Message ID | 20210604100437.1658599-2-daniel.kiss@arm.com (mailing list archive) |
---|---|
State | New, archived |
Series | arm64: split ARM64_PTR_AUTH option to userspace and kernel |
On Fri, Jun 04, 2021 at 12:04:36PM +0200, Daniel Kiss wrote: > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 9f1d8566bbf9..c0c0073a70c3 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features" > config ARM64_PTR_AUTH > bool "Enable support for pointer authentication" > default y [...] > +config ARM64_PTR_AUTH_KERNEL > + bool "Use pointer authentication for kernel" > + default y > + depends on ARM64_PTR_AUTH Nitpick: if you only apply this patch and disable ARM64_PTR_AUTH_KERNEL, I suspect it will go wrong. Maybe make it unselectable in this patch: config ARM64_PTR_AUTH_KERNEL bool default y depends on ARM64_PTR_AUTH and add the description in the next one, once all the other bits are in place (for bisectability reasons): With that: Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
On Fri, Jun 04, 2021 at 12:04:36PM +0200, Daniel Kiss wrote: > This patch add the ARM64_PTR_AUTH_KERNEL config and deals with the > build aspect of it. > > Userspace support has no dependency on the toolchain therefore all > toolchain checks and build flags are controlled the new config > option. > The default config behavior will not be changed. > > Signed-off-by: Daniel Kiss <daniel.kiss@arm.com> > Acked-by: Will Deacon <will@kernel.org> > --- > arch/arm64/Kconfig | 33 +++++++++++++++++++-------------- > arch/arm64/Makefile | 2 +- > arch/arm64/kernel/asm-offsets.c | 2 ++ > drivers/misc/lkdtm/bugs.c | 6 +++--- > 4 files changed, 25 insertions(+), 18 deletions(-) > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 9f1d8566bbf9..c0c0073a70c3 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features" > config ARM64_PTR_AUTH > bool "Enable support for pointer authentication" > default y > - depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC > - # Modern compilers insert a .note.gnu.property section note for PAC > - # which is only understood by binutils starting with version 2.33.1. > - depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100) > - depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE > - depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS) > help > Pointer authentication (part of the ARMv8.3 Extensions) provides > instructions for signing and authenticating pointers against secret 
> @@ -1498,13 +1492,6 @@ config ARM64_PTR_AUTH > for each process at exec() time, with these keys being > context-switched along with the process. > > - If the compiler supports the -mbranch-protection or > - -msign-return-address flag (e.g. GCC 7 or later), then this option > - will also cause the kernel itself to be compiled with return address > - protection. In this case, and if the target hardware is known to > - support pointer authentication, then CONFIG_STACKPROTECTOR can be > - disabled with minimal loss of protection. > - > The feature is detected at runtime. If the feature is not present in > hardware it will not be advertised to userspace/KVM guest nor will it > be enabled. > @@ -1515,6 +1502,24 @@ config ARM64_PTR_AUTH > but with the feature disabled. On such a system, this option should > not be selected. > > +config ARM64_PTR_AUTH_KERNEL > + bool "Use pointer authentication for kernel" > + default y > + depends on ARM64_PTR_AUTH > + depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC > + # Modern compilers insert a .note.gnu.property section note for PAC > + # which is only understood by binutils starting with version 2.33.1. > + depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100) Why is this checking 'LD_VERSION >= 233010000' whereas the code you removed from ARM64_PTR_AUTH was checking 'LD_VERSION >= 23301' ? Will
> On 8 Jun 2021, at 13:58, Will Deacon <will@kernel.org> wrote: > > On Fri, Jun 04, 2021 at 12:04:36PM +0200, Daniel Kiss wrote: >> This patch add the ARM64_PTR_AUTH_KERNEL config and deals with the >> build aspect of it. >> >> Userspace support has no dependency on the toolchain therefore all >> toolchain checks and build flags are controlled the new config >> option. >> The default config behavior will not be changed. >> >> Signed-off-by: Daniel Kiss <daniel.kiss@arm.com> >> Acked-by: Will Deacon <will@kernel.org> >> --- >> arch/arm64/Kconfig | 33 +++++++++++++++++++-------------- >> arch/arm64/Makefile | 2 +- >> arch/arm64/kernel/asm-offsets.c | 2 ++ >> drivers/misc/lkdtm/bugs.c | 6 +++--- >> 4 files changed, 25 insertions(+), 18 deletions(-) >> >> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig >> index 9f1d8566bbf9..c0c0073a70c3 100644 >> --- a/arch/arm64/Kconfig >> +++ b/arch/arm64/Kconfig >> @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features" >> config ARM64_PTR_AUTH >> bool "Enable support for pointer authentication" >> default y >> - depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC >> - # Modern compilers insert a .note.gnu.property section note for PAC >> - # which is only understood by binutils starting with version 2.33.1. >> - depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100) >> - depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE >> - depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS) >> help >> Pointer authentication (part of the ARMv8.3 Extensions) provides >> instructions for signing and authenticating pointers against secret 
>> @@ -1498,13 +1492,6 @@ config ARM64_PTR_AUTH >> for each process at exec() time, with these keys being >> context-switched along with the process. >> >> - If the compiler supports the -mbranch-protection or >> - -msign-return-address flag (e.g. GCC 7 or later), then this option >> - will also cause the kernel itself to be compiled with return address >> - protection. In this case, and if the target hardware is known to >> - support pointer authentication, then CONFIG_STACKPROTECTOR can be >> - disabled with minimal loss of protection. >> - >> The feature is detected at runtime. If the feature is not present in >> hardware it will not be advertised to userspace/KVM guest nor will it >> be enabled. >> @@ -1515,6 +1502,24 @@ config ARM64_PTR_AUTH >> but with the feature disabled. On such a system, this option should >> not be selected. >> >> +config ARM64_PTR_AUTH_KERNEL >> + bool "Use pointer authentication for kernel" >> + default y >> + depends on ARM64_PTR_AUTH >> + depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC >> + # Modern compilers insert a .note.gnu.property section note for PAC >> + # which is only understood by binutils starting with version 2.33.1. >> + depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100) > > Why is this checking 'LD_VERSION >= 233010000' whereas the code you removed > from ARM64_PTR_AUTH was checking 'LD_VERSION >= 23301’ ? This is unintentional, since the first patch the "kbuild: LD_VERSION redenomination” is landed and I missed during the rebase.
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 9f1d8566bbf9..c0c0073a70c3 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features" config ARM64_PTR_AUTH bool "Enable support for pointer authentication" default y - depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC - # Modern compilers insert a .note.gnu.property section note for PAC - # which is only understood by binutils starting with version 2.33.1. - depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100) - depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE - depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS) help Pointer authentication (part of the ARMv8.3 Extensions) provides instructions for signing and authenticating pointers against secret @@ -1498,13 +1492,6 @@ config ARM64_PTR_AUTH for each process at exec() time, with these keys being context-switched along with the process. - If the compiler supports the -mbranch-protection or - -msign-return-address flag (e.g. GCC 7 or later), then this option - will also cause the kernel itself to be compiled with return address - protection. In this case, and if the target hardware is known to - support pointer authentication, then CONFIG_STACKPROTECTOR can be - disabled with minimal loss of protection. - The feature is detected at runtime. If the feature is not present in hardware it will not be advertised to userspace/KVM guest nor will it be enabled. 
@@ -1515,6 +1502,24 @@ config ARM64_PTR_AUTH but with the feature disabled. On such a system, this option should not be selected. +config ARM64_PTR_AUTH_KERNEL + bool "Use pointer authentication for kernel" + default y + depends on ARM64_PTR_AUTH + depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC + # Modern compilers insert a .note.gnu.property section note for PAC + # which is only understood by binutils starting with version 2.33.1. + depends on LD_IS_LLD || LD_VERSION >= 233010000 || (CC_IS_GCC && GCC_VERSION < 90100) + depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE + depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS) + help + If the compiler supports the -mbranch-protection or + -msign-return-address flag (e.g. GCC 7 or later), then this option + will cause the kernel itself to be compiled with return address + protection. In this case, and if the target hardware is known to + support pointer authentication, then CONFIG_STACKPROTECTOR can be + disabled with minimal loss of protection. + This feature works with FUNCTION_GRAPH_TRACER option only if DYNAMIC_FTRACE_WITH_REGS is enabled. @@ -1606,7 +1611,7 @@ config ARM64_BTI_KERNEL bool "Use Branch Target Identification for kernel" default y depends on ARM64_BTI - depends on ARM64_PTR_AUTH + depends on ARM64_PTR_AUTH_KERNEL depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697 depends on !CC_IS_GCC || GCC_VERSION >= 100100 diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index b52481f0605d..3b5b1c480449 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile 
@@ -70,7 +70,7 @@ endif # off, this will be overridden if we are using branch protection. branch-prot-flags-y += $(call cc-option,-mbranch-protection=none) -ifeq ($(CONFIG_ARM64_PTR_AUTH),y) +ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y) branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all # We enable additional protection for leaf functions as there is some # narrow potential for ROP protection benefits and no substantial diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c index 0cb34ccb6e73..03420b89c602 100644 --- a/arch/arm64/kernel/asm-offsets.c +++ b/arch/arm64/kernel/asm-offsets.c @@ -46,6 +46,8 @@ int main(void) DEFINE(THREAD_SCTLR_USER, offsetof(struct task_struct, thread.sctlr_user)); #ifdef CONFIG_ARM64_PTR_AUTH DEFINE(THREAD_KEYS_USER, offsetof(struct task_struct, thread.keys_user)); +#endif +#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL DEFINE(THREAD_KEYS_KERNEL, offsetof(struct task_struct, thread.keys_kernel)); #endif #ifdef CONFIG_ARM64_MTE diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c index 0e8254d0cf0b..a164896dc6d4 100644 --- a/drivers/misc/lkdtm/bugs.c +++ b/drivers/misc/lkdtm/bugs.c @@ -463,7 +463,7 @@ void lkdtm_DOUBLE_FAULT(void) #ifdef CONFIG_ARM64 static noinline void change_pac_parameters(void) { - if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) { + if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) { /* Reset the keys of current task */ ptrauth_thread_init_kernel(current); ptrauth_thread_switch_kernel(current); @@ -477,8 +477,8 @@ noinline void lkdtm_CORRUPT_PAC(void) #define CORRUPT_PAC_ITERATE 10 int i; - if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) - pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH\n"); + if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) + pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n"); if (!system_supports_address_auth()) { pr_err("FAIL: CPU lacks pointer authentication feature\n");
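Review bot: In the new ARM64_PTR_AUTH_KERNEL entry in arch/arm64/Kconfig, the linker check reads `LD_VERSION >= 233010000`, while the line removed from ARM64_PTR_AUTH reads `LD_VERSION >= 23301`, and the comment above both still says binutils 2.33.1. The commit message describes moving the toolchain checks without changing default behavior, so either carry the threshold over unchanged or state in the commit message which LD_VERSION encoding the new constant relies on. If the constant does not match the encoding used by the tree this is applied to, the comparison is never true for GNU ld, and a build with GCC 9.1 or later and GNU ld silently loses ARM64_PTR_AUTH_KERNEL (and, through the changed dependency, ARM64_BTI_KERNEL) even though `default y` suggests it is on.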
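Review bot: In arch/arm64/kernel/asm-offsets.c, THREAD_KEYS_KERNEL is now emitted only under `#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL`, but the Kconfig hunk already gives the new symbol a prompt (`bool "Use pointer authentication for kernel"`), so ARM64_PTR_AUTH=y with ARM64_PTR_AUTH_KERNEL=n is selectable as of this patch. Apart from the Makefile and lkdtm, no other user of the kernel keys is converted in the visible diff, so any code still guarded by CONFIG_ARM64_PTR_AUTH that refers to THREAD_KEYS_KERNEL would break in that configuration. Either convert those users in this patch or keep the option promptless (`bool` with `default y`) here and add the prompt and help text once the remaining conversions are in, so that every commit in the series builds and boots during bisection.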
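Review bot: In lkdtm_CORRUPT_PAC() in drivers/misc/lkdtm/bugs.c, the `if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))` branch only calls pr_err() and, in the lines shown, execution continues to the system_supports_address_auth() check. After the split, a kernel built with userspace pointer authentication only will reach this path on hardware that supports address authentication, print the FAIL line and then carry on. Consider returning after the message so the result is unambiguous for that configuration, and update any test expectations or documentation that match on the old "CONFIG_ARM64_PTR_AUTH" string in the message.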