From: Dave Martin <Dave.Martin@arm.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Peter Collingbourne <pcc@google.com>,
libc-alpha@sourceware.org,
Catalin Marinas <catalin.marinas@arm.com>,
Kevin Brodsky <kevin.brodsky@arm.com>,
linux-api@vger.kernel.org, Kostya Serebryany <kcc@google.com>,
Evgenii Stepanov <eugenis@google.com>,
Andrey Konovalov <andreyknvl@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Will Deacon <will@kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)
Date: Wed, 18 Nov 2020 17:19:45 +0000 [thread overview]
Message-ID: <20201118171945.GG6882@arm.com> (raw)
In-Reply-To: <87blfv6fj3.fsf@mid.deneb.enyo.de>
On Tue, Nov 17, 2020 at 06:48:16PM +0100, Florian Weimer wrote:
> * Peter Collingbourne:
>
> > This prctl allows the user program to control which PAC keys are enabled
> > in a particular task. The main reason why this is useful is to enable a
> > userspace ABI that uses PAC to sign and authenticate function pointers
> > and other pointers exposed outside of the function, while still allowing
> > binaries conforming to the ABI to interoperate with legacy binaries that
> > do not sign or authenticate pointers.
> >
> > The idea is that a dynamic loader or early startup code would issue
> > this prctl very early after establishing that a process may load legacy
> > binaries, but before executing any PAC instructions.
>
> I thought that the silicon did not support this?
>
> What exactly does this switch on and off? The signing itself (so that
> the bits are zero again), or just the verification?
>
> I do not know how easy it will be to adjust the glibc dynamic linker
> to this because I expect it to use PAC instructions itself. (It is an
> interesting target, I suppose, so this makes sense to me.) The loader
> code used for initial process setup and later dlopen is the same.
> Worst case, we could compile the loader twice.
I don't think this would matter if only the B key is turned on and off,
since the compiler and libc should only be using the A key (or no key at
all) when built standard compiler options.
IIUC the default compiler options when using PAC will only use the
A key, and only use the PAC instructions that execute as NOPs when the
affected key is disabled (precisely so that the code still runs on non-
PAC supporting hardware). But you can't simply flip it on and off while
there are function frames on the stack that assume it's either on or off.
However, the kernel interface should not assume any particular userspace
environment, so the controls offered should be general. There are
plenty of other prctl()s (as well as regular syscalls) that will confuse
or break glibc; this is not really any different.
[...]
Cheers
---Dave
WARNING: multiple messages have this Message-ID (diff)
From: Dave Martin <Dave.Martin@arm.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: libc-alpha@sourceware.org, Will Deacon <will@kernel.org>,
linux-api@vger.kernel.org, Kevin Brodsky <kevin.brodsky@arm.com>,
Andrey Konovalov <andreyknvl@google.com>,
Kostya Serebryany <kcc@google.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Peter Collingbourne <pcc@google.com>,
Evgenii Stepanov <eugenis@google.com>
Subject: Re: [PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)
Date: Wed, 18 Nov 2020 17:19:45 +0000 [thread overview]
Message-ID: <20201118171945.GG6882@arm.com> (raw)
In-Reply-To: <87blfv6fj3.fsf@mid.deneb.enyo.de>
On Tue, Nov 17, 2020 at 06:48:16PM +0100, Florian Weimer wrote:
> * Peter Collingbourne:
>
> > This prctl allows the user program to control which PAC keys are enabled
> > in a particular task. The main reason why this is useful is to enable a
> > userspace ABI that uses PAC to sign and authenticate function pointers
> > and other pointers exposed outside of the function, while still allowing
> > binaries conforming to the ABI to interoperate with legacy binaries that
> > do not sign or authenticate pointers.
> >
> > The idea is that a dynamic loader or early startup code would issue
> > this prctl very early after establishing that a process may load legacy
> > binaries, but before executing any PAC instructions.
>
> I thought that the silicon did not support this?
>
> What exactly does this switch on and off? The signing itself (so that
> the bits are zero again), or just the verification?
>
> I do not know how easy it will be to adjust the glibc dynamic linker
> to this because I expect it to use PAC instructions itself. (It is an
> interesting target, I suppose, so this makes sense to me.) The loader
> code used for initial process setup and later dlopen is the same.
> Worst case, we could compile the loader twice.
I don't think this would matter if only the B key is turned on and off,
since the compiler and libc should only be using the A key (or no key at
all) when built standard compiler options.
IIUC the default compiler options when using PAC will only use the
A key, and only use the PAC instructions that execute as NOPs when the
affected key is disabled (precisely so that the code still runs on non-
PAC supporting hardware). But you can't simply flip it on and off while
there are function frames on the stack that assume it's either on or off.
However, the kernel interface should not assume any particular userspace
environment, so the controls offered should be general. There are
plenty of other prctl()s (as well as regular syscalls) that will confuse
or break glibc; this is not really any different.
[...]
Cheers
---Dave
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-11-18 17:19 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-14 5:51 [PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS) Peter Collingbourne
2020-10-14 5:51 ` Peter Collingbourne
2020-11-17 17:29 ` Catalin Marinas
2020-11-17 17:29 ` Catalin Marinas
2020-11-17 18:14 ` Szabolcs Nagy
2020-11-17 18:14 ` Szabolcs Nagy
2020-11-17 18:40 ` Peter Collingbourne
2020-11-17 18:40 ` Peter Collingbourne
2020-11-17 17:48 ` Florian Weimer
2020-11-17 17:48 ` Florian Weimer
2020-11-17 18:17 ` Peter Collingbourne
2020-11-17 18:17 ` Peter Collingbourne
2020-11-17 18:39 ` Szabolcs Nagy
2020-11-17 18:39 ` Szabolcs Nagy
2020-11-18 12:33 ` Catalin Marinas
2020-11-18 12:33 ` Catalin Marinas
2020-11-18 13:31 ` Szabolcs Nagy
2020-11-18 13:31 ` Szabolcs Nagy
2020-11-18 13:37 ` Catalin Marinas
2020-11-18 13:37 ` Catalin Marinas
2020-11-18 17:19 ` Dave Martin [this message]
2020-11-18 17:19 ` Dave Martin
2020-11-18 17:31 ` Florian Weimer
2020-11-18 17:31 ` Florian Weimer
2020-11-18 18:18 ` Dave Martin
2020-11-18 18:18 ` Dave Martin
2020-11-18 12:25 ` Catalin Marinas
2020-11-18 12:25 ` Catalin Marinas
2020-11-19 5:20 ` Peter Collingbourne
2020-11-19 5:20 ` Peter Collingbourne
2020-11-18 17:55 ` Dave Martin
2020-11-18 17:55 ` Dave Martin
2020-11-18 19:05 ` Peter Collingbourne
2020-11-18 19:05 ` Peter Collingbourne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201118171945.GG6882@arm.com \
--to=dave.martin@arm.com \
--cc=andreyknvl@google.com \
--cc=catalin.marinas@arm.com \
--cc=eugenis@google.com \
--cc=fw@deneb.enyo.de \
--cc=kcc@google.com \
--cc=kevin.brodsky@arm.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=pcc@google.com \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.