From: Mark Rutland
To: Josh Poimboeuf
Cc: Nick Desaulniers, Julien Thierry, Ard Biesheuvel, Mark Brown, Catalin Marinas, Kees Cook, Linux ARM, linux-efi, linux-hardening@vger.kernel.org, LKML, Masahiro Yamada, Michal Marek, Peter Zijlstra, raphael.gault@arm.com, Will Deacon, clang-built-linux, Bill Wendling, swine@google.com, yonghyun@google.com
Date: Wed, 3 Feb 2021 13:58:22 +0000
Subject: Re: [RFC PATCH 12/17] gcc-plugins: objtool: Add plugin to detect switch table on arm64
Message-ID: <20210203135822.GN55896@C02TD0UTHF1T.local>
In-Reply-To: <20210203001414.idjrcrki7wmhndre@treble>

On Tue, Feb 02, 2021 at 06:14:14PM -0600, Josh Poimboeuf wrote:
> On Tue, Feb 02, 2021 at 03:01:22PM -0800, Nick Desaulniers wrote:
> > > >> Thus far we've been able to successfully reverse engineer it on x86,
> > > >> though it hasn't been easy.
> > > >>
> > > >> There were some particulars for arm64 which made doing so impossible.
> > > >> (I don't remember the details.)
> > >
> > > The main issue is that the tables for arm64 have more indirection than x86.
> >
> > I wonder if PAC or BTI also make this slightly more complex? PAC at
> > least has implications for unwinders, IIUC.
>
> What is PAC/BTI?

PAC is "Pointer Authentication Codes". The gist is that we munge some bits
in pointers when they get stored in memory (called "signing"), and undo
that with a check (called "authentication") when reading from memory, in
order to detect unexpected modification. There are some new instructions
that may exist in function prologues and epilogues, etc.

There's a basic introduction at:

https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf
https://www.kernel.org/doc/html/latest/arm64/pointer-authentication.html

Return address signing/authentication uses the SP as an input, so without
knowing the SP something was signed against it's not possible to alter it
reliably (or to check it).

The arm64 unwinder ignores the PAC bits, and ftrace uses
patchable-function-entry so that we don't have to do anything special to
manipulate the return address.
Today the ABI used by the kernel doesn't mess with the pointers used in
jump tables, but that may come in future as toolchain folk are working to
define an ABI that might.

BTI is "Branch Target Identification", which is a bit like CET's indirect
branch tracking -- indirect branches need to land on a specific
instruction, or they'll raise an exception.

Thanks,
Mark.
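A toy model of the return-address signing and authentication Mark describes, added here as an example; it is not code from the kernel, the thread, or the Arm architecture. It assumes a constructed keyed mixer in place of the real PAC cipher, an invented `struct pac_key`, and a simplified PAC field in bits 63..48 of a 48-bit-VA pointer; the hypothetical `pac_sign`, `pac_auth` and `pac_strip` stand in for `paciasp`, `autiasp`, and the unwinder's habit of masking the PAC bits off without checking them.

```c
#include <stdint.h>

/* Toy model of arm64 PAC return-address signing (assumed, not the kernel's
 * or the hardware's code). Real hardware uses a dedicated cipher keyed with
 * APIAKey; this model uses a keyed 64-bit mixer. The PAC field here is
 * bits 63..48 of a 48-bit-VA pointer, ignoring the TBI/bit-55 details. */
#define VA_BITS   48
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_SHIFT VA_BITS

struct pac_key { uint64_t lo, hi; };   /* constructed stand-in for APIAKey */

static uint64_t mix64(uint64_t x)      /* stand-in for the PAC cipher */
{
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return x ^ (x >> 33);
}

/* PAC over the canonical address and the modifier (SP for paciasp/autiasp). */
static uint16_t pac_compute(uint64_t ptr, uint64_t modifier, const struct pac_key *k)
{
    uint64_t h = mix64((ptr & VA_MASK) ^ k->lo);
    return (uint16_t)(mix64(h ^ modifier ^ k->hi) >> 48);
}

/* Like paciasp in a prologue: stash the PAC in the unused upper bits of LR. */
uint64_t pac_sign(uint64_t lr, uint64_t sp, const struct pac_key *k)
{
    return (lr & VA_MASK) | ((uint64_t)pac_compute(lr, sp, k) << PAC_SHIFT);
}

/* Like autiasp in an epilogue: recompute with the current SP and compare.
 * Returns 0 and the clean address on success, -1 if the address, the SP or
 * the PAC bits differ (hardware would fault or poison the pointer instead). */
int pac_auth(uint64_t signed_lr, uint64_t sp, const struct pac_key *k, uint64_t *out)
{
    uint64_t clean = signed_lr & VA_MASK;
    if ((uint16_t)(signed_lr >> PAC_SHIFT) != pac_compute(clean, sp, k))
        return -1;
    *out = clean;
    return 0;
}

/* What the unwinder does: drop the PAC bits without checking them. */
uint64_t pac_strip(uint64_t signed_lr) { return signed_lr & VA_MASK; }
```

Because the SP is mixed in, a return address signed in one frame fails to authenticate if replayed at a different SP, which is the property the thread relies on.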