From patchwork Mon Dec 7 22:46:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Kiss X-Patchwork-Id: 11957025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6EE79C4167B for ; Mon, 7 Dec 2020 22:47:52 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3367E239E4 for ; Mon, 7 Dec 2020 22:47:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3367E239E4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:MIME-Version:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:References:In-Reply-To:Message-Id:Date:Subject:To: From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=j7jjq41J8N6hg6ia5bwX0Ze+ehSQoLgeKw7FR+hmIWY=; b=kMAlWTwMIdGC4qBZ3dye0ju3io F0wPucF1KAOQ0QWwB6JKUjY7tbmUWDhWvvfhsIROM8veLUw+pZQh+QrFryLNiQoeWMYUeSb1/Z4WL VOm5T9Xmdwv/zyVvMwYjGiJ3IN+N3K0lIXXqflmEuF1fbKX/c7VnfrqMNKVpN90YYrlHYriBsCF9Q WFZDoE1r0rwW4vBv1CIW3vmMHG9ahIsOK1ju0wBUTtVUcMu/fijORA+yHvQtv48SQ5K1X/tbu81l3 +fpR+Dw4jGib5Sd23pKy+waqVNSPzigif3FOOPRgrbRVT3wqtkkAZ1UkIoaN3wxbc2OLqbwg5UDke e9sVPe4w==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kmPHI-0005RY-P5; Mon, 07 Dec 2020 22:46:44 +0000 Received: from foss.arm.com ([217.140.110.172]) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kmPHE-0005Q8-BE for linux-arm-kernel@lists.infradead.org; Mon, 07 Dec 2020 22:46:41 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 72EC430E; Mon, 7 Dec 2020 14:46:36 -0800 (PST) Received: from e120529-lin.arm.com (unknown [10.57.30.87]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 690943F68F; Mon, 7 Dec 2020 14:46:35 -0800 (PST) From: Daniel Kiss To: linux-arm-kernel@lists.infradead.org, pcc@google.com, will@kernel.org, catalin.marinas@arm.com Subject: [PATCH 1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option Date: Mon, 7 Dec 2020 23:46:24 +0100 Message-Id: <20201207224625.13764-2-daniel.kiss@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201207224625.13764-1-daniel.kiss@arm.com> References: <20201207224625.13764-1-daniel.kiss@arm.com> X-ARM-No-Footer: FoSSMail X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201207_174640_600033_85FEC310 X-CRM114-Status: GOOD ( 23.30 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Kiss MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org This new option makes possible to build the kernel with pointer authentication support for the user space while the kernel is not built with the pointer authentication. We have similar config structure for BTI. The default configuration will be the same after this patch. Signed-off-by: Daniel Kiss --- arch/arm64/Kconfig | 26 +++++++++++++++++--------- arch/arm64/Makefile | 2 +- drivers/misc/lkdtm/bugs.c | 6 +++--- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a6b5b7ef40ae..4e88dbbb16d9 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1501,7 +1501,6 @@ config ARM64_PTR_AUTH # which is only understood by binutils starting with version 2.33.1. depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100) depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE - depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS) help Pointer authentication (part of the ARMv8.3 Extensions) provides instructions for signing and authenticating pointers against secret @@ -1513,13 +1512,6 @@ config ARM64_PTR_AUTH for each process at exec() time, with these keys being context-switched along with the process. - If the compiler supports the -mbranch-protection or - -msign-return-address flag (e.g. GCC 7 or later), then this option - will also cause the kernel itself to be compiled with return address - protection. In this case, and if the target hardware is known to - support pointer authentication, then CONFIG_STACKPROTECTOR can be - disabled with minimal loss of protection. - The feature is detected at runtime. If the feature is not present in hardware it will not be advertised to userspace/KVM guest nor will it be enabled. @@ -1530,6 +1522,22 @@ config ARM64_PTR_AUTH but with the feature disabled. On such a system, this option should not be selected. +config ARM64_PTR_AUTH_KERNEL + bool "Enable support for pointer authentication for kernel" + default y + depends on ARM64_PTR_AUTH + depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS) + help + Build the kernel with return address protection by + pointer authentication. + + If the compiler supports the -mbranch-protection or + -msign-return-address flag (e.g. GCC 7 or later), then this option + will cause the kernel itself to be compiled with return address + protection. In this case, and if the target hardware is known to + support pointer authentication, then CONFIG_STACKPROTECTOR can be + disabled with minimal loss of protection. + This feature works with FUNCTION_GRAPH_TRACER option only if DYNAMIC_FTRACE_WITH_REGS is enabled. @@ -1618,7 +1626,7 @@ config ARM64_BTI_KERNEL bool "Use Branch Target Identification for kernel" default y depends on ARM64_BTI - depends on ARM64_PTR_AUTH + depends on ARM64_PTR_AUTH_KERNEL depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697 depends on !CC_IS_GCC || GCC_VERSION >= 100100 diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index 6a87d592bd00..6e5d9de8c2b3 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -70,7 +70,7 @@ endif # off, this will be overridden if we are using branch protection. branch-prot-flags-y += $(call cc-option,-mbranch-protection=none) -ifeq ($(CONFIG_ARM64_PTR_AUTH),y) +ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y) branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all # We enable additional protection for leaf functions as there is some # narrow potential for ROP protection benefits and no substantial diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c index a0675d4154d2..439fa33ae413 100644 --- a/drivers/misc/lkdtm/bugs.c +++ b/drivers/misc/lkdtm/bugs.c @@ -446,7 +446,7 @@ void lkdtm_DOUBLE_FAULT(void) #ifdef CONFIG_ARM64 static noinline void change_pac_parameters(void) { - if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) { + if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) { /* Reset the keys of current task */ ptrauth_thread_init_kernel(current); ptrauth_thread_switch_kernel(current); @@ -460,8 +460,8 @@ noinline void lkdtm_CORRUPT_PAC(void) #define CORRUPT_PAC_ITERATE 10 int i; - if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) - pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH\n"); + if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) + pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n"); if (!system_supports_address_auth()) { pr_err("FAIL: CPU lacks pointer authentication feature\n"); From patchwork Mon Dec 7 22:46:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Kiss X-Patchwork-Id: 11957027 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4C275C4361B for ; Mon, 7 Dec 2020 22:47:54 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 1232B239E4 for ; Mon, 7 Dec 2020 22:47:54 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1232B239E4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:MIME-Version:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:References:In-Reply-To:Message-Id:Date:Subject:To: From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=MYtn1NdjAg1YLyoXdlPlTAdPlaTTQ4oCytUTNlCy2ds=; b=gTqSc+uG7xm6xr/goO/ugC0iro FU/h9qZ8O/1KqgRB/BVRr0AHHYK8v92+oBBjQmwoxHB0CHO86KSg5RXjs9yLlOHKjiamUZ18BE1Bt nxbM2AMCmGvMpDOOlvQDQBKO/rKyxLRatYldkYf01ZSll2zLII3abbKYB/eA5pqFGmR5Hoj6p2ix4 +sQzxBK+59+PXFxGh4Yg15Zy9UCS2Pb4846R3i0iK1dciIQdP/fLvWLe2qWQJcuPeGyrGfrav5os3 EfrvUYm1ndoxFUOouaEpWhTyS4P/vbdTw/jPl4WY77v4p4wcspsd7yw8ZxGznKt8O7qDkdceJh9RC rixWD6zg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kmPHL-0005SP-PR; Mon, 07 Dec 2020 22:46:47 +0000 Received: from foss.arm.com ([217.140.110.172]) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kmPHI-0005RW-1i for linux-arm-kernel@lists.infradead.org; Mon, 07 Dec 2020 22:46:45 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C192D1042; Mon, 7 Dec 2020 14:46:37 -0800 (PST) Received: from e120529-lin.arm.com (unknown [10.57.30.87]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id B83033F68F; Mon, 7 Dec 2020 14:46:36 -0800 (PST) From: Daniel Kiss To: linux-arm-kernel@lists.infradead.org, pcc@google.com, will@kernel.org, catalin.marinas@arm.com Subject: [PATCH 2/2] arm64: Configure kernel's PTR_AUTH key when it is built with PTR_AUTH. Date: Mon, 7 Dec 2020 23:46:25 +0100 Message-Id: <20201207224625.13764-3-daniel.kiss@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201207224625.13764-1-daniel.kiss@arm.com> References: <20201207224625.13764-1-daniel.kiss@arm.com> X-ARM-No-Footer: FoSSMail X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201207_174644_245096_B794C9B2 X-CRM114-Status: GOOD ( 14.67 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Kiss MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org If the kernel is not compiled with CONFIG_ARM64_PTR_AUTH_KERNEL, then the kernel does not need a key and kernel's key could be disabled. Signed-off-by: Daniel Kiss --- arch/arm64/include/asm/asm_pointer_auth.h | 68 ++++++++++++++++------- arch/arm64/include/asm/processor.h | 2 + arch/arm64/kernel/asm-offsets.c | 4 ++ 3 files changed, 55 insertions(+), 19 deletions(-) diff --git a/arch/arm64/include/asm/asm_pointer_auth.h b/arch/arm64/include/asm/asm_pointer_auth.h index 52dead2a8640..af3d16027e8f 100644 --- a/arch/arm64/include/asm/asm_pointer_auth.h +++ b/arch/arm64/include/asm/asm_pointer_auth.h @@ -14,6 +14,12 @@ * thread.keys_user.ap*. */ .macro ptrauth_keys_install_user tsk, tmp1, tmp2, tmp3 +#ifndef CONFIG_ARM64_PTR_AUTH_KERNEL + /* Reenable A key */ + mrs \tmp1, sctlr_el1 + orr \tmp1, \tmp1, SCTLR_ELx_ENIA + msr sctlr_el1, \tmp1 +#endif mov \tmp1, #THREAD_KEYS_USER add \tmp1, \tsk, \tmp1 alternative_if_not ARM64_HAS_ADDRESS_AUTH @@ -39,6 +45,36 @@ alternative_if ARM64_HAS_GENERIC_AUTH alternative_else_nop_endif .endm + .macro __ptrauth_keys_init_cpu tsk, tmp1, tmp2, tmp3 + mrs \tmp1, id_aa64isar1_el1 + ubfx \tmp1, \tmp1, #ID_AA64ISAR1_APA_SHIFT, #8 + cbz \tmp1, .Lno_addr_auth\@ +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL + mov_q \tmp1, (SCTLR_ELx_ENIA | SCTLR_ELx_ENIB | \ + SCTLR_ELx_ENDA | SCTLR_ELx_ENDB) +#else + mov_q \tmp1, (SCTLR_ELx_ENIB | \ + SCTLR_ELx_ENDA | SCTLR_ELx_ENDB) +#endif + mrs \tmp2, sctlr_el1 + orr \tmp2, \tmp2, \tmp1 + msr sctlr_el1, \tmp2 +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL + __ptrauth_keys_install_kernel_nosync \tsk, \tmp1, \tmp2, \tmp3 +#endif + isb +.Lno_addr_auth\@: + .endm + + .macro ptrauth_keys_init_cpu tsk, tmp1, tmp2, tmp3 +alternative_if_not ARM64_HAS_ADDRESS_AUTH + b .Lno_addr_auth\@ +alternative_else_nop_endif + __ptrauth_keys_init_cpu \tsk, \tmp1, \tmp2, \tmp3 +.Lno_addr_auth\@: + .endm + +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL .macro __ptrauth_keys_install_kernel_nosync tsk, tmp1, tmp2, tmp3 mov \tmp1, #THREAD_KEYS_KERNEL add \tmp1, \tsk, \tmp1 @@ -60,29 +96,23 @@ alternative_if ARM64_HAS_ADDRESS_AUTH alternative_else_nop_endif .endm - .macro __ptrauth_keys_init_cpu tsk, tmp1, tmp2, tmp3 - mrs \tmp1, id_aa64isar1_el1 - ubfx \tmp1, \tmp1, #ID_AA64ISAR1_APA_SHIFT, #8 - cbz \tmp1, .Lno_addr_auth\@ - mov_q \tmp1, (SCTLR_ELx_ENIA | SCTLR_ELx_ENIB | \ - SCTLR_ELx_ENDA | SCTLR_ELx_ENDB) - mrs \tmp2, sctlr_el1 - orr \tmp2, \tmp2, \tmp1 - msr sctlr_el1, \tmp2 - __ptrauth_keys_install_kernel_nosync \tsk, \tmp1, \tmp2, \tmp3 - isb -.Lno_addr_auth\@: +#else /* CONFIG_ARM64_PTR_AUTH_KERNEL */ + + .macro ptrauth_keys_install_kernel_nosync tsk, tmp1, tmp2, tmp3 + mrs \tmp1, sctlr_el1 + and \tmp1, \tmp1, ~SCTLR_ELx_ENIA + msr sctlr_el1, \tmp1 .endm - .macro ptrauth_keys_init_cpu tsk, tmp1, tmp2, tmp3 -alternative_if_not ARM64_HAS_ADDRESS_AUTH - b .Lno_addr_auth\@ -alternative_else_nop_endif - __ptrauth_keys_init_cpu \tsk, \tmp1, \tmp2, \tmp3 -.Lno_addr_auth\@: + .macro ptrauth_keys_install_kernel tsk, tmp1, tmp2, tmp3 + mrs \tmp1, sctlr_el1 + and \tmp1, \tmp1, ~SCTLR_ELx_ENIA + msr sctlr_el1, \tmp1 .endm -#else /* CONFIG_ARM64_PTR_AUTH */ +#endif /* CONFIG_ARM64_PTR_AUTH_KERNEL */ + +#else /* !CONFIG_ARM64_PTR_AUTH */ .macro ptrauth_keys_install_user tsk, tmp1, tmp2, tmp3 .endm diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h index fce8cbecd6bc..e20888b321e3 100644 --- a/arch/arm64/include/asm/processor.h +++ b/arch/arm64/include/asm/processor.h @@ -150,8 +150,10 @@ struct thread_struct { struct debug_info debug; /* debugging */ #ifdef CONFIG_ARM64_PTR_AUTH struct ptrauth_keys_user keys_user; +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL struct ptrauth_keys_kernel keys_kernel; #endif +#endif #ifdef CONFIG_ARM64_MTE u64 sctlr_tcf0; u64 gcr_user_incl; diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c index 7d32fc959b1a..cb7965a9f505 100644 --- a/arch/arm64/kernel/asm-offsets.c +++ b/arch/arm64/kernel/asm-offsets.c @@ -46,7 +46,9 @@ int main(void) DEFINE(THREAD_CPU_CONTEXT, offsetof(struct task_struct, thread.cpu_context)); #ifdef CONFIG_ARM64_PTR_AUTH DEFINE(THREAD_KEYS_USER, offsetof(struct task_struct, thread.keys_user)); +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL DEFINE(THREAD_KEYS_KERNEL, offsetof(struct task_struct, thread.keys_kernel)); +#endif #endif BLANK(); DEFINE(S_X0, offsetof(struct pt_regs, regs[0])); @@ -141,7 +143,9 @@ int main(void) DEFINE(PTRAUTH_USER_KEY_APDA, offsetof(struct ptrauth_keys_user, apda)); DEFINE(PTRAUTH_USER_KEY_APDB, offsetof(struct ptrauth_keys_user, apdb)); DEFINE(PTRAUTH_USER_KEY_APGA, offsetof(struct ptrauth_keys_user, apga)); +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL DEFINE(PTRAUTH_KERNEL_KEY_APIA, offsetof(struct ptrauth_keys_kernel, apia)); +#endif BLANK(); #endif return 0;