mbox series

[0/4] kselftests/arm64: add PAuth tests

Message ID 20200828131606.7946-1-boyan.karatotev@arm.com
Headers show
Series kselftests/arm64: add PAuth tests | expand

Message

Boyan Karatotev Aug. 28, 2020, 1:16 p.m. UTC
Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
It introduces instructions to sign addresses and later check for potential
corruption using a second modifier value and one of a set of keys. The
signature, in the form of the Pointer Authentication Code (PAC), is stored
in some of the top unused bits of the virtual address (e.g. [54: 49] if
TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
controls are present to enable/disable groups of instructions (which use
certain keys) for compatibility with libraries that do not utilize the
feature. PAuth is used to verify the integrity of return addresses on the
stack with less memory than the stack canary.

This patchset adds kselftests to verify the kernel's configuration of the
feature and its runtime behaviour. There are 7 tests which verify that:
	* an authentication failure leads to a SIGSEGV
	* the data/instruction instruction groups are enabled
	* the generic instructions are enabled
	* all 5 keys are unique for a single thread
	* exec() changes all keys to new unique ones
	* context switching preserves the 4 data/instruction keys
	* context switching preserves the generic keys

The tests have been verified to work on qemu without a working PAUTH
Implementation and on ARM's FVP with a full or partial PAuth
implementation.

Note: This patchset is only verified for ARMv8.3 and there will be some
changes required for ARMv8.6. More details can be found here [1]. Once
ARMv8.6 PAuth is merged the first test in this series will required to be
updated.

[1] https://lore.kernel.org/linux-arm-kernel/1597734671-23407-1-git-send-email-amit.kachhap@arm.com/

Cc: Shuah Khan <shuah@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

Boyan Karatotev (4):
  kselftests/arm64: add a basic Pointer Authentication test
  kselftests/arm64: add nop checks for PAuth tests
  kselftests/arm64: add PAuth test for whether exec() changes keys
  kselftests/arm64: add PAuth tests for single threaded consistency and
    key uniqueness

 tools/testing/selftests/arm64/Makefile        |   2 +-
 .../testing/selftests/arm64/pauth/.gitignore  |   2 +
 tools/testing/selftests/arm64/pauth/Makefile  |  29 ++
 .../selftests/arm64/pauth/exec_target.c       |  35 ++
 tools/testing/selftests/arm64/pauth/helper.c  |  41 +++
 tools/testing/selftests/arm64/pauth/helper.h  |  30 ++
 tools/testing/selftests/arm64/pauth/pac.c     | 347 ++++++++++++++++++
 .../selftests/arm64/pauth/pac_corruptor.S     |  36 ++
 8 files changed, 521 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/arm64/pauth/.gitignore
 create mode 100644 tools/testing/selftests/arm64/pauth/Makefile
 create mode 100644 tools/testing/selftests/arm64/pauth/exec_target.c
 create mode 100644 tools/testing/selftests/arm64/pauth/helper.c
 create mode 100644 tools/testing/selftests/arm64/pauth/helper.h
 create mode 100644 tools/testing/selftests/arm64/pauth/pac.c
 create mode 100644 tools/testing/selftests/arm64/pauth/pac_corruptor.S

--
2.17.1

Comments

Dave Martin Sept. 2, 2020, 4:48 p.m. UTC | #1
On Fri, Aug 28, 2020 at 02:16:02PM +0100, Boyan Karatotev wrote:
> Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
> It introduces instructions to sign addresses and later check for potential
> corruption using a second modifier value and one of a set of keys. The
> signature, in the form of the Pointer Authentication Code (PAC), is stored
> in some of the top unused bits of the virtual address (e.g. [54: 49] if
> TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
> controls are present to enable/disable groups of instructions (which use
> certain keys) for compatibility with libraries that do not utilize the
> feature. PAuth is used to verify the integrity of return addresses on the
> stack with less memory than the stack canary.
> 
> This patchset adds kselftests to verify the kernel's configuration of the
> feature and its runtime behaviour. There are 7 tests which verify that:
> 	* an authentication failure leads to a SIGSEGV
> 	* the data/instruction instruction groups are enabled
> 	* the generic instructions are enabled
> 	* all 5 keys are unique for a single thread
> 	* exec() changes all keys to new unique ones
> 	* context switching preserves the 4 data/instruction keys
> 	* context switching preserves the generic keys
> 
> The tests have been verified to work on qemu without a working PAUTH
> Implementation and on ARM's FVP with a full or partial PAuth
> implementation.
> 
> Note: This patchset is only verified for ARMv8.3 and there will be some
> changes required for ARMv8.6. More details can be found here [1]. Once
> ARMv8.6 PAuth is merged the first test in this series will required to be
> updated.

Nit: is it worth running checkpatch over this series?

Although this is not kernel code, there are a number of formatting
weirdnesses and surplus blank lines etc. that checkpatch would probably
warn about.

[...]

Cheers
---Dave
Boyan Karatotev Sept. 3, 2020, 9:46 a.m. UTC | #2
On 02/09/2020 17:48, Dave Martin wrote:
> On Fri, Aug 28, 2020 at 02:16:02PM +0100, Boyan Karatotev wrote:
>> Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
>> It introduces instructions to sign addresses and later check for potential
>> corruption using a second modifier value and one of a set of keys. The
>> signature, in the form of the Pointer Authentication Code (PAC), is stored
>> in some of the top unused bits of the virtual address (e.g. [54: 49] if
>> TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
>> controls are present to enable/disable groups of instructions (which use
>> certain keys) for compatibility with libraries that do not utilize the
>> feature. PAuth is used to verify the integrity of return addresses on the
>> stack with less memory than the stack canary.
>>
>> This patchset adds kselftests to verify the kernel's configuration of the
>> feature and its runtime behaviour. There are 7 tests which verify that:
>> 	* an authentication failure leads to a SIGSEGV
>> 	* the data/instruction instruction groups are enabled
>> 	* the generic instructions are enabled
>> 	* all 5 keys are unique for a single thread
>> 	* exec() changes all keys to new unique ones
>> 	* context switching preserves the 4 data/instruction keys
>> 	* context switching preserves the generic keys
>>
>> The tests have been verified to work on qemu without a working PAUTH
>> Implementation and on ARM's FVP with a full or partial PAuth
>> implementation.
>>
>> Note: This patchset is only verified for ARMv8.3 and there will be some
>> changes required for ARMv8.6. More details can be found here [1]. Once
>> ARMv8.6 PAuth is merged the first test in this series will required to be
>> updated.
> 
> Nit: is it worth running checkpatch over this series?
> 
> Although this is not kernel code, there are a number of formatting
> weirdnesses and surplus blank lines etc. that checkpatch would probably
> warn about.
> 
I ran it through checkpatch and it came out clean except for some
MAINTAINERS warnings. I see that when I add --strict it does complain
about multiple blank lines which I can fix for the next version. Are
there any other flags I should be running checkpatch with?
> [...]
> 
> Cheers
> ---Dave
>
Dave Martin Sept. 7, 2020, 10:29 a.m. UTC | #3
On Thu, Sep 03, 2020 at 10:46:33AM +0100, Boyan Karatotev wrote:
> On 02/09/2020 17:48, Dave Martin wrote:
> > On Fri, Aug 28, 2020 at 02:16:02PM +0100, Boyan Karatotev wrote:
> >> Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
> >> It introduces instructions to sign addresses and later check for potential
> >> corruption using a second modifier value and one of a set of keys. The
> >> signature, in the form of the Pointer Authentication Code (PAC), is stored
> >> in some of the top unused bits of the virtual address (e.g. [54: 49] if
> >> TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
> >> controls are present to enable/disable groups of instructions (which use
> >> certain keys) for compatibility with libraries that do not utilize the
> >> feature. PAuth is used to verify the integrity of return addresses on the
> >> stack with less memory than the stack canary.
> >>
> >> This patchset adds kselftests to verify the kernel's configuration of the
> >> feature and its runtime behaviour. There are 7 tests which verify that:
> >> 	* an authentication failure leads to a SIGSEGV
> >> 	* the data/instruction instruction groups are enabled
> >> 	* the generic instructions are enabled
> >> 	* all 5 keys are unique for a single thread
> >> 	* exec() changes all keys to new unique ones
> >> 	* context switching preserves the 4 data/instruction keys
> >> 	* context switching preserves the generic keys
> >>
> >> The tests have been verified to work on qemu without a working PAUTH
> >> Implementation and on ARM's FVP with a full or partial PAuth
> >> implementation.
> >>
> >> Note: This patchset is only verified for ARMv8.3 and there will be some
> >> changes required for ARMv8.6. More details can be found here [1]. Once
> >> ARMv8.6 PAuth is merged the first test in this series will required to be
> >> updated.
> > 
> > Nit: is it worth running checkpatch over this series?
> > 
> > Although this is not kernel code, there are a number of formatting
> > weirdnesses and surplus blank lines etc. that checkpatch would probably
> > warn about.
> > 
> I ran it through checkpatch and it came out clean except for some
> MAINTAINERS warnings. I see that when I add --strict it does complain
> about multiple blank lines which I can fix for the next version. Are
> there any other flags I should be running checkpatch with?

Hmmm, probably not.  I had thought checkpatch was generally noisier
about that kind of thing.

Since the issues were all minor and nobody else objected, I would
suggest not to worry about them.

Cheers
---Dave