From: Will Deacon <will@kernel.org>
To: Peter Collingbourne <pcc@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Daniel Kiss <daniel.kiss@arm.com>
Subject: Re: [PATCH 2/2] arm64: Configure kernel's PTR_AUTH key when it is built with PTR_AUTH.
Date: Wed, 9 Dec 2020 10:51:03 +0000 [thread overview]
Message-ID: <20201209105103.GA7273@willie-the-truck> (raw)
In-Reply-To: <CAMn1gO4LMkaV_wkE4MGo3UVhY+A+O3b5Y_0FkWudda3fbeAzhg@mail.gmail.com>
On Tue, Dec 08, 2020 at 11:33:33AM -0800, Peter Collingbourne wrote:
> On Tue, Dec 8, 2020 at 3:00 AM Catalin Marinas <catalin.marinas@arm.com> wrote:
> >
> > On Mon, Dec 07, 2020 at 03:07:07PM -0800, Peter Collingbourne wrote:
> > > On Mon, Dec 7, 2020 at 2:46 PM Daniel Kiss <daniel.kiss@arm.com> wrote:
> > > > If the kernel is not compiled with CONFIG_ARM64_PTR_AUTH_KERNEL,
> > > > then the kernel does not need a key and kernel's key could be disabled.
> > > >
> > > > Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
> > > > ---
> > > > arch/arm64/include/asm/asm_pointer_auth.h | 68 ++++++++++++++++-------
> > > > arch/arm64/include/asm/processor.h | 2 +
> > > > arch/arm64/kernel/asm-offsets.c | 4 ++
> > > > 3 files changed, 55 insertions(+), 19 deletions(-)
> > > >
> > > > diff --git a/arch/arm64/include/asm/asm_pointer_auth.h b/arch/arm64/include/asm/asm_pointer_auth.h
> > > > index 52dead2a8640..af3d16027e8f 100644
> > > > --- a/arch/arm64/include/asm/asm_pointer_auth.h
> > > > +++ b/arch/arm64/include/asm/asm_pointer_auth.h
> > > > @@ -14,6 +14,12 @@
> > > > * thread.keys_user.ap*.
> > > > */
> > > > .macro ptrauth_keys_install_user tsk, tmp1, tmp2, tmp3
> > > > +#ifndef CONFIG_ARM64_PTR_AUTH_KERNEL
> > > > + /* Reenable A key */
> > > > + mrs \tmp1, sctlr_el1
> > > > + orr \tmp1, \tmp1, SCTLR_ELx_ENIA
> > > > + msr sctlr_el1, \tmp1
> > > > +#endif
> > >
> > > We should avoid an unconditional MSR on exit like this as it is
> > > expensive (for my PR_PAC_SET_ENABLED_KEYS series I measured the cost
> > > of entry/exit MSR as 43.7ns on Cortex-A75 and 33.0ns on Apple M1). In
> > > that series I take care not to touch SCTLR_EL1 unless necessary.
> > > Likewise for the MSRs on entry below.
> >
> > I think that's how Daniel attempted the first (internal) version of
> > these patches. In theory you don't need to touch SCTLR_ELx_EN* at all as
> > long as the kernel does not use any PAC instructions. However, I was
> > a bit concerned about this and thought it's safer if, when
> > !CONFIG_ARM64_PTR_AUTH_KERNEL, the EnIA bit is cleared while in the
> > kernel.
> >
> > If we can guarantee that the compiler does not generate any PAC
> > instructions (it may assume they are no-ops) and vendor modules don't
> > have such instructions either, we may be able to relax this.
>
> The way I see it it isn't too different from the current prohibition
> on using IB in the kernel (and to a lesser extent DA/DB/GA since those
> can't be accessed from nop-space as far as I'm aware), or NEON
> instructions in most parts of the kernel, or the stack protector
> cookie when building with -fno-stack-protector etc. i.e. if you do
> that then you're breaking the ABI.
>
> Is your concern that distributions may default to enabling
> -mbranch-protection which would result in the PAC instructions being
> used? To address that I think it is reasonable to expect the compiler
> not to use PAC instructions when passing -mbranch-protection=none, and
> if the compiler does so then that is a bug in the compiler.
I'm inclined to agree. At the very least, I think we should start from a
position where we assume the compiler doesn't randomly emit these
instructions, and then we can revisit that decision in future if it turns
out to be wrong.
Will
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-12-09 10:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-07 22:46 arm64: split ARM64_PTR_AUTH option to userspace and kernel configs Daniel Kiss
2020-12-07 22:46 ` [PATCH 1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option Daniel Kiss
2020-12-07 22:46 ` [PATCH 2/2] arm64: Configure kernel's PTR_AUTH key when it is built with PTR_AUTH Daniel Kiss
2020-12-07 23:07 ` Peter Collingbourne
2020-12-08 11:00 ` Catalin Marinas
2020-12-08 19:33 ` Peter Collingbourne
2020-12-09 10:51 ` Will Deacon [this message]
2020-12-09 11:56 ` Daniel Kiss
2020-12-18 11:56 ` arm64: split ARM64_PTR_AUTH option to userspace and kernel Daniel Kiss
2020-12-18 11:56 ` [PATCH v2 1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option Daniel Kiss
2021-01-26 13:27 ` Will Deacon
2021-02-08 14:39 ` Daniel Kiss
2020-12-18 11:56 ` [PATCH v2 2/2] arm64: Do not configure kernel's PTR_AUTH key when it not needed Daniel Kiss
2021-01-26 13:32 ` Will Deacon
2021-01-26 13:17 ` arm64: split ARM64_PTR_AUTH option to userspace and kernel Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201209105103.GA7273@willie-the-truck \
--to=will@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=daniel.kiss@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=pcc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.