[v2,00/14] arm64: return address signing

Message ID 1574166746-27197-1-git-send-email-amit.kachhap@arm.com (mailing list archive)

Message

Amit Daniel Kachhap Nov. 19, 2019, 12:32 p.m. UTC
Hi,

This series improves function return address protection for the arm64 kernel, by
compiling the kernel with ARMv8.3 Pointer Authentication instructions (referred
ptrauth hereafter). This should help protect the kernel against attacks using
return-oriented programming.

This series is based on v5.4-rc8.

High-level changes since v1 [1] (detailed changes are listed in patches):
 - Dropped patch "arm64: cpufeature: handle conflicts based on capability"
   as pointed out by Suzuki.
 - Patches 4, 10, 12 and 14 are newly added.
 - Patch 12 adds support to block probing of the authenticate ptrauth instructions.
 - Patch 14 adds support for lkdtm to test ptrauth.
 - In the last version, if secondary CPUs have ptrauth and the primary CPU does not,
   then the secondary will silently disable ptrauth and keep running. This version
   creates a panic in this case, as suggested by Suzuki.
 - Many suggestions from James implemented.

This series does not implement a few things and has known limitations:
 - The kdump tool may need some rework to work with ptrauth.
 - Generate/get some randomness for ptrauth keys during early kernel boot.

Feedback welcome!

Thanks,
Amit Daniel

[1]: https://www.spinics.net/lists/arm-kernel/msg761991.html

Amit Daniel Kachhap (7):
  arm64: create macro to park cpu in an infinite loop
  arm64: ptrauth: Add bootup/runtime flags for __cpu_setup
  arm64: mask PAC bits of __builtin_return_address
  arm64: __show_regs: strip PAC from lr in printk
  arm64: suspend: restore the kernel ptrauth keys
  arm64: kprobe: disable probe of ptrauth instruction
  lkdtm: arm64: test kernel pointer authentication

Kristina Martsenko (6):
  arm64: cpufeature: add pointer auth meta-capabilities
  arm64: install user ptrauth keys at kernel exit time
  arm64: enable ptrauth earlier
  arm64: rename ptrauth key structures to be user-specific
  arm64: initialize and switch ptrauth kernel keys
  arm64: compile the kernel with ptrauth return address signing

Mark Rutland (1):
  arm64: unwind: strip PAC from kernel addresses

 arch/arm64/Kconfig                        | 22 +++++++++-
 arch/arm64/Makefile                       |  6 +++
 arch/arm64/include/asm/asm_pointer_auth.h | 59 ++++++++++++++++++++++++++
 arch/arm64/include/asm/compiler.h         | 17 ++++++++
 arch/arm64/include/asm/cpucaps.h          |  4 +-
 arch/arm64/include/asm/cpufeature.h       |  6 +--
 arch/arm64/include/asm/insn.h             | 13 +++---
 arch/arm64/include/asm/pointer_auth.h     | 57 +++++++++++--------------
 arch/arm64/include/asm/processor.h        |  3 +-
 arch/arm64/include/asm/smp.h              | 10 +++++
 arch/arm64/kernel/asm-offsets.c           | 16 +++++++
 arch/arm64/kernel/cpufeature.c            | 30 +++++++++----
 arch/arm64/kernel/entry.S                 |  6 +++
 arch/arm64/kernel/head.S                  | 47 +++++++++++++++------
 arch/arm64/kernel/insn.c                  |  1 +
 arch/arm64/kernel/pointer_auth.c          |  7 +---
 arch/arm64/kernel/probes/decode-insn.c    |  2 +-
 arch/arm64/kernel/process.c               |  5 ++-
 arch/arm64/kernel/ptrace.c                | 16 +++----
 arch/arm64/kernel/sleep.S                 |  8 ++++
 arch/arm64/kernel/smp.c                   | 10 +++++
 arch/arm64/kernel/stacktrace.c            |  3 ++
 arch/arm64/mm/proc.S                      | 70 ++++++++++++++++++++++++++-----
 drivers/misc/lkdtm/bugs.c                 | 17 ++++++++
 drivers/misc/lkdtm/core.c                 |  1 +
 drivers/misc/lkdtm/lkdtm.h                |  1 +
 26 files changed, 345 insertions(+), 92 deletions(-)
 create mode 100644 arch/arm64/include/asm/asm_pointer_auth.h
 create mode 100644 arch/arm64/include/asm/compiler.h
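
Two of the patches above ("mask PAC bits of __builtin_return_address" and "unwind: strip PAC from kernel addresses") exist because a signed link register is not a usable address until its PAC bits are removed. The block below is an added example, not code from this series or from the kernel: it models where the PAC lives in an arm64 pointer and how it is stripped for printing or unwinding. It assumes a 48-bit virtual address size (the kernel derives this boundary at run time from the VA size in use) and top-byte ignore for user-space pointers, so the user PAC field stops at bit 54; bit 55, which selects the user or kernel half, is never part of the PAC. The PAC values spliced in are arbitrary constructed numbers, not the output of a real signing instruction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not the series' code): where the PAC sits in an arm64
 * pointer and how it is stripped again.
 *
 * Constructed assumptions:
 *  - 48-bit virtual addresses, so the PAC occupies bits 63:48 of a kernel
 *    pointer, minus bit 55 (TTBR0/TTBR1 select, never part of the PAC).
 *  - User pointers have TBI enabled, so bits 63:56 are a tag byte and the
 *    user PAC is confined to bits 54:48.
 */
#define VABITS 48ULL
#define GENMASK_ULL(h, l) (((~0ULL) >> (63 - (h))) & ((~0ULL) << (l)))
#define BIT_ULL(n) (1ULL << (n))

#define USER_PAC_MASK   GENMASK_ULL(54, VABITS)          /* 0x007f000000000000 */
#define KERNEL_PAC_MASK GENMASK_ULL(63, VABITS)          /* 0xffff000000000000 */

/* Bit 55 is copied into all higher bits of a canonical address, so it
 * tells kernel (1) and user (0) pointers apart even when a PAC is present. */
static bool is_kernel_ptr(uint64_t ptr) { return ptr & BIT_ULL(55); }

/* Remove the PAC. Kernel addresses are sign-extended back to all ones;
 * user addresses get the PAC bits cleared while the tag byte is kept. */
uint64_t strip_pac(uint64_t ptr)
{
    if (is_kernel_ptr(ptr))
        return ptr | KERNEL_PAC_MASK;
    return ptr & ~USER_PAC_MASK;
}

/* Splice a constructed PAC value into the PAC field of a plain address,
 * mimicking what a signing instruction does to the top bits. The value is
 * arbitrary here; a real PAC is derived from a key, the address and a
 * modifier such as the stack pointer. */
uint64_t insert_fake_pac(uint64_t ptr, uint64_t pac)
{
    if (is_kernel_ptr(ptr)) {
        uint64_t field = KERNEL_PAC_MASK & ~BIT_ULL(55);
        return (ptr & ~field) | ((pac << VABITS) & field);
    }
    return (ptr & ~USER_PAC_MASK) | ((pac << VABITS) & USER_PAC_MASK);
}

int main(void)
{
    /* Constructed sample addresses, not taken from any real kernel. */
    uint64_t klr = 0xffff000010012345ULL;   /* kernel link register */
    uint64_t ulr = 0x4200aaaabbbbc000ULL;   /* user address with tag byte 0x42 */

    uint64_t ksigned = insert_fake_pac(klr, 0x1234ULL);
    uint64_t usigned = insert_fake_pac(ulr, 0x5eULL);

    printf("kernel: signed %#llx -> stripped %#llx\n",
           (unsigned long long)ksigned, (unsigned long long)strip_pac(ksigned));
    printf("user:   signed %#llx -> stripped %#llx\n",
           (unsigned long long)usigned, (unsigned long long)strip_pac(usigned));
    return 0;
}
```

The same strip is what a `printk` of `lr` or the unwinder needs before a symbol lookup: without it the PAC bits make the value look like a non-canonical address and symbolization fails. Note that stripping is a presentation step only; it does not verify the PAC, so an unwinder that strips a corrupted return address will happily print it.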

Comments

Ard Biesheuvel Nov. 20, 2019, 4:05 p.m. UTC | #1
On Tue, 19 Nov 2019 at 13:33, Amit Daniel Kachhap <amit.kachhap@arm.com> wrote:
>
> Hi,
>
> This series improves function return address protection for the arm64 kernel, by
> compiling the kernel with ARMv8.3 Pointer Authentication instructions (referred
> ptrauth hereafter). This should help protect the kernel against attacks using
> return-oriented programming.
>
> This series is based on v5.4-rc8.
>
> High-level changes since v1 [1] (detailed changes are listed in patches):
>  - Dropped patch "arm64: cpufeature: handle conflicts based on capability"
>    as pointed out by Suzuki.
>  - Patches 4, 10, 12 and 14 are newly added.
>  - Patch 12 adds support to block probing of the authenticate ptrauth instructions.
>  - Patch 14 adds support for lkdtm to test ptrauth.
>  - In the last version, if secondary CPUs have ptrauth and the primary CPU does not,
>    then the secondary will silently disable ptrauth and keep running. This version
>    creates a panic in this case, as suggested by Suzuki.
>  - Many suggestions from James implemented.
>
> This series does not implement a few things and has known limitations:
>  - The kdump tool may need some rework to work with ptrauth.
>  - Generate/get some randomness for ptrauth keys during early kernel boot.
>

Hello Amit,

As we discussed offline, we still need some place to initialize the
PAC keys for the boot CPU.

We should follow the same approach as boot_init_stack_canary() is
currently taking: it is called from start_kernel(), never returns, and
it is marked as __always_inline, which means it does not set up a
stack frame and so its return address will not get signed with the
wrong key.

Something like the below should be acceptable for a generic header
file, and we can wire up kernel PAC in the arm64 version of the
stackprotector.h header whichever way we like.
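
An added software model, not Ard's header or the series' code, of the hazard described above: a function with its own stack frame signs its return address in the prologue under whatever key is live at that moment; if its body then installs a new key, the epilogue authenticates under the new key and the return fails. An always-inline, never-returning key installer has no such frame, so no return address signed under the old key is ever checked. The model assumes 48-bit kernel addresses, a PAC field of bits 63:48 minus bit 55, and a constructed XOR fold of (address, stack pointer, key) standing in for the real PAC cipher; all addresses and keys are made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not code from the series or from Ard's suggestion): a
 * software model of return-address signing showing why the function that
 * installs the boot CPU's kernel keys must not own a frame signed with the
 * previous key.
 *
 * Constructed simplifications: 48-bit kernel addresses, PAC field = bits
 * 63:48 minus bit 55 (TTBR select), and an XOR fold in place of the real
 * keyed PAC computation.
 */
#define VABITS    48ULL
#define PAC_FIELD ((~0ULL << VABITS) & ~(1ULL << 55))

/* Constructed stand-in for the PAC algorithm. Being linear in the key,
 * any key change is guaranteed to change the PAC, which is all the model
 * needs; a real implementation uses a keyed block cipher. */
static uint64_t pac_compute(uint64_t addr, uint64_t sp, uint64_t key)
{
    uint64_t x = (addr & ~PAC_FIELD) ^ sp ^ key;
    x ^= x >> 32;
    x ^= x >> 16;                       /* fold to 16 bits */
    return (x << VABITS) & PAC_FIELD;
}

/* paciasp equivalent: sign LR under the current key, SP as modifier. */
uint64_t sign_lr(uint64_t key, uint64_t lr, uint64_t sp)
{
    return (lr & ~PAC_FIELD) | pac_compute(lr, sp, key);
}

/* autiasp equivalent. On hardware a failed check corrupts the pointer so
 * the following ret faults; here the outcome is reported as a bool and
 * *out receives the stripped (sign-extended) address either way. */
bool auth_lr(uint64_t key, uint64_t signed_lr, uint64_t sp, uint64_t *out)
{
    *out = signed_lr | PAC_FIELD;
    return (signed_lr & PAC_FIELD) == pac_compute(signed_lr, sp, key);
}

/* Shape 1: an ordinary function (own prologue and epilogue) installs the
 * new key. Its LR was signed under the old key, so its own epilogue check
 * fails and the return would fault. */
bool install_keys_with_frame(uint64_t old_key, uint64_t new_key)
{
    const uint64_t lr = 0xffff000010001234ULL;   /* constructed */
    const uint64_t sp = 0xffff00001fff0000ULL;   /* constructed */
    uint64_t key = old_key, plain;
    uint64_t signed_lr = sign_lr(key, lr, sp);   /* prologue: paciasp */
    key = new_key;                               /* body: write key registers */
    return auth_lr(key, signed_lr, sp, &plain);  /* epilogue: autiasp */
}

/* Shape 2: the boot_init_stack_canary() pattern. The key install is inlined
 * into a caller that never returns, so nothing signed under the old key is
 * ever authenticated; frames pushed afterwards verify under the new key. */
bool install_keys_inline_then_call(uint64_t old_key, uint64_t new_key)
{
    uint64_t key = old_key;                      /* state before the switch */
    key = new_key;                               /* inlined key install */
    const uint64_t lr = 0xffff000010005678ULL;   /* constructed */
    const uint64_t sp = 0xffff00001ffe0000ULL;   /* constructed */
    uint64_t plain;
    uint64_t signed_lr = sign_lr(key, lr, sp);   /* callee entered afterwards */
    return auth_lr(key, signed_lr, sp, &plain) && plain == lr;
}

int main(void)
{
    printf("key switch inside a framed function: auth %s\n",
           install_keys_with_frame(0x1111ULL, 0x2222ULL) ? "ok" : "FAILS");
    printf("key switch inlined, then a call:      auth %s\n",
           install_keys_inline_then_call(0x1111ULL, 0x2222ULL) ? "ok" : "FAILS");
    return 0;
}
```

The model also makes the defender's side of the property visible: a return address signed under one key and checked under another is rejected, which is exactly what makes a stale or attacker-controlled return address fail on `ret`, and it is why the point at which the kernel keys are first written has to be chosen so carefully.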
Amit Daniel Kachhap Nov. 21, 2019, 12:15 p.m. UTC | #2
Hi Ard,

On 11/20/19 9:35 PM, Ard Biesheuvel wrote:
> On Tue, 19 Nov 2019 at 13:33, Amit Daniel Kachhap <amit.kachhap@arm.com> wrote:
>>
>> Hi,
>>
>> This series improves function return address protection for the arm64 kernel, by
>> compiling the kernel with ARMv8.3 Pointer Authentication instructions (referred
>> ptrauth hereafter). This should help protect the kernel against attacks using
>> return-oriented programming.
>>
>> This series is based on v5.4-rc8.
>>
>> High-level changes since v1 [1] (detailed changes are listed in patches):
>>   - Dropped patch "arm64: cpufeature: handle conflicts based on capability"
>>     as pointed out by Suzuki.
>>   - Patches 4, 10, 12 and 14 are newly added.
>>   - Patch 12 adds support to block probing of the authenticate ptrauth instructions.
>>   - Patch 14 adds support for lkdtm to test ptrauth.
>>   - In the last version, if secondary CPUs have ptrauth and the primary CPU does not,
>>     then the secondary will silently disable ptrauth and keep running. This version
>>     creates a panic in this case, as suggested by Suzuki.
>>   - Many suggestions from James implemented.
>>
>> This series does not implement a few things and has known limitations:
>>   - The kdump tool may need some rework to work with ptrauth.
>>   - Generate/get some randomness for ptrauth keys during early kernel boot.
>>
> 
> Hello Amit,
> 
> As we discussed offline, we still need some place to initialize the
> PAC keys for the boot CPU.
> 
> We should follow the same approach as boot_init_stack_canary() is
> currently taking: it is called from start_kernel(), never returns, and
> it is marked as __always_inline, which means it does not set up a
> stack frame and so its return address will not get signed with the
> wrong key.
> 
> Something like the below should be acceptable for a generic header
> file, and we can wire up kernel PAC in the arm64 version of the
> stackprotector.h header whichever way we like.
> 

This seems to be a practical approach. I tested it on my local system and
it works fine. For the few functions before boot_init_stack_canary, it can
afford to run without keys, as the randomization driver is not initialised.
Thanks for the pointer.

Regards,
Amit Daniel