From: Catalin Marinas <catalin.marinas@arm.com>
To: Peter Collingbourne <pcc@google.com>
Cc: Evgenii Stepanov <eugenis@google.com>,
Kostya Serebryany <kcc@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Dave Martin <Dave.Martin@arm.com>, Will Deacon <will@kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Andrey Konovalov <andreyknvl@google.com>,
linux-api@vger.kernel.org, Szabolcs Nagy <szabolcs.nagy@arm.com>
Subject: Re: [PATCH 2/2] arm64: allow TCR_EL1.TBID0 to be configured
Date: Tue, 24 Nov 2020 18:47:42 +0000 [thread overview]
Message-ID: <20201124184742.GC42276@C02TF0J2HF1T.local> (raw)
In-Reply-To: <64c0fa360333fd5275582d25019614156a8302bc.1605952129.git.pcc@google.com>
On Sat, Nov 21, 2020 at 01:59:03AM -0800, Peter Collingbourne wrote:
> Introduce a Kconfig option that controls whether TCR_EL1.TBID0 is
> set at boot time.
>
> Setting TCR_EL1.TBID0 increases the number of signature bits used by
> the pointer authentication instructions for instruction addresses by 8,
> which improves the security of pointer authentication, but it also has
> the consequence of changing the operation of the branch instructions
> so that they no longer ignore the top byte of the target address but
> instead fault if they are non-zero. Since this is a change to the
> userspace ABI the option defaults to off.
>
> Signed-off-by: Peter Collingbourne <pcc@google.com>
> Link: https://linux-review.googlesource.com/id/Ife724ad708142bc475f42e8c1d9609124994bbbd
> ---
> This is more of an RFC. An open question is how to expose this.
> Having it be a build-time flag is probably the simplest option
> but I guess it could also be a boot flag. Since it involves an
> ABI change we may also want a prctl() so that userspace can
> figure out which mode it is in.
>
> I think we should try to avoid it being a per-task property
> so that we don't need to swap yet another system register on
> task switch.
Having it changed per task at run-time is problematic as this bit may be
cached in the TLB, so it would require a synchronisation across all CPUs
followed by TLBI. It's not even clear to me from the ARM ARM whether
this bit is tagged by ASID, which, if not, would make a per-process
setting impossible.
So this leaves us with a cmdline option. If we are confident that no
software makes use of tagged instruction pointers, we could have it
default on.
Adding Szabolcs on the gcc/glibc side.
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Peter Collingbourne <pcc@google.com>
Cc: Szabolcs Nagy <szabolcs.nagy@arm.com>,
Andrey Konovalov <andreyknvl@google.com>,
Kostya Serebryany <kcc@google.com>,
Evgenii Stepanov <eugenis@google.com>,
linux-api@vger.kernel.org,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Will Deacon <will@kernel.org>, Dave Martin <Dave.Martin@arm.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 2/2] arm64: allow TCR_EL1.TBID0 to be configured
Date: Tue, 24 Nov 2020 18:47:42 +0000 [thread overview]
Message-ID: <20201124184742.GC42276@C02TF0J2HF1T.local> (raw)
In-Reply-To: <64c0fa360333fd5275582d25019614156a8302bc.1605952129.git.pcc@google.com>
On Sat, Nov 21, 2020 at 01:59:03AM -0800, Peter Collingbourne wrote:
> Introduce a Kconfig option that controls whether TCR_EL1.TBID0 is
> set at boot time.
>
> Setting TCR_EL1.TBID0 increases the number of signature bits used by
> the pointer authentication instructions for instruction addresses by 8,
> which improves the security of pointer authentication, but it also has
> the consequence of changing the operation of the branch instructions
> so that they no longer ignore the top byte of the target address but
> instead fault if they are non-zero. Since this is a change to the
> userspace ABI the option defaults to off.
>
> Signed-off-by: Peter Collingbourne <pcc@google.com>
> Link: https://linux-review.googlesource.com/id/Ife724ad708142bc475f42e8c1d9609124994bbbd
> ---
> This is more of an RFC. An open question is how to expose this.
> Having it be a build-time flag is probably the simplest option
> but I guess it could also be a boot flag. Since it involves an
> ABI change we may also want a prctl() so that userspace can
> figure out which mode it is in.
>
> I think we should try to avoid it being a per-task property
> so that we don't need to swap yet another system register on
> task switch.
Having it changed per task at run-time is problematic as this bit may be
cached in the TLB, so it would require a synchronisation across all CPUs
followed by TLBI. It's not even clear to me from the ARM ARM whether
this bit is tagged by ASID, which, if not, would make a per-process
setting impossible.
So this leaves us with a cmdline option. If we are confident that no
software makes use of tagged instruction pointers, we could have it
default on.
Adding Szabolcs on the gcc/glibc side.
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-11-24 18:48 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-21 9:59 [PATCH 1/2] kasan: arm64: set TCR_EL1.TBID1 when enabled Peter Collingbourne
2020-11-21 9:59 ` Peter Collingbourne
2020-11-21 9:59 ` [PATCH 2/2] arm64: allow TCR_EL1.TBID0 to be configured Peter Collingbourne
2020-11-21 9:59 ` Peter Collingbourne
2020-11-24 18:47 ` Catalin Marinas [this message]
2020-11-24 18:47 ` Catalin Marinas
2020-11-24 19:18 ` Peter Collingbourne
2020-11-24 19:18 ` Peter Collingbourne
2020-11-25 14:37 ` Szabolcs Nagy
2020-11-25 14:37 ` Szabolcs Nagy
2021-06-15 23:41 ` Peter Collingbourne
2021-06-15 23:41 ` Peter Collingbourne
2021-06-16 12:55 ` Szabolcs Nagy
2021-06-16 12:55 ` Szabolcs Nagy
2021-06-22 5:13 ` Peter Collingbourne
2021-06-22 5:13 ` Peter Collingbourne
2020-11-23 18:20 ` [PATCH 1/2] kasan: arm64: set TCR_EL1.TBID1 when enabled Andrey Konovalov
2020-11-23 18:20 ` Andrey Konovalov
2020-11-25 18:54 ` Catalin Marinas
2020-11-25 18:54 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201124184742.GC42276@C02TF0J2HF1T.local \
--to=catalin.marinas@arm.com \
--cc=Dave.Martin@arm.com \
--cc=andreyknvl@google.com \
--cc=eugenis@google.com \
--cc=kcc@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=pcc@google.com \
--cc=szabolcs.nagy@arm.com \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.