[1/5] arm64: bti: Support building kernel C code using BTI

Message ID	20200327192107.18394-2-broonie@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=GBlT=5M=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3B8AE20663 From: Mark Brown <broonie@kernel.org> To: Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org> Subject: [PATCH 1/5] arm64: bti: Support building kernel C code using BTI Date: Fri, 27 Mar 2020 19:21:03 +0000 Message-Id: <20200327192107.18394-2-broonie@kernel.org> In-Reply-To: <20200327192107.18394-1-broonie@kernel.org> References: <20200327192107.18394-1-broonie@kernel.org> MIME-Version: 1.0 summary: Content analysis details: (-2.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.140.110.172 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Precedence: list Cc: Mark Brown <broonie@kernel.org>, Kees Cook <keescook@chromium.org>, linux-arm-kernel@lists.infradead.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
Series	arm64: Initial BTI kernel support \| expand [0/5] arm64: Initial BTI kernel support [1/5] arm64: bti: Support building kernel C code using BTI [2/5] arm64: asm: Override SYM_FUNC_START when building the kernel with BTI [3/5] arm64: Set GP bit in kernel page tables to enable BTI for the kernel [4/5] arm64: mm: Mark module text as guarded pages [5/5] arm64: bti: Provide Kconfig for kernel mode BTI

Message ID

20200327192107.18394-2-broonie@kernel.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3B8AE20663
From: Mark Brown <broonie@kernel.org>
To: Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>
Subject: [PATCH 1/5] arm64: bti: Support building kernel C code using BTI
Date: Fri, 27 Mar 2020 19:21:03 +0000
Message-Id: <20200327192107.18394-2-broonie@kernel.org>
In-Reply-To: <20200327192107.18394-1-broonie@kernel.org>
References: <20200327192107.18394-1-broonie@kernel.org>
MIME-Version: 1.0
Precedence: list
Cc: Mark Brown <broonie@kernel.org>, Kees Cook <keescook@chromium.org>,
 linux-arm-kernel@lists.infradead.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org

Series

arm64: Initial BTI kernel support | expand

Commit Message

Mark Brown March 27, 2020, 7:21 p.m. UTC

When running with BTI enabled we need to ask the compiler to enable
generation of BTI landing pads beyond those generated as a result of
pointer authentication instructions being landing pads. Since the two
features are practically speaking unlikely to be used separately we
will make kernel mode BTI depend on pointer authentication in order
to simplify the Makefile.

Signed-off-by: Mark Brown <broonie@kernel.org>
---
 arch/arm64/Makefile | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Kees Cook March 28, 2020, 9:14 p.m. UTC | #1

On Fri, Mar 27, 2020 at 07:21:03PM +0000, Mark Brown wrote:
> When running with BTI enabled we need to ask the compiler to enable
> generation of BTI landing pads beyond those generated as a result of
> pointer authentication instructions being landing pads. Since the two
> features are practically speaking unlikely to be used separately we
> will make kernel mode BTI depend on pointer authentication in order
> to simplify the Makefile.

Some vendors have been making chips with weird combinations of features.
Is there a better justification to use beyond "unlikely"?

> 
> Signed-off-by: Mark Brown <broonie@kernel.org>
> ---
>  arch/arm64/Makefile | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index f15f92ba53e6..12f942531f32 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -67,7 +67,11 @@ endif
>  
>  ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
>  branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
> +ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti
> +else
>  branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
> +endif

The compiler appears to accept a leading +, so how about:

__branch-prot-opts-y =

ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
__branch-prot-opts-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) += +pac-ret+leaf
# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the
# compiler to generate them and consequently to break the single image contract
# we pass it only to the assembler. This option is utilized only in case of non
# integrated assemblers.
branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
endif

if ($(CONFIG_ARM64_BTI_KERNEL),y)
__branch-prot-opts-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) += +bti
endif

ifneq ($(___branch-prot-opts-y),)
KBUILD_CFLAGS += -mbranch-protection=$(__branch-prot-opts-y) $(branch-prot-flags-y)
endif

Or, this is all overkill. :)

-Kees

>  # -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the
>  # compiler to generate them and consequently to break the single image contract
>  # we pass it only to the assembler. This option is utilized only in case of non
> -- 
> 2.20.1
>

Mark Brown March 30, 2020, 11:33 a.m. UTC | #2

On Sat, Mar 28, 2020 at 02:14:09PM -0700, Kees Cook wrote:
> On Fri, Mar 27, 2020 at 07:21:03PM +0000, Mark Brown wrote:

> > When running with BTI enabled we need to ask the compiler to enable
> > generation of BTI landing pads beyond those generated as a result of
> > pointer authentication instructions being landing pads. Since the two
> > features are practically speaking unlikely to be used separately we
> > will make kernel mode BTI depend on pointer authentication in order
> > to simplify the Makefile.

> Some vendors have been making chips with weird combinations of features.
> Is there a better justification to use beyond "unlikely"?

The design intent is that BTI is complementary to PAC so it would be a
peculiar implementation choice to do BTI without also doing PAC but yes,
implementors and system integrators have the freedom to innovate in ways
that we cannot always forsee.  The other bit of it is that there's
fairly limited overhead from running PAC enabled code on hardware
without the support.

> The compiler appears to accept a leading +, so how about:

...

> Or, this is all overkill. :)

I feel better about adding the extra dependency than feeding an option
to the compiler that looks wrong like -mbranch-protection=+bti (more
BTI!) but ultimately I don't have strong feelings either way so whatever
Catalin and Will prefer.

Kees Cook March 30, 2020, 6:06 p.m. UTC | #3

On Mon, Mar 30, 2020 at 12:33:00PM +0100, Mark Brown wrote:
> I feel better about adding the extra dependency than feeding an option
> to the compiler that looks wrong like -mbranch-protection=+bti (more
> BTI!) but ultimately I don't have strong feelings either way so whatever
> Catalin and Will prefer.

Cool cool. If I end up with a use-case for stand-alone BTI I'll take the
responsibility to sort out the future patches to support it. :)

Mark Brown March 31, 2020, 3:21 p.m. UTC | #4

On Mon, Mar 30, 2020 at 11:06:23AM -0700, Kees Cook wrote:
> On Mon, Mar 30, 2020 at 12:33:00PM +0100, Mark Brown wrote:

> > I feel better about adding the extra dependency than feeding an option
> > to the compiler that looks wrong like -mbranch-protection=+bti (more
> > BTI!) but ultimately I don't have strong feelings either way so whatever
> > Catalin and Will prefer.

> Cool cool. If I end up with a use-case for stand-alone BTI I'll take the
> responsibility to sort out the future patches to support it. :)

It turns out that we also need to explicitly force
-mbranch-protection=none for cases where we have PAC disabled for the
kernel but userspace support (configuring the pointer auth for userspace
can end up causing pointer auth instructions in the kernel to start
doing things we're not ready for) and at least GCC doesn't like
none+anything combinations anyway.

diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index f15f92ba53e6..12f942531f32 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -67,7 +67,11 @@  endif
 
 ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
 branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
+ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
+branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti
+else
 branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
+endif
 # -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the
 # compiler to generate them and consequently to break the single image contract
 # we pass it only to the assembler. This option is utilized only in case of non

[1/5] arm64: bti: Support building kernel C code using BTI

Commit Message

Comments

Patch