
[00/11] arm64: return address signing

Message ID 1571300065-10236-1-git-send-email-amit.kachhap@arm.com (mailing list archive)

Message

Amit Daniel Kachhap Oct. 17, 2019, 8:14 a.m. UTC
Hi,

This series improves function return address protection for the arm64 kernel, by
compiling the kernel with ARMv8.3 Pointer Authentication instructions (ptrauth
referred hereafter). This should help protect the kernel against attacks using
return-oriented programming.

Patches 9 and 10 are newly added and hence sent as RFC.

This series is based on v5.4-rc2.

High-level changes since RFC v2 [1] (detailed changes are listed in patches):
 - Moved enabling, key setup and context switch to assembly, to avoid using
   the pointer auth compiler attribute which Clang does not support (thanks
   Suzuki for the initial code!).
 - Added code to restore keys after cpu resume.
 - __builtin_return_address will now mask pac bits.
 - Changed gcc compiler options to add ptrauth instructions in all functions
   and not just non-leaf functions. This may be revisited later due to
   performance concerns.
 - Rebased onto v5.4-rc2.
 - Added Reviewed-by's.

This series does not implement a few things, or has known limitations:
 - ftrace function tracer does not work with this series. But after using
   the posted series [2] based on -fpatchable-function-entry, it works fine.
 - kprobes/uprobes and other tracing may need some rework with ptrauth.
 - kdump, other debug may need some rework with ptrauth.
 - Generate some randomness for ptrauth keys during kernel early booting.

Feedback welcome!

Thanks,
Amit Daniel

[1] https://lore.kernel.org/linux-arm-kernel/20190529190332.29753-1-kristina.martsenko@arm.com/
[2] https://patchwork.kernel.org/patch/10803279/

Amit Daniel Kachhap (3):
  arm64: create macro to park cpu in infinite loop
  arm64: suspend: restore the kernel ptrauth keys
  arm64: mask PAC bits of __builtin_return_address

Kristina Martsenko (8):
  arm64: cpufeature: add pointer auth meta-capabilities
  arm64: install user ptrauth keys at kernel exit time
  arm64: cpufeature: handle conflicts based on capability
  arm64: enable ptrauth earlier
  arm64: rename ptrauth key structures to be user-specific
  arm64: initialize and switch ptrauth kernel keys
  arm64: unwind: strip PAC from kernel addresses
  arm64: compile the kernel with ptrauth return address signing

 arch/arm64/Kconfig                        | 21 ++++++++-
 arch/arm64/Makefile                       |  6 +++
 arch/arm64/include/asm/asm_pointer_auth.h | 59 +++++++++++++++++++++++
 arch/arm64/include/asm/compiler.h         | 15 ++++++
 arch/arm64/include/asm/cpucaps.h          |  4 +-
 arch/arm64/include/asm/cpufeature.h       | 33 ++++++++++---
 arch/arm64/include/asm/pointer_auth.h     | 50 ++++++++------------
 arch/arm64/include/asm/processor.h        |  3 +-
 arch/arm64/include/asm/smp.h              |  3 ++
 arch/arm64/kernel/asm-offsets.c           | 15 ++++++
 arch/arm64/kernel/cpufeature.c            | 53 ++++++++++++---------
 arch/arm64/kernel/entry.S                 |  6 +++
 arch/arm64/kernel/head.S                  | 78 +++++++++++++++++++++++++++----
 arch/arm64/kernel/pointer_auth.c          |  7 +--
 arch/arm64/kernel/process.c               |  3 +-
 arch/arm64/kernel/ptrace.c                | 16 +++----
 arch/arm64/kernel/sleep.S                 |  6 +++
 arch/arm64/kernel/smp.c                   |  8 ++++
 arch/arm64/kernel/stacktrace.c            |  3 ++
 19 files changed, 306 insertions(+), 83 deletions(-)
 create mode 100644 arch/arm64/include/asm/asm_pointer_auth.h
 create mode 100644 arch/arm64/include/asm/compiler.h
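As an added illustration, not code from this series or from the kernel, of the pointer layout that the "mask PAC bits of __builtin_return_address" and "unwind: strip PAC from kernel addresses" patches rely on. It assumes 48-bit virtual addresses, top-byte-ignore enabled for user pointers but not for kernel pointers, and bit 55 as the kernel/user selector; the "signing" here only inserts a constructed value into the PAC field, it does not compute a real PAC.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: 48-bit VAs, so the PAC field is everything above bit 47. */
#define VA_BITS 48
#define GENMASK_ULL(h, l) (((~0ULL) >> (63 - (h))) & ((~0ULL) << (l)))

/* Kernel pointers: no TBI, so the PAC covers bits 63:48 except bit 55,
 * which selects the address space and is never overwritten. */
uint64_t kernel_pac_mask(void)
{
	return GENMASK_ULL(63, VA_BITS) & ~(1ULL << 55);
}

/* User pointers: TBI keeps bits 63:56 out of the PAC, bit 55 is excluded too. */
uint64_t user_pac_mask(void)
{
	return GENMASK_ULL(54, VA_BITS);
}

bool is_kernel_ptr(uint64_t ptr)
{
	return (ptr >> 55) & 1;
}

/* Recover the canonical address from a signed pointer. A canonical kernel
 * address has all ones above the VA range, a user address all zeros, so the
 * mask is ORed in for one and ANDed out for the other. This is the kind of
 * stripping an unwinder or a __builtin_return_address wrapper needs before
 * a signed return address can be compared against symbols or printed. */
uint64_t strip_pac(uint64_t ptr)
{
	if (is_kernel_ptr(ptr))
		return ptr | kernel_pac_mask();
	return ptr & ~user_pac_mask();
}

/* Constructed stand-in for signing: drop a value into the PAC field without
 * touching bit 55. A real PAC comes from PACIASP using the key, address and SP. */
uint64_t fake_sign(uint64_t ptr, uint64_t pac_value)
{
	uint64_t mask = is_kernel_ptr(ptr) ? kernel_pac_mask() : user_pac_mask();
	return (ptr & ~mask) | ((pac_value << VA_BITS) & mask);
}

int main(void)
{
	uint64_t lr = fake_sign(0xffff000010081234ULL, 0x5a3); /* constructed kernel LR */
	printf("signed %016llx -> stripped %016llx\n",
	       (unsigned long long)lr, (unsigned long long)strip_pac(lr));
	return 0;
}
```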

Comments

James Morse Oct. 23, 2019, 5:31 p.m. UTC | #1
Hi Amit,

On 17/10/2019 09:14, Amit Daniel Kachhap wrote:
> This series improves function return address protection for the arm64 kernel, by
> compiling the kernel with ARMv8.3 Pointer Authentication instructions (ptrauth
> referred hereafter). This should help protect the kernel against attacks using
> return-oriented programming.
> 
> Patches 9 and 10 are newly added and hence sent as RFC.

Please don't mix 'RFC' in a series. If one patch is RFC, the whole series should be marked
like that, including the cover letter. git format-patch's '--rfc' option will do this for
you.

If this is 'v3', please mark all the patches 'v3' too. Adding '-v 3' to git format-patch
will do this for you.


> High-level changes since RFC v2 [1] (detailed changes are listed in patches):
>  - Moved enabling, key setup and context switch to assembly, to avoid using
>    the pointer auth compiler attribute which Clang does not support (thanks
>    Suzuki for the initial code!).
>  - Added code to restore keys after cpu resume.
>  - __builtin_return_address will now mask pac bits.
>  - Changed gcc compiler options to add ptrauth instructions in all functions
>    and not just non-leaf functions. This may be revisited later due to
>    performance concerns.
>  - Rebased onto v5.4-rc2.
>  - Added Reviewed-by's.

> This series does not implement a few things, or has known limitations:
>  - ftrace function tracer does not work with this series. But after using
>    the posted series [2] based on -fpatchable-function-entry, it works fine.
>  - kprobes/uprobes and other tracing may need some rework with ptrauth.
>  - kdump, other debug may need some rework with ptrauth.
>  - Generate some randomness for ptrauth keys during kernel early booting.

It's good to have this list in the cover letter (thanks!).

Could you expand on the kprobes point? Is it emulating/stepping the ptrauth instructions,
or stuff like kretprobes, that overwrite the lr? (arch_prepare_kretprobe()).
(or both!)

SDEI (firmware assisted NMI) may be called with the user-keys, kernel-keys, or
half-way-through switching keys. I don't think this is a problem, it just means the key in
use is unknown.


Thanks,

James


> [1] https://lore.kernel.org/linux-arm-kernel/20190529190332.29753-1-kristina.martsenko@arm.com/
> [2] https://patchwork.kernel.org/patch/10803279/
Amit Daniel Kachhap Oct. 30, 2019, 3:59 a.m. UTC | #2
Hi,

On 10/23/19 11:01 PM, James Morse wrote:
> Hi Amit,
> 
> On 17/10/2019 09:14, Amit Daniel Kachhap wrote:
>> This series improves function return address protection for the arm64 kernel, by
>> compiling the kernel with ARMv8.3 Pointer Authentication instructions (ptrauth
>> referred hereafter). This should help protect the kernel against attacks using
>> return-oriented programming.
>>
>> Patches 9 and 10 are newly added and hence sent as RFC.
> 
> Please don't mix 'RFC' in a series. If one patch is RFC, the whole series should be marked
> like that, including the cover letter. git format-patch's '--rfc' option will do this for
> you.
> 
> If this is 'v3', please mark all the patches 'v3' too. Adding '-v 3' to git format-patch
> will do this for you.
Yes, sure. I will do it like this.
> 
> 
>> High-level changes since RFC v2 [1] (detailed changes are listed in patches):
>>   - Moved enabling, key setup and context switch to assembly, to avoid using
>>     the pointer auth compiler attribute which Clang does not support (thanks
>>     Suzuki for the initial code!).
>>   - Added code to restore keys after cpu resume.
>>   - __builtin_return_address will now mask pac bits.
>>   - Changed gcc compiler options to add ptrauth instructions in all functions
>>     and not just non-leaf functions. This may be revisited later due to
>>     performance concerns.
>>   - Rebased onto v5.4-rc2.
>>   - Added Reviewed-by's.
> 
>> This series does not implement a few things, or has known limitations:
>>   - ftrace function tracer does not work with this series. But after using
>>     the posted series [2] based on -fpatchable-function-entry, it works fine.
>>   - kprobes/uprobes and other tracing may need some rework with ptrauth.
>>   - kdump, other debug may need some rework with ptrauth.
>>   - Generate some randomness for ptrauth keys during kernel early booting.
> 
> It's good to have this list in the cover letter (thanks!).
> 
> Could you expand on the kprobes point? Is it emulating/stepping the ptrauth instructions,
> or stuff like kretprobes, that overwrite the lr? (arch_prepare_kretprobe()).
> (or both!)
Yes, I should have expanded it here. Currently it is able to step both
PACIASP and AUTIASP instructions, as kprobes/kretprobes keep the same
register context. In the negative case, kretprobe may cause some issue.
Need to look more into it.
> 
> SDEI (firmware assisted NMI) may be called with the user-keys, kernel-keys, or
> half-way-through switching keys. I don't think this is a problem, it just means the key in
> use is unknown.
Thanks for pointing this out. Yes, the ptrauth keys save/store may be
added in the SDEI handler. I will check more on it.

Thanks,
Amit Daniel
> 
> 
> Thanks,
> 
> James
> 
> 
>> [1] https://lore.kernel.org/linux-arm-kernel/20190529190332.29753-1-kristina.martsenko@arm.com/
>> [2] https://patchwork.kernel.org/patch/10803279/