwJB7nPp HHwcPVP1c77gEcGY+9lBApV1FkZpcxM88+Vv X-Google-Smtp-Source: ABdhPJxM0Ooa/cktu8AEqoiwTREH3YYQ4nXnZhGizgrguujs+ZY0sca5P3O6TuibSvdClNd1q1Fa2i69iA8RvCzE X-Received: from andreyknvl3.muc.corp.google.com ([2a00:79e0:15:13:7220:84ff:fe09:7e9d]) (user=andreyknvl job=sendgmr) by 2002:a0c:c187:: with SMTP id n7mr286302qvh.19.1604534555430; Wed, 04 Nov 2020 16:02:35 -0800 (PST) Date: Thu, 5 Nov 2020 01:02:10 +0100 Message-Id: Mime-Version: 1.0 X-Mailer: git-send-email 2.29.1.341.ge80a0c044ae-goog Subject: [PATCH 00/20] kasan: boot parameters for hardware tag-based mode From: Andrey Konovalov To: Catalin Marinas , Will Deacon , Vincenzo Frascino , Dmitry Vyukov , Alexander Potapenko , Marco Elver X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201105_000340_059071_333F2D9B X-CRM114-Status: GOOD ( 21.12 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Branislav Rankov , Andrey Konovalov , Kevin Brodsky , linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, Andrey Ryabinin , Andrew Morton , Evgenii Stepanov Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org === Overview Hardware tag-based KASAN mode [1] is intended to eventually be used in production as a security mitigation. Therefore there's a need for finer control over KASAN features and for an existence of a kill switch. This patchset adds a few boot parameters for hardware tag-based KASAN that allow to disable or otherwise control particular KASAN features. There's another planned patchset what will further optimize hardware tag-based KASAN, provide proper benchmarking and tests, and will fully enable tag-based KASAN for production use. Hardware tag-based KASAN relies on arm64 Memory Tagging Extension (MTE) [2] to perform memory and pointer tagging. Please see [3] and [4] for detailed analysis of how MTE helps to fight memory safety problems. The features that can be controlled are: 1. Whether KASAN is enabled at all. 2. Whether KASAN collects and saves alloc/free stacks. 3. Whether KASAN panics on a detected bug or not. The patch titled "kasan: add and integrate kasan boot parameters" of this series adds a few new boot parameters. kasan.mode allows to choose one of three main modes: - kasan.mode=off - KASAN is disabled, no tag checks are performed - kasan.mode=prod - only essential production features are enabled - kasan.mode=full - all KASAN features are enabled The chosen mode provides default control values for the features mentioned above. However it's also possible to override the default values by providing: - kasan.stack=off/on - enable stacks collection (default: on for mode=full, otherwise off) - kasan.fault=report/panic - only report tag fault or also panic (default: report) If kasan.mode parameter is not provided, it defaults to full when CONFIG_DEBUG_KERNEL is enabled, and to prod otherwise. It is essential that switching between these modes doesn't require rebuilding the kernel with different configs, as this is required by the Android GKI (Generic Kernel Image) initiative. === Benchmarks For now I've only performed a few simple benchmarks such as measuring kernel boot time and slab memory usage after boot. There's an upcoming patchset which will optimize KASAN further and include more detailed benchmarking results. The benchmarks were performed in QEMU and the results below exclude the slowdown caused by QEMU memory tagging emulation (as it's different from the slowdown that will be introduced by hardware and is therefore irrelevant). KASAN_HW_TAGS=y + kasan.mode=off introduces no performance or memory impact compared to KASAN_HW_TAGS=n. kasan.mode=prod (manually excluding tagging) introduces 3% of performance and no memory impact (except memory used by hardware to store tags) compared to kasan.mode=off. kasan.mode=full has about 40% performance and 30% memory impact over kasan.mode=prod. Both come from alloc/free stack collection. === Notes This patchset is available here: https://github.com/xairy/linux/tree/up-boot-mte-v1 and on Gerrit here: https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/3707 This patchset is based on v8 of "kasan: add hardware tag-based mode for arm64" patchset [1]. For testing in QEMU hardware tag-based KASAN requires: 1. QEMU built from master [6] (use "-machine virt,mte=on -cpu max" arguments to run). 2. GCC version 10. [1] https://lkml.org/lkml/2020/11/4/1208 [2] https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety [3] https://arxiv.org/pdf/1802.09517.pdf [4] https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf [5] https://source.android.com/devices/architecture/kernel/generic-kernel-image [6] https://github.com/qemu/qemu === History Changes RFC v2 -> v1: - Rebrand the patchset from fully enabling production use to partially addressing that; another optimization and testing patchset will be required. - Rebase onto v8 of KASAN_HW_TAGS series. - Fix "ASYNC" -> "async" typo. - Rework depends condition for VMAP_STACK and update config text. - Remove unneeded reset_tag() macro, use kasan_reset_tag() instead. - Rename kasan.stack to kasan.stacks to avoid confusion with stack instrumentation. - Introduce kasan_stack_collection_enabled() and kasan_is_enabled() helpers. - Simplify kasan_stack_collection_enabled() usage. - Rework SLAB_KASAN flag and metadata allocation (see the corresponding patch for details). - Allow cache merging with KASAN_HW_TAGS when kasan.stacks is off. - Use sync mode dy default for both prod and full KASAN modes. - Drop kasan.trap=sync/async boot parameter, as async mode isn't supported yet. - Choose prod or full mode depending on CONFIG_DEBUG_KERNEL when no kasan.mode boot parameter is provided. - Drop krealloc optimization changes, those will be included in a separate patchset. - Update KASAN documentation to mention boot parameters. Changes RFC v1 -> RFC v2: - Rework boot parameters. - Drop __init from empty kasan_init_tags() definition. - Add cpu_supports_mte() helper that can be used during early boot and use it in kasan_init_tags() - Lots of new KASAN optimization commits. Andrey Konovalov (20): kasan: simplify quarantine_put call site kasan: rename get_alloc/free_info kasan: introduce set_alloc_info kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK kasan: allow VMAP_STACK for HW_TAGS mode kasan: remove __kasan_unpoison_stack kasan: inline kasan_reset_tag for tag-based modes kasan: inline random_tag for HW_TAGS kasan: inline kasan_poison_memory and check_invalid_free kasan: inline and rename kasan_unpoison_memory kasan: add and integrate kasan boot parameters kasan, mm: check kasan_enabled in annotations kasan: simplify kasan_poison_kfree kasan, mm: rename kasan_poison_kfree kasan: don't round_up too much kasan: simplify assign_tag and set_tag calls kasan: clarify comment in __kasan_kfree_large kasan: clean up metadata allocation and usage kasan, mm: allow cache merging with no metadata kasan: update documentation Documentation/dev-tools/kasan.rst | 180 ++++++++++++-------- arch/Kconfig | 8 +- arch/arm64/kernel/sleep.S | 2 +- arch/x86/kernel/acpi/wakeup_64.S | 2 +- include/linux/kasan.h | 253 +++++++++++++++++++++------ include/linux/mm.h | 22 ++- kernel/fork.c | 2 +- mm/kasan/common.c | 274 ++++++++++++++++++------------ mm/kasan/generic.c | 27 +-- mm/kasan/hw_tags.c | 171 ++++++++++++++++--- mm/kasan/kasan.h | 113 ++++++++---- mm/kasan/quarantine.c | 13 +- mm/kasan/report.c | 61 ++++--- mm/kasan/report_hw_tags.c | 2 +- mm/kasan/report_sw_tags.c | 13 +- mm/kasan/shadow.c | 5 +- mm/kasan/sw_tags.c | 17 +- mm/mempool.c | 2 +- mm/slab_common.c | 13 +- 19 files changed, 816 insertions(+), 364 deletions(-)