[v3,15/16] arm64: compile the kernel with ptrauth return address signing

Commit Message

Amit Daniel Kachhap Dec. 16, 2019, 8:47 a.m. UTC

From: Kristina Martsenko <kristina.martsenko@arm.com>

Compile all functions with two ptrauth instructions: PACIASP in the
prologue to sign the return address, and AUTIASP in the epilogue to
authenticate the return address (from the stack). If authentication
fails, the return will cause an instruction abort to be taken, followed
by an oops and killing the task.

This should help protect the kernel against attacks using
return-oriented programming. As ptrauth protects the return address, it
can also serve as a replacement for CONFIG_STACKPROTECTOR, although note
that it does not protect other parts of the stack.

The new instructions are in the HINT encoding space, so on a system
without ptrauth they execute as NOPs.

CONFIG_ARM64_PTR_AUTH now not only enables ptrauth for userspace and KVM
guests, but also automatically builds the kernel with ptrauth
instructions if the compiler supports it. If there is no compiler
support, we do not warn that the kernel was built without ptrauth
instructions.

GCC 7 and 8 support the -msign-return-address option, while GCC 9
deprecates that option and replaces it with -mbranch-protection. Support
both options.

Clang uses an external assembler hence this patch makes sure that the
correct parameters (-march=armv8.3-a) are passed down to help it recognize
the ptrauth instructions. This option is not used for GNU toolchain.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Co-developed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
[Amit: Cover leaf function, comments]
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
---
Change since last version:
 * Introduced clang compiler support by passing flag -march=armv8.3-a to
   external assembler. There were some changes required for dwarfs
   `.cfi_negate_ra_state' in GCC toolchain. They are taken care and will
   be present in newer GCC toochains with backward compatibility.
   The issue reported by Mark Brown [1] is now fixed.

[1]: http://lists.infradead.org/pipermail/linux-arm-kernel/2019-November/696162.html

 arch/arm64/Kconfig  | 21 ++++++++++++++++++++-
 arch/arm64/Makefile | 11 +++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

Comments

Catalin Marinas Jan. 17, 2020, 11:49 a.m. UTC | #1

On Mon, Dec 16, 2019 at 02:17:17PM +0530, Amit Daniel Kachhap wrote:
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 06b5025..f0798b7 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1466,6 +1466,7 @@ config ARM64_PTR_AUTH
>  	bool "Enable support for pointer authentication"
>  	default y
>  	depends on !KVM || ARM64_VHE
> +	depends on GCC_VERSION >= 70000 || CLANG_VERSION >= 80000

Please don't add checks on compiler versions. Use cc-option when you
need a certain option rather than guessing which compiler version
supports it. People may do backports of different features, so the
version is not relevant.

>  	help
>  	  Pointer authentication (part of the ARMv8.3 Extensions) provides
>  	  instructions for signing and authenticating pointers against secret
> @@ -1473,11 +1474,17 @@ config ARM64_PTR_AUTH
>  	  and other attacks.
>  
>  	  This option enables these instructions at EL0 (i.e. for userspace).
> -
>  	  Choosing this option will cause the kernel to initialise secret keys
>  	  for each process at exec() time, with these keys being
>  	  context-switched along with the process.
>  
> +	  If the compiler supports the -mbranch-protection or
> +	  -msign-return-address flag (e.g. GCC 7 or later), then this option
> +	  will also cause the kernel itself to be compiled with return address
> +	  protection. In this case, and if the target hardware is known to
> +	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
> +	  disabled with minimal loss of protection.
> +
>  	  The feature is detected at runtime. If the feature is not present in
>  	  hardware it will not be advertised to userspace/KVM guest nor will it
>  	  be enabled. However, KVM guest also require VHE mode and hence
> @@ -1488,6 +1495,18 @@ config ARM64_PTR_AUTH
>  	  have address auth and the late CPU has then system panic will occur.
>  	  On such a system, this option should not be selected.
>  
> +config CC_HAS_BRANCH_PROT_PAC_RET
> +	# GCC 9 or later, clang 8 or later
> +	def_bool $(cc-option,-mbranch-protection=pac-ret+leaf)
> +
> +config CC_HAS_SIGN_RETURN_ADDRESS
> +	# GCC 7, 8
> +	def_bool $(cc-option,-msign-return-address=all)
> +
> +config AS_HAS_PAC
> +	def_bool $(as-option,-Wa,-march=armv8.3-a)
> +	depends on CC_IS_CLANG

First, as I commented on the previous patch, clang seems to ignore -Wa,
so you can write whatever you want after it and it seems to be always
true.

Second, if you need the assembler to support certain features, it needs
to be checked irrespective of whether the compiler is gcc or clang.
Binutils is a separate package.

> +
>  endmenu
>  
>  config ARM64_SVE
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 1fbe24d..6a1da59 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -72,6 +72,17 @@ stack_protector_prepare: prepare0
>  					include/generated/asm-offsets.h))
>  endif
>  
> +ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
> +branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
> +# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
> +# to generate them and consequently to break the single image contract we pass it
> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
> +# this option is not used.
> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
> +KBUILD_CFLAGS += $(branch-prot-flags-y)
> +endif

So, does this actually work with clang?

Please check the clang issue in case I'm mistaken. Otherwise, you could
use as-instr as in this patch:

https://lore.kernel.org/linux-arm-kernel/20200115113008.3334-3-catalin.marinas@arm.com/

Also Will had a preference for warning during build if the user
requested a feature in .config (i.e. PAC) but the compiler/assembler
does not support it (that was for the LSE patch above). You could
attempt something similar with this patch.

Amit Daniel Kachhap Jan. 21, 2020, 2:37 p.m. UTC | #2

On 1/17/20 11:49 AM, Catalin Marinas wrote:
> On Mon, Dec 16, 2019 at 02:17:17PM +0530, Amit Daniel Kachhap wrote:
>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>> index 06b5025..f0798b7 100644
>> --- a/arch/arm64/Kconfig
>> +++ b/arch/arm64/Kconfig
>> @@ -1466,6 +1466,7 @@ config ARM64_PTR_AUTH
>>   	bool "Enable support for pointer authentication"
>>   	default y
>>   	depends on !KVM || ARM64_VHE
>> +	depends on GCC_VERSION >= 70000 || CLANG_VERSION >= 80000
> 
> Please don't add checks on compiler versions. Use cc-option when you
> need a certain option rather than guessing which compiler version
> supports it. People may do backports of different features, so the
> version is not relevant.
ok this is fixed locally.
> 
>>   	help
>>   	  Pointer authentication (part of the ARMv8.3 Extensions) provides
>>   	  instructions for signing and authenticating pointers against secret
>> @@ -1473,11 +1474,17 @@ config ARM64_PTR_AUTH
>>   	  and other attacks.
>>   
>>   	  This option enables these instructions at EL0 (i.e. for userspace).
>> -
>>   	  Choosing this option will cause the kernel to initialise secret keys
>>   	  for each process at exec() time, with these keys being
>>   	  context-switched along with the process.
>>   
>> +	  If the compiler supports the -mbranch-protection or
>> +	  -msign-return-address flag (e.g. GCC 7 or later), then this option
>> +	  will also cause the kernel itself to be compiled with return address
>> +	  protection. In this case, and if the target hardware is known to
>> +	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
>> +	  disabled with minimal loss of protection.
>> +
>>   	  The feature is detected at runtime. If the feature is not present in
>>   	  hardware it will not be advertised to userspace/KVM guest nor will it
>>   	  be enabled. However, KVM guest also require VHE mode and hence
>> @@ -1488,6 +1495,18 @@ config ARM64_PTR_AUTH
>>   	  have address auth and the late CPU has then system panic will occur.
>>   	  On such a system, this option should not be selected.
>>   
>> +config CC_HAS_BRANCH_PROT_PAC_RET
>> +	# GCC 9 or later, clang 8 or later
>> +	def_bool $(cc-option,-mbranch-protection=pac-ret+leaf)
>> +
>> +config CC_HAS_SIGN_RETURN_ADDRESS
>> +	# GCC 7, 8
>> +	def_bool $(cc-option,-msign-return-address=all)
>> +
>> +config AS_HAS_PAC
>> +	def_bool $(as-option,-Wa,-march=armv8.3-a)
>> +	depends on CC_IS_CLANG
> 
> First, as I commented on the previous patch, clang seems to ignore -Wa,
> so you can write whatever you want after it and it seems to be always
> true.
> 
> Second, if you need the assembler to support certain features, it needs
> to be checked irrespective of whether the compiler is gcc or clang.
> Binutils is a separate package.

ok agreed and done locally.

> 
>> +
>>   endmenu
>>   
>>   config ARM64_SVE
>> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
>> index 1fbe24d..6a1da59 100644
>> --- a/arch/arm64/Makefile
>> +++ b/arch/arm64/Makefile
>> @@ -72,6 +72,17 @@ stack_protector_prepare: prepare0
>>   					include/generated/asm-offsets.h))
>>   endif
>>   
>> +ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
>> +branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
>> +branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
>> +# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
>> +# to generate them and consequently to break the single image contract we pass it
>> +# only to the assembler when clang is selected as a compiler. For the GNU toolchain
>> +# this option is not used.
>> +branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
>> +KBUILD_CFLAGS += $(branch-prot-flags-y)
>> +endif
> 
> So, does this actually work with clang?

Yes this works with clang. If I add -v to the  KBUILD_CFLAGS then it 
splits the output and shows that the Wa arguments are given to the gcc 
assembler and clang compiler does not use it.

> 
> Please check the clang issue in case I'm mistaken. Otherwise, you could
> use as-instr as in this patch:
> 
> https://lore.kernel.org/linux-arm-kernel/20200115113008.3334-3-catalin.marinas@arm.com/
> 
> Also Will had a preference for warning during build if the user
> requested a feature in .config (i.e. PAC) but the compiler/assembler
> does not support it (that was for the LSE patch above). You could
> attempt something similar with this patch.

I tried to add warnings like below which are in similar line to the 
above link,

ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
+  ifneq ($(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS),y)
+    ifneq ($(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET),y)
+$(warning Pointer authentication not supported by compiler)
+    endif
+  endif
+  ifneq ($(CONFIG_AS_HAS_PAC),y)
+$(warning Pointer authentication not supported by assembler)
+  endif
endif

But the issue is that warnings are printed twice and becomes confusing. 
First warning computed with the incorrect Kconfig flags and later with 
the correct computed Kconfig flags. This may be due to 
arch/arm64/Kconfig sourced twice.


>

Vincenzo Frascino Jan. 21, 2020, 2:46 p.m. UTC | #3

On 21/01/2020 14:37, Amit Kachhap wrote:
[...]

>>
>> Also Will had a preference for warning during build if the user
>> requested a feature in .config (i.e. PAC) but the compiler/assembler
>> does not support it (that was for the LSE patch above). You could
>> attempt something similar with this patch.
> 
> I tried to add warnings like below which are in similar line to the above link,
> 
> ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
> +  ifneq ($(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS),y)
> +    ifneq ($(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET),y)
> +$(warning Pointer authentication not supported by compiler)
> +    endif
> +  endif
> +  ifneq ($(CONFIG_AS_HAS_PAC),y)
> +$(warning Pointer authentication not supported by assembler)
> +  endif
> endif
> 
> But the issue is that warnings are printed twice and becomes confusing. First
> warning computed with the incorrect Kconfig flags and later with the correct
> computed Kconfig flags. This may be due to arch/arm64/Kconfig sourced twice.
>

This seems similar to the problem we had on vDSOs some time ago. The main
Makefile includes the arch specific twice, once for generating the building
scripts and once for building the kernel. As a consequence of this the arch
Kconfig is sourced twice. For the vDSOs we discarded the warning because it was
causing confusion.

> 
>>

Catalin Marinas Jan. 21, 2020, 4:50 p.m. UTC | #4

On Tue, Jan 21, 2020 at 02:37:44PM +0000, Amit Kachhap wrote:
> On 1/17/20 11:49 AM, Catalin Marinas wrote:
> > Also Will had a preference for warning during build if the user
> > requested a feature in .config (i.e. PAC) but the compiler/assembler
> > does not support it (that was for the LSE patch above). You could
> > attempt something similar with this patch.
> 
> I tried to add warnings like below which are in similar line to the above
> link,
> 
> ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
> +  ifneq ($(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS),y)
> +    ifneq ($(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET),y)
> +$(warning Pointer authentication not supported by compiler)
> +    endif
> +  endif
> +  ifneq ($(CONFIG_AS_HAS_PAC),y)
> +$(warning Pointer authentication not supported by assembler)
> +  endif
> endif
> 
> But the issue is that warnings are printed twice and becomes confusing.
> First warning computed with the incorrect Kconfig flags and later with the
> correct computed Kconfig flags. This may be due to arch/arm64/Kconfig
> sourced twice.

I think there are two passes over the opt arch Makefile, hence a
warning based on the old config. Maybe there is a way to check which
pass this is and skip the check in the first instance. It needs more
digging, otherwise we could move the check to kernel/Makefile.

Yet another option would be to check whether CONFIG_AS_HAS_PAC in
.config is backed by the actual assembler option via the Makefile. It
means we duplicate the as-option check but it may be the cleanest.

Anyway, for the time being, just get the dependencies correctly in
Kconfig without the warnings.

Patch

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 06b5025..f0798b7 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1466,6 +1466,7 @@  config ARM64_PTR_AUTH
 	bool "Enable support for pointer authentication"
 	default y
 	depends on !KVM || ARM64_VHE
+	depends on GCC_VERSION >= 70000 || CLANG_VERSION >= 80000
 	help
 	  Pointer authentication (part of the ARMv8.3 Extensions) provides
 	  instructions for signing and authenticating pointers against secret
@@ -1473,11 +1474,17 @@  config ARM64_PTR_AUTH
 	  and other attacks.
 
 	  This option enables these instructions at EL0 (i.e. for userspace).
-
 	  Choosing this option will cause the kernel to initialise secret keys
 	  for each process at exec() time, with these keys being
 	  context-switched along with the process.
 
+	  If the compiler supports the -mbranch-protection or
+	  -msign-return-address flag (e.g. GCC 7 or later), then this option
+	  will also cause the kernel itself to be compiled with return address
+	  protection. In this case, and if the target hardware is known to
+	  support pointer authentication, then CONFIG_STACKPROTECTOR can be
+	  disabled with minimal loss of protection.
+
 	  The feature is detected at runtime. If the feature is not present in
 	  hardware it will not be advertised to userspace/KVM guest nor will it
 	  be enabled. However, KVM guest also require VHE mode and hence
@@ -1488,6 +1495,18 @@  config ARM64_PTR_AUTH
 	  have address auth and the late CPU has then system panic will occur.
 	  On such a system, this option should not be selected.
 
+config CC_HAS_BRANCH_PROT_PAC_RET
+	# GCC 9 or later, clang 8 or later
+	def_bool $(cc-option,-mbranch-protection=pac-ret+leaf)
+
+config CC_HAS_SIGN_RETURN_ADDRESS
+	# GCC 7, 8
+	def_bool $(cc-option,-msign-return-address=all)
+
+config AS_HAS_PAC
+	def_bool $(as-option,-Wa,-march=armv8.3-a)
+	depends on CC_IS_CLANG
+
 endmenu
 
 config ARM64_SVE
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 1fbe24d..6a1da59 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -72,6 +72,17 @@  stack_protector_prepare: prepare0
 					include/generated/asm-offsets.h))
 endif
 
+ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
+branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
+branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
+# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the compiler
+# to generate them and consequently to break the single image contract we pass it
+# only to the assembler when clang is selected as a compiler. For the GNU toolchain
+# this option is not used.
+branch-prot-flags-$(CONFIG_AS_HAS_PAC) += -Wa,-march=armv8.3-a
+KBUILD_CFLAGS += $(branch-prot-flags-y)
+endif
+
 ifeq ($(CONFIG_CPU_BIG_ENDIAN), y)
 KBUILD_CPPFLAGS	+= -mbig-endian
 CHECKFLAGS	+= -D__AARCH64EB__