Message ID | 20200327192107.18394-2-broonie@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | arm64: Initial BTI kernel support | expand |
On Fri, Mar 27, 2020 at 07:21:03PM +0000, Mark Brown wrote: > When running with BTI enabled we need to ask the compiler to enable > generation of BTI landing pads beyond those generated as a result of > pointer authentication instructions being landing pads. Since the two > features are practically speaking unlikely to be used separately we > will make kernel mode BTI depend on pointer authentication in order > to simplify the Makefile. Some vendors have been making chips with weird combinations of features. Is there a better justification to use beyond "unlikely"? > > Signed-off-by: Mark Brown <broonie@kernel.org> > --- > arch/arm64/Makefile | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile > index f15f92ba53e6..12f942531f32 100644 > --- a/arch/arm64/Makefile > +++ b/arch/arm64/Makefile > @@ -67,7 +67,11 @@ endif > > ifeq ($(CONFIG_ARM64_PTR_AUTH),y) > branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all > +ifeq ($(CONFIG_ARM64_BTI_KERNEL),y) > +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti > +else > branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf > +endif The compiler appears to accept a leading +, so how about: __branch-prot-opts-y = ifeq ($(CONFIG_ARM64_PTR_AUTH),y) branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all __branch-prot-opts-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) += +pac-ret+leaf # -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the # compiler to generate them and consequently to break the single image contract # we pass it only to the assembler. This option is utilized only in case of non # integrated assemblers. branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a endif if ($(CONFIG_ARM64_BTI_KERNEL),y) __branch-prot-opts-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) += +bti endif ifneq ($(___branch-prot-opts-y),) KBUILD_CFLAGS += -mbranch-protection=$(__branch-prot-opts-y) $(branch-prot-flags-y) endif Or, this is all overkill. :) -Kees > # -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the > # compiler to generate them and consequently to break the single image contract > # we pass it only to the assembler. This option is utilized only in case of non > -- > 2.20.1 >
On Sat, Mar 28, 2020 at 02:14:09PM -0700, Kees Cook wrote: > On Fri, Mar 27, 2020 at 07:21:03PM +0000, Mark Brown wrote: > > When running with BTI enabled we need to ask the compiler to enable > > generation of BTI landing pads beyond those generated as a result of > > pointer authentication instructions being landing pads. Since the two > > features are practically speaking unlikely to be used separately we > > will make kernel mode BTI depend on pointer authentication in order > > to simplify the Makefile. > Some vendors have been making chips with weird combinations of features. > Is there a better justification to use beyond "unlikely"? The design intent is that BTI is complementary to PAC so it would be a peculiar implementation choice to do BTI without also doing PAC but yes, implementors and system integrators have the freedom to innovate in ways that we cannot always forsee. The other bit of it is that there's fairly limited overhead from running PAC enabled code on hardware without the support. > The compiler appears to accept a leading +, so how about: ... > Or, this is all overkill. :) I feel better about adding the extra dependency than feeding an option to the compiler that looks wrong like -mbranch-protection=+bti (more BTI!) but ultimately I don't have strong feelings either way so whatever Catalin and Will prefer.
On Mon, Mar 30, 2020 at 12:33:00PM +0100, Mark Brown wrote: > I feel better about adding the extra dependency than feeding an option > to the compiler that looks wrong like -mbranch-protection=+bti (more > BTI!) but ultimately I don't have strong feelings either way so whatever > Catalin and Will prefer. Cool cool. If I end up with a use-case for stand-alone BTI I'll take the responsibility to sort out the future patches to support it. :)
On Mon, Mar 30, 2020 at 11:06:23AM -0700, Kees Cook wrote: > On Mon, Mar 30, 2020 at 12:33:00PM +0100, Mark Brown wrote: > > I feel better about adding the extra dependency than feeding an option > > to the compiler that looks wrong like -mbranch-protection=+bti (more > > BTI!) but ultimately I don't have strong feelings either way so whatever > > Catalin and Will prefer. > Cool cool. If I end up with a use-case for stand-alone BTI I'll take the > responsibility to sort out the future patches to support it. :) It turns out that we also need to explicitly force -mbranch-protection=none for cases where we have PAC disabled for the kernel but userspace support (configuring the pointer auth for userspace can end up causing pointer auth instructions in the kernel to start doing things we're not ready for) and at least GCC doesn't like none+anything combinations anyway.
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index f15f92ba53e6..12f942531f32 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -67,7 +67,11 @@ endif ifeq ($(CONFIG_ARM64_PTR_AUTH),y) branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all +ifeq ($(CONFIG_ARM64_BTI_KERNEL),y) +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti +else branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf +endif # -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the # compiler to generate them and consequently to break the single image contract # we pass it only to the assembler. This option is utilized only in case of non
When running with BTI enabled we need to ask the compiler to enable generation of BTI landing pads beyond those generated as a result of pointer authentication instructions being landing pads. Since the two features are practically speaking unlikely to be used separately we will make kernel mode BTI depend on pointer authentication in order to simplify the Makefile. Signed-off-by: Mark Brown <broonie@kernel.org> --- arch/arm64/Makefile | 4 ++++ 1 file changed, 4 insertions(+)