Message ID | 1548658727-14271-2-git-send-email-amit.kachhap@arm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Add ARMv8.3 pointer authentication for kvm guest | expand |
Hi Amit, On 28/01/2019 06:58, Amit Daniel Kachhap wrote: > The keys can be switched either inside an assembly or such > functions which do not have pointer authentication checks, so a GCC > attribute is added to enable it. > > A function ptrauth_keys_store is added which is similar to existing > function ptrauth_keys_switch but saves the key values in memory. > This may be useful for save/restore scenarios when CPU changes > privilege levels, suspend/resume etc. > diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h > index 15d4951..98441ce 100644 > --- a/arch/arm64/include/asm/pointer_auth.h > +++ b/arch/arm64/include/asm/pointer_auth.h > @@ -11,6 +11,13 @@ > > #ifdef CONFIG_ARM64_PTR_AUTH > /* > + * Compile the function without pointer authentication instructions. This > + * allows pointer authentication to be enabled/disabled within the function > + * (but leaves the function unprotected by pointer authentication). > + */ > +#define __no_ptrauth __attribute__((target("sign-return-address=none"))) The documentation[0] for this says 'none' is the default. Will this only take-effect once the kernel supports pointer-auth for the host? (Is this just documentation until then?) ('noptrauth' would fit with 'notrace' slightly better) Thanks, James [0] https://gcc.gnu.org/onlinedocs/gcc/AArch64-Function-Attributes.html#AArch64-Function-Attributes
On 31/01/2019 16:20, James Morse wrote: > Hi Amit, > > On 28/01/2019 06:58, Amit Daniel Kachhap wrote: >> The keys can be switched either inside an assembly or such >> functions which do not have pointer authentication checks, so a GCC >> attribute is added to enable it. >> >> A function ptrauth_keys_store is added which is similar to existing >> function ptrauth_keys_switch but saves the key values in memory. >> This may be useful for save/restore scenarios when CPU changes >> privilege levels, suspend/resume etc. > > >> diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h >> index 15d4951..98441ce 100644 >> --- a/arch/arm64/include/asm/pointer_auth.h >> +++ b/arch/arm64/include/asm/pointer_auth.h >> @@ -11,6 +11,13 @@ >> >> #ifdef CONFIG_ARM64_PTR_AUTH >> /* >> + * Compile the function without pointer authentication instructions. This >> + * allows pointer authentication to be enabled/disabled within the function >> + * (but leaves the function unprotected by pointer authentication). >> + */ >> +#define __no_ptrauth __attribute__((target("sign-return-address=none"))) > > The documentation[0] for this says 'none' is the default. Will this only > take-effect once the kernel supports pointer-auth for the host? (Is this just > documentation until then?) Yes, I don't think this should be in this series, since we're not building the kernel with pointer auth yet. > > ('noptrauth' would fit with 'notrace' slightly better) (But worse with e.g. __noreturn, __notrace_funcgraph, __init, __always_inline, __exception. Not sure what the pattern is. Would __noptrauth be better?) Thanks, Kristina > > [0] > https://gcc.gnu.org/onlinedocs/gcc/AArch64-Function-Attributes.html#AArch64-Function-Attributes >
Hi, On 2/13/19 11:02 PM, Kristina Martsenko wrote: > On 31/01/2019 16:20, James Morse wrote: >> Hi Amit, >> >> On 28/01/2019 06:58, Amit Daniel Kachhap wrote: >>> The keys can be switched either inside an assembly or such >>> functions which do not have pointer authentication checks, so a GCC >>> attribute is added to enable it. >>> >>> A function ptrauth_keys_store is added which is similar to existing >>> function ptrauth_keys_switch but saves the key values in memory. >>> This may be useful for save/restore scenarios when CPU changes >>> privilege levels, suspend/resume etc. >> >> >>> diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h >>> index 15d4951..98441ce 100644 >>> --- a/arch/arm64/include/asm/pointer_auth.h >>> +++ b/arch/arm64/include/asm/pointer_auth.h >>> @@ -11,6 +11,13 @@ >>> >>> #ifdef CONFIG_ARM64_PTR_AUTH >>> /* >>> + * Compile the function without pointer authentication instructions. This >>> + * allows pointer authentication to be enabled/disabled within the function >>> + * (but leaves the function unprotected by pointer authentication). >>> + */ >>> +#define __no_ptrauth __attribute__((target("sign-return-address=none"))) >> >> The documentation[0] for this says 'none' is the default. Will this only >> take-effect once the kernel supports pointer-auth for the host? (Is this just >> documentation until then?) > > Yes, I don't think this should be in this series, since we're not > building the kernel with pointer auth yet. I added it to stress on some functions which should be pointer authentication safe. Yes this can be dropped and a small comment may also do. //Amit D > >> >> ('noptrauth' would fit with 'notrace' slightly better) > > (But worse with e.g. __noreturn, __notrace_funcgraph, __init, > __always_inline, __exception. Not sure what the pattern is. Would > __noptrauth be better?) > > Thanks, > Kristina > >> >> [0] >> https://gcc.gnu.org/onlinedocs/gcc/AArch64-Function-Attributes.html#AArch64-Function-Attributes >> >
diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h index 15d4951..98441ce 100644 --- a/arch/arm64/include/asm/pointer_auth.h +++ b/arch/arm64/include/asm/pointer_auth.h @@ -11,6 +11,13 @@ #ifdef CONFIG_ARM64_PTR_AUTH /* + * Compile the function without pointer authentication instructions. This + * allows pointer authentication to be enabled/disabled within the function + * (but leaves the function unprotected by pointer authentication). + */ +#define __no_ptrauth __attribute__((target("sign-return-address=none"))) + +/* * Each key is a 128-bit quantity which is split across a pair of 64-bit * registers (Lo and Hi). */ @@ -50,6 +57,13 @@ do { \ write_sysreg_s(__pki_v.hi, SYS_ ## k ## KEYHI_EL1); \ } while (0) +#define __ptrauth_key_save(k, v) \ +do { \ + struct ptrauth_key __pki_v = (v); \ + __pki_v.lo = read_sysreg_s(SYS_ ## k ## KEYLO_EL1); \ + __pki_v.hi = read_sysreg_s(SYS_ ## k ## KEYHI_EL1); \ +} while (0) + static inline void ptrauth_keys_switch(struct ptrauth_keys *keys) { if (system_supports_address_auth()) { @@ -63,6 +77,19 @@ static inline void ptrauth_keys_switch(struct ptrauth_keys *keys) __ptrauth_key_install(APGA, keys->apga); } +static inline void ptrauth_keys_store(struct ptrauth_keys *keys) +{ + if (system_supports_address_auth()) { + __ptrauth_key_save(APIA, keys->apia); + __ptrauth_key_save(APIB, keys->apib); + __ptrauth_key_save(APDA, keys->apda); + __ptrauth_key_save(APDB, keys->apdb); + } + + if (system_supports_generic_auth()) + __ptrauth_key_save(APGA, keys->apga); +} + extern int ptrauth_prctl_reset_keys(struct task_struct *tsk, unsigned long arg); /* @@ -88,6 +115,7 @@ do { \ ptrauth_keys_switch(&(tsk)->thread.keys_user) #else /* CONFIG_ARM64_PTR_AUTH */ +#define __no_ptrauth #define ptrauth_prctl_reset_keys(tsk, arg) (-EINVAL) #define ptrauth_strip_insn_pac(lr) (lr) #define ptrauth_thread_init_user(tsk)
The keys can be switched either inside an assembly or such functions which do not have pointer authentication checks, so a GCC attribute is added to enable it. A function ptrauth_keys_store is added which is similar to existing function ptrauth_keys_switch but saves the key values in memory. This may be useful for save/restore scenarios when CPU changes privilege levels, suspend/resume etc. Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Marc Zyngier <marc.zyngier@arm.com> Cc: Christoffer Dall <christoffer.dall@arm.com> Cc: Kristina Martsenko <kristina.martsenko@arm.com> Cc: kvmarm@lists.cs.columbia.edu Cc: Ramana Radhakrishnan <ramana.radhakrishnan@arm.com> Cc: Will Deacon <will.deacon@arm.com> --- arch/arm64/include/asm/pointer_auth.h | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+)