diff mbox series

[v5,16/17] arm64: compile the kernel with ptrauth return address signing

Message ID 1581931668-11559-17-git-send-email-amit.kachhap@arm.com (mailing list archive)
State New, archived
Headers show
Series arm64: return address signing | expand

Commit Message

Amit Daniel Kachhap Feb. 17, 2020, 9:27 a.m. UTC 
From: Kristina Martsenko <kristina.martsenko@arm.com>

Compile all functions with two ptrauth instructions: PACIASP in the
prologue to sign the return address, and AUTIASP in the epilogue to
authenticate the return address (from the stack). If authentication
fails, the return will cause an instruction abort to be taken, followed
by an oops and killing the task.

This should help protect the kernel against attacks using
return-oriented programming. As ptrauth protects the return address, it
can also serve as a replacement for CONFIG_STACKPROTECTOR, although note
that it does not protect other parts of the stack.

The new instructions are in the HINT encoding space, so on a system
without ptrauth they execute as NOPs.

CONFIG_ARM64_PTR_AUTH now not only enables ptrauth for userspace and KVM
guests, but also automatically builds the kernel with ptrauth
instructions if the compiler supports it. If there is no compiler
support, we do not warn that the kernel was built without ptrauth
instructions.

GCC 7 and 8 support the -msign-return-address option, while GCC 9
deprecates that option and replaces it with -mbranch-protection. Support
both options.

Clang uses an external assembler hence this patch makes sure that the
correct parameters (-march=armv8.3-a) are passed down to help it recognize
the ptrauth instructions. This option is not used for GNU toolchain.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Co-developed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
[Amit: Cover leaf function, comments]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
---
 arch/arm64/Kconfig  | 20 +++++++++++++++++++-
 arch/arm64/Makefile | 11 +++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

Comments

Catalin Marinas Feb. 28, 2020, 6:23 p.m. UTC | #1 
On Mon, Feb 17, 2020 at 02:57:47PM +0530, Amit Daniel Kachhap wrote:
> +ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
> +branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
> +# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
> +# to generate them and consequently to break the single image contract we pass it
> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
> +# this option is not used.
> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
> +KBUILD_CFLAGS += $(branch-prot-flags-y)
> +endif

Does this work with the clang integrated assembler? AFAIK it ignores the
-Wa, though it may be fine with the instructions generated by the
compiler. (while we don't officially support it, we merged patches to
facilitate it).

Also, the above comment says that the -Wa option is used only when
building with clang. I don't see this being the case in the patch above.
Amit Daniel Kachhap March 2, 2020, 10:19 a.m. UTC | #2 
On 2/28/20 11:53 PM, Catalin Marinas wrote:
> On Mon, Feb 17, 2020 at 02:57:47PM +0530, Amit Daniel Kachhap wrote:
>> +ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
>> +branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
>> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
>> +# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
>> +# to generate them and consequently to break the single image contract we pass it
>> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
>> +# this option is not used.
>> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
>> +KBUILD_CFLAGS += $(branch-prot-flags-y)
>> +endif
> 
> Does this work with the clang integrated assembler? AFAIK it ignores the
> -Wa, though it may be fine with the instructions generated by the
> compiler. (while we don't officially support it, we merged patches to
> facilitate it).
> 
> Also, the above comment says that the -Wa option is used only when
> building with clang. I don't see this being the case in the patch above.

I will check on this and get back.

>
Mark Brown March 2, 2020, 1:16 p.m. UTC | #3 
On Fri, Feb 28, 2020 at 06:23:37PM +0000, Catalin Marinas wrote:
> On Mon, Feb 17, 2020 at 02:57:47PM +0530, Amit Daniel Kachhap wrote:

> > +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
> > +# this option is not used.
> > +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
> > +KBUILD_CFLAGS += $(branch-prot-flags-y)
> > +endif

> Does this work with the clang integrated assembler? AFAIK it ignores the
> -Wa, though it may be fine with the instructions generated by the
> compiler. (while we don't officially support it, we merged patches to
> facilitate it).

If the assembler integrated into the compiler doesn't cope with
instructions emitted by the compiler that seems like something we should
push to get fixed on the compiler side.
Amit Daniel Kachhap March 3, 2020, 9:28 a.m. UTC | #4 
On 2/28/20 11:53 PM, Catalin Marinas wrote:
> On Mon, Feb 17, 2020 at 02:57:47PM +0530, Amit Daniel Kachhap wrote:
>> +ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
>> +branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
>> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
>> +# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
>> +# to generate them and consequently to break the single image contract we pass it
>> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
>> +# this option is not used.
>> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
>> +KBUILD_CFLAGS += $(branch-prot-flags-y)
>> +endif
> 
> Does this work with the clang integrated assembler? AFAIK it ignores the
> -Wa, though it may be fine with the instructions generated by the
> compiler. (while we don't officially support it, we merged patches to
> facilitate it).

Clang integrated assembler compiles some initial c files into object
files and those contains the ptrauth instructions.

As you said it ignores the -Wa flag.

> 
> Also, the above comment says that the -Wa option is used only when
> building with clang. I don't see this being the case in the patch above.

I will update the comments.

>
Vincenzo Frascino March 4, 2020, 10:53 a.m. UTC | #5 
Hi Catalin,

On 2/28/20 6:23 PM, Catalin Marinas wrote:
> On Mon, Feb 17, 2020 at 02:57:47PM +0530, Amit Daniel Kachhap wrote:
>> +ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
>> +branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
>> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
>> +# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
>> +# to generate them and consequently to break the single image contract we pass it
>> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
>> +# this option is not used.
>> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
>> +KBUILD_CFLAGS += $(branch-prot-flags-y)
>> +endif
> 
> Does this work with the clang integrated assembler? AFAIK it ignores the
> -Wa, though it may be fine with the instructions generated by the
> compiler. (while we don't officially support it, we merged patches to
> facilitate it).
> 

The kernel is currently built with "-no-integrated-as" (Makefile +538) when
clang is selected. This means that the only assembler supported is the one
provide by binutils in this scenario.

The only patch series that I am aware of that is trying to do something with the
integrated as is [1] that uses it for inline assembly when LTO is enabled
(mainly for Android kernels at the moment). And this series is still being
reviewed.

Curiosity, which one is the series you are referring to? And how do I enable the
clang assembler for building the kernel?

[1] https://github.com/samitolvanen/linux/commits/clang-cfi
Vincenzo Frascino March 4, 2020, 11:01 a.m. UTC | #6 
Hi Mark,

On 3/2/20 1:16 PM, Mark Brown wrote:
> On Fri, Feb 28, 2020 at 06:23:37PM +0000, Catalin Marinas wrote:
>> On Mon, Feb 17, 2020 at 02:57:47PM +0530, Amit Daniel Kachhap wrote:
> 
>>> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
>>> +# this option is not used.
>>> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
>>> +KBUILD_CFLAGS += $(branch-prot-flags-y)
>>> +endif
> 
>> Does this work with the clang integrated assembler? AFAIK it ignores the
>> -Wa, though it may be fine with the instructions generated by the
>> compiler. (while we don't officially support it, we merged patches to
>> facilitate it).
> 
> If the assembler integrated into the compiler doesn't cope with
> instructions emitted by the compiler that seems like something we should
> push to get fixed on the compiler side.
> 

This option should be required only in the "hybrid" scenario of building the
kernel with clang+binutils.

The llvm assembler relies on "--target" and "-mbranch-protection=pac-ret+leaf"
so I do not think we should report or fix anything in this case.

This series is already passing the correct parameters to clang hence seems safe
to assume that it will continue doing so once the assembler will be switched to
the native version.
diff mbox series

Patch

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 115ceea..0f3ea01 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1499,6 +1499,7 @@  config ARM64_PTR_AUTH
 	bool "Enable support for pointer authentication"
 	default y
 	depends on !KVM || ARM64_VHE
+	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC
 	help
 	  Pointer authentication (part of the ARMv8.3 Extensions) provides
 	  instructions for signing and authenticating pointers against secret
@@ -1506,11 +1507,17 @@  config ARM64_PTR_AUTH
 	  and other attacks.
 
 	  This option enables these instructions at EL0 (i.e. for userspace).
-
 	  Choosing this option will cause the kernel to initialise secret keys
 	  for each process at exec() time, with these keys being
 	  context-switched along with the process.
 
+	  If the compiler supports the -mbranch-protection or
+	  -msign-return-address flag (e.g. GCC 7 or later), then this option
+	  will also cause the kernel itself to be compiled with return address
+	  protection. In this case, and if the target hardware is known to
+	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
+	  disabled with minimal loss of protection.
+
 	  The feature is detected at runtime. If the feature is not present in
 	  hardware it will not be advertised to userspace/KVM guest nor will it
 	  be enabled. However, KVM guest also require VHE mode and hence
@@ -1522,6 +1529,17 @@  config ARM64_PTR_AUTH
 	  but with the feature disabled. On such a system, this option should
 	  not be selected.
 
+config CC_HAS_BRANCH_PROT_PAC_RET
+	# GCC 9 or later, clang 8 or later
+	def_bool $(cc-option,-mbranch-protection=pac-ret+leaf)
+
+config CC_HAS_SIGN_RETURN_ADDRESS
+	# GCC 7, 8
+	def_bool $(cc-option,-msign-return-address=all)
+
+config AS_HAS_PAC
+	def_bool $(as-option,-Wa$(comma)-march=armv8.3-a)
+
 endmenu
 
 menu "ARMv8.5 architectural features"
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index dca1a97..ce5bdeb 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -65,6 +65,17 @@  stack_protector_prepare: prepare0
 					include/generated/asm-offsets.h))
 endif
 
+ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
+branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
+branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
+# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
+# to generate them and consequently to break the single image contract we pass it
+# only to the assembler when clang is selected as a compiler. For the GNU toolchain
+# this option is not used.
+branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
+KBUILD_CFLAGS += $(branch-prot-flags-y)
+endif
+
 ifeq ($(CONFIG_CPU_BIG_ENDIAN), y)
 KBUILD_CPPFLAGS	+= -mbig-endian
 CHECKFLAGS	+= -D__AARCH64EB__