Re: [PATCH 1/2] arm64: ptrauth: add pointer authentication Armv8.6 enhanced feature

From: Will Deacon <will@kernel.org>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Kees Cook <keescook@chromium.org>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Kristina Martsenko <kristina.martsenko@arm.com>,
	Mark Brown <broonie@kernel.org>,
	James Morse <james.morse@arm.com>,
	Amit Daniel Kachhap <amit.kachhap@arm.com>,
	Vincenzo Frascino <Vincenzo.Frascino@arm.com>,
	Dave Martin <Dave.Martin@arm.com>,
	linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 1/2] arm64: ptrauth: add pointer authentication Armv8.6 enhanced feature
Date: Fri, 28 Feb 2020 12:23:46 +0000	[thread overview]
Message-ID: <20200228122345.GC3275@willie-the-truck> (raw)
In-Reply-To: <20200228120314.GD36089@lakrids.cambridge.arm.com>

On Fri, Feb 28, 2020 at 12:03:14PM +0000, Mark Rutland wrote:
> On Fri, Feb 28, 2020 at 11:57:37AM +0000, Will Deacon wrote:
> > On Wed, Feb 19, 2020 at 06:30:39PM +0530, Amit Daniel Kachhap wrote:
> > > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> > > index 8d1c979..a4f8adb 100644
> > > --- a/arch/arm64/kernel/cpufeature.c
> > > +++ b/arch/arm64/kernel/cpufeature.c
> > > @@ -154,9 +154,9 @@ static const struct arm64_ftr_bits ftr_id_aa64isar1[] = {
> > >  	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_FCMA_SHIFT, 4, 0),
> > >  	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_JSCVT_SHIFT, 4, 0),
> > >  	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_PTR_AUTH),
> > > -		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_API_SHIFT, 4, 0),
> > > +		       FTR_STRICT, FTR_EXACT, ID_AA64ISAR1_API_SHIFT, 4, 0),
> > >  	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_PTR_AUTH),
> > > -		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_APA_SHIFT, 4, 0),
> > > +		       FTR_STRICT, FTR_EXACT, ID_AA64ISAR1_APA_SHIFT, 4, 0),
> > >  	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_DPB_SHIFT, 4, 0),
> > >  	ARM64_FTR_END,
> > 
> > Hmm. This is a user-visible change and should probably be in its own patch.
> > It also means we will no longer advertise PAC on systems where not all of
> > the cores have "Enhanced PAC"; is that really necessary?
> 
> It matters for KVM, since a guest won't expect the enhanced PAC trap if
> the ID registers say it does not have it.
> 
> For userspace, the difference is it'll get a SIGILL on the AUT*
> instruction rather than a SIGSEGV when using the result of the AUT*
> instruction.

Yes, if PAC is enabled.

> > Generally we rely on incremental updates to unsigned ID register fields
> > being a superset (i.e. compatible with) the old behaviour. If that's not
> > the case here, then older kernels are broken and we may need new HWCAPs.
> 
> In this case, the behaviour isn't a strict superset. Enhanced PAC
> unconditionally changed the behaviour of AUT* (i.e. there's no opt-in
> with a control bit), but it's not clear to me how much this matters for
> userspace.

Doesn't that violate D13.1.3 "Principles of the ID scheme for fields in
ID registers"?

The part I dislike is that older kernels will happily advertise PAC to
userspace on a system with mismatched legacy/enhanced PAC, and so the
change above doesn't make sense for userspace because the HWCAPs are
already unreliable.

Will

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel